Persistent authentication has become the default across services. A person who has signed in to a service typically remains signed in across sessions, across devices, and across years. The friction of signing in again has been engineered away in favour of a continuous identified state. The convenience is real; so is the implication.
A signed-in person is a person whose every action on the service is attributed to them by name. The records of those actions accrue without interruption. The pattern of use becomes, in effect, a long unbroken narrative of the person's engagement with the service, with each entry dated and located.
The signed-in state is also a state in which other identifying data flows freely. The device is known to the service, the IP address is known, the location (where the device has consented to share it) is known, the network is known. The session links them all to the named identity. The data collected during the session is therefore tagged with the identity from the start.
Cross-service identification follows. A person signed in to one service who navigates to another service may be identified across both, through shared authentication infrastructure or through tracking that links the two. The signed-in state is rarely confined to the single service that initiated it.
· · ·
The desk reads the implications as they presently apply. The work is not to sign clients out of services where staying signed in is, in fact, what they want; the work is to ensure that the picture being assembled under their persistent identity is the picture they would describe themselves.
More from the desk
The difference between private and unsearchable
When removal is rarely the end of the matter
Why caution is not the same as concealment
Heraldic registration and the modern record
What older fortunes knew about not being interesting
The discipline of saying less