It's common to see advice along these lines:
    Don't build your stuff in someone else's sandbox. Get your own domain and point it to whatever service you choose to use. Your email address should be @yourdomain, where you have full control and no one can lock you out. Don't fall into the trap of digital sharecropping.

There are complicated tradeoffs here and different choices will make sense for different people, but it's close to what I do personally. My writing and projects are hosted on my own domain [1] and my email is jeff@jefftk.com.
On the other hand, I don't think this is something to do lightly. Say you register you.example and start going by you@you.example. A few years later you decide this is too much hassle, switch to using you@fastmail.com or you@gmail.com, and let you.example expire. Someone else can register it, send email legitimately as you@you.example, and Angular gets compromised. If there is anywhere you forgot to remove your former email from your profile, now you are open to being impersonated.
This problem isn't unique to personal domains, but it's much more likely: the major email services don't make abandoned email addresses open to reregistration, to avoid exactly this issue.
If you're considering registering a domain to use as your online identity, make sure you're willing to take on the cost and hassle of keeping the domain registered indefinitely.
[1] I do cross-post to Facebook, LessWrong, and occasionally other places. I also rely on them to host discussions on my posts, though I attempt to archive those discussions back on my site.
This is a great point I have been considering when trying to figure out how I want to "own" my digital identity and considering different web 2.0, web3/crypto, and IndieWeb options.
I'd like to point out the mitigating nature of using Multi-Factor Authentication and/or public/private key encryption (à la PGP) for some of the above situations mentioned! Of course these wouldn't replace the directives of
(1) not letting the domain expire, and
(2) being sure to carefully remove/update/inform contacts and websites
but failing both of those, MFA/PGP would help!
And yes, PGP is neither widespread nor easy (the latter definitely driving the former), and YubiKeys aren't nearly as ubiquitous as silly SMS 2FA, but my point isn't about the specific implementation. I think the PGP/MFA angle just emphasizes to me the importance of accepting that our Digital Identities are very much like Theseus's ship, composed of many planks. The devil is in the details, of course, on which plank has write access to the others, to mix some metaphors : )
As far as that is concerned, I find it instructive to look at the US's attempts to ameliorate its awful system of "We don't have a national ID because that's oppressive, but if you know someone's SSN we think you're definitely the right person!" I would much prefer a National or State level ID with Zero-Knowledge Proof (thanks Silvio Micali!) capability, but in the meantime the admission that "some combination of personal knowledge, various forms of official identification attained at different points in life (SSN card, Driver's License, Passport), and access to certain other communication channels (SMS, Physical Mail, Backup Email)" represents identity pretty okay seems philosophically important, even as the hodge-podge, ad-hoc nature of its development has allowed for some awful "identity theft" ('Identity theft'? It's daylight robbery by the banks, David Mitchell, The Guardian) (read: daylight bank robbery, but somehow you are responsible for it instead of the bank).