Government Dataset HoneyTokens

Governments everywhere are terribly keen on tracking everything you’re doing all of the time.

From census information to your health data to your shopping habits, there’s nothing they deem inaccessible in the names of nebulous “societal benefits” that may or may not eventuate.

Since it can be hard to not participate in these schemes, it occurred to me that if you’re going to supply information at all, why not sprinkle some honeytokens in amongst the regular data you have to supply.

What Is A Honey Token?

Without getting into too much InfoSec jargon and history, a honeytoken is a piece of information you supply that is slightly, deliberately wrong or misleading. A little like using your dog’s name to get postal mail when you order something to be delivered to your house. Then, when your dog starts getting offers for a credit card, you know that the place you ordered your new drill from has sold your information to someone else so they can try to get you to sign up for a credit card you don’t need.

A great example of using them online to detect when someone looks at information they shouldn’t is the CanaryTokens service run by Thinkst.

Data Honey Tokens

Unfortunately, the options for honeytokens are more limited when we’re dealing with simple inactive data rather than more active systems like email or websites.

Ideally, we want something that gives us information if it’s used, like our dog’s name example above.

We also need these honeytokens to be benign if at all possible. Misspelling your name or street name can happen by accident.

Ideally, we’d also need a way to keep track of which honeytoken we used for which purpose, which is easier with computerised systems like CanaryTokens that can keep track of this stuff for us.

Ideas

Here are some ideas that people have come up with. If you think of a new one, let me know and I’ll add it to the list.

  • Add a house name to your address. Something like The Burrow, or Windemere, or Castellian that some people add to their address when they’re being pretentious. It doesn’t affect the ability of mail to get to your house, but it can add meaning that isn’t immediately obvious. For example, your address could be
    Justin Warren
    Windemere
    86 Data Leakage Boulevarde
    Wrongthink, CA, 77485
  • Nicknames. Put a made-up nickname as part of your name, e.g. Justin “DataBreach” Warren so if you ever see this name used somewhere else, you know it’s been leaked.
  • Phone Number Extension. Add a made up extension number to your phone number, like 309-232-0032 extension 3354. This won’t work in a lot of form fields that expect your phone number to be a specific, restricted format, but for other places it’s worth a try.
Bookmark the permalink.

4 Comments

  1. hey Justin,

    I don’t know if other emails services allow you to do this, but gmail allows you to add “tokens” to your email address ie
    [email protected]
    [email protected]
    [email protected]

    Will all be delivered to the myname gmail account, full stops are ignored as is anything after a +

    but you have to weigh up giving your email to the evil giant that is google

  2. Close. A dot ‘.’ character is part of the name, so [email protected] and [email protected] are different addresses. The [email protected] syntax should deliver to the same place as [email protected] but you should still see the [email protected] in the To: field when the mail arrives.

    Apparently some lesser email services don’t support the [email protected] decorator syntax, alas, but postfix does, and sendmail did back when that was all the rage.

  3. Just tested it and I think it’s gmail specific but the dots “.” in the username portion of the address are ignored by gmail

  4. That’s odd. It shouldn’t, IIRC.

Leave a Reply

Your email address will not be published. Required fields are marked *