Governments everywhere are terribly keen on tracking everything you’re doing all of the time.
Since it can be hard to not participate in these schemes, it occurred to me that if you’re going to supply information at all, why not sprinkle some honeytokens in amongst the regular data you have to supply?
What Is A Honey Token?
Without getting into too much InfoSec jargon and history, a honeytoken is a piece of information you supply that is slightly, deliberately wrong or misleading. A little like using your dog’s name to get postal mail when you order something to be delivered to your house. Then, when your dog starts getting offers for a credit card, you know that the place you ordered your new drill from has sold your information to someone else so they can try to get you to sign up for a credit card you don’t need.
A great example of using them online to detect when someone looks at information they shouldn’t is the CanaryTokens service run by Thinkst.
Data Honey Tokens
Unfortunately, the options for honeytokens are more limited when we’re dealing with simple inactive data rather than more active systems like email or websites.
Ideally, we want something that gives us information if it’s used, like our dog’s name example above.
We also need these honeytokens to be benign if at all possible. Misspelling your name or street name can happen by accident.
Ideally, we’d also need a way to keep track of which honeytoken we used for which purpose, which is easier with computerised systems like CanaryTokens that can keep track of this stuff for us.
Here are some ideas that people have come up with. If you think of a new one, let me know and I’ll add it to the list.
- Add a house name to your address. Something like The Burrow, or Windemere, or Castellian that some people add to their address when they’re being pretentious. It doesn’t affect the ability of mail to get to your house, but it can add meaning that isn’t immediately obvious. For example, your address could be
86 Data Leakage Boulevarde
Wrongthink, CA, 77485
- Nicknames. Put a made-up nickname as part of your name, e.g. Justin “DataBreach” Warren, so if you ever see this name used somewhere else, you know it’s been leaked.
- Phone Number Extension. Add a made-up extension number to your phone number, like 309-232-0032 extension 3354. This won’t work in a lot of form fields that expect your phone number to be a specific, restricted format, but for other places it’s worth a try.
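One way to handle the record-keeping mentioned earlier, using the phone-extension idea (an added example, not part of the original post): derive each recipient's extension from a private secret with HMAC, and keep a ledger so a later sighting can be traced back to whoever was given it. The secret, the recipient names and the `TokenLedger` helper are assumptions made up for illustration; the phone number is the one from the list item above.

```python
import hashlib
import hmac
import re

# Constructed sample values: the secret is a placeholder you would replace.
SECRET = b"replace-with-a-long-random-secret"
BASE_PHONE = "309-232-0032"  # the number used in the post's example


def extension_for(label: str, secret: bytes = SECRET) -> str:
    """Derive a stable 4-digit extension from a label and a private secret."""
    digest = hmac.new(secret, label.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10000:04d}"


class TokenLedger:
    """Hypothetical helper: remembers which extension went to which recipient."""

    def __init__(self, secret: bytes = SECRET):
        self.secret = secret
        self.issued = {}  # extension -> normalised recipient name

    def issue(self, recipient: str) -> str:
        key = recipient.strip().lower()
        for attempt in range(100):
            ext = extension_for(f"{key}#{attempt}", self.secret)
            # Only 10,000 extensions exist, so skip one held by someone else.
            if self.issued.setdefault(ext, key) == key:
                return f"{BASE_PHONE} extension {ext}"
        raise RuntimeError("no free extension found")

    def trace(self, sighting: str):
        """Return the recipient whose extension appears in the text, or None."""
        digits = re.sub(r"\D", "", sighting)  # tolerate any punctuation
        base = re.sub(r"\D", "", BASE_PHONE)
        pos = digits.find(base)
        if pos == -1:
            return None
        ext = digits[pos + len(base):pos + len(base) + 4]
        return self.issued.get(ext)


if __name__ == "__main__":
    ledger = TokenLedger()
    given = ledger.issue("Hardware Store")  # constructed recipient name
    print(given, "->", ledger.trace(given))
```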