Can you please explain how this can operate as a canary?
Edit: another post explains that the method is if the bogus data end up in a data leak, but that would require keeping track of bogus submissions and generating new data for each company where you create an account. Then you'd have to cross-reference like crazy. Am I missing something simpler?
I know at least one person who has their own personal family domain set up so that his family members can just create new email addresses specific to the vendor when shopping online (for example, 'amazon@familyrobinson.com' and 'bestbuy@familyrobinson.com' ). Then all their shopping emails just get routed to his domain. Being able to track which company leaked or sold an email address seems like another benefit in addition to catching all the marketing emails.
Gmail has this feature baked in. Append a + sign to the username and then append any string you want, i.e., username+ycombinator@gmail.com. It will forward these mails to your regular email address.
I started doing this for the exact same reason as mentioned above, but you can obviously do more than just creating honeypots.
Also you have to ignore the fact that it's Google...
I do this. A small annoyance can crop up when trying to log in to a service with your + modified email address. Hmmm, what did I append after the plus? If you can't remember that, you can't use the "forgot my password" function either :)
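The canary bookkeeping the question above asks about, the per-vendor aliases from the family-domain and Gmail plus-addressing comments, and the "what did I append after the plus?" problem are all covered by the following added example. It is not code from the thread or from Gmail; it assumes a per-user secret (a constructed value here) from which each vendor's tag is derived with HMAC, so the tag can be recomputed instead of remembered, and it normalizes Gmail addresses the way Gmail does (case, dots in the local part, and everything after "+" are ignored), which a leaker or spammer may have rewritten.

```python
import hashlib
import hmac
from collections import Counter

# Constructed secret for this demo; in practice keep one per person in a password manager.
SECRET = b"example-secret-only-for-this-demo"

GMAIL_DOMAINS = ("gmail.com", "googlemail.com")


def vendor_tag(vendor: str, secret: bytes = SECRET, length: int = 8) -> str:
    """Deterministic per-vendor tag: truncated HMAC-SHA256(secret, vendor).

    Because it is recomputable from the secret, you never need to remember
    what you appended after the '+' when a login or password reset asks for it.
    """
    digest = hmac.new(secret, vendor.strip().lower().encode(), hashlib.sha256).hexdigest()
    return digest[:length]


def alias_for(vendor: str, style: str, base: str, secret: bytes = SECRET) -> str:
    """Build the canary address for one vendor.

    style='plus'   -> local+tag@domain   (Gmail-style plus addressing)
    style='domain' -> vendor@domain      (catch-all family domain, e.g. amazon@familyrobinson.com)
    """
    local, _, domain = base.strip().lower().partition("@")
    if style == "plus":
        return f"{local}+{vendor_tag(vendor, secret)}@{domain}"
    if style == "domain":
        return f"{vendor.strip().lower()}@{domain}"
    raise ValueError(f"unknown alias style: {style}")


def canonical(addr: str) -> str:
    """Mailbox identity as Gmail sees it: lowercase, no '+tag', no dots in the local part.
    Other domains are only lowercased (dots and plus tags are significant there in general)."""
    local, _, domain = addr.strip().lower().partition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def extract_tag(addr: str):
    """Return the text after '+' in the local part, or None if there is none."""
    local = addr.strip().lower().partition("@")[0]
    return local.split("+", 1)[1] if "+" in local else None


class CanaryLedger:
    """Records which alias was handed to which vendor and attributes leaked addresses back."""

    def __init__(self, base: str, secret: bytes = SECRET):
        self.base = base.strip().lower()
        self.secret = secret
        self.by_alias = {}  # exact alias -> vendor
        self.by_tag = {}    # plus-tag -> vendor (for rewritten Gmail addresses)

    def register(self, vendor: str, style: str = "plus") -> str:
        alias = alias_for(vendor, style, self.base, self.secret)
        self.by_alias[alias] = vendor
        if style == "plus":
            self.by_tag[extract_tag(alias)] = vendor
        return alias

    def attribute(self, addr: str):
        """Name the vendor an address was given to, or None if it is not one of our canaries."""
        a = addr.strip().lower()
        if a in self.by_alias:
            return self.by_alias[a]
        # Same Gmail mailbox but the leaker changed case or dots: fall back to the tag.
        if canonical(a) == canonical(self.base):
            return self.by_tag.get(extract_tag(a))
        return None

    def who_leaked(self, dump) -> Counter:
        """Count hits per vendor across a leaked address list (the 'cross-referencing' step)."""
        hits = Counter()
        for addr in dump:
            vendor = self.attribute(addr)
            if vendor is not None:
                hits[vendor] += 1
        return hits
```

The ledger is the only state you need to keep: one row per vendor. When a dump or an unexpected marketing mail shows up, `who_leaked` tells you which row it came from, and `vendor_tag` lets you regenerate a forgotten plus-tag for the login form.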
Basically treating the data from various email honeypots as a "numbers station", but instead of using it to prime encryption keys, you use it as a form of steganography. To do this entirely anonymously, the next step would be to publish on a public blockchain or anonymous service so that the owner's device (that generated the emails originally) can upload a signed statement that proves it was the phone that was pwned and who the offending app was.
A similar idea seems baked into a couple of crypto initiatives https://coincentral.com/sentinel-protocol/ but fundamentally we're talking about an anonymous reputation system modeled after how swarms operate to gossip risk.
It would be necessarily stochastic in nature because you'd be depending on the third parties to send emails a bit at a time, but if you get a deluge of phones all reporting the same app, you can assume fairly confidently that app has been compromised. Punishment (brand reputation, sanctions by the app store) for being compromised would encourage better security.
This could (and would need to be) operated at the hardware level and orchestrated by the OS and OS provider. This is the kind of thing Apple and Google could do as part of their privacy initiatives around "differential privacy": https://venturebeat.com/2019/12/21/ai-has-a-privacy-problem-...
What, you think that deep learning chip on your phone is there to make cute avatars?
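The aggregation side of the scheme sketched above, as an added example that is not part of the thread: devices submit signed statements naming the app whose canary address leaked, and a collector only counts statements whose signature verifies, credits each device at most once per app (so a chatty or replaying device cannot manufacture a "deluge"), and flags an app once enough distinct devices agree. The per-device HMAC-SHA256 keys, the threshold, the device and app identifiers and the report format are all assumptions made up for the example; a real deployment would use hardware-backed attestation keys and public-key signatures rather than shared HMAC keys.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed per-device keys standing in for hardware attestation keys held by the OS vendor.
DEVICE_KEYS = {
    "dev-001": b"key-one", "dev-002": b"key-two", "dev-003": b"key-three",
    "dev-004": b"key-four", "dev-005": b"key-five",
}


def sign_report(device_id: str, app: str, leaked_alias: str, key: bytes) -> dict:
    """Device side: a signed statement 'my canary alias for this app has turned up in spam/a leak'."""
    payload = json.dumps(
        {"device": device_id, "app": app, "alias": leaked_alias}, sort_keys=True
    )
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


class LeakAggregator:
    """Collector side: verify reports, one vote per device per app, flag above a threshold."""

    def __init__(self, keys: dict, threshold: int):
        self.keys = keys
        self.threshold = threshold
        self.devices_per_app = defaultdict(set)
        self.rejected = 0

    def ingest(self, report: dict) -> bool:
        """Return True if the report was accepted and counted, False if rejected."""
        try:
            data = json.loads(report["payload"])
            device, app = data["device"], data["app"]
        except (KeyError, TypeError, ValueError):
            self.rejected += 1
            return False
        key = self.keys.get(device)
        if key is None:  # unknown device: cannot be attributed, so it gets no vote
            self.rejected += 1
            return False
        expected = hmac.new(key, report["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, report.get("sig", "")):
            self.rejected += 1  # tampered payload or forged signature
            return False
        # A set per app means re-sent or duplicated reports from one device count once.
        self.devices_per_app[app].add(device)
        return True

    def votes(self, app: str) -> int:
        return len(self.devices_per_app[app])

    def flagged(self) -> list:
        """Apps reported by at least `threshold` distinct verified devices."""
        return sorted(app for app, devs in self.devices_per_app.items()
                      if len(devs) >= self.threshold)


def run_demo() -> LeakAggregator:
    """Constructed traffic: four devices accuse one app, one device accuses another,
    one device replays its report, and two reports are bogus."""
    agg = LeakAggregator(DEVICE_KEYS, threshold=3)
    for dev in ("dev-001", "dev-002", "dev-003", "dev-004"):
        agg.ingest(sign_report(dev, "com.example.flashlight", f"{dev}+flash@example.com",
                               DEVICE_KEYS[dev]))
    agg.ingest(sign_report("dev-005", "com.example.notes", "dev-005+notes@example.com",
                           DEVICE_KEYS["dev-005"]))
    replay = sign_report("dev-001", "com.example.flashlight", "dev-001+flash@example.com",
                         DEVICE_KEYS["dev-001"])
    agg.ingest(replay)
    agg.ingest(replay)
    # Forged: unknown device trying to pile on.
    agg.ingest(sign_report("dev-999", "com.example.notes", "x@example.com", b"guessed-key"))
    # Tampered: valid signature over a different app name.
    tampered = sign_report("dev-002", "com.example.notes", "dev-002+notes@example.com",
                           DEVICE_KEYS["dev-002"])
    tampered["payload"] = tampered["payload"].replace("com.example.notes", "com.example.flashlight")
    agg.ingest(tampered)
    return agg
```

The threshold is where the "stochastic" part lives: reports trickle in as third parties get around to spamming the canaries, so a single device's claim is weak evidence, while agreement across many independently keyed devices is hard to fake without compromising those devices' keys.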