Is Anyone Looking At Your Files? A Canary Will Tell You.


Has anyone been looking at the files on your computer? Or on your cloud drive? Has anyone been browsing parts of your web site that they're not supposed to, and which you thought you'd secured? Has anyone managed to find your contacts database online?

Your answer to all of these questions is probably "I would hope not". But you can't be sure, of course. And that's where the idea of a canary token comes in.

If you're not familiar with the idea of a canary as an early warning system, its origins lie in coal mining. Miners would carry a small bird (typically a canary) in a cage. If the mine filled with dangerous gases, and an explosion or suffocation was imminent, the canary would die quickly. This gave the miners time to get out of the area to safety.

Nowadays, of course, electronic detectors are used in place of caged birds, but the name still sticks.

A canary token is a web URL, email address, document file and so on which will trigger an action if it's ever accessed. In the case of a web URL, the canary token is the address of a unique yet non-existent page on the web site of the company that issued the token. If someone were to ever attempt to access that page, the web server would notice (because it would attempt to serve that non-existent page to whoever requested it). The server will then notify the owner of the canary token that someone tried to access it.
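The web-URL mechanism described above, as an added sketch that is not the code of any real token service. The names `issue_token`, `app` and `ALERTS` are hypothetical, the in-memory `ALERTS` list stands in for the notification email, and answering every path with the same 404 is an assumption of this example.

```python
"""Minimal web-URL canary token service (illustrative; all names are assumptions)."""
import secrets
from datetime import datetime, timezone

TOKENS = {}   # token -> {"owner": email, "memo": description}
ALERTS = []   # stand-in for the notification email sent to the token's owner


def issue_token(owner_email, memo):
    """Create a unique, unguessable path that no legitimate page links to."""
    token = secrets.token_urlsafe(16)
    TOKENS[token] = {"owner": owner_email, "memo": memo}
    return "/" + token


def notify(token, environ):
    """Record who touched the token; a real service would email the owner."""
    info = TOKENS[token]
    ALERTS.append({
        "to": info["owner"],
        "memo": info["memo"],
        "source_ip": environ.get("REMOTE_ADDR", "unknown"),
        "user_agent": environ.get("HTTP_USER_AGENT", ""),
        "time": datetime.now(timezone.utc).isoformat(),
    })


def app(environ, start_response):
    """WSGI app: every path is 'non-existent', but token paths raise an alert."""
    token = environ.get("PATH_INFO", "/").lstrip("/")
    if token in TOKENS:
        notify(token, environ)
    # Identical response for token and non-token paths, so the visitor
    # cannot tell that the request was noticed.
    body = b"Not Found"
    start_response("404 Not Found", [("Content-Type", "text/plain"),
                                     ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    url = issue_token("owner@example.com", "planted in private web folder")
    print("Plant this URL: http://127.0.0.1:8000" + url)
    make_server("127.0.0.1", 8000, app).serve_forever()
```

Because only the token's owner knows the path exists, any entry in `ALERTS` means someone found and followed the planted URL.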

Canary tokens don't have to be web URLs. They could be an email address, a Word document, a PDF file, and so on.

So why is this useful? Imagine that you keep your files on Dropbox. You suspect that someone else has guessed your password and has been looking at your files, but you can't prove it. Create a canary token in the form of a Word document and put it in your Dropbox folder. If anyone accesses that file, you'll get an email with the IP address of the person who tried to access it.

Equally, if you have a password-protected area of your web site that is for your own private use only, put a canary token HTML file in there. If anyone attempts to access that page, you'll be notified. And if you have a database of email addresses, create an email address that is actually a canary token and add it to your database. If anyone steals the database and tries to send email to that canary address, you'll find out.

Neat, eh?

Creating canary tokens is really easy, fun, and free. Just head to and type in your email address plus a brief description of what the token is going to be used for. Then download it in whatever form you need, and plant it somewhere. Now just wait for it to be triggered, at which point you'll receive an email.



A tip to help assure they open your canary-protected file: Name it passwords.doc. You can be sure that's the first one they will open.