The idea is pretty cool when you start to think about adding self-destructing properties to individual pieces of data, so reasoning about data type and entropy becomes a risk modeling problem.
A concrete example: imagine if bank account numbers, credit card numbers, emails, etc. have self-destructing properties where there exists an outer shell "pointing" to the data but the underlying data is destroyed (using techniques like crypto-shredding et al.). The outer shell would have canary properties that work in real-world systems but since the underlying data is destroyed, all we would be left with are canary properties without the underlying data leak.
A good example of some companies that offer something similar:
Pretty cool technology that can really go far.
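The shell-plus-shredded-data idea from the comment above, as an added example (not from the thread or from any vendor): each value is encrypted under its own key, shredding deletes only that key, and the token keeps resolving as a tripwire that records who used it. `ShreddableVault`, its method names and the one-time-pad encryption are assumptions chosen for illustration; the card number is a constructed test value.

```python
import os
import secrets


class ShreddableVault:
    """Tokens (outer shells) point at encrypted values; per-record keys can be destroyed."""

    def __init__(self):
        self._ciphertexts = {}  # token -> ciphertext (may persist in backups and replicas)
        self._keys = {}         # token -> per-record key, the only thing shredding removes
        self.alerts = []        # canary hits: (token, source) seen after shredding

    @staticmethod
    def _xor(data: bytes, key: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(data, key))

    def store(self, value: str) -> str:
        data = value.encode()
        # Assumption: a one-time pad as long as the field stands in for a real
        # per-record cipher key held in a KMS or HSM.
        key = os.urandom(len(data))
        token = "tok_" + secrets.token_hex(8)  # the shell handed to other systems
        self._ciphertexts[token] = self._xor(data, key)
        self._keys[token] = key
        return token

    def shred(self, token: str) -> None:
        # Crypto-shredding: destroy the key. Every copy of the ciphertext,
        # wherever it was replicated, becomes unrecoverable at once.
        self._keys.pop(token, None)

    def resolve(self, token: str, source: str):
        if token not in self._ciphertexts:
            raise KeyError("unknown token")
        key = self._keys.get(token)
        if key is None:
            # The shell still "works" as a canary: log the caller, leak nothing.
            self.alerts.append((token, source))
            return None
        return self._xor(self._ciphertexts[token], key).decode()


def demo():
    vault = ShreddableVault()
    token = vault.store("4111111111111111")  # constructed test card number
    before = vault.resolve(token, "billing-service")
    vault.shred(token)
    after = vault.resolve(token, "unknown-partner-app")
    return token, before, after, vault.alerts
```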
We ran something similar, firing ‘insiders’ across many of the top 100 sites and services, to spot breaches (either in the traditional sense of security incidents, or lapses in privacy for end users).
This is the real alarming part
Since some people might not read the article and just the title, it seemed worth calling out.
Edit: ah, the title was edited from "Facebook app" to "third party social network app". So never mind :)
Lead author of the paper here. I am encouraged to see such insightful discussion on our work. Excited to discuss and address any questions/concerns that anyone may have.
A preprint of our full paper can be found here: https://arxiv.org/pdf/2006.15794.pdf.
We are also publicly sharing a disclosure page (https://github.com/shehrozef/canarytrap). This page contains details of third-party apps which are detected as misusing user data or violating Facebook's TOS in our work.