Canadian election databases rely on canary traps to catch leaks
▼ Summary
– A canary trap identifies leakers by giving each recipient a document with unique, tiny changes that reveal the source if leaked.
– Alberta’s electoral list contains personal data like names and addresses; political parties can access it with restrictions against sharing with third parties.
– The Centurion Project, a separatist group, used the electoral list for an online voter database without authorization.
– Elections Alberta traced the leak to the Republican Party of Alberta by finding bogus entries from that party’s copy in Centurion’s tool.
– The canary trap allowed Elections Alberta to quickly pressure both the Republican Party and Centurion, leading to the tool’s removal.
In an era dominated by sophisticated cybersecurity measures like passkeys, quantum-safe algorithms, and public-key cryptography, there is something almost charming about returning to a classic investigative technique: the canary trap. This low-tech method remains remarkably effective for identifying leakers or double agents. The premise is simple: distribute a document, image, or database with minor, unique alterations for each recipient. If those specific changes appear verbatim in any unauthorized leak, the source is immediately identifiable.
While canary traps are a staple of spy novels and intelligence work, they rarely make headlines. That changed last week with a notable case from Canada.
The drama unfolded in the Canadian province of Alberta, centered on its electoral list,a database containing sensitive information like names, addresses, and voting districts for millions of citizens. Political parties are legally permitted to access this list, but they operate under strict restrictions. Sharing the data with third parties, for example, is strictly prohibited.
Despite these rules, a group called The Centurion Project,described by the CBC as a “separatist group”,used the list to power an online voter database. Elections Alberta, the agency responsible for maintaining the list, responded swiftly. Last week, it obtained a court order to shut down the Centurion site.
The immediate question was: how did Centurion get the data?
Elections Alberta launched an investigation and quickly traced the source. The list used by Centurion matched a copy that had been legitimately released to the Republican Party of Alberta. Officials were certain of this link because, each time they distribute the electoral list, they salt it with fake entries,bogus records inserted specifically to act as digital fingerprints. Those fabricated entries, unique to the Republican Party’s version, appeared intact within Centurion’s online tool.
Exactly how the data traveled from the Republican Party to Centurion remains unclear. But the canary trap allowed Elections Alberta to act decisively, putting pressure on both groups. Each publicly pledged to comply with the law, and Centurion promptly took its database offline.
(Source: Ars Technica)