OSINT Enabled Ghost Mode: Counter-Surveillance for Everyday People
This talk demonstrates a personal counter-surveillance architecture designed to detect and monitor unauthorized data collection and tracking. The system leverages open-source intelligence (OSINT) tools and honeypots to create a defensive layer that alerts users to potential surveillance activities. The primary takeaway is the implementation of a self-hosted, containerized monitoring stack that provides real-time visibility into data exposure and probing attempts. The speaker provides a GitHub repository containing the configuration and deployment scripts for this defensive setup.
Building a Personal Counter-Surveillance Stack to Catch Data Harvesters
TLDR: Modern smart devices and online services constantly leak telemetry that allows third parties to build detailed profiles of our daily lives. By deploying a containerized stack of OpenCanary and SpiderFoot, you can turn the tables and monitor who is probing your network or scraping your digital footprint. This setup provides real-time alerts via ntfy to help you identify and isolate unauthorized surveillance attempts before they escalate.
Every device in your home is a potential sensor for a data broker. From the smart refrigerator reporting your grocery habits to the vehicle navigation system logging your precise GPS coordinates, the amount of telemetry leaking from our personal environments is staggering. We often treat these data points as isolated incidents, but they are part of a massive, interconnected web of surveillance. When you combine this with the reality of frequent data breaches, the risk is no longer theoretical. Your personal information is already being aggregated, linked, and sold.
The Mechanics of Personal Surveillance
Surveillance today relies on the aggregation of disparate data sources. A single smart doorbell might seem harmless, but when its logs are combined with your social media activity, your browsing history, and the metadata from your mobile device, the result is a high-fidelity map of your life. Attackers and data brokers do not need to compromise your primary workstation to track you. They simply need to tap into the low-hanging fruit of your IoT ecosystem or purchase your data from a broker who already has it.
The core issue is that we lack visibility into this process. We do not know when our data is being probed, and we certainly do not know when someone is actively using that data to build a profile against us. To change this, you need to move from a passive consumer of technology to an active monitor of your own digital perimeter.
Deploying a Defensive Monitoring Stack
You can implement a robust counter-surveillance architecture using a few open-source tools. The goal is to create a system that alerts you when someone or something interacts with your digital footprint. By using Docker, you can containerize this entire stack, making it portable and easy to manage.
The architecture relies on three primary components:
- Detection: OpenCanary acts as your honeypot. It mimics common network services, and when an unauthorized actor probes these services, it generates a log event.
- Analysis: SpiderFoot automates the collection of OSINT data. By pointing it at your own identifiers—like your email address or IP range—you can see what information is publicly available and potentially being used to track you.
- Alerting: ntfy provides the glue. It sends push notifications to your mobile device, ensuring that you are alerted in real-time when your honeypot is triggered or when your OSINT scans reveal new exposures.
To tie these together, you can use a simple script to parse the logs from OpenCanary and push them to your ntfy instance. Here is a basic example of how you might structure a watcher script to monitor your logs:
#!/usr/bin/env bash
# Simple watcher: tail the OpenCanary log and push each probe to ntfy.
# The log path must match the file logger configured in your opencanary.conf.
# The topic name is the only thing guarding the feed, so choose an unguessable one,
# and prefer a self-hosted ntfy server: the raw line can contain credentials the probe sent.
tail -F /var/log/opencanary.log | while IFS= read -r line
do
    # OpenCanary writes one JSON object per line; this substring match is deliberately crude
    if [[ "$line" == *"connection"* ]]; then
        curl -fsS -d "Unauthorized probe detected: $line" "https://ntfy.sh/your_topic_name"
    fi
done
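The shell watcher above matches on a substring, which misses most of what OpenCanary records and forwards whatever the probe sent, passwords included, to the push service. The following Python is an added example written for this page; it is not code from the speaker's repository. It parses OpenCanary's JSON-lines log format, drops the honeypot's own housekeeping messages and any allow-listed source, builds a notification that omits captured passwords, and produces the per-source view (which source touched which decoy ports) that the "Real-World Applicability" section describes. The numeric logtype codes are assumed to match those in OpenCanary's logger module and should be checked against the version you run; the log lines are constructed samples, and the ntfy server and topic are placeholders.

```python
import json
from collections import defaultdict
from urllib.request import Request, urlopen

# logtype codes as defined in OpenCanary's logger module (assumption: verify
# against your installed version; unknown codes are still reported, just unnamed).
LOGTYPES = {
    2000: "FTP login attempt",
    3000: "HTTP GET",
    3001: "HTTP login attempt",
    4000: "SSH new connection",
    4002: "SSH login attempt",
    5001: "port SYN",
    6001: "Telnet login attempt",
}
# OpenCanary's own boot/message/debug/ping records; never worth a push notification.
NOISE_LOGTYPES = {1000, 1001, 1002, 1004}

# Constructed sample in OpenCanary's JSON-lines format (not captured from a real host).
SAMPLE_LOG = """\
{"dst_host": "192.168.1.20", "dst_port": -1, "local_time": "2024-05-01 08:00:00.000000", "logdata": {"msg": {"logdata": "Canary running!!!"}}, "logtype": 1001, "node_id": "home-canary", "src_host": "", "src_port": -1}
{"dst_host": "192.168.1.20", "dst_port": 22, "local_time": "2024-05-01 08:01:10.100000", "logdata": {"USERNAME": "root", "PASSWORD": "admin"}, "logtype": 4002, "node_id": "home-canary", "src_host": "203.0.113.5", "src_port": 51234}
{"dst_host": "192.168.1.20", "dst_port": 22, "local_time": "2024-05-01 08:01:12.400000", "logdata": {"USERNAME": "root", "PASSWORD": "123456"}, "logtype": 4002, "node_id": "home-canary", "src_host": "203.0.113.5", "src_port": 51235}
this line is not json and must be skipped, not crash the watcher
{"dst_host": "192.168.1.20", "dst_port": 80, "local_time": "2024-05-01 08:05:00.000000", "logdata": {"PATH": "/admin", "USERAGENT": "curl/8.0"}, "logtype": 3000, "node_id": "home-canary", "src_host": "198.51.100.7", "src_port": 40000}
{"dst_host": "192.168.1.20", "dst_port": 445, "local_time": "2024-05-01 08:06:30.000000", "logdata": {}, "logtype": 5001, "node_id": "home-canary", "src_host": "203.0.113.5", "src_port": 51300}
{"dst_host": "192.168.1.20", "dst_port": 23, "local_time": "2024-05-01 08:07:00.000000", "logdata": {"USERNAME": "admin", "PASSWORD": "admin"}, "logtype": 6001, "node_id": "home-canary", "src_host": "192.168.1.10", "src_port": 39000}
"""


def parse_event(line):
    """Parse one log line; return the event dict, or None for blank/non-JSON/non-event lines."""
    line = line.strip()
    if not line:
        return None
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or "logtype" not in event:
        return None
    return event


def is_alertable(event, allowlist=frozenset()):
    """Alert on real probes only: drop OpenCanary housekeeping and trusted sources."""
    if event["logtype"] in NOISE_LOGTYPES:
        return False
    return event.get("src_host", "") not in allowlist


def format_alert(event):
    """Build the push text. The captured password is deliberately left out:
    the notification transits a push service you may not control."""
    kind = LOGTYPES.get(event["logtype"], f"logtype {event['logtype']}")
    logdata = event.get("logdata") or {}
    user = logdata.get("USERNAME") if isinstance(logdata, dict) else None
    who = f" (user {user!r})" if user else ""
    return (f"{kind}{who} from {event.get('src_host')}:{event.get('src_port')} "
            f"-> port {event.get('dst_port')} on {event.get('node_id')} "
            f"at {event.get('local_time')}")


def summarize(events):
    """Per-source baseline: how many probes and which decoy ports each source touched."""
    summary = defaultdict(lambda: {"count": 0, "ports": set()})
    for event in events:
        entry = summary[event.get("src_host")]
        entry["count"] += 1
        entry["ports"].add(event.get("dst_port"))
    return dict(summary)


def process_log(text, allowlist=frozenset()):
    """Return (alert strings, alertable events) for a block of log text."""
    events = [e for e in map(parse_event, text.splitlines())
              if e is not None and is_alertable(e, allowlist)]
    return [format_alert(e) for e in events], events


def send_alert(text, topic, server="https://ntfy.sh", timeout=5):
    """POST one notification to an ntfy topic (placeholder server/topic); returns HTTP status."""
    req = Request(f"{server}/{topic}", data=text.encode(), method="POST",
                  headers={"Title": "Honeypot probe"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    alerts, events = process_log(SAMPLE_LOG, allowlist=frozenset({"192.168.1.10"}))
    for alert in alerts:
        print(alert)
    for src, info in summarize(events).items():
        print(f"{src}: {info['count']} probe(s) against ports {sorted(info['ports'])}")
    # send_alert(alerts[0], "your_topic_name")  # enable once you have a topic on your own server
```

To run it against a live honeypot, feed `process_log` the lines from `tail -F` (or open the log file and poll it) instead of `SAMPLE_LOG`, and call `send_alert` for each string it returns; the summary is what you would keep locally to establish what "normal" probing looks like against your perimeter.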
By hosting this on a private network, you ensure that you are not leaking your own monitoring data to the very entities you are trying to track. Using Tailscale allows you to maintain access to your dashboard from anywhere in the world without exposing your management interface to the public internet.
Real-World Applicability for Researchers
For a penetration tester or a bug bounty hunter, this setup is more than just a defensive tool. It is a way to understand the adversary's perspective. When you see a probe hitting your honeypot, you can analyze the source IP, the timing, and the specific services being targeted. This gives you a baseline for what "normal" looks like in your environment.
During an engagement, you can use these same techniques to identify how an organization's internal assets are being probed. If you are testing a client's network, deploying a similar, larger-scale version of this stack can help you identify lateral movement or reconnaissance activity that might otherwise go unnoticed by traditional security appliances. The impact of identifying these probes early cannot be overstated. It allows you to rotate credentials, isolate compromised segments, and gather intelligence on the attacker's TTPs before they reach their objective.
The Defensive Imperative
Defenders often focus on hardening systems, but they rarely focus on detecting the reconnaissance phase of an attack. By implementing a counter-surveillance strategy, you force the attacker to reveal themselves. When an attacker probes your honeypot, they are no longer operating in the shadows. They are interacting with a system you control.
This approach requires a shift in mindset. You must be willing to invest the time to configure your honeypots, review your logs, and act on the information you gather. It is not a "set it and forget it" solution. It is a continuous process of monitoring and adjustment. If you find a threat, you must be prepared to isolate the affected device, rotate your credentials, and, if necessary, involve the appropriate authorities.
The tools are available, and the barrier to entry is lower than ever. Start by mapping your own digital footprint and identifying the most likely vectors for surveillance. Once you have that baseline, deploy your monitoring stack and start watching the watchers. The data you gather might just be the key to securing your own digital life.