The researcher’s test was conducted over Firefox on a Linux machine, which allowed particularly accurate battery status data – down to 16 decimal points. Hence, without the knowledge of the users, the information can then be used as a way of identifying the phones themselves.
Advertisement
In The leaking battery A privacy analysis of the HTML5 Battery Status API, authors Lukasz Olejnik, Gunes Acar, Claude Castelluccia and Claudia Diaz warn: “In short time intervals, Battery Status API can be used to reinstantiate tracking identifiers of users, similar to evercookies”.
The tracking can occur by looking at the actual battery life readings delivered by the API, which was designed to help save user’s power by letting sites know when to switch to energy-saving modes.
Website requires particular information as well as estimated time in seconds the battery will take to discharge along with the precise battery percentage that is left.
According to security boffins writing at the global Association for Cryptologic Research, “all the information exposed by the Battery Status API is available without users’ permission or awareness”.
However, researchers provides cautionary advice that “Users who try to revisit a website with a new identity may use browsers’ private mode or clear cookies and other client side identifiers”.
In addition to fingerprinting devices based on battery level, the researchers suggest battery capacity could also be used as a tracking vector – noting that the Battery Status API can be used to “infer the current battery capacity (EnergyFull) of a device if it allows high precision level readouts”.
The feature was introduced in 2012 by the World Wide Web Consortium (W3C), the group that develops web standards, and said that given so little information would be collected, user permissions were not required.
The researchers have proposed the necessary “minor modifications” to the battery API to Mozilla and Firefox and said that a fix has been made and deployed.
Phone batteries are sending out info that would be used to determine their house owners and monitor them across the web, even when they’ve taken very cautious privateness precautions, in accordance to a paper by safety researchers. By rounding the values down, none of the functionality would be lost, but it would be almost impossible to track a user down.
Advertisement
A third-party script that is present across multiple websites can link users’ visits in a short time interval by exploiting the battery information provided to Web scripts.
