Site owners keen on user tracking, but blocked by the kind of militant user that installs AdBlock or similar, could instead look at someone’s battery charge information to identify them. Researchers say that even if you have privacy measures in place this will still affect you because websites do not have to ask permission for the battery data and data the script is calling for is not protected.
Advertisement
The ostensible aim of the battery API is to allow websites to automatically switch from high power to energy-saving versions if they detect a user needs to conserve battery.
The feature was introduced in 2012 by the World Wide Web Consortium (W3C), the group that develops web standards, and said that given so little information would be collected, user permissions were not required.
Because the API works out the percent of your remaining battery and the estimated time in seconds that it will take to run down, it has a one-in-14-million combination that basically identifies you as a specific user.
A third-party script that is present across multiple websites can link users’ visits in a short time interval by exploiting the battery information provided to Web scripts.
Lukasz Olejnik, Gunes Acar, Claude Castelluccia and Claudia Diaz, authors of new research entitled ‘The leaking battery: A privacy analysis of the HTML5 Battery Status API, ‘ explain: “In short time intervals, Battery Status API can be used to reinstantiate tracking identifiers of users, similar to evercookies”.
Worse still, on some platforms, the researchers found that it is possible to determine the maximum battery capacity of the device with enough queries, creating a semi-permanent metric to compare devices. This goes to demonstrate that user privacy can not be taken for granted and at the very least, users need to be informed of how information, whether personal or impersonal, will be used.
Advertisement
“Yes I suppose you could track mobiles – however potentially significant server side resources (CPU cycles, memory and storage) could be required to keep track of devices as frequent “heart-beat” would be required to track the device”, he told V3. One could use Tor, a Firefox-based browser with advanced privacy and security features, to hide their identity, researchers noted. Their viewing history could then be tracked as the move around websites.
