Privacy alert: your laptop or phone battery could track you online
Is the battery in your smartphone being used to track your online activities? It might seem unlikely, but it's not quite as farfetched as you might first think. This is not a case of malware or hacking, but a built-in component of the HTML5 specification.
Originally designed to help reduce power consumption, the Battery Status API makes it possible for websites and apps to monitor the battery level of laptops, tablets, and phones. A paper published by a team of security researchers suggests that this represents a huge privacy risk. Using little more than the amount of power remaining in your battery, it is possible for people to be identified and tracked online.
As reported by The Guardian, a paper entitled The Leaking Battery by Belgian and French privacy and security experts say that the API can be used in device fingerprinting. The API can be used to determine the capacity of a website visitor's battery, as well as its current charge level, and the length of time it will take to fully discharge. When combined, these pieces of information create a unique identifier which can be used like a supercookie.
We hope to draw attention to this privacy issue by demonstrating the ways to abuse the API for fingerprinting and tracking.
At particular risk are older phones. The age of the battery reduces the battery life, making it easier to generate unique identifiers. What is especially concerning is the fact that users do not need to be warned when the Battery Status API is being used. This is because when drawing up the HTML5 standard, the W3C said:
The information disclosed has minimal impact on privacy or fingerprinting, and therefore is exposed without permission grants.
To overcome the security and privacy issues, the authors of the report suggest that the readings gathered by the API be rounded. They say this would not interfere with the functionality of the API, but would eliminate the problem of tracking. At the moment, nothing more than a simple script is needed to monitor someone's movement from one website to another. The creation of a unique identifier also opens up the possibility of a phenomenon known as respawning. Even if a user goes to the trouble of deleting local-stored cookies, they could instead be remotely stored and reinstate when a user is identified through Battery Status API data.
The researchers also suggest that permission to access the API should be sought from users rather than just allowing its use by default.