As part of HTML5, sites can see how much life remains in the battery of the device you are using to browse the internet. This feature exists so that the amount of data sent and received by your device can be reduced in order to preserve battery life. The W3C say in their specification that the API “has minimal impact on privacy or fingerprinting”, and because of this they allow sites to request the information without requiring permission to do so. However, a paper published in the International Association for Cryptologic Research (IACR) explains how this API can be used to track users across the internet even when they are using tools such as a VPN.
Though this appears to be quite a limited way to track a user, as it is restricted to a 30-second window, it’s actually a bit more serious than that. Once a user has been re-identified, the website can “respawn” the cookies for that identity. So let’s say you visit a site in normal browsing mode, then decide you want to do something on that site in incognito mode. If you load the page within the 30-second status update window, you could be re-identified and your actions in incognito mode could be tied to your normal identity.
The authors of this paper recommend two possible solutions to this problem. The first is to force the site to gain the user’s permission to access their battery information. This should be implemented, but it is not a solution to the issue being discussed, as the tracking can still be carried out behind the scenes. The second proposed solution is to reduce the precision of the current status values, rendering them useless for the purpose of tracking without removing functionality.
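The second mitigation can be measured, as in this added example (not code from the paper or from this post): it counts how many visitors have a battery readout that nobody else shares, before and after the values are coarsened. The readings are constructed, the field names are those of the `BatteryManager` interface, and the step sizes are assumptions chosen for illustration.

```javascript
// Added example. Readings are constructed; the field names (charging, level,
// dischargingTime) are those of the BatteryManager interface.
const READINGS = [
  { charging: false, level: 0.43, dischargingTime: 8520 },
  { charging: false, level: 0.41, dischargingTime: 8100 },
  { charging: false, level: 0.38, dischargingTime: 7440 },
  { charging: false, level: 0.44, dischargingTime: 8700 },
  { charging: false, level: 0.87, dischargingTime: 17280 },
  { charging: false, level: 0.91, dischargingTime: 18060 },
  { charging: true, level: 0.43, dischargingTime: Infinity },
  { charging: true, level: 0.39, dischargingTime: Infinity },
];

// The value that links two visits: the exact tuple a page can read.
function readoutKey(r) {
  return `${r.charging}|${r.level}|${r.dischargingTime}`;
}

// Mitigation: report level in 1/levelSteps increments and time in coarse
// buckets (both step sizes are assumptions chosen for illustration).
function coarsen(r, levelSteps = 10, timeStepSec = 3600) {
  const t = r.dischargingTime;
  return {
    charging: r.charging,
    level: Math.round(r.level * levelSteps) / levelSteps,
    dischargingTime: Number.isFinite(t)
      ? Math.round(t / timeStepSec) * timeStepSec
      : t,
  };
}

// Group visitors by readout; a group of one is a re-identifiable visitor.
function anonymitySets(readings, transform = (r) => r) {
  const sets = new Map();
  for (const r of readings) {
    const key = readoutKey(transform(r));
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

function uniqueVisitors(readings, transform) {
  return [...anonymitySets(readings, transform).values()]
    .filter((n) => n === 1).length;
}

console.log("unique, full precision:", uniqueVisitors(READINGS));
console.log("unique, coarsened:", uniqueVisitors(READINGS, coarsen));
```

With the coarse values a site can still distinguish a nearly empty battery from a nearly full one, which is all the data-saving use case needs.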
Neither of these solutions is under the control of the user, however, and for now we simply need to wait for a patch to be released to fix this issue. Until then… wait 30 seconds between changing pages?