How your battery can be used to track your online activity

As part of HTML5, it is possible for sites to see the life remaining in the battery you are using to browse the internet. This feature exists so that it is possible to reduce the amount of data being sent and received by your device in order to preserve battery life. W3C have said that in their specification that the API “has minimal impact on privacy or fingerprinting” and because of this they allow sites to request the information without requiring permission to do so. However a paper published in the International Association for Cryptologic Research (IACR) explains how this API can be used to track users across the internet even when they are using tools such as a VPN.

The battery status API gives sites access to the current status of the battery and also charging and discharging time. Battery life is measured between 1 (full) and 0 (empty) and returns a value as a double-precision floating-point number, which means the value is incredibly precise (N.B. there is a difference between precision and accuracy), though the paper explains that this isn’t necessarily the case for all browsers & operating systems. This value can be monitored using JavaScript event handlers to frequently report back the life of the battery which updates every 30 seconds. It is because of this update period that the battery status can act as a (likely unique) identifier of the device allowing scripts to link visits to different sites from the same device even when employing the use of a VPN.

HTML 5 logo

Source: etrainingpedia

Though this appears to be quite a limited way to track a user as it is restricted to a 30 second window, it’s actually a bit more serious than that. Once a user has been re-identified, the website can “respawn” the cookies for that identity. So let’s say you visit a site in normal browsing mode, then decide you want to do something on that site in incognito mode, if you load the page within the 30 second status update window you could be re-identified and your actions in incognito mode could be tied to your normal identity.

The authors of this paper recommend two possible solutions to this problem, one of which is to force the site to gain the user’s permission to access their battery information. This should be implemented but it is not a solution to the issue being discussed as the tracking can still be carried out behind the scenes. The second proposed solution is to reduce the precision of the current status value rendering them useless for the purpose of tracking without removing functionality.

Neither of these solutions are under the control of the user however and we simply now just need to wait for a patch to be released to fix this issue. Until then…wait 30 seconds between changing pages?

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s