First introduced in August 2012, Battery Status API is an HTML5 specification that provides information about a devices’ battery charge level; it’s used in Firefox, Opera, and Chrome. Security researchers have warned that the information can be used to track mobile browsers online, adding to the long list of sophisticated fingerprinting techniques that can be exploited by companies.
Battery API readouts provide the current charge level of the battery (formatted 0.00−1.0 for empty and full, respectively), the time to a full discharge of the battery (in seconds), and the time needed to fully recharge the battery if connected to a charger (in seconds). While designed to allow website owners to serve low-power versions of sites and web apps to mobile users with low remaining battery capacity, researchers at the University of Princeton have found that the seemingly innocuous web standard could also be used for spying. At any one time, the combination of battery level as a percentage and battery life in seconds offers 14 million possible digit-combinations. By identifying information from standard web identifiers such as cookies, a script operator could then reasonably draw a unique identifier for a device, even if operating within a private browser.
Take, for example, a web script like HTML that continuously monitors the status of identifiers and the information obtained from Battery API. At some point, it is safe to assume that a user will clear all identifying cookies. When the user goes on a different site, the monitoring web script suddenly sees a new user with no cookie, so it establishes a new one. However, the pseudo-unique battery level analysis could provide clues indicating that this new user is, in fact, not a new user but the previously known one. The script operator could then reasonably conclude that this is a single user and resume tracking, a tactic known as respawning.
During a 1 million site measurement and analysis, Princeton security researchers used OpenWPM, an automated version of a full-fledged consumer browser, to observe two tracking scripts that used the API to fingerprint a specific device. The test allowed them to continuously identify the device across multiple contexts as in the example above.
So what does this mean for users? “Some companies may be analyzing the possibility of monetizing the access to battery levels. When battery is running low, people might be prone to some – otherwise different – decisions. In such circumstances, users will agree to pay more for a service,” Lukasz Olejnik, a privacy expert said in a blog post . For example, a potential customer with a low battery might be more inclined to accept a higher surge price for an Uber ride, exploiting the psychological tendency of this human behavior. Giving companies the tools to analyze how frequently a user’s device is under heavy use could also ultimately lead to noncompliant behavior analysis.
Sources: The Guardian 1 , The Guardian 2 , Lukasz
Learn more about Electronic Products Digital