The battery status and longevity check built into HTML5, intended to let web providers display low-power versions of their sites to visitors without much battery left, has been hijacked by tracking APIs to keep an eye on web users. Using battery status and estimated time left as unique identifiers, they can track users through private browsing and even VPNs.
Suppose you are browsing as normal on your phone. As you move between websites, adverts and other tracking APIs can read your battery level and the estimated time remaining before a charge is required. Switching to a VPN or proxy to obscure your identity should protect you, but those sites or others could still track you based on your specific battery readings.
Although the identifiers aren’t unique, they are specific. The Guardian suggests that with around 14 million combinations for battery life and expected time remaining, it is close enough to identify most users, especially if other data like location is also known.
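The linking described above and the effect of reduced-precision readings, as an added example that is not from the original article: the visit records are constructed, `level` and `dischargingTime` are the Battery Status API's field names, and the `coarsen` mitigation is an assumption about what a privacy-preserving reading could look like.

```javascript
// Constructed sample data: device A seen on two sites (the second time behind
// a VPN), plus two unrelated devices B and C. level is 0..1, dischargingTime
// is in seconds, as reported by the Battery Status API's BatteryManager.
const visits = [
  { site: "news.example", ip: "198.51.100.7", level: 0.37, dischargingTime: 8040 },  // A
  { site: "shop.example", ip: "203.0.113.9",  level: 0.37, dischargingTime: 8040 },  // A via VPN
  { site: "shop.example", ip: "192.0.2.44",   level: 0.41, dischargingTime: 9100 },  // B
  { site: "news.example", ip: "192.0.2.80",   level: 0.82, dischargingTime: 21300 }, // C
];

// The pair of values the article says works as a short-lived identifier.
function batteryKey(reading) {
  return `${reading.level}|${reading.dischargingTime}`;
}

// Group visits that share a battery key; a group of two or more is a set of
// visits that the key cannot tell apart, whatever their IP addresses are.
function linkVisits(records) {
  const groups = new Map();
  for (const r of records) {
    const key = batteryKey(r);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r);
  }
  return [...groups.values()].filter((g) => g.length > 1);
}

// Assumed mitigation: report the level in 10% steps and withhold the time
// estimate, so many devices share each reading.
function coarsen(reading) {
  return {
    ...reading,
    level: Math.round(reading.level * 10) / 10,
    dischargingTime: Infinity,
  };
}

// Exact readings: device A's two visits match only each other, so the VPN
// hop is undone. Coarsened readings: device B lands in the same bucket, so
// the reading no longer singles out one device.
const exactLinks = linkVisits(visits);
const coarseLinks = linkVisits(visits.map((r) => coarsen(r)));
console.log("exact match groups:", exactLinks.map((g) => g.map((r) => r.ip)));
console.log("coarsened match groups:", coarseLinks.map((g) => g.map((r) => r.ip)));
```
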
Initially pointed out by security researcher Lukasz Olejnik, the issue has since been picked up by Steve Englehardt and Arvind Narayanan at Princeton University, who found two APIs running in the wild that utilise the battery indicator to identify users across different websites.
There are a few concerns that arise from this sort of tracking. For starters, it could be used to identify people who are hoping to hide who they are for some reason, allowing someone to potentially blackmail an individual based on their battery level indicators. It could also be used to sell services to people based on battery level, should research suggest that they make certain decisions as the percentage points tick down.
KitGuru Says: It’s a shame that a feature designed to help people save battery life is being coopted for privacy invasion. I wonder if spoofing battery life will be the next step in the privacy arms race?