As if we needed another vector for our online privacy to be invaded, it appears that site operators may have another tool at their disposal when it comes to tracking visitors. Security researchers from Princeton University have identified two scripts that are actively tracking users across the web using an HTML5 API.
The Battery Status API is part of the HTML5 standard, and can be found in modern browsers like Google Chrome, Opera, and Mozilla Firefox. Using the API, a website can determine if a mobile device’s battery is close to full capacity, near depletion, or anywhere in between.
The World Wide Web Consortium (W3C) describes the API, writing in its official documentation, “Given knowledge of the battery status, web developers are able to craft web content and applications which are power-efficient, thereby leading to improved user experience… The Battery Status API can be used to defer or scale back work when the device is not charging in or is low on battery.”
However, site operators can also use this same information to accurately “fingerprint” a device, linking it to a particular user. According to the Princeton researchers [PDF], site operators don’t need permission to access the Battery Status API, and third-party scripts and ad networks can also be privy to the information.
By tying together battery level, dischargingTime and chargingTime, an accurate fingerprint can be identified and tracked with relative ease (a modified version of Firefox was used to carry out testing).
“A third-party script that is present across multiple websites can link users’ visits in a short time interval by exploiting the battery information provided to Web scripts,” write the researchers involved in the study. “This could enable the third-party script to link these concurrent visits. Moreover, in case the user leaves these sites but then, shortly afterwards, visits another site with the same third-party script, the readings would likely be utilized to help in linking the current visit with the preceding ones.”
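To make the linking concrete, here is an added JavaScript illustration (not code from the Princeton paper or from any browser) of how the three Battery Status readings act as a cross-site linking key, and how coarsening them widens the set of devices sharing each key. The readings are constructed sample data, and the 1% / 15-minute coarsening is an assumed policy, not any vendor's exact fix.

```javascript
// A cross-site script's linking key: the three raw readings joined together.
function rawKey(r) {
  return `${r.level}|${r.chargingTime}|${r.dischargingTime}`;
}

// Defensive coarsening (an assumed policy, not any vendor's exact fix): level in 1% steps,
// charging/discharging times in 15-minute buckets; Infinity ("not applicable") passes through.
function coarsen(r) {
  const bucket = (t) => (Number.isFinite(t) ? Math.round(t / 900) * 900 : t);
  return {
    device: r.device,
    level: Math.round(r.level * 100) / 100,
    chargingTime: bucket(r.chargingTime),
    dischargingTime: bucket(r.dischargingTime),
  };
}

function coarsenedKey(r) {
  return rawKey(coarsen(r));
}

// Map each key to the set of devices that produced it (the key's anonymity set).
function anonymitySets(readings, keyFn) {
  const sets = new Map();
  for (const r of readings) {
    const k = keyFn(r);
    if (!sets.has(k)) sets.set(k, new Set());
    sets.get(k).add(r.device);
  }
  return sets;
}

// Number of devices whose key is shared with no other device, i.e. singled out by the key.
function uniquelyIdentified(readings, keyFn) {
  const singled = new Set();
  for (const devices of anonymitySets(readings, keyFn).values()) {
    if (devices.size === 1) singled.add([...devices][0]);
  }
  return singled.size;
}

// Constructed readings: device A seen by the same script on two sites seconds apart,
// device B with a nearly identical battery state, device C on a charger.
const SAMPLE = [
  { device: 'A', level: 0.5754320987654321, chargingTime: Infinity, dischargingTime: 11143 },
  { device: 'A', level: 0.5754320987654321, chargingTime: Infinity, dischargingTime: 11143 },
  { device: 'B', level: 0.5761, chargingTime: Infinity, dischargingTime: 10822 },
  { device: 'C', level: 0.9134, chargingTime: 1500, dischargingTime: Infinity },
];
```

With the raw readings every device gets its own key, so device A's two visits are linked and distinguished from B; after coarsening, A and B fall into the same bucket and only C remains singled out.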
That’s some pretty sneaky stuff, and the W3C has acknowledged the work of the researchers and the viability of the exploit. And Mozilla has already issued a fix to help stamp out prying eyes from using your battery status to track you across the web. Now if we can just get some swift action from Google and Opera…