Your Smartphone Battery Could Fingerprint Your Online Identity, Compromise Privacy

As if we needed another vector for our online privacy to be invaded, it appears that site operators may have another tool at their disposal when it comes to tracking visitors. Security researchers from Princeton University have identified two scripts that are actively tracking users across the web using an HTML5 API.

The Battery Status API is part of the HTML5 standard, and can be found in modern browsers like Google Chrome, Opera, and Mozilla Firefox. Using the API, a website can determine if a mobile device’s battery is close to full capacity, near depletion, or anywhere in between.

The World Wide Web Consortium (W3C) describes the API, writing in its official documentation, “Given knowledge of the battery status, web developers are able to craft web content and applications which are power-efficient, thereby leading to improved user experience… The Battery Status API can be used to defer or scale back work when the device is not charging in or is low on battery.”


However, site operators can also use this same information to accurately “fingerprint” a device, linking it to a particular user. According to the Princeton researchers [PDF], site operators don’t need permission to access the Battery Status API, and third-party scripts and ad networks can also be privy to the information.

By tying together battery level, dischargingTime and chargingTime, an accurate fingerprint can be identified and tracked with relative ease (a modified version of Firefox was used to carry out testing).

“A third-party script that is present across multiple websites can link users’ visits in a short time interval by exploiting the battery information provided to Web scripts,” write the researchers involved in the study. “This could enable the third-party script to link these concurrent visits. Moreover, in case the user leaves these sites but then, shortly afterwards, visits another site with the same third-party script, the readings would likely be utilized to help in linking the current visit with the preceding ones.”
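To see from the defender's side why these three values matter, the added example below (not code from the article or the researchers) counts how many candidate visits on a second site share a visitor's exact reading, then repeats the count after coarsening. The site names, users and readings are constructed, and `coarsen` is an assumed mitigation for illustration, not the fix Mozilla shipped.

```javascript
// Constructed sample data: what a script embedded on two sites would read
// from BatteryManager for three discharging devices within a short interval.
// chargingTime is Infinity while a device is discharging.
const visits = [
  { site: "news.example", user: "A", level: 0.43, chargingTime: Infinity, dischargingTime: 8940 },
  { site: "shop.example", user: "A", level: 0.43, chargingTime: Infinity, dischargingTime: 8940 },
  { site: "news.example", user: "B", level: 0.44, chargingTime: Infinity, dischargingTime: 9120 },
  { site: "shop.example", user: "B", level: 0.44, chargingTime: Infinity, dischargingTime: 9120 },
  { site: "news.example", user: "C", level: 0.41, chargingTime: Infinity, dischargingTime: 8460 },
  { site: "shop.example", user: "C", level: 0.41, chargingTime: Infinity, dischargingTime: 8460 },
];

// Key a reading by the three values the article names.
function readingKey(r) {
  return [r.level, r.chargingTime, r.dischargingTime].join("|");
}

// Hypothetical mitigation (an assumption, not taken from the page):
// report the level in steps of 0.1 and withhold both time estimates.
function coarsen(r) {
  return {
    ...r,
    level: Math.round(r.level * 10) / 10,
    chargingTime: Infinity,
    dischargingTime: Infinity,
  };
}

// For every visit on siteA, count the siteB visits with an identical key.
// 1 = the visit is unambiguously linkable; higher = it hides among others.
function candidateCounts(all, transform = (r) => r, siteA = "news.example", siteB = "shop.example") {
  const keysB = all.filter((v) => v.site === siteB).map((v) => readingKey(transform(v)));
  const counts = {};
  for (const v of all.filter((x) => x.site === siteA)) {
    const key = readingKey(transform(v));
    counts[v.user] = keysB.filter((k) => k === key).length;
  }
  return counts;
}

console.log("exact readings:    ", candidateCounts(visits));
console.log("coarsened readings:", candidateCounts(visits, coarsen));
```

With exact readings every visitor has a single candidate on the other site; after coarsening, all three share one key and can no longer be told apart by battery state alone.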

That’s some pretty sneaky stuff, and the W3C has acknowledged the work of the researchers and the viability of the exploit. Mozilla has already issued a fix to help keep prying eyes from using your battery status to track you across the web. Now if we can just get some swift action from Google and Opera…

Brandon Hill


Brandon received his first PC, an IBM Aptiva 310, in 1994 and hasn’t looked back since. He cut his teeth on computer building/repair working at a mom and pop computer shop as a plucky teen in the mid 90s and went on to join AnandTech as the Senior News Editor in 1999. Brandon would later help to form DailyTech where he served as Editor-in-Chief from 2008 until 2014. Brandon is a tech geek at heart, and family members always know where to turn when they need free tech support. When he isn’t writing about the tech hardware or studying up on the latest in mobile gadgets, you’ll find him browsing forums that cater to his long-running passion: automobiles.

Opinions and content posted by HotHardware contributors are their own.