Your privacy is at risk thanks to a little-known and poorly understood web standard that lets website operators see how much battery life your mobile device has left. It also allows them to track you online, as privacy researchers warned a year ago.
The Battery Status API was introduced in HTML5 and had been in use in Firefox, Opera and Chrome since August 2015. It allows site owners to track the percentage of battery life left in a device, as well as the time it will take to discharge or recharge.
It was originally intended to let site owners serve low-power versions of websites and apps to users with little battery capacity left. But soon after its introduction, privacy researchers made it clear that it could potentially be used to spy on website visitors and users. The combination of battery life as a percentage and battery life in seconds offers 14 million combinations, which can be used as an identifier for each device.
For example, a user loads the website of, let's say, a state organization in Firefox, and then opens the website of an anti-state organization in Chrome, in private browsing mode and over a secure VPN. In theory, the two connections should be very difficult to link to each other. But an advertisement that loads on both pages at once would be able to give the device owner away, with the certainty of this increasing the longer they stay connected.
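The following added example (not from the original article or the researchers' work) measures how many devices in a small constructed sample are uniquely identifiable from the percentage and seconds values described above, and how that changes under a hypothetical mitigation that reports the level in coarse steps and withholds the time estimate. The sample readouts, the function names and the 10-step rounding are assumptions made for illustration.

```javascript
// Constructed sample readouts (not real device data): level is 0..1,
// dischargingTime is in seconds, as the Battery Status API reports them.
const sampleReadouts = [
  { device: "A", level: 0.43, dischargingTime: 8940 },
  { device: "B", level: 0.43, dischargingTime: 12720 },
  { device: "C", level: 0.87, dischargingTime: 20100 },
  { device: "D", level: 0.41, dischargingTime: 9300 },
  { device: "E", level: 0.88, dischargingTime: 19800 },
];

// What a page sees when both values are exposed at full precision.
function rawView(r) {
  return `${r.level}|${r.dischargingTime}`;
}

// Hypothetical mitigation (an assumption, not a browser's actual behaviour):
// round the level down to one of `steps` buckets and hide the time estimate.
function coarseView(r, steps = 10) {
  const level = Math.floor(r.level * steps) / steps;
  return `${level}|Infinity`;
}

// Group devices by the value a page would observe (their anonymity set).
function anonymitySets(readouts, view) {
  const sets = new Map();
  for (const r of readouts) {
    const key = view(r);
    if (!sets.has(key)) sets.set(key, []);
    sets.get(key).push(r.device);
  }
  return sets;
}

// A device alone in its set can be singled out by its battery state.
function uniquelyIdentifiable(readouts, view) {
  let count = 0;
  for (const devices of anonymitySets(readouts, view).values()) {
    if (devices.length === 1) count += 1;
  }
  return count;
}

console.log("unique with raw values:   ", uniquelyIdentifiable(sampleReadouts, rawView));
console.log("unique with coarse values:", uniquelyIdentifiable(sampleReadouts, coarseView));
```

Devices A and B share the same percentage, yet the seconds value still separates them; it is the combination of the two fields that makes each readout distinctive.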
Two security researchers from Princeton University, Steve Englehardt and Arvind Narayanan, have proved this: by running a specially modified browser, they discovered two tracking scripts that used the API to "fingerprint" a specific device and continuously identify it across multiple contexts.
This research was highlighted by Lukasz Olejnik, one of the four researchers who drew attention to the potential misuse of the web standard. Although Olejnik's warning got some recognition when the body in charge of the web's standards thanked his group for the privacy analysis, the API is still vulnerable to multiple privacy issues. And while it is only tracking scripts for now, Olejnik warns that malicious actors could do a lot worse.