Your battery life is betraying your identity all across the internet, potentially allowing companies to take advantage of you—even if you’ve tried to protect your privacy.
That’s the conclusion of new research from Princeton University, which found instances of tracking scripts using the HTML5 Battery Status API to identify users across multiple online locations.
The Battery Status API is a standard used by modern web browsers on mobile devices and laptops alike. It tells websites how much battery life your device has left. On the surface, this benefits users by allowing sites to serve versions that use less power, thus preserving battery life.
As a group of researchers discovered in 2015, however, the data conveyed by the Battery Status API—battery life as a percentage and the amount of time it would take to drain or charge a device’s specific battery—creates a “fingerprintable surface” that can be used to single out users and track them online.
By combining battery life percentage and battery capacity data, the Battery Status API effectively creates this nearly unique identifier because, as researchers found, this combination only repeats itself about one out of every 14 million instances. The uniqueness of this “fingerprint” is particularly pronounced in older devices with degraded batteries, according to the 2015 research.
The existence of this battery life fingerprint means websites can track you not only across the web but also across different web browsers—yes, even in incognito mode.
Building upon the 2015 findings, Princeton researchers Steve Engelhard and Arvind Narayanan created a privacy-tracking tool called OpenWPM, which led them to discover the existence of two tracking scripts—or automated programs—that use the Battery Status API data to track devices.
“Battery Status API is currently provided with no permissions, so any script and website can assess this information,” Lukasz Olejnik, a security and privacy consultant and University College London researcher and one of the four original researchers behind the 2015 study, told the Daily Dot in an email.
Tracking is possible even when users take steps to protect their privacy. Engelhard and Narayanan found that “existing privacy tools are not effective at detecting these newer and more obscure fingerprinting techniques.” That means privacy tools like Ghostery or uBlock Origin or even a virtual private network (VPN) do not currently stop websites from tracking you through your battery life ID, though the risk is not the same for all users.
As Olejnik points out in a recent blog post on the subject, it’s not simply your privacy that’s at stake. In May, an Uber executive revealed that the company’s app knows when your phone is nearly dead—the exact point when you might be willing to pay more for a ride.
H/T Guardian