A new study by conducted by European privacy and security experts has shown that a little known feature of the HTML5 specification, called the battery status API (application programming interface), can be used to track the web browsing habits of people. The battery status API is currently supported in the Chrome, Opera and Firefox web browsers and was originally developed to help websites conserve users’ energy. However, there are “side effects” of the API. The study is published in a paper entitled, “The Leaking Battery: A Privacy Analysis of The HTML5 Battery Status API,” and was reported by The Guardian earlier this week.
The highly technical study concludes “that websites can discover the capacity of users’ batteries by exploiting the high precision readouts provided by Firefox on Linux. The capacity of the battery, as well as its level, expose a fingerprintable surface that can be used to track web users in short time intervals. [Their] analysis shows that the risk is much higher for old or used batteries with reduced capacities, as the battery capacity may potentially serve as a tracking identifier.”
Basically, the API can determine the remaining capacity of a website user’s battery, in addition to its current charge level and the amount of time it will take to run out of juice. When these values are combined, a unique identifier is created which can be used to track a user’s browsing activity.
The researchers point out another worrying fact regarding battery status API. As it stands now, websites do not need to ask users’ permission to discover their battery life as “the information disclosed has minimal impact on privacy or fingerprinting, and therefore is exposed without permission grants.” The researchers state this “allows website and third-party scripts to access the battery information transparently - without users’ awareness.”
In addition to the findings reached in the study, the authors propose a solution to the problem. They suggest that the readings gathered by the battery status API be rounded rather than be exact values. This would apparently not interfere with the API’s functionality, but would eliminate the problem of website tracking. The authors additionally propose that permission to use the API should be sought from users, rather than making it automatic. This would increase transparency surrounding these developing technologies.