Your Smartphone Battery Could Be Tracking You
Your smartphone's battery is probably the last thing you'd guess is threatening your privacy, but a new research paper says that's exactly the case. Websites can use battery-life data exposed by HTML5 to identify mobile devices.
The World Wide Web Consortium debuted the battery status API back in 2012 with the goal of helping websites maximize the battery life of mobile devices that visit them. The basic function allows websites to see how much battery life remains on any given device so the site can switch to a low-power mode if needed. For example, websites viewed in Chrome, Firefox, and Opera can suspend select power-sapping features if the site detects a device has limited power left.
There are a few problems with the battery status API, according to a new paper from Belgian and French security researchers. First, the W3C specification does not mandate user permission to query the device's battery life. The spec reads, in part, "[T]he information disclosed has minimal impact on privacy or fingerprinting, and therefore is exposed without permission grants."
The researchers disagree.
Websites are able to snag incredibly specific information about the devices that visit them. Recorded data includes the estimated time it will take the battery to discharge (specific to the second) and the remaining battery life as a percentage.
Combined, these numbers can form a potential identifier for devices.
This data is updated once every 30 seconds. The specificity of the data and the frequency with which it is collected lead to a significant chance of identifying users.
"In short time intervals, [the] battery status API can be used [to track] identifiers of users," explained the researchers. "Users who try to revisit a web site with a new identity may use browsers' private mode or clear cookies and other client side identifiers. When consecutive visits are made within a short interval, the web site can link users' new and old identities by exploiting battery level and charge/discharge times. The web site can then reinstantiate users' cookies and other client side identifiers, a method known as respawning."
Think your corporate VPN will protect you? It won't, the researchers warn.
"In a corporate setting, where devices share similar characteristics and IP addresses, the battery information can be used to distinguish devices behind a [firewall]," according to the paper.
Devices that visit websites often give them enough data to attach a semi-permanent identifier to the smartphone. That's disconcerting to ponder.
The battery status API's privacy issues have been documented since 2012, but the API has yet to be revised. The researchers suggest it can be fixed by making the battery readings less precise. Rounding the values downward won't affect functionality and will protect users from being identified.
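To see why rounding helps, here is an added example (not code from the researchers' paper or the W3C spec) that groups constructed battery readings by the value a site would receive, before and after rounding down. The device readings, the 10% and one-hour step sizes, and all function names are assumptions made for illustration.

```javascript
// Constructed sample: one reading each from four devices behind the same
// IP address, as a page would see them. level is 0..1; dischargingTime is
// in seconds, or Infinity while the device is charging.
const readings = [
  { device: "A", level: 0.43, dischargingTime: 8940 },
  { device: "B", level: 0.47, dischargingTime: 9215 },
  { device: "C", level: 0.41, dischargingTime: 8761 },
  { device: "D", level: 0.48, dischargingTime: Infinity },
];

// The precise pair of values, which is specific enough to act as an identifier.
function preciseKey(r) {
  return `${r.level}|${r.dischargingTime}`;
}

// Hypothetical coarsening policy (step sizes are assumptions): round the
// level down to a 10% step and the discharge time down to a whole hour.
function coarsen(r, stepPercent = 10, stepSeconds = 3600) {
  const percent = Math.round(r.level * 100); // integer math avoids float drift
  return {
    level: (Math.floor(percent / stepPercent) * stepPercent) / 100,
    dischargingTime: Number.isFinite(r.dischargingTime)
      ? Math.floor(r.dischargingTime / stepSeconds) * stepSeconds
      : Infinity,
  };
}

function coarseKey(r) {
  return preciseKey(coarsen(r));
}

// Group devices by the value a site would see; a group of one is a unique device.
function groupByKey(sample, keyFn) {
  const groups = new Map();
  for (const r of sample) {
    const k = keyFn(r);
    groups.set(k, [...(groups.get(k) || []), r.device]);
  }
  return groups;
}

// The API's intended use still works on coarse values: when the threshold is
// a multiple of the step, rounding down never changes a "level < threshold" check.
function lowPowerMode(r, threshold = 0.2) {
  return r.level < threshold;
}

console.log("precise:", groupByKey(readings, preciseKey));
console.log("coarse: ", groupByKey(readings, coarseKey));
```

With precise values every device in the sample is unique; after rounding, the three discharging devices share one value and can no longer be told apart by battery state alone.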