A new report has found that third-party websites are tracking users online by using the Battery Status API on their devices to find out which websites they have visited.
According to security researchers at Princeton University who examined one million websites, some of them used the HTML5 Battery Status API to track users online.
Battery Status API
The Battery Status API allows site owners to request the battery level of the device or the charging status. This was flagged as a potential privacy risk in the past.
This feature initially let developers offer a scaled-down version of their websites for devices with a low battery.
This little-known feature of the HTML5 specification means that websites can use battery power information to track browsers online.
The Battery Status API was introduced by the World Wide Web Consortium (W3C) and is supported by the Opera, Firefox and Chrome browsers.
Battery life information offers 14 million possible combinations, which is enough to identify individual users.
Why this is dangerous
Princeton researchers Steven Englehardt and Arvind Narayanan found that battery level information, together with browser extensions and IP addresses, is being used by websites to track users, which is a worrying finding for users.
A 2015 study found that, “the capacity of the battery, as well as its level, expose a fingerprintable surface that can be used to track web users in short time intervals.”
The API also did not require permission to read battery information, and it did not inform users that battery data was being collected.
Steven Englehardt and Arvind Narayanan found two scripts that use the Battery API to track users while they are online. They are also developing a privacy measurement tool, OpenWPM, which runs on Firefox, to find out how users are tracked online. The AudioContext API is also being used to extract audio signals that fingerprint users.
They found that some of the top one million sites on the web are using the Battery Status API, even though users are unaware of it.
This lets users whose battery is low receive a ‘low-power’ version of the site or app. At the same time, the site takes the device’s battery level and the time until it will run out of battery.
The study found that websites could access the local IP address of users, which means the collected data can be examined to find out which websites the user has visited.
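An added example, not code from the article or from the Princeton study, showing in plain JavaScript how the level and discharge-time readout described above becomes a short-lived identifier, and how coarsening the values, the kind of mitigation browser vendors have considered, collapses many devices onto the same key. The rounding steps and the sample readings are constructed for illustration.

```javascript
// Tracker-side view: one BatteryManager-like reading (as returned by
// navigator.getBattery()) turned into a key. When `level` is exposed with full
// double precision (charge / capacity) and dischargingTime in seconds, two
// devices rarely collide on this key within a short time window.
function batteryKey(reading) {
  return `${reading.level}|${reading.dischargingTime}`;
}

// Defender-side coarsening: round level to 1% steps and dischargingTime to
// whole minutes so that many devices share each key. The exact rounding here
// is an assumption for this example, not the behaviour specified by the W3C.
function coarsenReading(reading) {
  const level = Math.round(reading.level * 100) / 100;
  const dischargingTime = Number.isFinite(reading.dischargingTime)
    ? Math.round(reading.dischargingTime / 60) * 60
    : Infinity; // a charging device reports Infinity; leave it alone
  return { ...reading, level, dischargingTime };
}

// Number of distinct identifiers a set of readings yields under a key function.
function distinctKeys(readings, keyFn) {
  return new Set(readings.map(keyFn)).size;
}

// Constructed sample: six devices with near-identical batteries. Raw readouts
// differ only in the far decimal places; coarsened readouts collapse to two keys.
const SAMPLE_READINGS = [
  { level: 0.4366666666666667, charging: false, chargingTime: Infinity, dischargingTime: 18245 },
  { level: 0.4367816091954023, charging: false, chargingTime: Infinity, dischargingTime: 18251 },
  { level: 0.4368131868131868, charging: false, chargingTime: Infinity, dischargingTime: 18260 },
  { level: 0.44,               charging: false, chargingTime: Infinity, dischargingTime: 18300 },
  { level: 0.4411764705882353, charging: false, chargingTime: Infinity, dischargingTime: 18310 },
  { level: 0.4413793103448276, charging: false, chargingTime: Infinity, dischargingTime: 18317 },
];

console.log('raw keys:      ', distinctKeys(SAMPLE_READINGS, batteryKey));                      // 6
console.log('coarsened keys:', distinctKeys(SAMPLE_READINGS, r => batteryKey(coarsenReading(r)))); // 2
```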
Third Party Online Tracking
Princeton University found that, “As users browse and interact with websites, they are observed by both ‘first parties,’ which are the sites the user visits directly, and ‘third parties’ which are typically hidden trackers such as ad networks embedded on most web pages.”
The study goes on to state that, “Third parties can obtain users’ browsing histories through a combination of cookies and other tracking technologies that allow them to uniquely identify users, and the ‘referer’ header that tells the third party which first-party site the user is currently visiting.”
“Other sensitive information such as email addresses may also be leaked to third parties via the referer header.”
Previous Study 2015
Lukasz Olejnik, one of four INRIA researchers who found potential risks with the Battery Status API, warned that, “Some companies may be analysing the possibility of monetising the access to battery level,” and that, “When battery is running low, people might be prone to some - otherwise different - decisions. In such circumstances, users will agree to pay more for the service.”
For example, Uber stated that a passenger whose phone was about to die was willing to pay up to 9.9 times the normal fare, although Uber denied that it had used low battery readings in this way.
What happens next
The Princeton study has put pressure on the Battery Status API standard’s privacy and security provisions, and on browser implementations, to be updated in light of the study so that the API does not reveal battery status information.
Olejnik said, “As a response, some browser vendors are considering restricting or removing access to battery readout mechanisms.”
- Websites are tracking users online by using the Battery Status API on their devices to find out which websites they have visited.
- Research from Princeton University found that some sites used the HTML5 Battery Status API to track users online.
- Sites gain access to when you’re running low on battery and to the local IP address, revealing which sites the user has been visiting.
- Lukasz Olejnik, who conducted previous research in 2015, said, “Some companies may be analysing the possibility of monetising the access to battery level.”
- Since users are unaware of this leak of information, it has raised concerns over security and safety.