By the end of 2015 the Battery Status API, part of the HTML5 generation of web standards, had shipped in Firefox, Opera and Chrome. Security researchers were concerned about the privacy invasion the API could enable, but their warning did not raise many eyebrows. A year later, though, an in-depth analysis has shown the battery API can do just that: aggressively track users.
The API was released with the aim of letting websites know when to display a ‘low-power-mode’ version of the site or web app and disable the features that drain the most battery. The World Wide Web Consortium (W3C), the organization that oversees the development of the web’s standards, first published the API in 2012, but it wasn’t finalized until 2015.
When the W3C first introduced the specification, there were immediate concerns about its privacy implications. Since it would allow sites to read visitors’ battery data without the user’s explicit permission, Lukasz Olejnik published a paper on how much of an invasion this could be.
The W3C responded by saying “the information disclosed has minimal impact on privacy or fingerprinting, and therefore is exposed without permission grants.” But the recent 1-million-site analysis of the API has now shown otherwise.
The values the API exposes (the charge level together with the estimated time to full charge or to discharge) can take roughly 14 million distinct combinations when the browser reports the level at high precision, which hands any site running battery-reading code a “pseudo-unique identifier” for each device.
The Guardian gives a great example of how this could work:
“Suppose a user loaded their church website in their version of Firefox, and then opened up the website for a satanic cult using a Chrome browser in private browsing mode piped through a secure VPN. Ordinarily, the two connections should be very difficult to associate with one another, but an advert that was loaded on both pages at once would be able to tell that the two devices were almost certainly the same, with the certainty increasing the longer they stayed connected.”
And the 1-million site analysis done by Princeton’s Steven Englehardt and Arvind Narayanan has shown that the API does, in fact, grant sites the ability to do what The Guardian suggests.
The two researchers ran a specially modified browser to find sites using the invasive API; specifically, they “found two tracking scripts that used the API to ‘fingerprint’ a specific device, allowing them to continuously identify it across multiple contexts.”
Examining the scripts that read battery levels, they found them to be highly invasive and able to fingerprint devices far more easily than many had assumed.
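To make the mechanism concrete, here is an added example (not code from the article, The Guardian, or the Princeton study) of how a tracking script could turn Battery Status API readings into a short-lived device key, link the two page loads in The Guardian’s scenario, and why the large number of possible value combinations matters. In a browser the readings come from navigator.getBattery(), which resolves to a BatteryManager exposing level, charging, chargingTime and dischargingTime; since this runs under Node, the readings below are constructed sample data standing in for what two page loads on the same laptop would observe a few seconds apart. The site names, timestamps and the coarsen() mitigation are assumptions for illustration, not anything the article or any browser implements.

```javascript
// Added example, not from the article or the Princeton study.
// Constructed sample readings (assumed values). A real script would use
// navigator.getBattery().then(b => ({level: b.level, charging: b.charging,
// chargingTime: b.chargingTime, dischargingTime: b.dischargingTime})).
// The API only updates these values when the battery state changes, so two
// loads a few seconds apart on the same machine usually see identical values.
const SAME_DEVICE_FIREFOX = { level: 0.6123456789, charging: false, chargingTime: Infinity, dischargingTime: 8163 };
const SAME_DEVICE_CHROME_PRIVATE = { level: 0.6123456789, charging: false, chargingTime: Infinity, dischargingTime: 8163 };
const OTHER_DEVICE = { level: 0.61, charging: false, chargingTime: Infinity, dischargingTime: 8160 };

// Hypothetical observations: which site saw which reading, and when (seconds).
const OBSERVATIONS = [
  { context: 'church.example (Firefox)', t: 0, reading: SAME_DEVICE_FIREFOX },
  { context: 'cult.example (Chrome private, VPN)', t: 5, reading: SAME_DEVICE_CHROME_PRIVATE },
  { context: 'news.example (other laptop)', t: 7, reading: OTHER_DEVICE },
];

// The "pseudo-unique identifier": a string built from the raw readings.
// With a high-precision level plus the two time estimates, the number of
// possible keys is in the millions, so a collision between different
// devices observed at the same moment is unlikely.
function batteryKey(reading) {
  const fmt = (v) => (Number.isFinite(v) ? String(v) : 'inf');
  return [
    String(reading.level),
    reading.charging ? 'c' : 'd',
    fmt(reading.chargingTime),
    fmt(reading.dischargingTime),
  ].join('|');
}

// Link page loads from different contexts (browser, private mode, VPN) that
// produced the same key within a short window. The key drifts as the battery
// drains, so the tracker only gets to link loads that happen close together.
function linkContexts(observations, windowSeconds = 30) {
  const byKey = new Map();
  for (const obs of observations) {
    const key = batteryKey(obs.reading);
    if (!byKey.has(key)) byKey.set(key, []);
    byKey.get(key).push(obs);
  }
  const links = [];
  for (const group of byKey.values()) {
    for (let i = 0; i < group.length; i++) {
      for (let j = i + 1; j < group.length; j++) {
        const a = group[i];
        const b = group[j];
        if (a.context !== b.context && Math.abs(a.t - b.t) <= windowSeconds) {
          links.push([a.context, b.context]);
        }
      }
    }
  }
  return links;
}

// A mitigation a browser could apply (assumed here, not a standard): round
// the level to two decimals and the time estimates to whole minutes. This
// collapses the key space so that unrelated devices collide and the key
// stops being a usable identifier.
function coarsen(reading) {
  const toMinutes = (v) => (Number.isFinite(v) ? Math.round(v / 60) * 60 : Infinity);
  return {
    level: Math.round(reading.level * 100) / 100,
    charging: reading.charging,
    chargingTime: toMinutes(reading.chargingTime),
    dischargingTime: toMinutes(reading.dischargingTime),
  };
}

function coarsenAll(observations) {
  return observations.map((o) => ({ ...o, reading: coarsen(o.reading) }));
}

// Stand-alone run: raw readings link exactly the two loads from the same
// laptop; coarsened readings make all three loads indistinguishable.
console.log('raw links:', linkContexts(OBSERVATIONS));
console.log('coarsened links:', linkContexts(coarsenAll(OBSERVATIONS)));
```

The point of the coarsened run is not that collisions are harmless, but that once every device on the page reports one of a few hundred possible keys, the key no longer separates one visitor from another, which is what the W3C’s “minimal impact on fingerprinting” assessment implicitly assumed.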
“We present the largest and most detailed measurement of online tracking conducted to date, based on a crawl of the top 1 million websites. We make 15 types of measurements on each site, including stateful (cookie-based) and stateless (fingerprinting-based) tracking, the effect of browser privacy tools, and the exchange of tracking data between different sites (“cookie syncing”). Our findings include multiple sophisticated fingerprinting techniques never before measured in the wild.”
What does this mean for us, the end users? The answer is not yet known, but something will have to change. Hopefully this research will lead to browsers letting users disable the battery API, or to the API reporting values too coarse to identify a device; until then, the only defense is to block the tracking scripts themselves.