Slashdot Mirror

← Back to Stories (view on slashdot.org)

Privacy Alert: Your Laptop Or Phone Battery Could Track You Online

Posted by samzenpus on from the all-the-better-to-follow-you-with dept.

Mark Wilson writes: Is the battery in your smartphone being used to track your online activities? It might seem unlikely, but it's not quite as farfetched as you might first think. This is not a case of malware or hacking, but a built-in component of the HTML5 specification. Originally designed to help reduce power consumption, the Battery Status API makes it possible for websites and apps to monitor the battery level of laptops, tablets, and phones. A paper published by a team of security researchers suggests that this represents a huge privacy risk. Using little more than the amount of power remaining in your battery, it is possible for people to be identified and tracked online. As reported by The Guardian, a paper entitled The Leaking Battery by Belgian and French privacy and security experts say that the API can be used in device fingerprinting.

4 of 95 comments (clear)

  1. Re:Facepalm. by dunkindave · · Score: 2, Insightful

    Sounds like the ideal sort of thing to be able to disable (or provide a random response to) in the browser.

    Everything your browser does that is different than other browsers can be used to fingerprint you, so sending a random response would be an identifiable trait to narrow the group they think you are in. Better to send nothing, assuming most people's browsers don't send anything, or whatever the response a desktop sends when asked for its battery level.

  2. No, we need to ditch this web idiocy completely. by Anonymous Coward · · Score: 5, Insightful

    We shouldn't resort to hacks like that.

    Seriously, get rid of this shitty functionality. It does not belong in a web browser.

    After getting rid of this battery shit, get rid of the goddamn video and audio capabilities that have been added recently. If a website wants me to watch some audio or video, it can serve up a file that VLC or some other external player can play, after I've been promoted to allow this to happen.

    Since they audio and video shit would be gone, the motherfucking DRM that has been added lately can be totally removed, too.

    Get rid of JavaScript, too. It's a total piece of shit, and it hasn't gotten any better after 20 frigging years! If a browser needs to be scriptable, at least use a real language, like Lua or Python.

    We shouldn't hack around this idiotic functionality that's been added to web browsers lately. We should remove it completely.

  3. Re:We need an OS fix by Ghostworks · · Score: 5, Insightful

    I'm going to propose a more radical fix: we need to stop letting the DOM have reliable access to so damn much information.

    When we started the move away from webpages and toward web applications, we let the DOM have access to pretty much everything, because applications are big and general and data-hungry: The DOM captures keystrokes so each website can have it's own controls and hotkeys (and which unintentionally lets a user be identified by keystroke dynamics). The DOM has access to blocks of offline memory so that applications can be stable offline or when infrequently connected (and which is another vector for super-cookie tracking). It has access to viewports and peripherals for responsive layouts (which is more data for a browser signature that can easily allow user activity to be correlated). CSS needs read access to layout colors if it's going to be changing them dynamically (which means that those colored as recently-visited by the browser are know, which allows for history-based signatures).

    Hell, we still have to live with all the ancient tracking methods and features like HTTP referer [sic], cookies, and user agent strings. And even though the World Wide Web was meant to be extensible, fail gracefully wherever possible, and be tolerant or varying levels of technological support, most modern websites will go out of their way to detect that you are not 100% compliant with their demands, then tell you to play by their rules or get off the net. Usually this is couched in the language of "reasonable compatibility testing" or "consistent experience", but most such sites will work perfectly well once you spoof some parameter, thus proving it wasn't necessary after all (for example, Gmail after spoofing javascript). Some I can only believe are deliberately architectured to fail: static pages which could be served entirely as native HTML, but instead decided to have just enough HTML to call Javascript to do all the real work by manipulating DOM to insert HTML into a mostly-blank structure (looking at you, Board Game Geek).

    The DOM has demanded every piece of data available to the browser in the name of ever more byzantine applications, even though all but an insignificant portion of the web is still consumed in a page-like way. You can use NoScript and set Opera/Firefox/Chrome preferences until your blue in the face, but you will never reduce your tracking cross-section while the standards bodies insist on pushing these very broad, demanding features in the standards themselves.

  4. Re:Facepalm. by alzoron · · Score: 5, Insightful

    That's a determination that the device and/or user should make, not some website that doesn't know all the facts. This is the same type of thinking that led to some Youtube changes that piss me off. "We've detected that your connection is sub optimal so instead of buffering the video we've made the video entirely unwatchable."