Slashdot Mirror

← Back to Stories (view on slashdot.org)

Privacy Alert: Your Laptop Or Phone Battery Could Track You Online

Posted by samzenpus on from the all-the-better-to-follow-you-with dept.

Mark Wilson writes: Is the battery in your smartphone being used to track your online activities? It might seem unlikely, but it's not quite as farfetched as you might first think. This is not a case of malware or hacking, but a built-in component of the HTML5 specification. Originally designed to help reduce power consumption, the Battery Status API makes it possible for websites and apps to monitor the battery level of laptops, tablets, and phones. A paper published by a team of security researchers suggests that this represents a huge privacy risk. Using little more than the amount of power remaining in your battery, it is possible for people to be identified and tracked online. As reported by The Guardian, a paper entitled The Leaking Battery by Belgian and French privacy and security experts say that the API can be used in device fingerprinting.

15 of 95 comments (clear)

  1. We need an OS fix by Anonymous Coward · · Score: 5, Interesting

    If the OS randomizes the LSBs of the value every time it is asked that would reduce the use for tracking but still provide the function that might be useful to a user.

    1. Re:We need an OS fix by Ghostworks · · Score: 5, Insightful

      I'm going to propose a more radical fix: we need to stop letting the DOM have reliable access to so damn much information.

      When we started the move away from webpages and toward web applications, we let the DOM have access to pretty much everything, because applications are big and general and data-hungry: The DOM captures keystrokes so each website can have it's own controls and hotkeys (and which unintentionally lets a user be identified by keystroke dynamics). The DOM has access to blocks of offline memory so that applications can be stable offline or when infrequently connected (and which is another vector for super-cookie tracking). It has access to viewports and peripherals for responsive layouts (which is more data for a browser signature that can easily allow user activity to be correlated). CSS needs read access to layout colors if it's going to be changing them dynamically (which means that those colored as recently-visited by the browser are know, which allows for history-based signatures).

      Hell, we still have to live with all the ancient tracking methods and features like HTTP referer [sic], cookies, and user agent strings. And even though the World Wide Web was meant to be extensible, fail gracefully wherever possible, and be tolerant or varying levels of technological support, most modern websites will go out of their way to detect that you are not 100% compliant with their demands, then tell you to play by their rules or get off the net. Usually this is couched in the language of "reasonable compatibility testing" or "consistent experience", but most such sites will work perfectly well once you spoof some parameter, thus proving it wasn't necessary after all (for example, Gmail after spoofing javascript). Some I can only believe are deliberately architectured to fail: static pages which could be served entirely as native HTML, but instead decided to have just enough HTML to call Javascript to do all the real work by manipulating DOM to insert HTML into a mostly-blank structure (looking at you, Board Game Geek).

      The DOM has demanded every piece of data available to the browser in the name of ever more byzantine applications, even though all but an insignificant portion of the web is still consumed in a page-like way. You can use NoScript and set Opera/Firefox/Chrome preferences until your blue in the face, but you will never reduce your tracking cross-section while the standards bodies insist on pushing these very broad, demanding features in the standards themselves.

    2. Re:We need an OS fix by steelfood · · Score: 2

      Kill either the percentage or the time part of the spec and it won't be nearly as specific.

      And why the fuck is this shit in a markup language specification in the first place?

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
  2. But... but... but... but... by QuietLagoon · · Score: 2

    The EFF Coalition has just proposed a new Do Not Track standard.

  3. Re:Facepalm. by mrbester · · Score: 2

    So it could stream lower quality video / audio that would take less battery to play is one thing that springs to mind. If a site monitored battery usage while streaming HD to your phone it could calculate if you had enough to juice left to finish watching.

    --
    "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
  4. Re:Facepalm. by dunkindave · · Score: 2, Insightful

    Sounds like the ideal sort of thing to be able to disable (or provide a random response to) in the browser.

    Everything your browser does that is different than other browsers can be used to fingerprint you, so sending a random response would be an identifiable trait to narrow the group they think you are in. Better to send nothing, assuming most people's browsers don't send anything, or whatever the response a desktop sends when asked for its battery level.

  5. in firefox by Anonymous Coward · · Score: 3, Informative

    Is story about that:
    dom.battery.enabled false

  6. No, we need to ditch this web idiocy completely. by Anonymous Coward · · Score: 5, Insightful

    We shouldn't resort to hacks like that.

    Seriously, get rid of this shitty functionality. It does not belong in a web browser.

    After getting rid of this battery shit, get rid of the goddamn video and audio capabilities that have been added recently. If a website wants me to watch some audio or video, it can serve up a file that VLC or some other external player can play, after I've been promoted to allow this to happen.

    Since they audio and video shit would be gone, the motherfucking DRM that has been added lately can be totally removed, too.

    Get rid of JavaScript, too. It's a total piece of shit, and it hasn't gotten any better after 20 frigging years! If a browser needs to be scriptable, at least use a real language, like Lua or Python.

    We shouldn't hack around this idiotic functionality that's been added to web browsers lately. We should remove it completely.

  7. Re:Facepalm. by alzoron · · Score: 5, Insightful

    That's a determination that the device and/or user should make, not some website that doesn't know all the facts. This is the same type of thinking that led to some Youtube changes that piss me off. "We've detected that your connection is sub optimal so instead of buffering the video we've made the video entirely unwatchable."

  8. lower the reported sample rate by johnrpenner · · Score: 4, Interesting

    | the estimated time in seconds that the battery will take to
    | fully discharge, as well the remaining battery capacity
    | expressed as a percentage. Those two numbers, taken together,
    | can be in any one of around 14 million combinations, meaning
    | that they operate as a potential ID number

    okay — so why not decrease the provided resolution of the values?

    i.e. time til battery discharges expressed in minutes instead of seconds,
    and remaining battery capacity expressed to the nearest 5% -- this will
    provide substantially less unique combinations to ID your battery, while
    still being sufficiently useful enough for what the feature was intended.

    2cents
    jp

    1. Re: lower the reported sample rate by yeshuawatso · · Score: 2

      Did anyone actually read the actual paper? They were only able to track Firefox browsers on Linux due to the precision of the battery level outputs. Their recommendation was to limit the precision to two significant digits, something a home and Opera were already doing, and something all of them do on every other OS. So this is only applicable to that 2% of PC users running Linux desktops with their tin foil hats. For the vast majority of us, THIS DOESNT WORK!

  9. Old Mozilla would have stopped this. by Anonymous Coward · · Score: 5, Interesting

    This kind of shit makes me yearn for the days of what I'll call Old Mozilla. I'm talking about Mozilla like it was back in the early days of Phoenix/Firebird/Firefox, when providing a damn good browser was the most important thing. They wouldn't have stood for dumb functionality like this ending up in the browser. It's totally unnecessary, and totally out of place. In the days of Old Mozilla, that would have been apparent, and this functionality would never have gotten implemented in the first place. We wouldn't have to fuck around with the dom.battery.enabled config option.

    But Modern Mozilla? They've shown us time and time again that they apparently don't give a flying fuck about providing a good browser experience. Firefox 4 and every release after it have been a massive clusterfuck or disaster of one sort or another. The usability of Firefox's UI is like shit in a urinal today. We've seen almost no visible improvement to Firefox's memory usage and performance under real-world usage as well (so fuck off with the useless, totally unrealistic "Are We Fast Yet?" pseudobenchmarks that don't tell the real story!). Then there has been all of the shit about ads and Pocket lately. And we can't forget about Firefox OS, one of the biggest and most wasteful software development failures we've seen in ages.

    Each and every day I wish that Old Mozilla came back, or something close to it formed. Sorry, Pale Moon doesn't cut it. Vivaldi is showing some potential, but it has its own problems.

    Is it really too much to ask for Mozilla to go back to doing the right thing with Firefox? Is it really too much to ask for them to make Firefox about the users first and foremost? Is it really too much to ask for them to throw out stupid functionality, or just to avoid implementing it in the first place?

  10. No, not the battery by AndyKron · · Score: 2

    Now batteries can fucking track you? I don't need websites to know how much battery power I have. Who the hell thought this was a good idea, and fuck them all to hell in advance.

  11. Re:No, we need to ditch this web idiocy completely by Anonymous Coward · · Score: 4, Interesting

    I was starting to think the API was the most stupid thing ever, but I realize how to turn it to my advantage. The API is present so that websites can know to dial down the dumb crap when the user's device has low battery. All I'll need to do is hack the browser so that it permenantly reports the battery level as 10% of a full charge. If I'm lucky, that will make the sites revert to being useful.

  12. use much lower resolution data by Lehk228 · · Score: 2

    so why not set a sequence of battery states rather than actual %. "excellent" "ok" "poor" "critical" with 'excellent' being defined as ok to use as much resources as the application would like, 'ok' would be a request to minimize unnecessary utilization 'poor' being an enforced power restriction mode and 'critical' being an explicit warning that failure is imminent and data being handled may be lost instead of saved. The thresholds themselves will vary based on device and user settings. for example my blackberry cuts off radio signal below about 7% battery and so should export 'critical' around 10% shortly before it ceases communication and it refuses to turn on the camera light below around 17% (exact % point varies i think the actual decision is based on current battery voltage data not exposed to the user) so around there should trigger poor. there should be a setting of when to request lower intensity web pages on the power or browser settings that would tweak the excellent/ok point, and of course on a charger would put the device into excellent.

    --
    Snowden and Manning are heroes.