Privacy Alert: Your Laptop Or Phone Battery Could Track You Online

Mark Wilson writes: Is the battery in your smartphone being used to track your online activities? It might seem unlikely, but it's not quite as farfetched as you might first think. This is not a case of malware or hacking, but a built-in component of the HTML5 specification. Originally designed to help reduce power consumption, the Battery Status API makes it possible for websites and apps to monitor the battery level of laptops, tablets, and phones. A paper published by a team of security researchers suggests that this represents a huge privacy risk. Using little more than the amount of power remaining in your battery, it is possible for people to be identified and tracked online. As reported by The Guardian, a paper entitled The Leaking Battery by Belgian and French privacy and security experts say that the API can be used in device fingerprinting.

We need an OS fix

If the OS randomizes the LSBs of the value every time it is asked that would reduce the use for tracking but still provide the function that might be useful to a user.

Re:We need an OS fix

[Ghostworks]

I'm going to propose a more radical fix: we need to stop letting the DOM have reliable access to so damn much information.

When we started the move away from webpages and toward web applications, we let the DOM have access to pretty much everything, because applications are big and general and data-hungry: The DOM captures keystrokes so each website can have it's own controls and hotkeys (and which unintentionally lets a user be identified by keystroke dynamics). The DOM has access to blocks of offline memory so that applications can be stable offline or when infrequently connected (and which is another vector for super-cookie tracking). It has access to viewports and peripherals for responsive layouts (which is more data for a browser signature that can easily allow user activity to be correlated). CSS needs read access to layout colors if it's going to be changing them dynamically (which means that those colored as recently-visited by the browser are know, which allows for history-based signatures).

Hell, we still have to live with all the ancient tracking methods and features like HTTP referer [sic], cookies, and user agent strings. And even though the World Wide Web was meant to be extensible, fail gracefully wherever possible, and be tolerant or varying levels of technological support, most modern websites will go out of their way to detect that you are not 100% compliant with their demands, then tell you to play by their rules or get off the net. Usually this is couched in the language of "reasonable compatibility testing" or "consistent experience", but most such sites will work perfectly well once you spoof some parameter, thus proving it wasn't necessary after all (for example, Gmail after spoofing javascript). Some I can only believe are deliberately architectured to fail: static pages which could be served entirely as native HTML, but instead decided to have just enough HTML to call Javascript to do all the real work by manipulating DOM to insert HTML into a mostly-blank structure (looking at you, Board Game Geek).

The DOM has demanded every piece of data available to the browser in the name of ever more byzantine applications, even though all but an insignificant portion of the web is still consumed in a page-like way. You can use NoScript and set Opera/Firefox/Chrome preferences until your blue in the face, but you will never reduce your tracking cross-section while the standards bodies insist on pushing these very broad, demanding features in the standards themselves.

No, we need to ditch this web idiocy completely.

We shouldn't resort to hacks like that.

Seriously, get rid of this shitty functionality. It does not belong in a web browser.

After getting rid of this battery shit, get rid of the goddamn video and audio capabilities that have been added recently. If a website wants me to watch some audio or video, it can serve up a file that VLC or some other external player can play, after I've been promoted to allow this to happen.

Since they audio and video shit would be gone, the motherfucking DRM that has been added lately can be totally removed, too.

Get rid of JavaScript, too. It's a total piece of shit, and it hasn't gotten any better after 20 frigging years! If a browser needs to be scriptable, at least use a real language, like Lua or Python.

We shouldn't hack around this idiotic functionality that's been added to web browsers lately. We should remove it completely.

Re:Facepalm.

[alzoron]

That's a determination that the device and/or user should make, not some website that doesn't know all the facts. This is the same type of thinking that led to some Youtube changes that piss me off. "We've detected that your connection is sub optimal so instead of buffering the video we've made the video entirely unwatchable."

lower the reported sample rate

[johnrpenner]

| the estimated time in seconds that the battery will take to
| fully discharge, as well the remaining battery capacity
| expressed as a percentage. Those two numbers, taken together,
| can be in any one of around 14 million combinations, meaning
| that they operate as a potential ID number

okay — so why not decrease the provided resolution of the values?

i.e. time til battery discharges expressed in minutes instead of seconds,
and remaining battery capacity expressed to the nearest 5% -- this will
provide substantially less unique combinations to ID your battery, while
still being sufficiently useful enough for what the feature was intended.

2cents
jp

Old Mozilla would have stopped this.

This kind of shit makes me yearn for the days of what I'll call Old Mozilla. I'm talking about Mozilla like it was back in the early days of Phoenix/Firebird/Firefox, when providing a damn good browser was the most important thing. They wouldn't have stood for dumb functionality like this ending up in the browser. It's totally unnecessary, and totally out of place. In the days of Old Mozilla, that would have been apparent, and this functionality would never have gotten implemented in the first place. We wouldn't have to fuck around with the dom.battery.enabled config option.

But Modern Mozilla? They've shown us time and time again that they apparently don't give a flying fuck about providing a good browser experience. Firefox 4 and every release after it have been a massive clusterfuck or disaster of one sort or another. The usability of Firefox's UI is like shit in a urinal today. We've seen almost no visible improvement to Firefox's memory usage and performance under real-world usage as well (so fuck off with the useless, totally unrealistic "Are We Fast Yet?" pseudobenchmarks that don't tell the real story!). Then there has been all of the shit about ads and Pocket lately. And we can't forget about Firefox OS, one of the biggest and most wasteful software development failures we've seen in ages.

Each and every day I wish that Old Mozilla came back, or something close to it formed. Sorry, Pale Moon doesn't cut it. Vivaldi is showing some potential, but it has its own problems.

Is it really too much to ask for Mozilla to go back to doing the right thing with Firefox? Is it really too much to ask for them to make Firefox about the users first and foremost? Is it really too much to ask for them to throw out stupid functionality, or just to avoid implementing it in the first place?

Re:No, we need to ditch this web idiocy completely

I was starting to think the API was the most stupid thing ever, but I realize how to turn it to my advantage. The API is present so that websites can know to dial down the dumb crap when the user's device has low battery. All I'll need to do is hack the browser so that it permenantly reports the battery level as 10% of a full charge. If I'm lucky, that will make the sites revert to being useful.