Slashdot Mirror


Your Battery Status Is Being Used To Track You Online (theguardian.com)

A paper published last year revealed that the battery on a laptop or phone can be used to track one's online activities. The vulnerability resided in a built-in HTML 5 specification, which could be tricked into identifying people and tracking their online activities. One year later, we are now learning that the vulnerability is being exploited in the wild. The Guardian reports: [...] Two security researchers from Princeton University have shown that the battery status indicator really is being used in the wild to track users. By running a specially modified browser, Steve Englehardt and Arvind Narayanan found two tracking scripts that used the API to "fingerprint" a specific device, allowing them to continuously identify it across multiple contexts. The research was highlighted by Lukasz Olejnik, one of the four researchers who first called attention to the potential issues with the battery status API in 2015. Although Olejnik achieved some success following his warning, with the body in charge of the web's standards thanking his group for the privacy analysis, the API still has the potential for misuse. And while it is only tracking scripts using it now, Olejnik warns that unscrupulous actors could do more. "Some companies may be analysing the possibility of monetising the access to battery levels," he writes. "When battery is running low, people might be prone to some -- otherwise different -- decisions. In such circumstances, users will agree to pay more for a service."

10 of 88 comments

  1. Old news by LichtSpektren · · Score: 5, Insightful

    In Firefox, you should go to about:config and toggle dom.battery.enabled to false. I've read this exact advice on many privacy-related websites for over a year, so this really isn't news.

    1. Re:Old news by arth1 · · Score: 3, Insightful

      In Palemoon, the default is (of course) disabled.

  2. Why on Earth? by xororand · · Score: 4, Insightful

    Why on Earth are browsers revealing my battery status to random websites?
    Does Google dictate these changes in exchange for funding?

    1. Re:Why on Earth? by Lennie · · Score: 5, Informative

      This is what the specification has in the introduction:

      "The Battery Status API can be used to defer or scale back work when the device is not charging in or is low on battery. An archetype of an advanced web application, a web-based email client, may check the server for new email every few seconds if the device is charging, but do so less frequently if the device is not charging or is low on battery. Another example is a web-based word processor which could monitor the battery level and save changes before the battery runs out to prevent data loss. "

      https://www.w3.org/TR/2016/CR-...

      --
      New things are always on the horizon
    2. Re:Why on Earth? by EvilSS · · Score: 5, Insightful

      Why on Earth are browsers revealing my battery status to random websites? Does Google dictate these changes in exchange for funding?

      It was added to the HTML5 spec to allow sites to supply "low power" versions of their site to devices when their battery is low. Or so they say.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    3. Re:Why on Earth? by jellomizer · · Score: 4, Interesting

      I am guessing the purpose was for a few things.
      1. Remote Desktop Help to help identify problems with your system.
      2. Websites that may have rules to Save/Commit your session before your battery dies.
      3. Websites to lower the amount of JS processing based on your battery usage

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:Why on Earth? by jeffb+(2.718) · · Score: 4, Informative

      If you're building a "web-based word processor" that can lose work because a client goes away, You're Doing It Wrong, so much so that responding to a low-battery signal is pointless. What if a router goes down? What if the user moves out of range of an access point, or cellular data?

      If Web developers (or the companies issuing their marching orders) wanted to respect my battery, they could start by ditching all the gratuitous animated ads, transitions, and whatnot. For bonus points, they could do it before my battery gets low, so that my battery doesn't get low in the first place.

      My five-year-old laptop still gets up to six or seven hours off a charge -- as long as I'm not visiting typical Web sites. If I start browsing, especially without blocking Flash or ads, I'm lucky to get an hour and a half.

  3. Uber is doing it by scorp1us · · Score: 5, Insightful

    Uber is doing it

    But as for tracking, why not just report battery level by 10% increment, or some other increment where you can hide in a Gaussian distribution? Really they only need to know Full, low, and not full or low.

    --
    Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
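
The coarsening proposed in the comment above, worked through as an added example that is not part of the original thread: it groups devices by the value a page would be handed under each reporting policy and counts how many devices a page could still tell apart. The readouts are constructed sample values, and withholding the time estimate and the 95%/15% cut-offs are assumptions.

```javascript
// Constructed readouts shaped like BatteryManager fields (level 0..1,
// charging, dischargingTime in seconds). Sample values, not measured data.
const readouts = [
  { id: "A", level: 0.93, charging: false, dischargingTime: 13140 },
  { id: "B", level: 0.91, charging: false, dischargingTime: 12260 },
  { id: "C", level: 0.92, charging: false, dischargingTime: 14890 },
  { id: "D", level: 0.34, charging: false, dischargingTime: 4075 },
  { id: "E", level: 0.38, charging: false, dischargingTime: 5210 },
  { id: "F", level: 0.07, charging: false, dischargingTime: 610 },
];

// Views of one readout: what a page would be handed under each policy.
const views = {
  // Full-precision values, as the summary describes scripts reading them.
  raw: (r) => `${r.level}|${r.charging}|${r.dischargingTime}`,
  // 10% increments; the time estimate is withheld (assumed policy).
  tenPercent: (r) => `${Math.floor(r.level * 10) * 10}|${r.charging}`,
  // "Full, low, and not full or low"; the 95%/15% cut-offs are assumptions.
  threeState: (r) =>
    r.level >= 0.95 ? "full" : r.level <= 0.15 ? "low" : "neither",
};

// Group devices by the value a page would see and measure how well they hide.
function summarize(devices, view) {
  const sets = new Map();
  for (const d of devices) {
    const key = view(d);
    sets.set(key, [...(sets.get(key) || []), d.id]);
  }
  const sizes = [...sets.values()].map((ids) => ids.length);
  return {
    distinctValues: sets.size, // values a page can tell apart
    uniqueDevices: sizes.filter((n) => n === 1).length, // alone in their set
    largestSet: Math.max(...sizes),
  };
}

for (const [name, view] of Object.entries(views)) {
  console.log(name, summarize(readouts, view));
}
```

Device F stays unique under both coarse policies because it is the only one in the low bucket: coarsening shrinks the number of distinguishable values but does not hide a device that sits alone at an extreme.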
  4. Tired of this whole security/privacy mess! by grumpy-cowboy · · Score: 3, Insightful

    WHY ON EARTH does a browser need to expose the status of my laptop battery!! Why?!?! Can we have a browser that JUST displays text, images and basic please! Can we go back to HTML 3.2 and flush everything made after this!

    --
    Will $CURRENT_YEAR be the year of the Linux Desktop?
  5. Fuck off with the clickbait headlines, please by wonkey_monkey · · Score: 4, Insightful

    Your Battery Status Is Being Used To Track You Online

    Oh, do fuck off with the tiresome clickbait headlines. My battery status isn't being used to track me online, but even if it was, you could write the headline without having to personally address it to me.

    --
    systemd is Roko's Basilisk.