Could Your Phone’s Battery Be Spying On You?
As The Independent explains, an HTML5 feature tells websites how much battery your phone has left. It is meant as a power-saving mechanism for when your device is running low, but the same information could be used to identify your phone without you ever knowing. Assuming that a device is used by the same person, it can therefore be used to track that person’s online activities.
The paper that revealed this problem claims that “In short time intervals, Battery Status API can be used to reinstantiate tracking identifiers of users, similar to evercookies”. The intended use of this API is to let websites know when a user is low on battery, so that they can disable a few power-consuming features to extend battery life.
The researchers point out that the information a website receives is surprisingly specific, containing the estimated time in seconds that the battery will take to fully discharge, as well as the remaining battery capacity expressed as a percentage. The API also does not require browsers to notify users when the battery information is accessed. Researchers say that even if you have privacy measures in place, this will still affect you, because websites do not have to ask permission for the battery data and the data the script requests is not protected.
The ostensible aim of the battery API is to allow websites to automatically switch from high power to energy-saving versions if they detect a user needs to conserve battery.
Researchers, who tested the Firefox browser on the Linux operating system, found that there could be at least 14.2 million different combinations of this data, which was easily enough for internet users to be identified by their battery status.
“Our analysis shows that the risk is much higher for old or used batteries with reduced capacities, as the battery capacity may potentially serve as a tracking identifier”, the report added.
Tech-savvy observers think the situation should be remedied as soon as possible, as there is little that users can do to protect themselves against these privacy intrusions. When consecutive visits are made within a short interval, the website can link users’ new and old identities by exploiting battery level and charge/discharge times.
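The linking risk described above can be measured as the number of earlier sessions that a cookie-less visit is indistinguishable from. The sketch below is an added example, not code from the paper or from The Independent: the session records are constructed, the field names are modelled on the API's BatteryManager attributes, and the coarsened readout is a hypothetical mitigation that the article does not describe.

```javascript
// Constructed sample data: battery readouts observed during five earlier sessions.
// level is a fraction of full charge; the time estimates are in seconds.
const earlierSessions = [
  { id: "s1", level: 0.43, charging: false, dischargingTime: 8940, chargingTime: Infinity },
  { id: "s2", level: 0.43, charging: false, dischargingTime: 10215, chargingTime: Infinity },
  { id: "s3", level: 0.47, charging: false, dischargingTime: 8940, chargingTime: Infinity },
  { id: "s4", level: 0.81, charging: true, dischargingTime: Infinity, chargingTime: 1320 },
  { id: "s5", level: 0.40, charging: false, dischargingTime: 7600, chargingTime: Infinity },
];

// Constructed: a visit arriving shortly afterwards with no cookies or other identifier.
const freshSession = {
  id: "new", level: 0.43, charging: false, dischargingTime: 8940, chargingTime: Infinity,
};

// Full-precision readout: every attribute exactly as reported.
const exactKey = (r) =>
  [r.level, r.charging, r.dischargingTime, r.chargingTime].join("|");

// Hypothetical coarsened readout (assumption): level in 10% steps, time estimates withheld.
const coarseKey = (r) =>
  [Math.floor(Math.round(r.level * 100) / 10), r.charging].join("|");

// Anonymity set: earlier sessions whose readout equals the fresh one under keyFn.
// A set of size 1 means the fresh visit can be tied to a single earlier session.
function anonymitySet(earlier, fresh, keyFn) {
  const key = keyFn(fresh);
  return earlier.filter((s) => keyFn(s) === key).map((s) => s.id);
}

// Share of sessions whose readout is shared with no other session in the sample.
function uniqueShare(sessions, keyFn) {
  const counts = new Map();
  for (const s of sessions) {
    const key = keyFn(s);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  const unique = sessions.filter((s) => counts.get(keyFn(s)) === 1).length;
  return unique / sessions.length;
}

console.log("exact readout :", anonymitySet(earlierSessions, freshSession, exactKey),
  "unique share", uniqueShare(earlierSessions, exactKey));
console.log("coarse readout:", anonymitySet(earlierSessions, freshSession, coarseKey),
  "unique share", uniqueShare(earlierSessions, coarseKey));
```

With the full-precision readout the fresh visit matches exactly one earlier session, while the coarsened readout leaves it hidden among four.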
According to the paper, the potential privacy issues of the Battery Status API were discussed as early as 2012, but the API was not revised to alleviate them.