HTML5 Battery Status API used in fingerprinting scripts

Aug 4, 2016 15:15 GMT

The Battery Status API, which is supported by all major browsers, has turned from a theoretical method of tracking users online into a de facto reality, Princeton researchers have discovered.

The HTML5 Battery Status API was developed by the W3C (World Wide Web Consortium), the organization that regulates most Web standards, and was introduced in most Web browsers by the summer of 2015.

The API allows browsers to share information with online entities (websites, Web services, other APIs) about the device's battery level, the time it will take to discharge the battery, and the time it will take to recharge it.

W3C argued that this API could be useful for websites and services that wanted to automatically shift to a low-power consumption mode when the underlying device's battery was draining.

From theoretical research to a cruel reality

In 2015, four security researchers from Belgium and France tried to warn the W3C and other user privacy groups that this API could, in theory, be used to track users online.

They argued that advertisers or malicious entities could use the Battery Status API readings, together with other user fingerprinting techniques, to identify users online.

Three days ago, Lukasz Olejnik, one of those researchers, published a blog post pointing to a new research study from Princeton University, published in July 2016.

The study was a massive work that analyzed how the Alexa 1 million websites track users online. Among the study's findings was a section (6.5) that detailed the usage of the Battery Status API to identify and track users online.

At least two advertisers employ HTML5 Battery Status API readouts

The Princeton researchers say they identified two tracking scripts, loaded across multiple websites, which utilized battery levels as a method of fingerprinting users.

Used together with other fingerprinting details, battery readings could let advertisers build a very accurate tracking system that distinguishes between users and, based on their battery status, reconstructs the exact order in which a user accessed various services. This method is effective even if the user is using a browser in private browsing mode.

"Expected or not, battery readout is actually being used by tracking scripts," Lukasz Olejnik notes. "Some companies may be analyzing the possibility of monetizing the access to battery levels. When battery is running low, people might be prone to some - otherwise different - decisions. In such circumstances, users will agree to pay more for a service."

Olejnik says that, in response to this study, he was told that some browser makers were considering restricting or removing access to this API.
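
Why the battery readings described above work as a short-lived identifier across a normal and a private window, and what a restricted API would change, shown as an added example that is not code from the article or the Princeton study. The readings are constructed, and `batteryKey`, `coarsen`, `groupByKey` and `installRestrictedBattery` are hypothetical helper names; rounding the level and withholding the time estimates is one assumed form of "restricting" access.

```javascript
// Added example. All readings are constructed; helper names are hypothetical.

// The values a script can read from the BatteryManager object.
function batteryKey(b) {
  return [b.level, b.charging, b.chargingTime, b.dischargingTime].join("|");
}

// Restricted view (assumed policy): level rounded to 10% steps, time
// estimates reported as Infinity, i.e. "no estimate available".
function coarsen(b) {
  return {
    level: Math.round(b.level * 10) / 10,
    charging: b.charging,
    chargingTime: Infinity,
    dischargingTime: Infinity,
  };
}

// Group sessions by the key an observer would compute from each reading.
function groupByKey(visits, view = (b) => b) {
  const groups = new Map();
  for (const v of visits) {
    const k = batteryKey(view(v.battery));
    groups.set(k, [...(groups.get(k) || []), v.session]);
  }
  return groups;
}

// Wrap getBattery() on a navigator-like object so callers only see the
// restricted view. Assumption: change events are not forwarded.
function installRestrictedBattery(nav) {
  const original = nav.getBattery.bind(nav);
  nav.getBattery = () => original().then(coarsen);
  return nav;
}

// Constructed sample: device A visits twice (normal, then private window).
const off = { charging: false, chargingTime: Infinity };
const visits = [
  { session: "A-normal",  battery: { ...off, level: 0.43, dischargingTime: 8940 } },
  { session: "A-private", battery: { ...off, level: 0.43, dischargingTime: 8940 } },
  { session: "B-normal",  battery: { ...off, level: 0.41, dischargingTime: 10320 } },
  { session: "C-normal",  battery: { ...off, level: 0.38, dischargingTime: 7260 } },
];

console.log("raw:", [...groupByKey(visits).values()]);
console.log("restricted:", [...groupByKey(visits, coarsen).values()]);
```

With the raw readings, the two sessions from device A share a key that no other device has, which is what links the private window to the normal one; with the restricted view all four sessions fall into one group.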