It’s naive to believe you can remain anonymous while surfing the web without going out of your way to do so. There’s no shortage of sneaky tricks that can be used to track a target’s online activity, but a new technique recently disclosed by a team of Belgian and French security researchers may trump them all.
In a newly published paper, the team points to the little-known HTML5 Battery Status API as suspect. The API, used in Chrome, Firefox and Opera, allows websites to ping a notebook or mobile device to determine how much battery life it has left. The idea is that when a site notices a user’s battery is low, it can disable some features to help prolong the remaining juice.
The API doesn’t require any sort of permission from the user to ping battery life, on the grounds that said information has “minimal impact on privacy or fingerprinting.” The researchers, however, aren’t convinced.
They found that websites receive quite a bit of detailed information about a mobile device via the API. As The Guardian notes, the data includes an estimate (in seconds) of how long it’ll take to discharge the battery as well as the remaining capacity as a percentage.
Taken together, those two figures can form around 14 million possible combinations, any one of which could be used as an ID number. Furthermore, the values only update every 30 seconds or so.
To help illustrate what’s possible, entertain the following scenario. If a user visits a website in private browsing mode over a VPN, then turns off private browsing mode and the VPN, the website shouldn’t be able to link the user to the earlier visit. But if the two visits are made within half a minute of each other (before the battery status API updates), the site could potentially link the user using data from the API.
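The scenario above can be checked from a privacy reviewer's side by measuring how many sessions share the same battery reading. The following is an added example, not code from the article or the researchers' paper: the readings are constructed, the session names are hypothetical, and the coarsened key (level to one decimal place, no discharge time) is an assumed comparison point that the article does not describe.

```javascript
// Constructed readings (not real data): what a site could record from
// navigator.getBattery() for five sessions seen inside one ~30 s window.
// level is a fraction 0..1, dischargingTime is in seconds.
const visits = [
  { session: "A-private-vpn", level: 0.43, dischargingTime: 8940 },
  { session: "A-normal",      level: 0.43, dischargingTime: 8940 },
  { session: "B",             level: 0.43, dischargingTime: 10212 },
  { session: "C",             level: 0.87, dischargingTime: 8940 },
  { session: "D",             level: 0.44, dischargingTime: 9000 },
];

// Key built from both values exactly as the API reports them.
const exactKey = (r) => `${r.level}|${r.dischargingTime}`;

// Hypothetical coarsened key: level to one decimal place, discharge time dropped.
const coarseKey = (r) => r.level.toFixed(1);

// Group sessions by key. Each group is a set of sessions the site
// cannot tell apart using the battery reading alone.
function anonymitySets(readings, keyFn) {
  const sets = new Map();
  for (const r of readings) {
    const k = keyFn(r);
    if (!sets.has(k)) sets.set(k, []);
    sets.get(k).push(r.session);
  }
  return sets;
}

// Size of the group a session falls into. A group of 2 made up of the
// same device's two visits is exactly the linkage the article describes.
function setSizeFor(readings, keyFn, session) {
  const target = readings.find((r) => r.session === session);
  if (!target) throw new Error(`unknown session: ${session}`);
  return anonymitySets(readings, keyFn).get(keyFn(target)).length;
}

console.log("exact :", Object.fromEntries(anonymitySets(visits, exactKey)));
console.log("coarse:", Object.fromEntries(anonymitySets(visits, coarseKey)));
```

With the exact pair, the private-mode visit and the normal visit are the only two sessions in their group; with the coarsened value they sit among four sessions and cannot be singled out by the reading alone.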