There are many ways for online snoops to grab hold of your private browsing habits, but who knew accessing information about your device's battery life is one way to do it?
A new study published by a group of French and Belgian security researchers reveal that the peeping Toms of the Internet can easily exploit the battery status API used in HTML5, the language used by modern websites so people can view their contents.
The World Wide Web Consortium (W3C), which manages web standards, introduced the battery status API as a way for websites to help their visitors preserve their device's battery energy. Using this API, websites can determine when a user is running low on battery and switch to a low-power mode. Under W3C's specifications, websites do not have to ask users' permission to use this API, as the consortium states that the information collected does not significantly affect the user's privacy.
However, the new study (pdf) demonstrates how this seemingly innocuous piece of information being released to the interwebs can actually let others in on what users thought were their private browsing activities.
The researchers say the battery status API, which used in Chrome, Firefox and Opera, extracts very specific information, namely the exact remaining battery percentage and the time in seconds it takes for the battery to run out. When put together, the numbers could create 14 million combinations that can each serve as identification numbers that can be used for 30 seconds, the amount of time it takes for the values to update.
Even with incognito mode on or with users browsing on a VPN, websites can still retain identifying information if users visit websites within a short period of time, or specifically, within half a minute of closing that website. While that may not seem alarming for many users, the researchers say it can be used to spy on certain users.
"When consecutive visits are made within a short interval, the website can link users' new and old identities by exploiting battery level and charge/discharge times. The websites can then reinstantiate users' cookies and other client side identifiers, a method known as respawning," the researchers say. "Note that, although this method of exploiting battery data as a linking identifier would only work for short time intervals, it may be used against power users who can not only clear their cookies but can go to great lengths to clear their evercookies."
Takashi Hososhima | Flickr