Hackers Can Use Your Cellphone’s Battery Life to Follow You Around the Internet

Experts predict that the number of worldwide smartphone users will reach two billion in 2016—a quarter of the global population. That’s a lot of privacy risks.

Photo by Kristy Sparow/Getty Images

By now, you probably know that using a smartphone in just about any way will send personal data across the Internet. Service carriers log text messages and details about calls. Third-party apps can access or upload identifying data. Weather- and map-based services track a user’s geographic location. It seems that even the most passive, inoffensive service on our phones can leak our information.

Battery-life indicators—tiny icons that usually hover at the top of a screen—show how much charge a device has left before it needs to be connected to a power source. Though useful, these indicators might not be as innocuous as we think, according to a team of four European cybersecurity researchers. The experts recently authored a paper titled “The Leaking Battery” that explains how websites can track a user across visits just by reading his or her device’s battery status. Because laptops have batteries too and their browsers expose the same interface, the technique is not limited to mobile phones. When browsers give battery information to websites, they expose a “fingerprintable surface that can be used to track web users in short time intervals,” the researchers write.

Why does this happen? Under the current specification from the World Wide Web Consortium, the organization that sets global Web standards, sites are allowed to read a user’s battery status in order to save energy: on detecting a low battery, a site can switch off power-hungry features and serve a lighter, energy-saving page instead. The consortium lets sites read these values without asking permission because the feature was judged to have a “minimal impact” on privacy. But the values reported for a phone or laptop’s battery can be oddly specific, so specific that they can be used to tell one user from another. Here’s how that works, succinctly explained by the Guardian:

The researchers point out that the information a website receives is surprisingly specific, containing the estimated time in seconds that the battery will take to fully discharge, as well as the remaining battery capacity expressed as a percentage. Those two numbers, taken together, can be in any one of around 14 million combinations, meaning that they operate as a potential ID number. What’s more, those values only update around every 30 seconds, meaning that for half a minute, the battery status API can be used to identify users across websites.

For instance, if a user visits a website in Chrome’s private browsing mode using a VPN, the website should not be able to link them to a subsequent visit with private browsing and the VPN off. But the researchers warn that that may no longer work: “Users who try to revisit a website with a new identity may use browsers’ private mode or clear cookies and other client side identifiers. When consecutive visits are made within a short interval, the website can link users’ new and old identities by exploiting battery level and charge/discharge times. The website can then reinstantiate users’ cookies and other client side identifiers, a method known as respawning.”
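The linking described above, as an added example that is not code from the researchers’ paper or from this article: a tracking site turns the Battery Status API readings (charging state, level, charging and discharging times) into a short-lived identifier, and when a cookieless visit arrives within one refresh window it looks for an earlier visit with the same identifier and reissues that visit’s cookie. The same code also shows what coarsening the readings does: with the level rounded to a hundredth and the time estimates dropped, two different constructed laptops collapse onto the same identifier and the match becomes ambiguous. The sample readings, cookie names, the 30-second window and the rounding rule are assumptions for illustration.

```javascript
// Added example, not code from "The Leaking Battery" or from Slate. Models what a
// tracking site could do with Battery Status API readings; all visits are constructed.
//
// A reading has the BatteryManager attribute shape: charging (boolean), level (0..1),
// chargingTime and dischargingTime (seconds, or Infinity when not applicable).
// In a real page it comes from:  navigator.getBattery().then(b => report(batteryFingerprint(b)));

const REFRESH_WINDOW_MS = 30 * 1000; // assumed: readings stay stable for about 30 s

// Raw identifier: full-precision level plus both time estimates.
function batteryFingerprint(b) {
  return [b.charging ? 'c' : 'd', b.level, b.chargingTime, b.dischargingTime].join('|');
}

// Coarsened identifier: level rounded to a hundredth, time estimates omitted.
// Rounding as a mitigation is the paper's suggestion; this exact rule is an assumption.
function coarseFingerprint(b) {
  return (b.charging ? 'c' : 'd') + '|' + Math.round(b.level * 100);
}

// For a visit that carries no cookie, return the cookie ids of earlier visits whose
// battery identifier matches and which fall inside one refresh window. One result is
// a confident "respawn"; several results mean the identifier no longer singles out a user.
function candidateIdentities(priorVisits, visit, fingerprintFn = batteryFingerprint) {
  const fp = fingerprintFn(visit.battery);
  return priorVisits
    .filter(prior => {
      const gap = visit.time - prior.time;
      return gap >= 0 && gap <= REFRESH_WINDOW_MS && fingerprintFn(prior.battery) === fp;
    })
    .map(prior => prior.cookieId);
}

// Constructed readings for two laptops that are discharging at a similar rate.
// The many-decimal level mimics the high-precision values the paper observed.
const laptopA = { charging: false, level: 0.5849609375, chargingTime: Infinity, dischargingTime: 8352 };
const laptopB = { charging: false, level: 0.5791015625, chargingTime: Infinity, dischargingTime: 8352 };

const t0 = 1000000; // constructed clock, milliseconds
const priorVisits = [
  { cookieId: 'cookie-A', time: t0, battery: laptopA },
  { cookieId: 'cookie-B', time: t0 + 2000, battery: laptopB },
];

// Laptop A returns 12 s later in private mode, with no cookie and identical readings.
const revisitA = { time: t0 + 12000, battery: laptopA };
// Laptop A returns two minutes later: even with identical readings the gap is too long.
const lateRevisitA = { time: t0 + 120000, battery: laptopA };

function demo() {
  return {
    rawMatch: candidateIdentities(priorVisits, revisitA),                      // ['cookie-A']
    rawLate: candidateIdentities(priorVisits, lateRevisitA),                   // []
    coarseMatch: candidateIdentities(priorVisits, revisitA, coarseFingerprint), // ['cookie-A', 'cookie-B']
  };
}

console.log(demo());
```

With the raw readings the revisit maps to exactly one earlier cookie, which is the respawning step the researchers describe; with the coarsened readings it maps to two, so the site can no longer tell which identity to reinstate. Note that the window check alone is not a defense: a site that polls the API continuously can follow the values as they change rather than waiting for an exact match.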

The possibility of this kind of microlevel tracking might not be surprising to jaded consumers who are used to hearing about all sorts of Web-based data breaches these days. Still, it’s certainly unnerving. And the researchers’ report comes on the heels of many other recent revelations about unexpected identification.

Here’s one example: Web users can be recognized from just the way they type on a keyboard, even if they use an identity-shielding service like Tor. And another: browser window size and other browser characteristics can also be used to pick people out. The unconventional ways in which we can be recognized, recorded, and tracked by our gadgets are stacking up—and, with them, likely a whole new set of privacy battles.