A team of French and Belgian researchers, including iMinds – KU Leuven in Belgium, has conducted a study that reveals the privacy risks of the ‘HTML5 Battery Status API’ used in laptops and mobile phones. The API (application programming interface) can be used to derive a unique fingerprint for a device, with the intent to track the user’s online activity.
The research team put special focus on the API’s implementation in the Firefox browser. They found that combining data on a battery’s energy level and its predicted time to (dis)charge effectively enables websites to track people’s online behavior.
“Currently, the Battery Status API operates without users’ permission or awareness – as it claims that the information which is gathered has minimal impact on privacy or fingerprinting,” says Gunes Acar – a researcher at the COSIC security research group of iMinds – KU Leuven.
“Yet, as batteries age, their capacities reduce in different amounts. Exploiting those unique readings, users’ online behavior can be monitored – even if they have opted to surf in private mode or with cookies cleared.”
According to the researchers, there are two possible approaches to prevent the exploitation of the Battery Status API for fingerprinting and tracking.
If the battery level values that the API exposes are rounded off, the threat is minimized without losing any of the API’s functionality. Browser vendors should also ask users’ permission to access the Battery Status API, thus making users aware of the type (and value) of information that is being gathered.
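As an added illustration of the rounding approach described above (not code from the study or from any browser), the JavaScript below coarsens readings shaped like the API's `BatteryManager` object and counts how many readings remain distinguishable before and after. The step sizes, function names and sample readings are assumptions constructed for this example.

```javascript
// Added example: coarsening Battery Status API readings before they are exposed.
// Step sizes are assumptions for illustration, not values from the study.
const LEVEL_STEP = 0.05;   // report level in 5% steps (assumed)
const TIME_STEP_SEC = 900; // report time estimates in 15-minute steps (assumed)

// Round a BatteryManager-shaped object (charging, level, chargingTime,
// dischargingTime) into coarse buckets.
function coarsen(battery, levelStep = LEVEL_STEP, timeStep = TIME_STEP_SEC) {
  const steps = Math.round(1 / levelStep);
  // Infinity means "no estimate" in the API and must pass through unchanged.
  const roundTime = (t) =>
    Number.isFinite(t) ? Math.round(t / timeStep) * timeStep : t;
  return {
    charging: battery.charging,
    level: Math.round(battery.level * steps) / steps,
    chargingTime: roundTime(battery.chargingTime),
    dischargingTime: roundTime(battery.dischargingTime),
  };
}

// Number of readings that can still be told apart from one another.
function distinctStates(readings) {
  const keys = readings.map((r) =>
    [r.charging, r.level, r.chargingTime, r.dischargingTime].join("|"));
  return new Set(keys).size;
}

// Constructed sample: five devices near 95% charge plus one near 40%.
const SAMPLE = [
  { charging: false, level: 0.9301075268817204, chargingTime: Infinity, dischargingTime: 12240 },
  { charging: false, level: 0.9411764705882353, chargingTime: Infinity, dischargingTime: 12480 },
  { charging: false, level: 0.9479166666666666, chargingTime: Infinity, dischargingTime: 12710 },
  { charging: false, level: 0.956043956043956, chargingTime: Infinity, dischargingTime: 12930 },
  { charging: false, level: 0.9662921348314607, chargingTime: Infinity, dischargingTime: 12350 },
  { charging: false, level: 0.41, chargingTime: Infinity, dischargingTime: 5400 },
];

// Compare distinguishability of the raw readings and the coarsened ones.
function compare(readings = SAMPLE) {
  return {
    raw: distinctStates(readings),
    coarse: distinctStates(readings.map((r) => coarsen(r))),
  };
}

console.log(compare()); // raw readings vs. rounded readings
```

A page can still tell a nearly full battery from a low one after rounding, while the five similar devices collapse into a single value.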
iMinds conducts strategic and applied research at five Flemish universities in areas such as ICT, Media and Health.
The Brussels Times