French and Belgian researchers have found a way to use battery power monitoring to track browsers online. In a paper, The leaking battery A privacy analysis of the HTML5 Battery Status API, by Lukasz Olejnik1, Gunes Acar, Claude Castelluccia , and Claudia Diaz, the researchers exploited the fact that HTML5 on Firefox, Opera and Chrome browsers enables websites to see how much battery power a visitor has left on their laptop or smartphone.
It can do so because the World Wide Web Consortium (W3C) introduced a system to help websites conserve users' energy by disabling unnecessary features if a user's power is low – without needing user permission.
“Our study shows that websites can discover the capacity of users' batteries by exploiting the high precision readouts provided by Firefox on Linux,” says the report.The researchers found that there are 14172310 different values for a discharging battery and twice that for a charging battery. By correlating the estimated seconds that the battery will take to fully discharge and the remaining battery capacity percentage, these 14 million combinations effectively provide a potential ID number. As they only update every 30 seconds the battery status API can be used to identify users across websites.
As users visit websites, even with a new identity and not allowing cookies, consecutive visits within a short interval will allow the website to link the users' new and old identities by comparing their battery level and charge/discharge times. The website can then reinstate users' cookies and other client side identifiers, a method known as respawning.
In conclusion the researchers proposed what they describe as minor modifications to Battery Status API and its implementation in the Firefox browser to address the privacy issues presented in the study, adding: “Our bug report for Firefox was accepted and a fix is deployed.”