Online advertising has been perfected to a science. With the aid of tracking cookies and social media, an advertiser can target you across multiple sites for as long as it takes to get the point across. Consumers have various tools at their disposal to remain anonymous, but some crafty advertisers have started using an unusual signal to keep tabs on even the most careful users — their battery level.
A recent update to the HTML5 standard included an interesting API for accessing a device’s battery level. The intention was to give a site the ability to query your phone’s battery level, then modify the content it serves if that level is low. The API doesn’t just provide a single number, though. It tells the site your battery percentage, the time to discharge, and the time to charge fully if connected to power. Together, those numbers have 14 million possible combinations.
If a site were to detect two connections in quick succession with the same ID based on the battery level, odds are high that they are actually coming from the same person. Perhaps one is an incognito/private browsing tab or is being routed through a VPN, but it’s still identifiable. Privacy advocates warned this was possible when HTML5 was deployed, and now two researchers claim this is more than a theoretical worry.
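To make the linking concrete, here is an added example (not from the article or the researchers' scripts) that joins the three readings into a key and compares sessions seen within a short window, then repeats the comparison with reduced-precision readings. The field names follow the Battery Status API's `BatteryManager`; the sample visits, session labels, 30-second window and the `coarsen()` mitigation are constructed assumptions.

```javascript
// Constructed sample visits: readings as a page script would see them
// (level 0..1, times in seconds, Infinity while not charging), t = arrival in ms.
const visits = [
  { session: "normal-tab",  t: 0,       level: 0.43, chargingTime: Infinity, dischargingTime: 8940 },
  { session: "private-tab", t: 12000,   level: 0.43, chargingTime: Infinity, dischargingTime: 8940 },
  { session: "other-user",  t: 15000,   level: 0.41, chargingTime: Infinity, dischargingTime: 9120 },
  // Same device as the first two, an hour later: the readings have moved on.
  { session: "late-return", t: 3600000, level: 0.31, chargingTime: Infinity, dischargingTime: 6400 },
];

// The three values joined into one short-lived identifier.
function batteryKey(r) {
  return [r.level, r.chargingTime, r.dischargingTime].join("|");
}

// Hypothetical mitigation (an assumption, not the standard's text):
// report the level in 10% steps and withhold both time estimates.
function coarsen(r) {
  return { ...r, level: Math.round(r.level * 10) / 10,
           chargingTime: Infinity, dischargingTime: Infinity };
}

// Pairs of sessions that share a key and arrived within windowMs of each other.
function linkedPairs(list, windowMs) {
  const pairs = [];
  for (let i = 0; i < list.length; i++) {
    for (let j = i + 1; j < list.length; j++) {
      const a = list[i], b = list[j];
      if (batteryKey(a) === batteryKey(b) && Math.abs(a.t - b.t) <= windowMs) {
        pairs.push([a.session, b.session]);
      }
    }
  }
  return pairs;
}

// Precise readings single out the private tab as the same device.
console.log(linkedPairs(visits, 30000));
// Coarse readings match every session in the window, so a match identifies no one.
console.log(linkedPairs(visits.map(coarsen), 30000));
```

With precise readings only the normal and private tabs pair up; with coarsened readings the unrelated user matches as well, so the key stops distinguishing devices. The hour-later visit never matches, which is why the signal only works for connections in quick succession.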
Steve Englehardt and Arvind Narayanan from Princeton University used a modified browser to catalog tracking scripts. They found two examples of scripts that were using the battery API to fingerprint a specific device. This tracking is possible in all current builds of Firefox, Opera, and Chrome. Some worry that there could be attempts to monetize access to the battery API data of site visitors, weakening privacy even more. If it becomes widespread, there’s not much you could do to stop it. The standard would need to be modified. Or we could just throw out our phones when they run out of power.