A legitimate reason to poll your battery’s status is to stop intensive operations from executing if you’re running low on juice.
But it’s also open to exploitation by those who want to track your online activity, writes Lukasz Olejnik:
The information provided by the Battery Status API is not always changing fast. In other words, they are static for a period of time; it may give rise to a short-lived identifier. At the same time, users sometimes clear standard web identifiers (such as cookies). But a web script could analyze identifiers provided by Battery Status API, which could then possibly even lead to recreation of other identifiers. A simple sketch follows.
An example web script continuously monitors the status of identifiers and the information obtained from Battery API. At some point, the user clears (e.g.) all the identifying cookies. The monitoring web script suddenly sees a new user – with no cookie – so it sets new ones. But battery level analysis could provide hints that this new user is – in fact – not a new user, but the previously known one. The script’s operator could then conclude and reason that those this is a single user, and resume with tracking. This is an example scenario of identifier recreation, also known as respawning.
A recent study reported that battery status is being monitored by some tracking scripts.
It sounds like it would be a positive step if browsers stopped accessing such detailed information about our battery.
Aside from tracking, there are other ways that battery information could be exploited.
Uber, for instance, says that it knows customers are more likely to accept a much higher price to hire a cab when their battery is running low.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.