Your phone battery is leaking details about you
A phone's battery level could be used to monitor the online activity of its owner. That is according to security researchers from Princeton University, who have published a paper describing the way battery status is being used to track users across different sites.
The research focuses on the Battery Status API (application programming interface) – introduced in HTML5 and present in browsers including Firefox, Chrome and Opera. The API is intended to allow site owners to see details about different users’ battery life, and therefore serve up low-power versions of their sites.
When it was introduced, however, researchers warned in 2015 about the API’s potential to be used to turn battery level into a “fingerprintable” tracking identifier. Using a combination of battery life loss in seconds and battery life as a percentage, and potentially cross-referencing this information with other web identifiers, sites could pinpoint specific devices across different situations.
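To make the fingerprinting risk concrete, the following added example (not from the article or the researchers' paper) counts how many devices are singled out by the exact level and remaining-time pair, and how many stay unique once the values are coarsened. The readings, function names and coarsening steps are assumptions constructed for illustration.

```javascript
// Constructed sample: what six devices might report at one moment.
// level is a fraction (0..1), dischargingTime is in seconds.
const readings = [
  { device: "A", level: 0.43, dischargingTime: 8940 },
  { device: "B", level: 0.43, dischargingTime: 12060 },
  { device: "C", level: 0.44, dischargingTime: 8940 },
  { device: "D", level: 0.87, dischargingTime: 30120 },
  { device: "E", level: 0.12, dischargingTime: 2280 },
  { device: "F", level: 0.41, dischargingTime: 9300 },
];

// Key formed from the raw pair, as a tracking script could observe it.
const exactKey = (r) => `${r.level}|${r.dischargingTime}`;

// Hypothetical mitigation (an assumption, not any browser's actual fix):
// report level in 10% steps and remaining time in whole hours.
const coarseKey = (r) => {
  const percent = Math.round(r.level * 100); // integer, avoids float drift
  const levelStep = Math.floor(percent / 10) * 10;
  const hours = Math.floor(r.dischargingTime / 3600);
  return `${levelStep}|${hours}`;
};

// Group devices that share a key; each group is an anonymity set.
function anonymitySets(rs, keyFn) {
  const sets = new Map();
  for (const r of rs) {
    const k = keyFn(r);
    if (!sets.has(k)) sets.set(k, []);
    sets.get(k).push(r.device);
  }
  return sets;
}

// Devices alone in their set are the ones the key singles out.
function uniquelyIdentified(rs, keyFn) {
  let n = 0;
  for (const members of anonymitySets(rs, keyFn).values()) {
    if (members.length === 1) n += 1;
  }
  return n;
}

console.log("unique with exact readings:", uniquelyIdentified(readings, exactKey));
console.log("unique with coarse readings:", uniquelyIdentified(readings, coarseKey));
```

With the exact pair every device in the sample is distinguishable; after coarsening, devices A, C and F fall into one set and can no longer be told apart by battery data alone.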
One of those researchers – Lukasz Olejnik – has written this week about the potential for this information to be leveraged by companies: “Some companies may be analyzing the possibility of monetising the access to battery levels,” Olejnik wrote in a blog post. “When battery is running low, people might be prone to some – otherwise different – decisions. In such circumstances, users will agree to pay more for a service.”
Olejnik highlighted the research by Princeton’s Steven Englehardt and Arvind Narayanan, who found two tracking scripts that made use of the phone battery API. “These features are combined with other identifying features used to fingerprint a device,” write the researchers.
While Olejnik’s research from 2015 resulted in some fixes being made, and an acknowledgement of thanks from the international standards organisation for the World Wide Web for his group’s work, he nevertheless warns that there remains a potential for tracking scripts to be exploited.
“Unfortunately, it is no surprise that battery levels are being used to track individuals,” commented Dr Richard Tynan, technologist for Privacy International. “At face value, battery levels appear to be something that no one would or should ever spend time caring about. However we have seen companies gleefully exploit this seemingly mundane data that is generated as you use the battery in your device. For example, Uber exploited this battery level data to potentially charge app users more when their phones were low on battery, making the assumption that in their desperation, they would be willing to pay more for the ride.”
“It is vital that legal and technical protections are developed to take account of the power that seemingly trivial data can wield, and the notion of anonymous data must be reconsidered,” Tynan added. “The current consent and permissions regimes are not fit for purpose in the modern data exploitation age.”