Security researchers have identified ways that browser activity could be tracked by an HTML5 feature that analyses the battery life of a device without user permission, leading to a number of privacy concerns.
"The leaking battery: A privacy analysis of the HTML5 Battery Status API", published by four French and Belgian security researchers, outlines how user privacy is at risk because of information revealed by Battery Status APIs in Firefox, Opera and Chrome.
The API feature relays information to websites about the battery level of a visitor's device so that, if needed, the page can load in a reduced format to preserve battery life.
However, the research suggests that the information collected by browsers can be used to identify a user even if they are using a virtual private network (VPN) or private browsing mode.
"When consecutive visits are made within a short interval, the website can link users' new and old identities by exploiting battery level and charge/discharge times. The website can then reinstantiate users' cookies and other client side identifiers, a method known as respawning," reads the report.
The tracking would occur without the knowledge of the device user as the Battery Status API doesn't need user permission to function.
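To check what a given browser hands to any page without a prompt, the following added example (not code from the report or from V3) summarises the readings returned by `navigator.getBattery()`. The report format, the sample readings and the two-decimal precision threshold are assumptions made for this example.

```javascript
// Added example: audit what the Battery Status API exposes to a page.
// Field names are those of the W3C BatteryManager interface; the report
// shape and the precision threshold are assumptions of this example.

// Count the decimal places in a reading such as 0.93.
function decimals(x) {
  const s = String(x);
  const i = s.indexOf('.');
  return i === -1 ? 0 : s.length - i - 1;
}

// Summarise one BatteryManager-like object.
function summariseExposure(battery) {
  const fields = ['charging', 'level', 'chargingTime', 'dischargingTime'];
  const exposed = fields.filter((f) => battery[f] !== undefined && battery[f] !== null);
  // Infinity means "unknown"; a finite time is one more value that a site
  // could compare between two visits made a short interval apart.
  const finiteTimes = ['chargingTime', 'dischargingTime']
    .filter((f) => Number.isFinite(battery[f]));
  const levelDecimals = typeof battery.level === 'number' ? decimals(battery.level) : 0;
  return {
    exposed,
    finiteTimes,
    levelDecimals,
    // Assumed threshold: more than two decimals is finer than a percentage.
    highPrecisionLevel: levelDecimals > 2,
  };
}

// Query a navigator-like object; resolves to { available: false } when the
// API is absent or has been disabled.
async function auditBattery(nav) {
  if (!nav || typeof nav.getBattery !== 'function') {
    return { available: false };
  }
  const battery = await nav.getBattery();
  return { available: true, ...summariseExposure(battery) };
}

// Constructed sample readings, not measurements from a real device.
const SAMPLE_COARSE = { charging: false, level: 0.93, chargingTime: Infinity, dischargingTime: 13140 };
const SAMPLE_FINE = { charging: true, level: 0.930192962542565, chargingTime: 1800, dischargingTime: Infinity };

// In a browser console: auditBattery(navigator).then(console.log)
```

A result of `available: false` means pages receive no battery readings from that browser.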
The feature was introduced in 2012 by the World Wide Web Consortium (W3C), the group that develops web standards, which said that user permissions were not required as so little information would be collected.
"The API defined in this specification is used to determine the battery status of the hosting device," explained the W3C, which also said that the information collected has a minimal impact on privacy.
However, the study claimed that the Battery Status API in Firefox allows the discovery not only of battery capacity but also of other "short term identifiers", even via business networks.
"In short time intervals, Battery Status API can be used to reinstantiate tracking identifiers of users, similar to evercookies. Moreover, battery information can be used in cases where a user can go to great lengths to clear the evercookies.
"In a corporate setting, where devices share similar characteristics and IP addresses, the battery information can be used to distinguish devices behind a network address translation."
The study goes on to warn that monitoring this type of information exposes a "fingerprintable surface" that could be used to track devices around the web.
"Our analysis shows that the risk is much higher for old or used batteries with reduced capacities, as the battery capacity may potentially serve as a tracking identifier," the report added.
The researchers also noted that many people have been aware of the risks of the Battery Status API, but nothing was done about it. They hope this will change with the publication of the research.
"Although the potential privacy problems of the Battery Status API were discussed by Mozilla and Tor browser developers as early as in 2012, neither the API nor the Firefox implementation has undergone a major revision," they wrote.
"We hope to draw attention to this privacy issue by demonstrating the ways to abuse the API for fingerprinting and tracking."
Bharat Mistry, cyber security consultant at Trend Micro, confirmed that the exploit is possible but played down reports that it is a cause for concern.
"Yes I suppose you could track mobiles. However, potentially significant server side resources (CPU cycles, memory and storage) could be required to keep track of devices as frequent 'heart beat' would be required to track the device," he told V3.
"Now if the server was to impose a cookie based on battery/power profile that would be different as multiple visits of the device to a site would be easily tracked.
"However, in order to do this a user would be prompted to accept a cookie of some form, which would alert a user that the device is being tracked."