Security researchers have identified ways that browser activity could be tracked by an HTML5 feature that analyses the battery life of a device without user permission, leading to a number of privacy concerns.
'The leaking battery: A privacy analysis of the HTML5 Battery Status API', published by four French and Belgian security researchers, outlines how user privacy is at risk because of information revealed by Battery Status APIs in Firefox, Opera and Chrome.
The API feature relays information to websites about the battery level of a visitor's device so that, if needed, the page can load in a reduced format to preserve battery life.
However, the research suggests that the information collected by browsers can be used to identify a user even if they are using a virtual private network (VPN) or private browsing mode.
"When consecutive visits are made within a short interval, the website can link users' new and old identities by exploiting battery level and charge/discharge times. The website can then reinstantiate users' cookies and other client side identifiers, a method known as respawning," reads the report.
The tracking would occur without the knowledge of the device user as the Battery Status API doesn't need user permission to function.
The feature was introduced in 2012 by the World Wide Web Consortium (W3C), the group that develops web standards, which said that user permissions were not required as so little information would be collected.
"The API defined in this specification is used to determine the battery status of the hosting device," explained the W3C, which also said that the information collected has a minimal impact on privacy.
However, the study claimed that the Battery Status API in Firefox allows the discovery not only of battery capacity but also of other "short term identifiers", even via business networks.
"In short time intervals, Battery Status API can be used to reinstantiate tracking identifiers of users, similar to evercookies. Moreover, battery information can be used in cases where a user can go to great lengths to clear the evercookies.
"In a corporate setting, where devices share similar characteristics and IP addresses, the battery information can be used to distinguish devices behind a network address translation."
The study goes on to warn that monitoring this type of information exposes a "fingerprintable surface" that could be used to track devices around the web.
"Our analysis shows that the risk is much higher for old or used batteries with reduced capacities, as the battery capacity may potentially serve as a tracking identifier," the report added.
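To make the "fingerprintable surface" concrete, the following added example (not code from the study or from any browser) counts how many devices in a constructed set of readings can be told apart by their battery state alone. The field names follow the BatteryManager interface; the sample readings and the `coarsen` mitigation are assumptions made for illustration.

```javascript
// Constructed readings for five devices sharing one NAT address.
// Field names follow the BatteryManager interface; values are made up.
const SAMPLE_READINGS = [
  { level: 0.93, charging: false, chargingTime: Infinity, dischargingTime: 13140 },
  { level: 0.91, charging: false, chargingTime: Infinity, dischargingTime: 12870 },
  { level: 0.47, charging: true,  chargingTime: 4380,     dischargingTime: Infinity },
  { level: 0.52, charging: true,  chargingTime: 4020,     dischargingTime: Infinity },
  { level: 0.12, charging: false, chargingTime: Infinity, dischargingTime: 1560 },
];

// Everything a page script can read from one battery reading, as one key.
function readingKey(r) {
  return [r.level, r.charging, r.chargingTime, r.dischargingTime].join("|");
}

// Group readings by key; each group is an anonymity set.
function anonymitySets(readings) {
  const sets = new Map();
  for (const r of readings) {
    const key = readingKey(r);
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Number of different battery states visible in the set.
function distinctStates(readings) {
  return anonymitySets(readings).size;
}

// Number of devices whose reading is shared with nobody else.
function uniquelyIdentifiable(readings) {
  return [...anonymitySets(readings).values()].filter((n) => n === 1).length;
}

// Hypothetical mitigation (an assumption, not a browser's behaviour):
// report the level in coarse steps and withhold both time estimates.
function coarsen(r, levelStep = 0.25) {
  return {
    level: Math.round(r.level / levelStep) * levelStep,
    charging: r.charging,
    chargingTime: Infinity,    // "unable to report" per the API's own convention
    dischargingTime: Infinity,
  };
}

const coarse = SAMPLE_READINGS.map((r) => coarsen(r));
console.log("raw:    ", uniquelyIdentifiable(SAMPLE_READINGS), "of 5 devices unique");
console.log("coarse: ", uniquelyIdentifiable(coarse), "of 5 devices unique");
```

Coarse values shrink the surface but do not remove it: a device at an unusual charge level still stands alone in its bucket.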
The researchers also noted that many people have been aware of the risks of the Battery Status API, but nothing was done about it. They hope this will change with the publication of the research.
"Although the potential privacy problems of the Battery Status API were discussed by Mozilla and Tor browser developers as early as in 2012, neither the API nor the Firefox implementation has undergone a major revision," they wrote.
"We hope to draw attention to this privacy issue by demonstrating the ways to abuse the API for fingerprinting and tracking."
Bharat Mistry, cyber security consultant at Trend Micro, confirmed that the exploit is possible but played down reports that it is a cause for concern.
"Yes I suppose you could track mobiles. However, potentially significant server side resources (CPU cycles, memory and storage) could be required to keep track of devices as frequent 'heart beat' would be required to track the device," he told V3.
"Now if the server was to impose a cookie based on battery/power profile that would be different as multiple visits of the device to a site would be easily tracked.
"However, in order to do this a user would be prompted to accept a cookie of some form, which would alert a user that the device is being tracked."