
Here’s How Your Battery Status Is Being Used To Track You Online


By: UMER S - AUGUST, 4TH 2016

Source: http://wonderfulengineering.com/heres-how-your-battery-status-is-being-used-to-track-you-online/

 


 

I found this a bit interesting, may want to put on your tin foil for this one. I never used battery apps in the past besides the built-in one.

Quote

The battery status API was installed in HTML5, and had been in use in Firefox, Opera and Chrome since August 2015. This allows site owners and editors to be able to track the percentage of battery life left in a device, also the time of discharge or recharging.

Quote

originally intended to allow site owners to serve low-power versions of websites and apps to users with little battery capacity left. But soon after its introduction, privacy researchers made it clear that it could potentially be used to spy on the website visitors and users.

Quote

Two security researchers from Princeton University, Steve Englehardt and Arvind Narayanan have proved that by running a specially modified browser, two tracking scripts that used the API to “fingerprint” a specific device were discovered that were using the scripts to continuously identify certain devices across multiple contexts.

 

Well since I use the Windows Mobile Phone there are a few battery apps available but I believe this is a bit more of a worry with Apple and Android phones of course.

Honestly not sure if I should worry about this myself, but maybe there is something to this.

 

Thoughts?

 

*edit

 @colonel_mortis points out a correction;

Quote

This isn't to do with battery apps, it's to do with websites that can access your battery levels.

It is websites accessing your battery levels via the phone's own battery status. :|

Edited by SansVarnic

COMMUNITY STANDARDS   |   TECH NEWS POSTING GUIDELINES   |   FORUM STAFF

LTT Folding Users Tips, Tricks and FAQ   |   F@H & BOINC Badge Request   |   F@H Contribution    My Rig   |   Project Steamroller

I am a Moderator, but I am fallible. Discuss or debate with me as you will but please do not argue with me as that will get us nowhere.

 

Spoiler

  

 

Character is like a Tree and Reputation like its Shadow. The Shadow is what we think of it; The Tree is the Real thing.  ~ Abraham Lincoln

Reputation is a Lifetime to create but seconds to destroy.

You have enemies? Good. That means you've stood up for something, sometime in your life.  ~ Winston Churchill

Docendo discimus - "to teach is to learn"

 

 CHRISTIAN MEMBER 

 

 
 
 
 
 
 

 


wait so i am being tracked and need a third party app to solve it. Ok but then how do i disable my stock battery thing

Build

Spoiler

Ryzen 5 1600, Cooler Master Hyper 212 Evo, Gigabyte X470 Gaming 7. TeamGroup Viper 4133mhz 16gb, XFX RX 480 8 GB (1000mhz cause dying), Samsung 850 EVO 250 GB M.2 SSD, An old 1tb 5400 rpm 2.5" HDD, TeamGroup 480gb & Kingston 480gb ssds (May RAID 0), 1TB Western Ditigal HDD, EVGA 750W G2 PSU, Phanteks P400s

----------X-----------X------------


2 minutes ago, DeezNoNos said:

wait so i am being tracked and need a third party app to solve it. Ok but then how do i disable my stock battery thing

No I think it is battery apps that this applies to not the firmware battery indicator.


Looking at the article, it looks like it just allows two websites that you visit immediately after one another to potentially correlate those visits by seeing whether your battery level has changed between the two visits. It's not ideal, but it's not a massive privacy risk.

IMO, it would be better if, rather than providing the site with the exact percentage and time remaining, it should just round it to the nearest 5 or 10%, and only give times in minutes/5 minutes/etc, so there are considerably fewer combinations, and therefore far less confidence in any conclusions that could be drawn.

14 minutes ago, SansVarnic said:

Well since I use the Windows Mobile Phone there are a few battery apps available but I believe this is a bit more of a worry with Apple and Android phones of course.

This isn't to do with battery apps, it's to do with websites that can access your battery levels.

HTTP/2 203


3 minutes ago, SansVarnic said:

No I think it is battery apps that this applies to not the firmware battery indicator.

ooh


4 minutes ago, colonel_mortis said:

Looking at the article, it looks like it just allows two websites that you visit immediately after one another to potentially correlate those visits by seeing whether your battery level has changed between the two visits. It's not ideal, but it's not a massive privacy risk.

IMO, it would be better if, rather than providing the site with the exact percentage and time remaining, it should just round it to the nearest 5 or 10%, and only give times in minutes/5 minutes/etc, so there are considerably fewer combinations, and therefore far less confidence in any conclusions that could be drawn.

This isn't to do with battery apps, it's to do with websites that can access your battery levels.

OhhhHHH Ok, was reading the article wrong... Thanks. :) 

@DeezNoNos I was wrong. @colonel_mortis pointed it out correctly. 

 

Edited by SansVarnic


I had no idea this was a possible avenue for data collection! :o 

what won't they do...

Bleigh!  Ever hear of AC series? 


I like this approach of "Give everybody all your information all the time without questioning anything. I'm sure somebody will do something with it that benefits you!" Previously it was all about providing relevant advertisement, which never happened. And now they're going to serve low-power versions of websites if... No wait, that would require extra work for no profit. They're going to use it to track you instead.

 

Did I say "like"? I meant the other one.


And now I'm even more paranoid.

Project White Lightning (My ITX Gaming PC): Core i5-4690K | CRYORIG H5 Ultimate | ASUS Maximus VII Impact | HyperX Savage 2x8GB DDR3 | Samsung 850 EVO 250GB | WD Black 1TB | Sapphire RX 480 8GB NITRO+ OC | Phanteks Enthoo EVOLV ITX | Corsair AX760 | LG 29UM67 | CM Storm Quickfire Ultimate | Logitech G502 Proteus Spectrum | HyperX Cloud II | Logitech Z333

Benchmark Results: 3DMark Firestrike: 10,528 | SteamVR VR Ready (avg. quality 7.1) | VRMark 7,004 (VR Ready)

 

Other systems I've built:

Core i3-6100 | CM Hyper 212 EVO | MSI H110M ECO | Corsair Vengeance LPX 1x8GB DDR4  | ADATA SP550 120GB | Seagate 500GB | EVGA ACX 2.0 GTX 1050 Ti | Fractal Design Core 1500 | Corsair CX450M

Core i5-4590 | Intel Stock Cooler | Gigabyte GA-H97N-WIFI | HyperX Savage 2x4GB DDR3 | Seagate 500GB | Intel Integrated HD Graphics | Fractal Design Arc Mini R2 | be quiet! Pure Power L8 350W

 

I am not a professional. I am not an expert. I am just a smartass. Don't try and blame me if you break something when acting upon my advice.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

...why are you still reading this?


Seems like it's just another variable for browser fingerprinting.

It's bad that it's another tool that can be used to track users, but in the big picture it does not change the current situation where we are already tracked by fingerprinting.


Would manually setting permissions help? My phone actually has a nag notification in its draw that shows which app can do what, and lets me deny them permissions even after install. My tablet just has to deal with Super User and me choosing apps carefully (ZTE 4G fit smart and Transformer Prime TF201 on a custom ROM).

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL


11 minutes ago, Dan Castellaneta said:

I'm surprised AluminumTech isn't screaming the praises of Windows 10 Mobile.

 

Does this really surprise anyone though.

What's funny is that IE and Edge are not affected by this because Microsoft are so sloppy with following web standards. For once their incompetence pays off.

 

 

Anyway, this shouldn't be a big deal. I haven't looked into how Chrome and Firefox have implemented this, but the standard suggests that the client should not expose high precision battery status info precisely because it can be used for fingerprinting. The recommendation also says that the browser should inform users about the website asking for permission to get battery information (similar to how a website can ask for permission to view your location).

 

If Firefox and Chrome implemented it as the standard suggests then it will be fine.


Why do they care though?

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


31 minutes ago, Sauron said:

Why do they care though?

Because they want to know your browsing history.


1 minute ago, LAwLz said:

Because they want to know your browsing history.

How do they extract that from my battery levels?


Just now, Sauron said:

How do they extract that from my battery levels?

They don't extract your entire browsing history. What they do is place a piece of code on multiple websites and then use that to see which sites you visit.

 

Let's take Facebook as an example. I am sure you have seen this button before:

[Image: Facebook share button]

 

Every time you see that Facebook share button (same goes for Twitter, LinkedIn, etc), it's because your browser makes a request to Facebook. The website tells your browser "hey, ask Facebook for how many people have shared this page, and also tell Facebook which site sent you". When your browser makes that request it also sends a bunch of other info such as which browser you are using, which version, which OS you are using and so on. This is important information for displaying the webpage properly. But Facebook can (and probably does) collect all this data to create a unique fingerprint.

 

To make things simple, let's say that I am the only person in Sweden using a particular version of Firefox. Facebook will see this and go "oh, this person from Sweden is using this special version of Firefox. Every time we see a request from this browser in Sweden we will know that it is the same person". This particular fingerprint is unique.

 

So let's say LinusTechTips had a Facebook share button, Facebook would know that I visited LinusTechTips because they would see my browser fingerprint making a request when I load LinusTechTips. After browsing LinusTechTips I might visit YouTube, and once again that Facebook button might be there. Now Facebook knows that I visited YouTube.

Then I go to The Huffington Post and once again, Facebook sees that unique fingerprint making a request from The Huffington Post.

 

 

This battery indicator is another variable they can use to make the fingerprint more unique. So instead of identifying me as "this person in Sweden using Firefox version 47.0a2" they can say "this person in Sweden using Firefox version 47.0a2, and has 83% battery".

More variables = more likely that your fingerprint is unique.

 

I posted a link to a site (created by the EFF) which measures how unique your browser fingerprint is.

 

 

In the Facebook example it is even worse because if you are logged into Facebook they will be able to link it to your profile (which is why you might see "XXXX people shared this. Be the first of your friends").

 

Also, the piece of code used for tracking might not be something as obvious as a Facebook share button. It can be an ad service (like Google Adsense), or an API used by multiple websites.

Basically, the more sites a particular service runs on (like the Facebook share button being everywhere, even on some porn sites), the more sites that service knows you visit.

 

 

A very long-winded explanation but hopefully it made things more clear.
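Added example, not part of any post in this thread: a small JavaScript model of the two points made above, that an exact battery reading makes a fingerprint more unique, and that rounding it (as suggested earlier, to 10% and 5-minute steps) puts visitors back into shared groups. The visitor records, the "Chrome 52" label and the helper names are constructed for illustration; `level` and `dischargingTime` mirror the fields the Battery Status API exposes.

```javascript
// Constructed sample: what one third-party script embedded on many sites might
// record per visitor. level mirrors BatteryManager.level (0..1) and
// dischargingTime is in seconds; none of these values come from the thread.
const visitors = [
  { country: "SE", browser: "Firefox 47", level: 0.83, dischargingTime: 8040 },
  { country: "SE", browser: "Firefox 47", level: 0.81, dischargingTime: 8100 },
  { country: "SE", browser: "Firefox 47", level: 0.78, dischargingTime: 8160 },
  { country: "SE", browser: "Firefox 47", level: 0.52, dischargingTime: 4800 },
  { country: "SE", browser: "Chrome 52", level: 0.42, dischargingTime: 3600 },
  { country: "SE", browser: "Chrome 52", level: 0.38, dischargingTime: 3660 },
  { country: "SE", browser: "Chrome 52", level: 0.97, dischargingTime: 14400 },
  { country: "SE", browser: "Chrome 52", level: 0.12, dischargingTime: 900 },
];

// Coarsen a reading: level to the nearest stepPct percent, remaining time to
// the nearest stepMin minutes. Infinity (device on charge) stays Infinity.
function coarsen(v, stepPct, stepMin) {
  return {
    level: Math.round((v.level * 100) / stepPct) * stepPct,
    minutes: Math.round(v.dischargingTime / 60 / stepMin) * stepMin,
  };
}

// Count visitors whose fingerprint key is shared with nobody else.
function uniqueCount(list, keyFn) {
  const sizes = new Map();
  for (const v of list) {
    const key = keyFn(v);
    sizes.set(key, (sizes.get(key) || 0) + 1);
  }
  return [...sizes.values()].filter((n) => n === 1).length;
}

// Three fingerprints: no battery data, exact readings, rounded readings.
const baseKey = (v) => `${v.country}|${v.browser}`;
const exactKey = (v) => `${baseKey(v)}|${v.level}|${v.dischargingTime}`;
const coarseKey = (v) => {
  const c = coarsen(v, 10, 5);
  return `${baseKey(v)}|${c.level}|${c.minutes}`;
};

console.log("unique, no battery data:   ", uniqueCount(visitors, baseKey));
console.log("unique, exact battery data:", uniqueCount(visitors, exactKey));
console.log("unique, rounded 10% / 5min:", uniqueCount(visitors, coarseKey));
```

In this constructed set nobody is unique on country and browser alone, everybody is unique once exact battery readings are added, and rounding leaves only the visitors whose battery state is far from everyone else's.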


Good thing my phone's battery does not last for long, only read they get from me is "ohhh... he turned it off again." :)

We do what we can, because we must.
