
Your Battery Status Is Being Used To Track You Online (theguardian.com)

A paper published last year revealed that the battery on a laptop or phone can be used to track one's online activities. The vulnerability resides in a built-in HTML5 specification, the Battery Status API, which can be tricked into identifying people and tracking their online activities. One year later, we are now learning that the vulnerability is being exploited in the wild. The Guardian reports: [...] Two security researchers from Princeton University have shown that the battery status indicator really is being used in the wild to track users. By running a specially modified browser, Steve Englehardt and Arvind Narayanan found two tracking scripts that used the API to "fingerprint" a specific device, allowing them to continuously identify it across multiple contexts. The research was highlighted by Lukasz Olejnik, one of the four researchers who first called attention to the potential issues with the battery status API in 2015. Although Olejnik achieved some success following his warning, with the body in charge of the web's standards thanking his group for the privacy analysis, the API still has the potential for misuse. And while it is only tracking scripts using it now, Olejnik warns that unscrupulous actors could do more. "Some companies may be analysing the possibility of monetising the access to battery levels," he writes. "When battery is running low, people might be prone to some -- otherwise different -- decisions. In such circumstances, users will agree to pay more for a service."
  • Old news (Score:5, Insightful)

    by LichtSpektren ( 4201985 ) on Wednesday August 03, 2016 @11:12AM (#52636437)
    In Firefox, you should go to about:config and toggle dom.battery.enabled to false. I've read this exact advice on many privacy-related websites for over a year, so this really isn't news.
    • Re:Old news (Score:4, Insightful)

      by arth1 ( 260657 ) on Wednesday August 03, 2016 @11:38AM (#52636643) Homepage Journal

      In Palemoon, the default is (of course) disabled.

    • Is there a Chrome (Vivaldi also) or FF build with this crap disabled by default? Honestly just sick and tired of seeing how much information my browser gives out by default.
      • It doesn't seem like you can disable it in Chrome, don't know about Opera or Vivaldi though. There's a Chromium fork called Iridium [iridiumbrowser.de] in the works that's hardened for privacy and security features, but I don't know enough about the company behind it to recommend it.

        For Firefox, there's a great extension called Privacy Settings [mozilla.org] that will automatically optimize your settings for security and privacy (N.B. I would select "Full Privacy" but turn on dom.storage.enabled so websites like GOG's and Protonmail's w
        • by I4ko ( 695382 )
          Well, uBlock origin can stop it. And to the ghost lurking around here - no, this is one of the things hosts have no chance to stop ever. I've been contemplating for a while to privoxy my traffic and return random values for battery, canvas, fonts and other fingerprints just for kicks.
        • I took a brief glance at that extension's source. From https://addons.mozilla.org/en-... [mozilla.org]:

          exports.main = function (options) {
            if (options.loadReason === 'install' || options.loadReason === 'startup') {
              var version = sp.prefs.version;
              if (self.version !== version) {
                if (sp.prefs.welcome) {

      • Step One: stop using a browser made by an advertising company.

    • by arth1 ( 260657 )

      In Firefox, you should go to about:config and toggle dom.battery.enabled to false.

      There's also "dom.vibrator.enabled". I'm not sure whether it was created for cell phones or haptic sex, but still, it doesn't seem like something remote sites should be able to read or set without explicit permissions.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      And by disabling it you are in the minority, and that information can be used in your browser fingerprint. How about a random value?

      • It's true or false.
        By setting it to false, they presumably can't get access to your battery level.
        There is absolutely zero reason a browser should ever send that info out without the user explicitly telling it to, but here we are.

  • Why on Earth? (Score:5, Insightful)

    by xororand ( 860319 ) on Wednesday August 03, 2016 @11:26AM (#52636543)

    Why on Earth are browsers revealing my battery status to random websites?
    Does Google dictate these changes in exchange for funding?

    • Re:Why on Earth? (Score:5, Informative)

      by Lennie ( 16154 ) on Wednesday August 03, 2016 @11:41AM (#52636675)

      This is what the specification has in the introduction:

      "The Battery Status API can be used to defer or scale back work when the device is not charging in or is low on battery. An archetype of an advanced web application, a web-based email client, may check the server for new email every few seconds if the device is charging, but do so less frequently if the device is not charging or is low on battery. Another example is a web-based word processor which could monitor the battery level and save changes before the battery runs out to prevent data loss. "

      https://www.w3.org/TR/2016/CR-... [w3.org]

      • Re:Why on Earth? (Score:5, Informative)

        by jeffb (2.718) ( 1189693 ) on Wednesday August 03, 2016 @11:53AM (#52636793)

        If you're building a "web-based word processor" that can lose work because a client goes away, You're Doing It Wrong, so much so that responding to a low-battery signal is pointless. What if a router goes down? What if the user moves out of range of an access point, or cellular data?

        If Web developers (or the companies issuing their marching orders) wanted to respect my battery, they could start by ditching all the gratuitous animated ads, transitions, and whatnot. For bonus points, they could do it before my battery gets low, so that my battery doesn't get low in the first place.

        My five-year-old laptop still gets up to six or seven hours off a charge -- as long as I'm not visiting typical Web sites. If I start browsing, especially without blocking Flash or ads, I'm lucky to get an hour and a half.

      • This sort of thing is one of the main reasons why I consider HTML 5 to be a terrible specification. It allows far too much data leakage to websites. Combine that with the underlying attitude behind HTML 5 that users shouldn't have control over their machines, and it is a bridge too far.

        • by Lennie ( 16154 )

          I'm sorry, but HTML5 no control over their machines ? What are you talking about ?

          OS and device manufacturers like Apple, Microsoft and Google are very busy trying to take control of your machines and your data; this seems like a much worse situation.

    • Re:Why on Earth? (Score:5, Insightful)

      by EvilSS ( 557649 ) on Wednesday August 03, 2016 @11:42AM (#52636681)

      Why on Earth are browsers revealing my battery status to random websites? Does Google dictate these changes in exchange for funding?

      It was added to the HTML5 spec to allow sites to supply "low power" versions of their site to devices when their battery is low. Or so they say.

      • But the ad companies will ignore it, rendering it mostly useless.

        • by ShaunC ( 203807 )

          The ad companies will be the first ones using it, just not for the intended purpose. They won't tone down the ads if your battery is low but they'll definitely build a cross-site fingerprint of you. From the study,

          The second script, http://js.ad-score.com/score.m... [ad-score.com], queries all properties of the BatteryManager interface, retrieving the current charging status, the charge level, and the time remaining to discharge or recharge. As with the previous script, these features are combined with other identifying features used to fingerprint a device.

          • by EvilSS ( 557649 )
            I kind of question if this wasn't the intended purpose all along. The reason is that it's not necessary for a site to see the exact battery level and recharge time to know if it should present a low power site or not. Knowing battery life in bands of x% (0-10%, 11-20%, etc), or even just a preset level (in the HTML5 spec) that would trigger a battery low flag and maybe another that would show on AC power (so the site would know it could possibly ignore the low battery) would be enough. I can't believe the pe
    • by dj245 ( 732906 )

      Why on Earth are browsers revealing my battery status to random websites? Does Google dictate these changes in exchange for funding?

      I think it might be a case of "we could do it, so we did". The battery HTML API can indicate whether a device is plugged in and charging, or not. In theory, you could write code that was more computationally-intensive if the device was plugged in, or very lean if the device was on battery. That seems like a legitimate use to me. It may not have occurred to anyone that this would be used for nefarious purposes.

      • I wonder why they didn't just program browsers to prompt the user to allow the server to see their battery status similarly to how they did it with location services. I deny location services to web sites all the time that have no need to know my location.

        If I log onto a web site that uses geolocation to help me find something, of course I will share my location. If I log onto a web site to read news and it wants to know my location, I deny that every time. Why shouldn't it be the same with the battery

      • That seems like a legitimate use to me.

        Not to me. We already have far too much horribleness resulting from web sites deciding to alter their functionality according to web browser and machine characteristics as it is.

    • Re:Why on Earth? (Score:5, Interesting)

      by jellomizer ( 103300 ) on Wednesday August 03, 2016 @11:47AM (#52636743)

      I am guessing the purpose was for a few things.
      1. Remote Desktop Help to help identify problems with your system.
      2. Websites that may have rules to Save/Commit your session before your battery dies.
      3. Websites to lower the amount of JS processing based on your battery usage

      • 2. Websites that may have rules to Save/Commit your session before your battery dies.

        Websites should have rules like that anyway, if required. An internet connection, particularly a mobile one, should probably be considered less reliable than a device's battery.

        • However, the variables will stay in the memory of the browser and device even if the network connection is off, and it can send them over when it returns. However, typically if the battery dies, then your local memory will go too.

    • Does Google dictate these changes in exchange for funding?

      No, no, no. Nothing so crass. Google is a member of the W3C. Therefore it has the right to propose and vote for standards. Okay, Google is a Gold sponsor, so they have a bit more weight. Okay, the Gold sponsor.

      But they can only propose regulations. There are 421 voting members of the W3C. You too can join. That is, for a sum of between $3k (if a

      See, Google doesn't dictate changes for funding. All above board.

      • Oops, stupidly left an unescaped <. That second line should read "... for a sum between $3k (if < 10 employees) up to over $75k, you too can purchase a vote"

  • Edna Krabappel: Now, whose calculator can tell what seven times eight is?

    Milhouse Van Houten: Oh! Oh! Low Battery?

    Edna Krabappel: [sighs] Whatever.

    • 56. You should have that memorized. If you don't, the square of 8 is 64, and subtracting 8 gets you 56--because (8,2) gives 5[4+2] = 56, one straight look-up operation with a decrementing carry built-in so you don't have to count on your fingers.

      Of course, having both the rote-memorized multiplication table (36 entries, including 8 perfect squares) and the two addition tables memorized (7 entries, including one reflexive (5,5) entry) means you can rapidly-multiply large numbers with arbitrary decimal p

      • You're trying too hard to look clever.

        No one with a brain would multiply 36.5 * 192 the way you did. Someone with a brain would use 36.5*200 and then subtract 8*36.5 (or 4*73 since they've already doubled 36.5 and have that result in their head).

        And no floating point processor would handle it as you did either.

        • My brain isn't a floating-point processor and has different hardware.

          As for how anyone with a brain would do it... the method I displayed is exactly the method used by mental mathematics world champions, was the method used by high-rated accountants in Japan for thousands of years, and is the method taught in schools in several Asian countries (Japan and some parts of Korea).

          Your method requires pre-analysis to form a strategy, then a subtraction (1), three accumulating multiplications (3), and then thr

      • by I4ko ( 695382 )
        Hmm, really, is that the easiest method? The way I was taught at school is basically the same in reverse order of magnitude. Far fewer additions.

        36.5 x 192 = 7008.0

             73*0*
          328*5*|0
            365|00
          ---------
             70080, rewind the decimal point by one place.

        The star indicates carryover to the left, and the pipe indicates zeros added for alignment.
        • I don't know why left-to-right is the standard for mental mathematics, to be honest. The more vs less argument is significant, but less-so than the procedural argument; it just happens to be easier to digest (most people aren't well-convinced that doing something millions of times means doing that thing 5 times is easier than doing some other thing once--even when they answer a text message while exiting their car and IMMEDIATELY LOCK THEIR KEYS INSIDE).

          If you like paper methods, you could look into lat

  • Uber is doing it (Score:5, Insightful)

    by scorp1us ( 235526 ) on Wednesday August 03, 2016 @11:39AM (#52636645) Journal

    Uber is doing it [zdnet.com]

    But as for tracking, why not just report battery level by 10% increment, or some other increment where you can hide in a gaussian distribution? Really they only need to know Full, low, and not full or low.

    • by Anonymous Coward

      Uber is doing it [zdnet.com]

      Uber's head of economic research, Keith Chen, told NPR's Shankar Vedantam during an episode of The Hidden Brain podcast that users of the service are willing to accept surge pricing increases of as much as 9.9 times if their smartphone's battery is close to flat.

      The logic is that if your battery is almost dead, then you feel at risk of being stranded, and that means that rides are much more valuable to you than they would be if your battery had sufficient charge.

      Oh, but don't worry, Chen promises that the company doesn't use this information to set fares.

      Wow, Uber is such a classy business.

    • Why even in 10% increments. You just need to know, at most, three levels: Normal, Low, Shutdown Imminent.

    • by Anonymous Coward

      They don't need to know anything. I assume complete privacy unless I choose what things to reveal.

    • by Anonymous Coward

      How about a binary flag, with a user configurable threshold? Not like anybody's going to use that as intended either, but at least that only leaks one bit of information.
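The coarsening proposed in this thread (a charging flag plus a few bands, with no exact level or time estimate exposed), as an added example that is not code from the article, the study or any browser; the thresholds and the six sample readings are constructed assumptions.

```javascript
// Added example: a shim that coarsens BatteryManager readings into the bands
// proposed in the thread (normal / low / critical) and drops the time estimates,
// plus an anonymity-set check showing why the raw values identify a device.
const LOW_THRESHOLD = 0.20;      // assumed "low battery" boundary
const CRITICAL_THRESHOLD = 0.05; // assumed "shutdown imminent" boundary

// Reduce a BatteryManager-like object to the minimum a site could act on.
function coarsenBattery(raw) {
  const level = Math.min(1, Math.max(0, Number(raw.level) || 0));
  const band = level <= CRITICAL_THRESHOLD ? 'critical'
             : level <= LOW_THRESHOLD ? 'low' : 'normal';
  return {
    charging: Boolean(raw.charging),
    band,
    level: band === 'normal' ? 1 : band === 'low' ? LOW_THRESHOLD : CRITICAL_THRESHOLD,
    chargingTime: raw.charging ? 0 : Infinity, // spec constants only, never a live estimate
    dischargingTime: Infinity,
  };
}

// Wrap getBattery() on navigator (or any object with that method); false if nothing to wrap.
function installBatteryShim(target) {
  const original = target && target.getBattery;
  if (typeof original !== 'function') return false;
  target.getBattery = () => original.call(target).then(coarsenBattery);
  return true;
}

// What a tracker would hash: every property of the BatteryManager interface.
function fingerprintKey(status) {
  return [status.charging, status.level, status.chargingTime, status.dischargingTime].join('|');
}

// Group devices by fingerprint after applying `transform`; returns bucket sizes.
function anonymitySets(devices, transform) {
  const buckets = new Map();
  for (const device of devices) {
    const key = fingerprintKey(transform(device));
    buckets.set(key, (buckets.get(key) || 0) + 1);
  }
  return buckets;
}
const distinctFingerprints = (devices, t) => anonymitySets(devices, t).size;
const smallestAnonymitySet = (devices, t) => Math.min(...anonymitySets(devices, t).values());

// Constructed readings for six devices at one instant (not measured data).
const SAMPLE_DEVICES = [
  { charging: false, level: 0.43, chargingTime: Infinity, dischargingTime: 9317 },
  { charging: false, level: 0.87, chargingTime: Infinity, dischargingTime: 21044 },
  { charging: false, level: 0.12, chargingTime: Infinity, dischargingTime: 1880 },
  { charging: true,  level: 0.12, chargingTime: 2400,     dischargingTime: Infinity },
  { charging: false, level: 0.18, chargingTime: Infinity, dischargingTime: 3002 },
  { charging: true,  level: 0.15, chargingTime: 2100,     dischargingTime: Infinity },
];

const rawStatus = (s) => s;
console.log('raw:', distinctFingerprints(SAMPLE_DEVICES, rawStatus), 'distinct, smallest set', smallestAnonymitySet(SAMPLE_DEVICES, rawStatus));
console.log('coarse:', distinctFingerprints(SAMPLE_DEVICES, coarsenBattery), 'distinct, smallest set', smallestAnonymitySet(SAMPLE_DEVICES, coarsenBattery));
if (typeof navigator !== 'undefined') installBatteryShim(navigator); // no-op outside a browser
```

With the raw values every one of the six devices is unique; after coarsening they collapse into three buckets of two, which is the whole point of reporting bands instead of percentages and seconds.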

    • Really they only need to know Full, low, and not full or low.

      They don't even need to know that.

  • by grumpy-cowboy ( 4342983 ) on Wednesday August 03, 2016 @11:42AM (#52636693)

    WHY ON EARTH does a browser need to expose the status of my laptop battery!! Why?!?! Can we have a browser that JUST displays text, images and basics please! Can we go back to HTML 3.2 and flush everything made after this!

  • To call profit-maximizing strategies "unscrupulous", we'd have to claim everyone who makes above bare subsistence income is an unscrupulous actor. Women complaining they don't get paid as much as men would be unscrupulous, trying to get more pay without doing more work.

    You need a bit more of an ethical quandary than that before you can start claiming bad ethics.

    • Abusing people who are in a desperate position is despicable. Good enough?

      • by JustNiz ( 692889 )

        Abusing people at all is despicable.

        • I fail to see the problem with some contemporary pests. They are technically people, but ... well, abusing them isn't really a disservice to humanity.

      • Every position is desperate. People with low battery are often plenty comfortable with their near-term access to a charging port; and, at the same time, cognizant of the low battery state. That applies stress, in the same way that being hungry applies stress (omg you might starve! ... there's a 0% chance of that happening). That changes the way the brain makes decisions; it's not that you might go tapping on e-purchases in a desperate attempt to outrun impending battery failure, but rather that you've g

  • This sort of manipulative and underhanded approach is also known as "aggressive marketing." It's been essentially the only means advertisers use to sell since the 70s, when we stopped marketing products and switched to marketing brands and lifestyles.

    I'm guessing in another 20 years most advertising is just going to be a thin man with a dark cape standing next to me attempting to exploit random fears until I buy some deodorant.
  • by wonkey_monkey ( 2592601 ) on Wednesday August 03, 2016 @12:10PM (#52636947) Homepage

    Your Battery Status Is Being Used To Track You Online

    Oh, do fuck off with the tiresome clickbait headlines. My battery status isn't being used to track me online, but even if it was, you could write the headline without having to personally address it to me.

  • If it was easy for someone to plant a modified binary on your phone they could also do just about anything they wanted.

  • "In such circumstances, users will agree to pay more for a service." -- cough *Uber*
  • I'm always plugged in when I go online

  • Is there anything that can't be used to suck up your personal information, location, spending habits, etc etc?

    "Some companies may be analysing the possibility of monetising the access to battery levels"

    Holy shit, kill me now. But first let me throw a few marketers into the wood chipper.

    "When battery is running low, people might be prone to some -- otherwise different -- decisions. In such circumstances, users will agree to pay more for a service."

    Okay, now I really mean it, just kill me. And make sure to pl

  • Not only is there no reason for the computer to send my battery, but there is NO reason to send ANY information beyond what I expressly tell it to.

    If someone wants to know what browser or what addons I am using, I should have to expressly tell them. Otherwise it should send a default value.

  • Should be DISABLED by default... who would even want a "low powered" version of a website? This was a bad idea from the beginning
