Your Battery Status Is Being Used To Track You Online

A paper published last year revealed that the battery on a laptop or phone can be used to track one's online activities. The vulnerability resided in a built-in HTML 5 specification, which could be tricked into identifying people and tracking their online activities. One year later, we are now learning that the vulnerability is being exploited in the wild. The Guardian reports: [...] Two security researchers from Princeton University have shown that the battery status indicator really is being used in the wild to track users. By running a specially modified browser, Steve Engelhard and Arvind Narayanan found two tracking scripts that used the API to "fingerprint" a specific device, allowing them to continuously identify it across multiple contexts. The research was highlighted by Lukasz Olejnik, one of the four researchers who first called attention to the potential issues with the battery status API in 2015. Although Olejnik achieved some success following his warning, with the body in charge of the web's standards thanking his group for the privacy analysis, the API still has the potential for misuse. And while it is only tracking scripts using it now, Olejnik warns that unscrupulous actors could do more. "Some companies may be analysing the possibility of monetising the access to battery levels," he writes. "When battery is running low, people might be prone to some -- otherwise different -- decisions. In such circumstances, users will agree to pay more for a service."

Old news

[LichtSpektren]

In Firefox, you should go to about:config and toggle dom.battery.enabled to false. I've read this exact advice on many privacy-related websites for over a year, so this really isn't news.

Re:Old news

[arth1]

In Palemoon, the default is (of course) disabled.

Re: Old news

[kaiser423]

Is there a Chrome (Vivaldi also) or FF build with this crap disabled by default? Honestly just sick and tired of seeing how much information my browser gives out by default.

Re:

[LichtSpektren]

It doesn't seem like you can disable it in Chrome, don't know about Opera or Vivaldi though. There's a Chromium fork called Iridium [iridiumbrowser.de] in the works that's hardened for privacy and security features, but I don't know enough about the company behind it to recommend it.

For Firefox, there's a great extension called Privacy Settings [mozilla.org] that will automatically optimize your settings for security and privacy (N.B. I would select "Full Privacy" but turn on dom.storage.enabled so websites like GOG's and Protonmail's w

Re:

[I4ko]

Well, uBlock origin can stop it. And to the ghost lurking around here - no, this is one of the things hosts have no chance to stop ever. I've been contemplating for a while to privoxy my traffic and return random values for battery, canvas, fonts and other fingerprints just for kicks.

Re:

[Dagger2]

I took a brief glance at that extension's source. From https://addons.mozilla.org/en-... [mozilla.org]:

exports.main = function (options) {
if (options.loadReason === 'install' || options.loadReason === 'startup') {
var version = sp.prefs.version;
if (self.version !== version) {
if (sp.prefs.welcome) {

Re:

[FunkSoulBrother]

Step One: stop using a browser made by an advertising company.

Re:

[arth1]

In Firefox, you should go to about:config and toggle dom.battery.enabled to false.

There's also "dom.vibrator.enabled". I'm not sure whether it was created for cell phones or haptic sex, but still, it doesn't seem like something remote sites should be able to read or set without explicit permissions.

Re:

[Anonymous Coward]

And by disabling it you are in minority and information can be used in your browser fingerprint. How about random value?

Re:

[sexconker]

It's true or false.
By setting it to false, they presumably can't get access to your battery level.
There is absolutely zero reason a browser should ever send that info out without the user explicitly telling it to, but here we are.

Why on Earth?

[xororand]

Why on Earth are browsers revealing my battery status to random websites?
Does Google dictate these changes in exchange for funding?

Re:Why on Earth?

[Lennie]

This is what the specification has in the introduction:

"The Battery Status API can be used to defer or scale back work when the device is not charging in or is low on battery. An archetype of an advanced web application, a web-based email client, may check the server for new email every few seconds if the device is charging, but do so less frequently if the device is not charging or is low on battery. Another example is a web-based word processor which could monitor the battery level and save changes before the battery runs out to prevent data loss. "

https://www.w3.org/TR/2016/CR-... [w3.org]

Re:Why on Earth?

[jeffb (2.718)]

If you're building a "web-based word processor" that can lose work because a client goes away, You're Doing It Wrong, so much so that responding to a low-battery signal is pointless. What if a router goes down? What if the user moves out of range of an access point, or cellular data?

If Web developers (or the companies issuing their marching orders) wanted to respect my battery, they could start by ditching all the gratuitous animated ads, transitions, and whatnot. For bonus points, they could do it before my battery gets low, so that my battery doesn't get low in the first place.

My five-year-old laptop still gets up to six or seven hours off a charge -- as long as I'm not visiting typical Web sites. If I start browsing, especially without blocking Flash or ads, I'm lucky to get an hour and a half.

Re:

[JohnFen]

This sort of thing is one of the main reasons why I consider HTML 5 to be a terrible specification. It allows far too much data leakage to websites. Combine that with the underlying attitude behind HTML 5 that users shouldn't have control over their machines makes is a bridge too far.

Re:

[Lennie]

I'm sorry, but HTML5 no control over their machines ? What are you talking about ?

OS and devices manufactures like Apple, Microsoft and Google are very busy trying to take control of your machines and your data this seems like a much worse situation.

Re:Why on Earth?

[EvilSS]

Why on Earth are browsers revealing my battery status to random websites? Does Google dictate these changes in exchange for funding?

It was added to the HTML5 spec to allow sites to supply "low power" versions of their site to devices when their battery is low. Or so they say.

Re:

[NatasRevol]

But the ad companies will ignore it, rendering it mostly useless.

Re:

[ShaunC]

The ad companies will be the first ones using it, just not for the intended purpose. They won't tone down the ads if your battery is low but they'll definitely build a cross-site fingerprint of you. From the study,

The second script, http://js.ad-score.com/score.m... [ad-score.com], queries all properties of the BatteryManager interface, retrieving the current charging status, the charge level, and the time remaining to discharge or recharge. As with the previous script, these features are combined with other identifying features used to fingerprint a device.

Re:

[EvilSS]

I kind of question if this wasn't the intended purpose all along. The reason is that it's not necessary for a site to see exact battery level and recharge time to know if they should present a low power site or now. Knowing battery life in bands of x% (0-10%, 11-20%, etc), or even just a preset level (in the HTML5 spec) that would trigger a battery low flag and maybe another that would show on AC power (so the site would know it could possibly ignore the low battery) would be enough. I can't believe the pe

Re:

[dj245]

Why on Earth are browsers revealing my battery status to random websites? Does Google dictate these changes in exchange for funding?

I think it might be a case of "we could do it, so we did". The battery HTML API can indicate whether a device is plugged in and charging, or not. In theory, you could write code that was more computationally-intensive if the device was plugged in, or very lean if the device was on battery. That seems like a legitimate use to me. It may not have occurred to anyone that this would be used for nefarious purposes.

Re:

[rock_climbing_guy]

I wonder why they didn't just program browsers to prompt the user to allow the server to see their battery status similarly to how they did it with location services. I deny location services to web sites all the time that have no need to know my location.

If I log onto a web site that uses geolocation to help me find something, of course I will share my location. If I log onto a web site to read news and it wants to know my location, I deny that every time. Why shouldn't it be the same with the battery

Re:

[JohnFen]

That seems like a legitimate use to me.

Not to me. We already have far too much horribleness resulting from web sites deciding to alter their functionality according to web browser and machine characteristics as it is.

Re:Why on Earth?

[jellomizer]

I am guessing the purpose was for a few things.
1. Remote Desktop Help to help identify problems with your system.
2. Websites that may have rules to Save/Commit your session before your battery dies.
3. Websites to lower the amount of JS processing based on your battery usage

Re:

[wonkey_monkey]

2. Websites that may have rules to Save/Commit your session before your battery dies.

Websites should have rules like that anyway, if required. An internet connection, particularly a mobile one, should probably be considered less reliable than a device's battery.

Re:

[jellomizer]

However the variables will stay in memory of the Browser and device even if the network connection is off then can send it over when it returns. However typically if the battery dies. Then your local memory will go too.

Re:

[Actually, I do RTFA]

Does Google dictate these changes in exchange for funding?

No, no, no. Nothing so crass. Google is a member of the W3C. Therefore it has the right to propose and vote for standards. Okay, Google is a Gold sponsor, so they have a bit more weight. Okay, the Gold sponsor.

But they can only propose regulations. There are 421 voting members of the W3C. You too can join. That is, for a sum of between $3k (if a

See, Google doesn't dictate changes for funding. All above board.

Re:

[Actually, I do RTFA]

Oops, stupidly left an unescaped <. That second line should read "... for a sum between $3k (if < 10 employees) up to over $75k, you too can purchase a vote"

Re:

[xororand]

Sorry, didn't mean to put you on the defensive. You're doing that because your web browser does it. You didn't want to run some random application, but you did, at some point, load a web page which contained a script tag that shouldn't have been there. You say "but it's just a web browser!" and I'm explaining, "No, it's an Operating System." Eww.

You have a very good point and the user really is responsible for what they run in the end.
I should use Tor Browser more often, which is less chatty. Someone ought to make a fork of Tor Browser without Tor. It really is superior to any other browser in that regard.

a way for schools to charge more?

[Joe_Dragon]

Edna Krabappel: Now, whose calculator can tell what seven times eight is?

Milhouse Van Houten: Oh! Oh! Low Battery?

Edna Krabappel: [sighs] Whatever.

Re:

[bluefoxlucid]

56. You should have that memorized. If you don't, the square of 8 is 64, and subtracting 8 gets you 56--because (8,2) gives 5[4+2] = 56, one straight look-up operation with a decrementing carry built-in so you don't have to count on your fingers.

Of course, having both the rote-memorized multiplication table (36 entries, including 8 perfect squares) and the two addition tables memorized (7 entries, including one reflexive (5,5) entry) means you can rapidly-multiply large numbers with arbitrary decimal p

Re:

[sexconker]

You're trying too hard to look clever.

No one with a brain would multiply 36.5 * 192 the way you did. Someone with a brain would use 36.5*200 and then subtract 8*36.5 (or 4*73 since they've already doubled 36.5 and have that result in their head).

And no floating point processor would handle it as you did either.

Re:

[bluefoxlucid]

My brain isn't a floating-point processor and has different hardware.

As for how anyone with a brain would do it... the method I displayed is exactly the method used by mental mathematics world champions, was the method used by high-rated accountants in Japan for thousands of years, and is the method taught in schools in several Asian countries (Japan and some parts of Korea).

Your method requires pre-analysis to form a strategy, then a subtraction (1), three accumulating multiplications (3), and then thr

Re:

[BancBoy]

I think we have a winner.

Re:

[I4ko]

Hmm, really is that the easiest method? The way I was though at school. It is basically the same in reverse order of magnitude. Far less additions

36.5 x 192 = 7008.0
73*0*
328*5*|0
365|00
-----------
70080, rewind decimal point by one place The star indicates carryover to the left, and the pipe indicates zeros added for alignment.

Re:

[bluefoxlucid]

I don't know why left-to-right is the standard for mental mathematics, to be honest. The more vs less argument is significant, but less-so than the procedural argument; it just happens to be easier to digest (most people aren't well-convinced that doing something millions of times means doing that thing 5 times is easier than doing some other thing once--even when they answer a text message while exiting their car and IMMEDIATELY LOCK THEIR KEYS INSIDE).

If you like paper methods, you could look into lat

Uber is doing it

[scorp1us]

Uber is doing it [zdnet.com]

But as for tracking, why not just report battery level by 10% increment, or some other increment where you can hide in a gaussian distribution? Really they only need to know Full, low, and not full or low.

Re:

[Anonymous Coward]

Uber is doing it [zdnet.com]

Uber's head of economic research, Keith Chen, told NPR's Shankar Vedantam during an episode of The Hidden Brain podcast that users of the service are willing to accept surge pricing increases of as much as 9.9 times if their smartphone's battery is close to flat.

The logic is that if your battery is almost dead, then you feel at risk of being stranded, and that means that rides are much more valuable to you than they would be if your battery had sufficient charge.

Oh, but don't worry, Chen promises that the company doesn't use this information to set fares.

Wow, Uber is such a classy business.

Re:

[Actually, I do RTFA]

Why even in 10% increments. You just need to know, at most, three levels: Normal, Low, Shutdown Eminent.

Re:

[NatasRevol]

Imminent. Eminent is ... something else.

Re:

[The-Ixian]

But it has to do with domains....

Re:

[NatasRevol]

Eminent domain may negatively impact my imminent domain.

Re:

[Anonymous Coward]

They don't need to know anything. I assume complete privacy unless I choose what things to reveal.

Re:

[Anonymous Coward]

How about a binary flag, with a user configurable threshold? Not like anybody's going to use that as intended either, but at least that only leaks one bit of information.

Re:

[JohnFen]

Really they only need to know Full, low, and not full or low.

They don't even need to know that.

Tired of this whole security/privacy mess!

[grumpy-cowboy]

WHY ON EARTH a browser need to expose the status of my laptop battery!! Why?!?! Can we have a browser that JUST display text, images and basic please! Can we go back to HTML 3.2 and flush everything made after this!

Rational actors

[bluefoxlucid]

To call profit-maximizing strategies "unscrupulous", we'd have to claim everyone who makes above bare subsistence income is an unscrupulous actor. Women complaining they don't get paid as much as men would be unscrupulous, trying to get more pay without doing more work.

You need a bit more of an ethical quandry than that before you can start claiming bad ethics.

Re:

[Opportunist]

Abusing people who are in a desperate position is despicable. Good enough?

Re:

[JustNiz]

Abusing people at all is despicable.

Re:

[Opportunist]

I fail to see the problem with some contemporary pests. They are technically people, but ... well, abusing them isn't really a disservice to humanity.

Re:

[bluefoxlucid]

Every position is desperate. People with low battery are often plenty comfortable with their near-term access to a charging port; and, at the same time, cognizant of the low battery state. That applies stress, in the same way that being hungry applies stress (omg you might starve! ... there's a 0% chance of that happening). That changes the way the brain makes decisions; it's not that you might go tapping on e-purchases in a desperate attempt to outrun impending battery failure, but rather that you've g

Re:

[account_deleted]

Comment removed based on user account deletion

Fuck off with the clickbait headlines, please

[wonkey_monkey]

Your Battery Status Is Being Used To Track You Online

Oh, do fuck off with the tiresome clickbait headlines. My battery status isn't being used to track me online, but even if it was, you could write the headline without having to personally address it to me.

Re:

[sexconker]

He was correct. The plural "your" is still directed AT YOU.

...By running a specially modified browser

[JustNiz]

If it was easy for someone to plant a modified binary on your phone they could also do just about anything they wanted.

sounds familiar

[bobmajdakjr]

"In such circumstances, users will agree to pay more for a service." -- cough *Uber*

bATTERY STATUS?

[rossdee]

I/m always plugged in when I go online

Good gawd

[JustAnotherOldGuy]

Is there anything that can't be used to suck up your personal information, location, spending habits, etc etc?

"Some companies may be analysing the possibility of monetising the access to battery levels"

Holy shit, kill me now. But first let me throw a few marketers into the wood chipper.

"When battery is running low, people might be prone to some -- otherwise different -- decisions. In such circumstances, users will agree to pay more for a service."

Okay, now I really mean it, just kill me. And make sure to pl

My Compuer should not be sending ANY of that info

[gurps_npc]

Not only is there no reason for the computer to send my battery, but there is NO reason to send ANY information beyond what I expressly tell it to.

Someone wants to know what my browser or what addons I am using, I should have to expressely tell them. Otherwise it should send a default value.

what a useless feature

[wardrich86]

Should be DISABLED by default... who would even want a "low powered" version of a website? This was a bad idea from the beginning