The Battery Status API, or “Battery API”, is one of the components of HTML5, the new W3C web standard from two years ago. In principle, the API does something as innocent as letting the pages we visit know the battery state of our devices so that they can offer lighter versions.
But several studies presented by security researchers suggest that the combinations of data that can be obtained with this API are enough to be used as device identifiers. With them, a site cannot know who we are, but it can spy on our behavior on the network without asking permission.
A good idea that turns against us
The Battery Status API offers only three specific pieces of data: the device's current charge percentage, the total time remaining before the battery is discharged, and the time it would need to charge completely if the device were connected to a charger. They are intended to let sites stop running content or offer less demanding versions depending on the state of our battery.
The W3C's own page states that the information disclosed by the API has minimal impact on user privacy. However, last year a first study appeared pointing in the opposite direction, arguing that the data from these three parameters can yield up to 14 million combinations, enough to use as a fairly reliable unique ID.
The other major problem is that the data provided by the API are not updated very quickly. This means that, while the values remain static, they can serve as an identifier that allows companies and websites to use scripts to record the pages that the user of a device visits.
Imagine a particular script that is hosted on pages X and Y and is able to read the values from the Battery Status API. Even if we deleted cookies or other traces after visiting X, and even if we used a VPN, if the API values have not been updated when we visit Y, the script will identify us, and those responsible will know that we have gone from X to Y.
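To make the X and Y scenario concrete, the following added example (not code from the original article or from the studies it cites) counts, over a constructed set of readings, how many devices are alone in reporting their combination of values, first as read and then after a coarsening step. The field names follow the API's BatteryManager interface; the coarsen policy and all sample values are assumptions made for illustration.

```javascript
// Added example: all readings below are constructed, not measured.
// Field names follow the BatteryManager interface (level, chargingTime,
// dischargingTime, times in seconds); coarsen() is a hypothetical policy.

// Join the three values a page can read into one comparable key.
function readingKey(r) {
  return [r.level, r.chargingTime, r.dischargingTime].join("|");
}

// Hypothetical mitigation: report level in 10% steps and hide both timers.
function coarsen(r) {
  return {
    level: Math.round(r.level * 10) / 10,
    chargingTime: Infinity,
    dischargingTime: Infinity,
  };
}

// Group devices by reported key. A group of size 1 is a device that can be
// recognised across sites for as long as its reading stays unchanged.
function anonymitySets(readings, transform = (r) => r) {
  const sets = new Map();
  for (const r of readings) {
    const key = readingKey(transform(r));
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

function uniqueCount(sets) {
  return [...sets.values()].filter((n) => n === 1).length;
}

// Constructed sample: six devices on battery (chargingTime is Infinity).
const sample = [
  { level: 0.43, chargingTime: Infinity, dischargingTime: 8940 },
  { level: 0.43, chargingTime: Infinity, dischargingTime: 9120 },
  { level: 0.41, chargingTime: Infinity, dischargingTime: 8940 },
  { level: 0.87, chargingTime: Infinity, dischargingTime: 20340 },
  { level: 0.88, chargingTime: Infinity, dischargingTime: 20340 },
  { level: 0.12, chargingTime: Infinity, dischargingTime: 1560 },
];

const raw = anonymitySets(sample);
const reduced = anonymitySets(sample, coarsen);
console.log("devices unique by raw reading:", uniqueCount(raw));
console.log("devices unique after coarsening:", uniqueCount(reduced));
```

In this sample every device is unique by its raw reading, while after coarsening only one device remains alone in its group.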
Sites are already taking advantage of it
Another study, published last month by researchers at Princeton University, has shown that this technique is being used by different companies to identify the ephemeral fingerprint that this API creates in different contexts. Lukasz Olejnik, one of the researchers behind last year's study, speculates on his blog that some companies may be exploring the possibility of monetizing access to users' battery levels.
The fact that these data have come to light has caused various reactions. First, Mozilla, whose Firefox browser is one of the most vulnerable when used on Linux, has released a fix to try to patch the problem. The W3C has also warned of the problem on its website, but now that it is known what can be done with the API, new ways to take advantage of it may emerge.