And the hits just keep on coming. It seems that Android’s security and privacy can’t get a break these days. We’ve all gotten a bit of Stagefright, and as a result we’re in for a massive update from Google to secure that particular vulnerability. Now we’re hearing that even our battery level notifier can get our privacy in trouble.
This issue was put in a paper by four French and Belgian researchers, commenting on how the HTML 5 Battery Status API can give websites information about who specifically is browsing their content. This API is currently supported and used in Firefox, Opera and Chrome browsers, and was introduced by the World Wide Web Consortium in 2012. The aim was practical – to help websites conserve users’ energy.
But this means that the website will need specific data from the user – that is, the estimated time in seconds that the battery will take to fully discharge, and the remaining battery capacity in percentage. Put these two numbers together and you have a unique ID number for any device. The numbers update every 30 seconds, which is fast for our standards, but this just means that for 30 seconds, the website can identify your device specifically.
The researchers warn that even if you try to revisit a website with a new identity or in a browser’s private mode or even clear cookies, the website can still identify you if “consecutive visits are made within a short interval” because “the website can link users’ new and old identities by exploiting battery level and charge/discharge times. The website can then reinstantiate users’ cookies and other client side identifiers, a method known as respawning.”