Phone batteries are sending out information that could be used to identify their owners and track them around the internet, even if they have taken very careful privacy precautions, according to a paper by security researchers.
A piece of software in HTML5 — the technology used to let people read sites on the web — tells websites how much battery is left in a users’ phone, and is intended to allow websites to help preserve battery if phones are running low. But that same information can be used to identify phones as they move around the internet, allowing people to be tracked.
Websites and the scripts that run on them don’t have to ask users’ permission to see how much charge is left, so phones will respond to the request to say how much charge they have and how long it will take them to power back up. That information can then be used as a way of identifying the phones themselves, without their users ever knowing.
A website could put those two numbers together and watch for a phone with an identical or similar profile appearing on other pages, for instance. Malicious people could then put those two events together and work out that the same phone had accessed both websites, which can usually be hidden.
Technology like VPNs (which are used to route internet traffic through another place, to anonymise it) and private browsing (which stops websites from reading tracking cookies that have previously been saved) are normally enough to keep people from following a user around the internet. But the security problems in the battery software could be used to get around those precautions.
The researchers writer in their paper, ‘The leaking battery: A privacy analysis of the HTML5 Battery Status API’, that user should at the very least be able to make sites ask permission before they see the battery information. The researchers — Lukasz Olejnik, Gunes Acar, Claude Castelluccia and Claudia Diaz — also suggest that users should be given more information about how the battery status software is used.Reuse content