Researchers have confirmed that an HTML5 standard for browsers, known as the Battery Status API, is being used to track users on the web.
The Battery Status API allows a site owner to ask for the device's current battery level or charging status, and was highlighted last year as a potential privacy risk. It was designed to let developers offer a scaled-down version of their websites to devices with a low battery.
However, researchers at INRIA and KU Leuven last year found that site owners could use unique combinations of a device's battery level as well as its charge and discharge times to fingerprint a user and follow them across websites.
Also, the API, which had been implemented in Firefox, Chrome, and Opera, didn't require user permission to read battery information, nor did it require users to be told when battery data is being collected.
Back then, the authors of the standard didn't consider that it posed a fingerprinting risk, but as The Guardian points out, these combined and highly detailed readings can provide a pseudo-unique identifier for each device.
Two researchers at Princeton University, Steven Englehardt and Arvind Narayanan, have now found two scripts in the wild that use the Battery API to fingerprint users on the web.
They've added it to an ongoing large-scale study that uses OpenWPM, a privacy measurement tool they developed that drives Firefox, to identify techniques used to track users across the web. Earlier this year they found the AudioContext API was also being used to fingerprint users, by way of the audio signals it processes.
One of the scripts targeting battery readings retrieves the current charge level of the device and combines that with other fingerprint data and the user's local IP address. The second retrieves the current charging status, the charge level, and the time remaining to discharge or recharge.
Besides identifying and tracking users, battery and charge-status readings may be useful for other reasons, such as exploiting different attitudes to price when a device is about to die.
"When battery is running low, people might be prone to some, otherwise different, decisions," wrote Lukasz Olejnik, one of the INRIA researchers who raised the leaky-battery issue last year.
Uber earlier this year revealed that a passenger whose phone is about to die is willing to accept a surge price up to 9.9 times the normal rate. Uber said it didn't use battery readings to determine surge pricing.
"As a response, some browser vendors are considering restricting or removing access to battery readout mechanisms," noted Olejnik.
The Battery Status API standard's privacy and security considerations have also been updated to reflect the researchers' findings. For example, it now states that the API shouldn't reveal precise readouts of battery status information, since they can expose users to fingerprinting.
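As an added illustration (example code, not from the Princeton study, the scripts it found, or the specification): the full-precision combination of the fields the scripts above read, next to a coarsening step in the spirit of the updated spec's guidance against precise readouts. The sample readings, the step sizes (levelStep, timeStep) and the helper names are assumptions.

```javascript
// Shape of the BatteryManager object that navigator.getBattery() resolves to:
// { charging: boolean, level: 0..1, chargingTime: seconds (Infinity while discharging),
//   dischargingTime: seconds (Infinity while charging) }.
// These readings are constructed for the example, not captured from real devices.
const SAMPLE_READINGS = [
  { charging: false, level: 0.4731, chargingTime: Infinity, dischargingTime: 12345 },
  { charging: false, level: 0.4652, chargingTime: Infinity, dischargingTime: 12580 },
  { charging: true,  level: 0.91,   chargingTime: 1700,     dischargingTime: Infinity },
  { charging: true,  level: 0.9088, chargingTime: 1820,     dischargingTime: Infinity },
];

// The kind of key a fingerprinting script derives: every field at full precision,
// so small differences between devices yield distinct identifiers.
function rawBatteryKey(b) {
  return [b.charging ? 1 : 0, b.level, b.chargingTime, b.dischargingTime].join("|");
}

// Mitigation: coarsen each readout so many devices report the same values.
// levelStep (fraction of full charge) and timeStep (seconds) are assumed values.
function coarsenBattery(b, levelStep = 0.05, timeStep = 900) {
  const roundTo = (x, step) => (Number.isFinite(x) ? Math.round(x / step) * step : x);
  return {
    charging: b.charging,
    level: Number(roundTo(b.level, levelStep).toFixed(2)),
    chargingTime: roundTo(b.chargingTime, timeStep),
    dischargingTime: roundTo(b.dischargingTime, timeStep),
  };
}

// Number of distinct keys over a population: the larger it is, the more identifying
// the readout is. Compare raw keys against coarsened keys for the same readings.
function distinctKeys(readings, keyFn) {
  return new Set(readings.map(keyFn)).size;
}

console.log("raw:", distinctKeys(SAMPLE_READINGS, rawBatteryKey));
console.log("coarsened:", distinctKeys(SAMPLE_READINGS, (b) => rawBatteryKey(coarsenBattery(b))));
```

With the sample readings, the four raw keys are all distinct, while coarsening collapses them to two (one per charging state).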