Websites can identify and track users through the battery level of their laptops or mobile devices, according to a report published by European researchers. Security experts from France and Belgium discovered the privacy risks associated with the HTML5 Battery Status API, which is currently supported by the Chrome, Firefox and Opera web browsers.
"HTML5 Battery Status API enables websites to access the battery state of a mobile device or a laptop," the study states. "Using the API, websites can check the battery level of a device and use this information to switch between energy-saving or high-performance modes. All the information exposed by the Battery Status API is available without users' permission or awareness."
The study revealed that even if a user were to revisit a website with a new identity – which can be achieved using a virtual private network (VPN) or a browser's private viewing mode, for example – the site would still be able to link the user to subsequent visits. This allows websites to track a user's previous web history and reinstate cookies and other identifiers.
"Users who try to revisit a website with a new identity may use browsers' private mode or clear cookies and other client side identifiers," the research states. "When consecutive visits are made within a short interval, the website can link users' new and old identities by exploiting battery level and charge/discharge times. The website can then reinstantiate users' cookies and other client side identifiers, a method known as respawning."
The analysis also reveals that users with old or used batteries are at a much higher risk of such tracking. To address the privacy issues relating to the HTML5 Battery Status API, the researchers proposed minor modifications to Firefox, which the browser has since deployed.