In today's always-on digital age, we're used to sacrificing a little privacy in return for some extra convenience, but a new security loophole has come to light that could allow unscrupulous companies or individuals to follow your movements using the battery in your smartphone or laptop. It's not a vulnerability as such - it's a built-in feature of the HTML5 code that much of the modern Web is created with, designed to help websites and online apps monitor battery life and adapt their services accordingly.
So, for example, a Web app might shut down some of its extra bells and whistles if it detects that you don't have much juice left in your phone. However, as Alex Hern atThe Guardian reports, that same feature can also be used to identify your device in the same way that a fingerprint identifies your body. By logging the amount of battery life left, the time taken to charge it, and its overall capacity, a website could theoretically tell your device apart from everyone else's, and that means being able to spot which sites you're visiting, even if you're using a private browsing mode.
This Battery Status API (Application Programming Interface) has been around since 2012 and is supported by Google Chrome, Mozilla Firefox, and Opera. In a paper put together by four French and Belgian security experts, which focussed on the use of Firefox on the Linux operating system, questions are raised about just how safe the protocol is for users - the API requires no special permissions to run, so you might not even know it's being deployed when you fire up your phone, tablet or laptop.
Because the readings taken can be so precise, the millions of possible combinations give coders a good chance of identifying exactly who you are, say the researchers.
The authors of the paper warn that the tracking mechanism could work even where traditional logging attempts fail, such as when users are behind a corporate firewall in the office or using a Virtual Private Network (VPN). They're asking that the Battery Status API readings be made less accurate - this would reduce the chance of a website being able to uniquely identify someone while still allowing the site to adapt to a changing battery level.
For now though, it's a potential privacy issue that needs addressing. "Users who try to revisit a website with a new identity may use [a] browser's private mode or clear cookies and other client-side identifiers," write the researchers. "When consecutive visits are made within a short interval, the website can link users' new and old identities by exploiting battery level and charge/discharge times. The website can then reinstate users' cookies and other client-side identifiers, a method known as respawning."