How much charge does your computer’s battery have right now?
Actually, you don’t have to tell me because if you’re using Firefox, Chrome or Opera I can find out for myself with a little code and some help from the HTML5 Battery Status API (Application Program Interface).
Your browser will happily give up information about your battery to any website that asks, without asking your permission so that it can… well I’m not actually sure. I bet it seemed like a good idea when they were drawing up the specification though.
A recently released research paper titled “The leaking battery” has revealed something else that the Battery Status API can tell us too – it can be used to generate a handy little number that’s yours and yours alone.
And if that sounds like a unique ID to you (a cookie in other words), it should.
In their tests, the researchers determined that there are 14172310 different values for a battery that’s discharging and double that for a battery that’s charging.
The probability of a (level, dischargeTime) collision (between different users, and assuming a uniform distribution) is therefore low and for a short time frame this would effectively be a unique identifier.
On most computers those unique IDs are short-lived, perhaps 30 seconds, but that’s still long enough to pull off some clever tricks like respawning deleted cookies, defeating incognito mode or teasing apart users with otherwise similar browser fingerprints.
In short time intervals, Battery Status API can be used to reinstantiate tracking identiers of users, similar to evercookies. Moreover, battery information can be used in cases where a user can go to great lenghts to clear her evercookies. In a corporate setting, where devices share similar characteristics and IP addresses, the battery information can be used to distinguish devices behind a NAT, of traditional tracking mechanisms do not work.
The situation gets far worse for that rare group of users running their Firefox browser on top of Linux. Thanks to a ridiculous over-delivery of precision in the battery level value, the researchers were able to calculate accurate battery capacity numbers that hang around and have a low likelihood of collision.
And if that sounds like a unique ID too, it should.
Any information that varies from one browser to another, remains fairly constant and can be accessed by code has the potential to be used to track you.
There is, of course, one type of information that your browser gives up that’s actually designed for that purpose – browser cookies.
Cookies help websites maintain state, they’re well understood by users, browsers make it easy to control them and there are loads of tools to help you manage, refuse them or wash them away.
Which is exactly why unscrupulous sites that really, really want to track you have never liked them.
The search for alternative ways of tracking users has been going on since not long after Sir Tim of CERN deleted his first cookie.
Websites have used all manner of exotica from Locally Shared Objects to ETags to track us, but the first generation of tracking techniques all had one thing in common: they gave us something that clued-up users could delete.
More recently there’s been an increased focus on passive tracking techniques that rely on the information that browsers broadcast voluntarily – a technique demonstrated vividly by the Panopticlick tool.
Passive tracking is harder to spot and harder to defend against than the more traditional techniques, so much of what’s discussed is research like “The leaking battery” – work by the good guys that highlights things the bad guys could use.
Browser fingerprinting is certainly being used in the wild though.
In 2012 researchers Keaton Mowery and Hovav Shacham demonstrated that they could exploit slight variations in the way that graphics cards and operating systems worked to create browser fingerprints using the HTML5 Canvas element.
For two years it remained a clever theory until a different group of researchers discovered that social media company AddThis had squirreled Canvas fingerprinting code onto as many as 13 million customer websites without asking.
The Battery Status API is probably not much of a tracking threat on its own but it could certainly be used to make existing fingerprint techniques more accurate.
Effective fingerprinting relies on an attacker combining as many sources of entropy as they can.
Unfortunately, browsers don’t deal well with fingerprinting.
Your browser’s profile is much less distinct if you disable Java and Flash, and the EFF’s Privacy Badger plugin offers protection against canvas fingerprinting, but your best defence is to use the Tor Browser.