The idea of being tracked through your mobile or other device’s battery status seems frightening, or absurd at the very least.
But that is exactly what Steve Englehardt and Arvind Narayanan – two academics from Stanford – report in their paper, Online tracking: A 1-million-site measurement and analysis.
The HTML5 Battery Status API was designed to let servers and web apps determine when to send an energy-efficient version of a website – that is, when a user’s battery is low.
Soon after, however, it was pointed out that this system was vulnerable. Hackers could use it to track location and infringe on privacy.
The ‘voyeurs’ do this by retrieving the host device’s current charge level, its charging status, and the time remaining to discharge or recharge.
These features are combined with other identifying features used to fingerprint a device – tracking it and your location.
It is a big jump from ‘Find my iPhone’, and a whole lot more sinister. Not only can they track your device, but they can tag it as well.
Stanford’s researchers found two tracking scripts – https://go.lynxbroker.de/eat_heartbeat.js and http://js.ad-score.com/score.min.js – that used the HTML5 Battery Status API to imprint on a specific device, meaning it could be continuously tracked.
“Fingerprinting scripts pose a unique challenge for manually curated block lists. They don’t typically change the rendering of a page and may not be included by an advertising entity.”
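Because such scripts leave no visible trace on the page, one way to spot them is to record which battery readouts a script actually consumes. The sketch below is an added example, not code from the paper or from the scripts named above; the function names, the sample readout and the "suspicious" rule are assumptions made for illustration.

```javascript
// Added example (not from the paper): audit which Battery Status API readouts
// a page's scripts consume. The "suspicious" rule is an assumed heuristic.
const READOUTS = ['charging', 'level', 'chargingTime', 'dischargingTime'];

// Wrap a BatteryManager-like object so every readout access is appended to log.
function watchManager(manager, log) {
  return new Proxy(manager, {
    get(target, prop) {
      if (READOUTS.includes(prop)) log.push(prop);
      const value = Reflect.get(target, prop);
      return typeof value === 'function' ? value.bind(target) : value;
    },
  });
}

// Patch nav.getBattery() (promise-based in browsers) to hand out watched managers.
function instrumentBattery(nav, log) {
  const original = nav.getBattery.bind(nav);
  nav.getBattery = () => original().then((m) => watchManager(m, log));
}

// Flag a caller that read the level together with both time estimates.
function summarize(log) {
  const read = [...new Set(log)].sort();
  const suspicious = ['level', 'chargingTime', 'dischargingTime']
    .every((p) => read.includes(p));
  return { read, suspicious };
}

// Constructed sample readout; a real page would pass `navigator` to instrumentBattery.
const sampleBattery = { charging: false, level: 0.37, chargingTime: Infinity, dischargingTime: 8940 };

// A script that only checks for low battery, the use the API was designed for.
function lowBatteryOnly() {
  const log = [];
  const battery = watchManager(sampleBattery, log);
  void (battery.level < 0.2);
  return summarize(log);
}

// A script that collects every readout, as the fingerprinting scripts do.
function readsEverything() {
  const log = [];
  const battery = watchManager(sampleBattery, log);
  void [battery.charging, battery.level, battery.chargingTime, battery.dischargingTime];
  return summarize(log);
}
```

In a browser, calling `instrumentBattery(navigator, log)` before other scripts load applies the same logging to the real API.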
This flaw in the API is also exploited by businesses, like Uber. It found that when a device’s battery was low the customer was willing to pay 9.9x surge pricing, and would charge more accordingly.
There is no real way to prevent the API from being exploited to track location.
It is not possible to disable the device’s battery feature.
Privacy protection is only guaranteed while the device is charging.