You may have started taking extra steps to protect your privacy online in the post-Snowden era. But there’s a component in your phone that advertisers might be abusing right now to track you online despite your best efforts: its battery.
It turns out that your battery can be leveraged to fingerprint your device with amazing precision, and it can be done silently without your permission. How is that possible? Because the W3C introduced a new specification, the Battery Status API, that allows websites to check power stats.
A group of French and Belgian researchers have just published a paper that details how the battery in a device with a W3C-compliant browser — in this case Firefox running on Linux — can be exploited to identify its user.
The revelation that a device’s battery status can be misused in this way isn’t a new one. Back in February of this year, Yan Michalevsky and a group of researchers from Stanford made the same discovery. Michalevsky reported that “measuring the phone’s aggregate power consumption over time completely reveals the phone’s location and movement.”
For the advertisers looking to identify you so they can target ads, this is a beautiful thing. It doesn’t make a difference whether your smartphone runs iOS, Android, Windows Phone, or even BlackBerry or Firefox OS. It doesn’t matter if you have location services disabled. If you have a battery in your device and use a standards-compliant browser, you’re at risk.
The most worrisome part about both of these reports is that battery-based tracking can keep tabs on you in spite of other precautions you might be taking. Browsing in private mode? By identifying your battery before and after, advertisers can simply replace the cookie that disappears when you end your private session.
There are a couple of easy fixes suggested in the European team’s paper. One, the level of precision that the Battery Status API is allowed to report could be limited. Another is that browsers prompt users for permission when a site wants to tap the API.
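To make the first suggestion concrete, here is an added example (not taken from the researchers' paper or from any browser's code) that coarsens battery readings and counts how many distinct states a site could still tell apart. The field names follow the BatteryManager interface; the bucket sizes and the sample readings are assumptions made up for illustration.

```javascript
// Added example: limit the precision of Battery Status API readings.
// Field names (charging, chargingTime, dischargingTime, level) follow the
// BatteryManager interface. Bucket sizes and sample data are assumptions.

const LEVEL_STEP = 0.05;    // assumed: report charge level in 5% buckets
const TIME_STEP = 15 * 60;  // assumed: report times in 15-minute buckets (seconds)

// Round a value to the nearest multiple of step.
function bucket(value, step) {
  if (!Number.isFinite(value)) return value; // Infinity means "unknown"; keep it
  return Math.round(value / step) * step;
}

// Return a reduced-precision copy of one battery reading.
function coarsen(reading) {
  const level = Math.min(1, bucket(reading.level, LEVEL_STEP));
  return {
    charging: reading.charging,
    level: Number(level.toFixed(2)), // strip floating-point noise
    chargingTime: bucket(reading.chargingTime, TIME_STEP),
    dischargingTime: bucket(reading.dischargingTime, TIME_STEP),
  };
}

// Count the distinct value tuples a set of readings exposes to a site.
// Fewer distinct tuples means more visitors look alike.
function distinctStates(readings) {
  return new Set(readings.map((r) => JSON.stringify(r))).size;
}

// Constructed readings, as four different visitors might report them.
const SAMPLE = [
  { charging: false, level: 0.8234, chargingTime: Infinity, dischargingTime: 13722 },
  { charging: false, level: 0.8101, chargingTime: Infinity, dischargingTime: 13514 },
  { charging: false, level: 0.7988, chargingTime: Infinity, dischargingTime: 13901 },
  { charging: false, level: 0.4412, chargingTime: Infinity, dischargingTime: 6120 },
];

console.log("distinct states, full precision:", distinctStates(SAMPLE));
console.log("distinct states, coarsened:", distinctStates(SAMPLE.map(coarsen)));
```

With full precision all four constructed visitors are distinguishable; after coarsening, three of them report identical values.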
Hopefully one or both of those suggestions is implemented soon. If not, at least the EFF is working on a new and improved Do Not Track for us.