European researchers published a paper revealing that your privacy could be compromised through the battery in your smartphone or laptop. Most people are probably unaware of something called the battery status API. The World Wide Web Consortium (W3C) introduced it in 2012, and the Firefox, Opera, and Chrome browsers support it.
Battery status API explained
It is an HTML5 specification that’s supposed to help websites conserve energy for users who have minimal battery life remaining. Basically, a website can read the battery state of any device, such as how much life remains in terms of both minutes and percentage. Based on these results, the website can automatically disable power-hungry features on its pages to conserve energy.
How is your privacy compromised?
So far so good, right? Unfortunately, the main problem with the API is that websites can gather this information without permission from visitors. The researchers concluded that websites can piece together the information from multiple visits through a third-party script, thus creating a fingerprint for each user. This could theoretically happen across different sites and even affect users who constantly delete cookies or are behind a VPN or corporate firewall.
The potential issue was raised back in 2012 and referred to in the W3C specification of the API. The “Security and privacy considerations” section has the following statement: “The information disclosed has minimal impact on privacy or fingerprinting, and therefore is exposed without permission grants.”
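To make the linking step concrete, the following is an added example, not code from the researchers' paper or the W3C specification. It treats the values the API exposes (the BatteryManager properties `level`, `charging`, `chargingTime` and `dischargingTime`) as a short-lived key and compares it with a coarsened readout; the site names, visitor labels, sample readings and the 5% / 15-minute coarsening are all assumptions constructed for illustration.

```javascript
// Constructed sample: what one third-party script embedded on two sites
// might read at about the same time. Fields mirror BatteryManager; the
// "visitor" label is ground truth for the demo and never part of a key.
const visits = [
  { site: "news.example", visitor: "A", level: 0.9301929625425652, charging: false, chargingTime: Infinity, dischargingTime: 8940 },
  { site: "shop.example", visitor: "A", level: 0.9301929625425652, charging: false, chargingTime: Infinity, dischargingTime: 8940 },
  { site: "news.example", visitor: "B", level: 0.9276, charging: false, chargingTime: Infinity, dischargingTime: 9120 },
  { site: "shop.example", visitor: "B", level: 0.9276, charging: false, chargingTime: Infinity, dischargingTime: 9120 },
  { site: "news.example", visitor: "C", level: 0.41, charging: true, chargingTime: 3600, dischargingTime: Infinity },
];

// Full-precision readout used as a key.
const rawKey = (r) => [r.level, r.charging, r.chargingTime, r.dischargingTime].join("|");

// Assumed mitigation: level in 5% steps, times in 15-minute buckets.
const bucket = (seconds) => Math.round(seconds / 900) * 900; // Infinity stays Infinity
const coarseKey = (r) =>
  [Math.round(r.level * 20) / 20, r.charging, bucket(r.chargingTime), bucket(r.dischargingTime)].join("|");

// Group readings by key and classify every key that appears on more than one site.
function crossSiteLinks(readings, keyFn) {
  const groups = new Map();
  for (const r of readings) {
    const key = keyFn(r);
    const g = groups.get(key) || { sites: new Set(), visitors: new Set() };
    g.sites.add(r.site);
    g.visitors.add(r.visitor);
    groups.set(key, g);
  }
  let unique = 0;
  let ambiguous = 0;
  for (const g of groups.values()) {
    if (g.sites.size < 2) continue;        // seen on one site only: nothing to link
    if (g.visitors.size === 1) unique++;   // key singles out one visitor across sites
    else ambiguous++;                      // several visitors share the key
  }
  return { unique, ambiguous };
}

console.log("raw readout:   ", crossSiteLinks(visits, rawKey));
console.log("coarse readout:", crossSiteLinks(visits, coarseKey));
```

With the full-precision readout, visitors A and B are each linked across both sites without any cookie; once the values are coarsened, they fall into the same bucket and the key no longer singles either one out.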
Are you at risk?
The study seems to be stirring up some technopanic in the tech world, but the potential danger appears to be very limited. The study was only conducted with the Firefox browser on Linux using the UPower tool. The researchers concluded the information gathered from Firefox on Windows, Mac OS X, and Android was too insignificant to create a fingerprint.
Furthermore, the researchers filed a bug report for the exploit with Firefox on Linux, and it was fixed in June 2015. The study never demonstrates a similar exploit in either the Chrome or Opera browsers, or even on a mobile device.
The report demonstrates an issue that was already fixed, but its intent is to “draw attention to this privacy issue by demonstrating the ways to abuse the API for fingerprinting and tracking.” In other words … create buzz among tech sites, which leads to more technopanic.
No exploit should be taken lightly, but further evidence needs to be demonstrated before we start panicking on this one. And even if this evidence does surface, the API can be updated to include user permissions or whatever is necessary to thwart any potential privacy issues.