When discussing security with the average person I’m usually accused of being paranoid. I carry a gun in case I have to defend myself? I must be paranoid! I only allow guests at my dwelling to use a separate network isolated from my own? I must be paranoid! I encrypt my hard drive? I must be paranoid! It probably doesn’t help that I live by the motto, just because you’re paranoid doesn’t mean they’re not out to get you.
Paranoid people aren’t given enough credit. They see things that others fail to see. Consider all of the application programming interface (API) calls the average browser has available to website developers. To the average person, and even to many engineers, the API calls available to website developers aren’t particularly threatening to user privacy. After all, what does it matter if a website can see how much charge is left in your battery? But a paranoid person would point out that such information is dangerous because it gives website developers more data to uniquely identify users:
The battery status API is currently supported in the Firefox, Opera and Chrome browsers, and was introduced by the World Wide Web Consortium (W3C, the organisation that oversees the development of the web’s standards) in 2012, with the aim of helping websites conserve users’ energy. Ideally, a website or web-app can notice when the visitor has little battery power left, and switch to a low-power mode by disabling extraneous features to eke out the most usage.
W3C’s specification explicitly frees sites from needing to ask user permission to discover their remaining battery life, arguing that “the information disclosed has minimal impact on privacy or fingerprinting, and therefore is exposed without permission grants”. But in a new paper from four French and Belgian security researchers, that assertion is questioned.
The researchers point out that the information a website receives is surprisingly specific, containing the estimated time in seconds that the battery will take to fully discharge, as well as the remaining battery capacity expressed as a percentage. Those two numbers, taken together, can be in any one of around 14 million combinations, meaning that they operate as a potential ID number. What’s more, those values only update around every 30 seconds, however, meaning that for half a minute, the battery status API can be used to identify users across websites.
The people who developed the W3C specification weren’t paranoid enough. It was ignorant to claim that reporting battery information to websites would have only a minimal impact on privacy, especially when you combine it with all of the other uniquely identifiable data websites can obtain about users.
Uniquely identifying users becomes easier with each piece of data you can obtain. Being able to obtain battery information alone may not be terribly useful, but combining it with other seemingly harmless data can quickly give a website enough data points to identify a specific user. Although that alone may not be enough to reveal their real identity, it is enough to start following them around on the web until enough personal information has been tied to them to reveal who they are.
The moral of this story is that paranoia isn’t properly appreciated.