20 comments

[ 3.1 ms ] story [ 56.6 ms ] thread
AdTech firms have been tracking you for a long time and in some pretty ingenious ways. One of the most recent was using the Battery Status API. Just imagine if they focused their efforts on something useful.

As a side note DoubleClick has been own by Google since 2007.

Can you share more details about the battery status API tracking? Would love to see how that correlates to a unique user.
Just a guess... your battery level isn't going to change dramatically from second to second. If its provided with a high degree of precision, it would be a pretty good short term key.
It's all about adding bits of information to improve confidence in tracking users across pages.

Lets assume that in page visits <10 minutes apart, a users battery won't change by more than 10%.

So say I go to volvo.com and then reddit.com - and my battery changes from 10% to 8%. When I request reddit.com - the user is clearly not a visitor who has had >20% battery. We also know the resolution of the phone. We know the user agent. And many other factors. Combining all of these means that you approach 100% certainty that it's the same user. No information on it's own is identifiable - but by combining enough sources - no two machines or phones are identical (at least that's what advertisers hope)

This is scarily close to how intelligence agencies infer information. If you ever wonder why government is so clandestine about even unclassified bits of data, consider how they could be used when combined. As someone else said, just imagine if they focused their efforts on something useful. Intelligence agencies basically are focusing on "something useful".
(comment deleted)
I see the relation - but it's also how nearly all information is gathered and infered - even at a human level. You take incomplete information, look at the landscape, and try to fill in the blanks.

A friend you're meeting tells you he's in the starbucks with a red shirt. That's not enough information to know his exact coordinates. But you combine and infer - you know how many starbucks there are in the vicinity, and which one he's likely to be at. You know he's in a red shirt - but there's several people. Luckily you already know his height well enough to filter out false positives within milliseconds.

The method I don't find intrinsically scary - but perhaps the scale and depth at which it happens, and for what motives.

Battery status API support is pretty bad on mobile, but you could look at the rate of battery discharge which would probably be slightly different between devices etc.

Similar to how time skew is used for tracking as clocks go off sync.

It comes [this paper](https://eprint.iacr.org/2015/616.pdf) which made the HN front page at its time. The battery API exposes information about the current charge of the battery and its full charge capacity that is apparently a non-negligible fingerprinting vector for short-term tracking.
and chromium, which should be renamed chrome beta, since a few years ago when all maintainers are Google employers, even went so far as rolling back all the privacy contributions such as options to disabled/disable 3rd party cookie and referrer. both of which are crucial aspects on how Google/doubleclick get paid by after showing you ads.
Could you give us more info about this?

I for one always run Chromium with third-party cookies disabled. Yesterday I went to try the new Firefox that everyone is going crazy about, and I couldn't find the option to disable third-party cookies.

It's a bit obscure in Firefox 57 beta and newer. Open Preferences then click on Privacy & Security, then go to the "History" section. Select Firefox will "use custom settings for history" and you'll see the option to refuse third-party cookies.
Note that this is all a single screen. Just preferences > privacy. No extra navigation required.

It's is under the history sub-title, but you can see all the options in the screen at once. Not as hidden as in chrome.

Yeah, firefox after 56 is garbage on this front too.

but that is mostly trying to please sponsors, like google.

But do me a favour, try to find any setting, command line flag, developer setting, anything, to disable or limit referrer to the domain, on chromium/chrome. All three times i counted, the features were removed by google employees after added by outsider contributors. And 3rd party cookie is going the same way. Outside contributors add, google employees remove. Until everyone gives up and google has its way.

I don't agree. In Chromium at least the feature to disable third-party cookies is in a very obvious place:

Settings > Advanced > Privacy and security > Content settings > Cookies

Regarding referrer you may be right. However you can change it with extensions. And now that I think about it, the same is true for third-party cookies.

It's so weird to look back on these days when people were struggling with whether advertising was even acceptable on the web. So many of us never agreed to this ad model contract and are still annoyed that everyone forgot there was a battle over it.

I've still never clicked on an ad, any ad, expect by mistake or accident, in 25 years of web browsing. Many others haven't either. Seems like that reality is finally starting to sink in, despite the endless amounts of "analytics" claiming otherwise.

On mobile devices, I can see this API for decent tracking. However, for laptops, it seems easy to have the laptop fully charged and plugged in to defeat it as this is probably a very common state.

It would be fun to alter the API output to randomize the battery data. Even have it be off power, and slowly climb in charge.