Battery Information Fingerprinting: Principles, Risks, and Protection
1. What is Battery Information Fingerprinting?
When you browse the web, your browser exposes a wealth of device information to websites, such as screen resolution, operating system version, time zone, GPU model, and more. Combined, this data can generate a unique “digital fingerprint” used to identify and track users. In 2016, researchers from Princeton University and KU Leuven discovered that the HTML5 Battery Status API could be used to obtain real-time battery status—whether it’s charging, the remaining battery percentage, and the estimated time until fully charged or depleted. These seemingly innocuous data points, when sampled sufficiently, can form a unique “battery fingerprint.”
The core principle of battery fingerprinting lies in the dynamic changes of battery status over time. Each user’s charging habits differ: some charge while using the device, with battery levels fluctuating between 20% and 80%; others charge at a fixed time daily; still others rarely charge, letting the battery drain slowly. Browsers can read the battery status at multiple moments during a user’s visit and, combined with timestamps and charging status, construct a nearly unique charging pattern. Research shows that with just 30 samples, combined with other silent device information, over 99% of individual users can be distinguished. This makes battery information yet another dangerous passive tracking technique, following Canvas fingerprinting and WebGL fingerprinting.
2. How is Battery Data Collected? — Technical Details
To understand the power of battery fingerprinting, you need to know how the Battery Status API works. This API was first implemented in Chrome, Firefox, and Opera to help developers optimize energy consumption (e.g., automatically lowering video quality when the battery is low). JavaScript code can call it like this:
navigator.getBattery().then(function(battery) {
  console.log('Charging status:', battery.charging);
  console.log('Battery percentage:', battery.level);
  console.log('Remaining time (charging/discharging):', battery.chargingTime, battery.dischargingTime);
});
Websites can set timers (e.g., reading every 10 seconds) or listen for chargingchange and levelchange events to continuously collect battery data for as long as the user stays on the page. Since battery percentage is typically returned with a precision of 0.01 (e.g., 0.87 means 87%), charging status is a boolean (true/false), and charging/discharging times are integers in seconds, the possible combinations of these four fields can yield hundreds of different states within a single session.
More importantly, battery fingerprints can be correlated with other existing fingerprinting data. For example, combining Canvas fingerprinting and WebRTC local IP leaks allows attackers to significantly narrow down the user pool. In a real-world operation in 2018, researchers implanted a script on an actual website and collected battery data for only 30 seconds. They successfully increased the identification rate from 80% to 94% — a rate that previously required dozens of features.
3. Real-World Applications of Battery Fingerprinting
3.1 Cross-Site User Tracking
Ad networks and data analytics companies use battery fingerprints as “auxiliary anchors.” Even if cookies are cleared or IPs are changed, as long as the user’s battery charging pattern remains consistent (e.g., charging every day between 5 PM and 6 PM), multiple sites can correlate the same user by matching the time series of battery states. The French privacy regulator (CNIL) once reported that over 1% of popular European websites have direct or indirect calls to the Battery API, mostly from third-party tracking scripts.
3.2 Anti-Fraud and Account Risk Control
On e-commerce, financial, and social platforms, risk control systems collect device fingerprints. If the same account or device exhibits drastically different battery change curves within a short period (e.g., 30% battery and charging during the last transaction, 80% and not charging during the next), the system may flag it as “inconsistent device environment,” triggering secondary verification or direct account suspension. This has little impact on normal multi-device users, but is devastating for sellers or ad managers who need to operate multiple accounts — when you log into several store accounts in the same browser, each tab shares identical battery information, making it easy for the platform to determine they come from the same device.
3.3 Proxy and Virtual Machine Detection
Many anti-crawler and non-human detection systems check whether the Battery API returns fixed values. Virtual machines or cloud servers typically lack a physical battery, so battery.charging will always be true, level will be 1.0 (100%), and dischargingTime will be Infinity. Attackers can easily identify non-real user environments this way. More advanced detection also compares battery fields with other system metrics (e.g., CPU frequency, network latency) for consistency: does CPU frequency drop when battery is at 20%? If not, it likely indicates a simulated environment.
4. Privacy and Security Challenges Posed by Battery Fingerprinting
4.1 Undetectable User Tracking
Battery data collection is completely silent — users receive no pop-ups or notifications. Even if JavaScript is disabled, some browser extensions or scripts can still execute in the background via Web Workers. Moreover, battery status changes are beyond user control (unless they deliberately unplug the charger), making it very difficult for users to actively deceive tracking systems.
4.2 Chain Reaction of Data Leakage
While battery information alone does not contain personal identity, combining it with other data (e.g., location, browsing history) is sufficient for profiling users. For example, knowing that a user charges between 2 AM and 3 AM daily and browses insomnia treatment websites could reveal their health condition. More dangerously, the Battery API once exposed millisecond-precision charging times on iOS and certain Android browsers, theoretically allowing inference of device battery aging, which in turn links to specific brands and models.
4.3 Legal Compliance Risks
According to the General Data Protection Regulation (GDPR), any information that can directly or indirectly identify a user is considered personal data. In 2017, Belgian privacy researchers pointed out that battery fingerprints, due to their “high identification potential,” should be regarded as protected personal data. Any website collecting battery information within the EU must obtain explicit user consent. However, in practice, the vast majority of websites do not mention battery data usage in their cookie banners, operating in a gray zone.
5. How to Effectively Prevent Battery Fingerprinting?
5.1 Browser-Level Approaches
Modern browsers (e.g., the latest Firefox and later Chrome versions) have gradually restricted or disabled fine-grained reading of the Battery Status API. For example, in Chrome, the chargingTime and dischargingTime fields now return Infinity. However, level and charging remain available with unchanged precision. Users can manually disable JavaScript or use extensions like NoScript to block most fingerprinting, but this severely impacts normal website functionality.
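To see what such a restriction buys, the added example below (not code from the research or from any browser) measures the Shannon entropy of battery readings under three exposure policies. SAMPLE is constructed data, and the names observe, measure and POLICIES, along with the 0.2 coarsening step, are assumptions made for illustration.

```javascript
// Constructed sample: one battery reading per visitor (not real measurements).
const SAMPLE = [
  { charging: true,  level: 0.42, chargingTime: 3600,     dischargingTime: Infinity },
  { charging: true,  level: 0.42, chargingTime: 4200,     dischargingTime: Infinity },
  { charging: false, level: 0.42, chargingTime: Infinity, dischargingTime: 7200 },
  { charging: false, level: 0.47, chargingTime: Infinity, dischargingTime: 7200 },
  { charging: false, level: 0.88, chargingTime: Infinity, dischargingTime: 9000 },
  { charging: true,  level: 0.81, chargingTime: 1200,     dischargingTime: Infinity },
  { charging: true,  level: 0.88, chargingTime: 900,      dischargingTime: Infinity },
  { charging: false, level: 0.88, chargingTime: Infinity, dischargingTime: 15000 },
];

// Shannon entropy, in bits, of the distribution of observation keys.
function entropyBits(keys) {
  const counts = new Map();
  for (const k of keys) counts.set(k, (counts.get(k) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / keys.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Reduce a reading to what a page can observe under a given browser policy.
// step: granularity of level; times: whether the two time fields are real.
function observe(reading, { step, times }) {
  const bucket = Math.round(reading.level / step);
  const t = times
    ? [reading.chargingTime, reading.dischargingTime]
    : [Infinity, Infinity];
  return [reading.charging, bucket, ...t].join('|');
}

function measure(readings, policy) {
  return entropyBits(readings.map((r) => observe(r, policy)));
}

const POLICIES = {
  fullApi:     { step: 0.01, times: true },  // all four fields at full precision
  timesHidden: { step: 0.01, times: false }, // time fields forced to Infinity
  coarseLevel: { step: 0.2,  times: false }, // hypothetical coarser level buckets
};

for (const [name, policy] of Object.entries(POLICIES)) {
  console.log(name, measure(SAMPLE, policy).toFixed(2), 'bits');
}
```

On this constructed sample, hiding the time fields lowers the entropy, and coarser level buckets lower it further; the absolute figures depend entirely on the sample.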
5.2 Use Professional Anti-Fingerprinting Browsers
A more thorough solution is to use a browser environment with fingerprint spoofing capabilities. Such browsers can intercept Battery API calls and return preset random data (e.g., battery level randomly varying between 30% and 80%, charging status randomly switching), making each session’s battery fingerprint unique. For instance, NestBrowser offers complete battery information simulation features:
- Custom Battery Parameters: Users can manually set initial battery level, charging status, charging time, and discharging time, or configure it to “randomly generate each time a new tab is created.”
- Multi-Account Isolation: Each independent environment (Profile) has its own battery fingerprint sequence, without interference. Even if 10 accounts are opened simultaneously, each account sees a different battery variation curve.
- Real Device Simulation: Based on the selected browser kernel (Chromium/Firefox), operating system, and device type, it automatically matches a reasonable range consistent with that device’s battery life (e.g., slower discharge rate when simulating a MacBook).
By using NestBrowser, cross-border e-commerce operators can securely manage multiple stores on the same computer without worrying about being associated and banned due to identical battery fingerprints.
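The interception described in this section can be sketched as follows. This is an added example, not NestBrowser's code: sessionProfile, installBatteryShim and fakeNavigator are hypothetical names, and fakeNavigator is a constructed stand-in so the block runs under Node.

```javascript
// Pick one preset per browsing profile: level 30%..80%, random charging flag.
// rand is injectable so the choice can be made deterministic in tests.
function sessionProfile(rand = Math.random) {
  const percent = 30 + Math.floor(rand() * 51); // integer 30..80
  return { level: percent / 100, charging: rand() < 0.5 };
}

// Replace target.getBattery so callers get the preset, never hardware state.
// In a browser, target would be Navigator.prototype (assumption of this example).
function installBatteryShim(target, profile) {
  const original = target.getBattery;
  const calls = []; // one stack trace per call, to review which script asked
  const preset = {
    charging: profile.charging,
    level: profile.level,
    chargingTime: Infinity,    // the value the page says Chrome now returns
    dischargingTime: Infinity,
    onchargingchange: null,
    onlevelchange: null,
    addEventListener() {},     // preset never changes, so no event ever fires
    removeEventListener() {},
  };
  target.getBattery = function getBattery() {
    calls.push(new Error('getBattery called').stack);
    return Promise.resolve(preset); // same object on every call
  };
  return { preset, calls, restore() { target.getBattery = original; } };
}

// Constructed stand-in for a laptop's navigator (real state: 87%, discharging).
const fakeNavigator = {
  getBattery: () => Promise.resolve({
    charging: false, level: 0.87, chargingTime: Infinity, dischargingTime: 5400,
  }),
};

const shim = installBatteryShim(fakeNavigator, sessionProfile());
fakeNavigator.getBattery().then((battery) => {
  console.log('page sees:', battery.charging, battery.level,
    battery.chargingTime, battery.dischargingTime);
  console.log('calls recorded:', shim.calls.length);
});
```

A shim like this only covers the frame it is installed in, so it has to be applied in every frame before page scripts run; otherwise an unpatched copy of the API remains reachable.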
5.3 Best Practices for Multi-Account Management
For users who need to simultaneously manage multiple social media, e-commerce, or advertising accounts, in addition to battery fingerprints, attention must be paid to dozens of other fingerprint features such as Canvas, WebGL, time zone, font list, etc. Manually modifying browser settings is rarely sufficient to cover everything. Recommended practices include:
- Assign each account an independent browsing environment (Profile), with each Profile using a different IP and proxy.
- Enable fingerprint randomization so that fields like battery, screen resolution, and user agent automatically change per session.
- Regularly clear cache and IndexedDB data to prevent leftover tracking fragments.
- Use a professional fingerprint browser like NestBrowser, which includes spoofing rules for over 20 fingerprint features and supports team collaboration, API integration, and more, greatly improving operational efficiency.
6. Future Trends of Battery Fingerprinting
As privacy regulations tighten and browser vendors impose restrictions, the raw precision of the Battery API is declining. However, trackers are also evolving: they are now beginning to exploit the Web Audio API (inferring CPU load by calculating audio processing latency) and degraded reading of the Battery API (e.g., reading only level but combining it with system clock jitter for modeling). Additionally, some research has proven that even reading only charging status (true/false) and battery level (0.00 to 1.00), combined with high-precision timestamps, can still generate about 2 bits of entropy, enough to serve as an auxiliary feature.
Therefore, for individuals and teams with strict privacy requirements, proactive defense is more reliable than waiting for browsers to deprecate the API. By using professional tools like NestBrowser, you can block old tracking methods and preemptively adapt to new tracking techniques, ensuring each digital identity has a unique “camouflage.”
Conclusion
Battery information fingerprinting is a new battlefield in the internet privacy war. It exploits the browser’s exposure of dynamic device status to build tracking mechanisms that are difficult to eliminate. Whether you are an ordinary user worried about personal privacy leakage or a professional seeking to safely manage multiple accounts, you should take this threat seriously. From disabling unnecessary APIs to using professional anti-fingerprinting browsers, a progressive protection strategy can effectively reduce the risk of being tracked. Remember: in the online world, every tiny data point can become a bridge connecting to your real identity, and protecting this “digital dust” is the core mission of next-generation privacy tools.