Even if you use a private browser and take elaborate precautions to protect your privacy online, websites might still have a way to snoop on your internet activity. According to a recent study [PDF] by two security researchers at Princeton University, many websites are equipped with an API (application program interface) that’s capable of identifying your device’s battery status and using it to track your activity online. The study also notes that battery status tracking isn’t just hypothetically possible—it’s already happening.

The Guardian explains that the battery status API, introduced in HTML5, lets website owners see how much battery power is left in your device. It also tracks how much time it will take for the battery to run out of juice or power up. Websites can theoretically use that information to help you out, for instance by switching to a low-power version of their site if your phone is dying. But the battery status API also makes some seriously disturbing snooping possible.

When taken together, the percent battery power you have left on your device and the amount of time you have until the battery runs out become a unique identifier, researchers explain. For example, if the same web ad appears on two pages you are perusing at once—even if they are open in different browsers with different levels of security—the owners of that ad can identify that your device (with its unique battery signifier) is visiting both places. Researchers also found that some websites have launched tracking scripts that use the battery status API to “fingerprint” devices, allowing them to track internet use across websites.

So far, it’s unclear how widespread battery status tracking is. But researchers worry that the seemingly innocent battery status API could be put to nefarious purposes, allowing companies to sell access to our battery levels. The study serves as yet another reminder of how hard it can be, for even the most diligent, to protect our privacy online.

[h/t The Guardian]