browser data , according to privacy expert Lukasz Olejnik . Over the past decade , ambient light sensors have become quite common in smartphones , tablets , and laptops , where they are used to detect the level of surrounding light and automatically adjust a screen 's intensity to optimize battery consumption ... and other stuff . The sensors have become so prevalent , that the World Wide Web Consortium ( W3C ) has developed a special API that allows websites ( through a browser ) to interact with a device 's ambient light sensors . Browsers such as Chrome and Firefox have already shipped versions of this API with their products . Last month , in a discussion of the W3C Generic Sensor specification , the Google team proposed that ambient light sensors ( ALS ) , together with gyroscope , magnetometer , and accelerometer sensors , should be exempt from the browser permissions system . In other words , websites using these sensors wo n't have to ask users for explicit permission before accessing the any of these four sensors . Google 's opinion is that by removing this permission requirement , browsers will be on par with mobile applications , which also do n't have to ask the user for permission before accessing these sensors . This proposal did n't go well with Olejnik and fellow researcher Artur Janc , who in a series of demos , have proved that light radiating from the device 's screen , is often picked up by the ambient light sensors . A determined attacker that can lureAttack.Phishingvictims to his site , or one that can insert malicious code on another site , can determine which URLs a user has visited in the past . The whole attack relies on using different colors for normal and previously visited links , which produce a small light variation that ambient light sensors can pick up . Furthermore , Olejnik and Janc also proved that ambient light sensors can stealAttack.DatabreachQR codes , albeit this attack takes longer to perform . Right now , ambient light sensors readings are blocked in Chrome behind settings flags , as the API is experimental , but they 're supported in Firefox via DeviceLight events . According to Olejnik , mitigating this attack is simple , as it only requires browser makers and the W3C to adjust the default frequency at which the sensors report their readings . Furthermore , the researcher also recommends that browser makers quantize the result by limiting the precision of the sensor output to only a few values in a preset range . Both attacks Olejnik and Janc devised take from seconds to minutes to execute . With these mitigations in place , the attacks would n't be stopped , but they would take even longer to perform , making any of them impractical in the real world . In the long run , Olejnik and Janc hope to see access to these sensors behind a dedicated browser permission . The two researchers filedVulnerability-related.DiscoverVulnerabilitybug reports with both Chrome and Firefox in the hopes their recommendations will be followed . Olejnik has previously showed how battery readouts can allow advertisers to track users online , how the new W3C Web Bluetooth API is riddled with privacy holes , and how the new W3C Proximity Sensor API allows websites and advertisers to query the position of nearby objects .