Mozilla cuts website access to Battery API in Firefox 52
Mozilla has made the decision to cut website access to the Battery Status API in Firefox 52 to improve user privacy while using the browser.
Battery Status API was introduced back in 2012 to allow sites, apps and extensions to retrieve information about the device's battery charge and discharge time, and batter level.
You can check out this test site to see this in action. Please note that the API is only supported in Firefox (prior to version 52), Chrome and several Chromium-based browsers such as Opera currently, but not in Edge, Internet Explorer or Safari.
Sites can access the information directly, there is no permission request that prevents them from doing so as per the Battery API specifications:
The API defined in this specification is used to determine the battery status of the hosting device. The information disclosed has minimal impact on privacy or fingerprinting, and therefore is exposed without permission grants. For example, authors cannot directly know if there is a battery or not in the hosting device.
The research paper "The leaking battery. A privacy analysis of the HTML5 Battery Status API" indicates however that the API can be abused for fingerprinting and thus online tracking (PDF version)
In short time intervals, Battery Status API can be used to reinstantiate tracking identifiers of users, similar to evercookies. Moreover, battery information can be used in cases where a user can go to great lenghts to clear her evercookies. In a corporate setting, where devices share similar characteristics and IP addresses, the battery information can be used to distinguish devices behind a NAT, of traditional tracking mechanisms do not work.
Firefox users can disable the Battery Status API in the browser by flipping the Boolean value of dom.battery.enabled to false on about:config (this is one of then many privacy and security preferences of Firefox covered here)
- Type about:config in the Firefox address bar.
- Confirm that you will be careful if the warning prompt appears.
- Search for dom.battery.enabled.
- Double-click the preference to set it to false.
Starting with Firefox 52, websites may no longer access the API so that it can no longer be used for tracking purposes. Mozilla will keep the API open to extensions and Firefox itself however.
The change affects desktop and Android versions of the Firefox web browser. This means that only Chrome and Chromium-based browsers may be tracked using the API.
It is rather interesting to note that Mozilla is not aware of a legitimate use case of the API on Internet sites. (via Sören Hentzschel)
Now Read: The ultimate Online Privacy Test Resource List
Why does Firefox even have access to the battery status?
Firefox gives (gave) battery status because the Battery API is on the verge of becoming a web standard. Now it’s back to “Candidate recommendation” status because of these privacy issues.
So now the question is, who makes web standards exactly ? Whose interests are weighting the most over there ?
Meh. Laptops and cell phones have a battery icon, anyway.
That’s missing the whole point and yet hitting it on the head to begin with: System that ran off of a battery had a battery icon anyways, thus there was no point in creating this API in the first place….except for tracking
Fun fact:
Uber has noticed that people with low battery are much more likely to pay for “surge prices”, which are normal prices increased by a multiplier, like x2 or x3. Surge prices occur when there’s rain or an event or something that makes demand for vehicles too high for the amount of Uber drivers in the area.
How long until Uber indulge in charging people with low battery higher than people with high battery ? :)
I wonder if they also scrape and utilize info on OS/phone specs etc ,, like detecting combustible phones and charging an excess xD
> Now remove Pocket add-on, WebRTC, Network Information API, Navigation Timing API, make WebGL as a click-to-play, trim referer by default […]
WTF? Click-to-Play for using Google Maps? Remove WebRTC so that video chats are no longer possible without Flash? Trim referer by default and make website analytics a lot harder? Remove pocket only because you don’t need it, but don’t remove the features you like, right? Pocket is really easy to disable, so it can’t hurt you. Crazy suggestions… Please Mozilla, don’t do anything of these suggestions!
>Pocket
Why Mozilla started including add-ons to the Firefox by default? Isn’t it against their philosophy? Users should decide what extension to add.
>website analytics
Are you serious?
>video chats
Firefox is web browser, not Skype. Again, this should be handled by add-on that users can install.
>Google Maps
Google uses WebGL for their maps? lol It’s like Facebook still uses Flash for videos. Funny.
Enjoy your bloated slow browser full of security holes.
1/ Weakening referrers by default would likely just push tracking companies to rely more on alternatives that are harder to get rid off. Firefox already gives very granular control over referrers, the only thing that could be improved is access to these controls. (TB’s Privacy slider, will you ever reach Firefox ?)
2/ Google Maps doesn’t need WebGL; it uses it when available but works without. I agree that there should be an option to make WebGL and even Canvas click to play.
3/ WebRTC requires user permission, it doesn’t need to be removed. It needs to be improved privacy wise, and slowly, it is being improved. e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=959893
4/ Pocket I have no opinion since I never bothered evaluating its usefulness to Firefox, I just disable it.
5/ IndexedDB should be deletable under “Offline data” and since it’s permanent storage, I guess only when the time interval is set to “Everything” instead of X hours. Still, IndexedDB can store gigabytes of game assets, along with compiled asm.js code, and so far I’ve never seen it being used for tracking. So users may not want to delete IndexedDB along with regular cookies, cache and history…
Nice move, Mozilla. Now remove Pocket add-on, WebRTC, Network Information API, Navigation Timing API, make WebGL as a click-to-play, trim referer by default and let IndexedDB be emptied with “Clear private data” dialog.
And lose 99% of your income. Good idea.