Mozilla cuts website access to Battery API in Firefox 52
The Battery Status API was introduced back in 2012 to allow sites, apps and extensions to retrieve information about the device's battery charge and discharge time, and battery level.
You can check out this test site to see this in action. Note that the API is currently supported only in Firefox (prior to version 52), Chrome and several Chromium-based browsers such as Opera, but not in Edge, Internet Explorer or Safari.
Sites can access the information directly; no permission request prevents them from doing so, as per the Battery API specification:
The API defined in this specification is used to determine the battery status of the hosting device. The information disclosed has minimal impact on privacy or fingerprinting, and therefore is exposed without permission grants. For example, authors cannot directly know if there is a battery or not in the hosting device.
The research paper "The leaking battery. A privacy analysis of the HTML5 Battery Status API" indicates, however, that the API can be abused for fingerprinting and thus online tracking (PDF version):
In short time intervals, Battery Status API can be used to reinstantiate tracking identifiers of users, similar to evercookies. Moreover, battery information can be used in cases where a user can go to great lengths to clear her evercookies. In a corporate setting, where devices share similar characteristics and IP addresses, the battery information can be used to distinguish devices behind a NAT, if traditional tracking mechanisms do not work.
Firefox users can disable the Battery Status API in the browser by flipping the Boolean value of dom.battery.enabled to false on about:config (this is one of the many privacy and security preferences of Firefox covered here):
- Type about:config in the Firefox address bar.
- Confirm that you will be careful if the warning prompt appears.
- Search for dom.battery.enabled.
- Double-click the preference to set it to false.
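To confirm the change took effect, the following check (an added example, not code from the article or from Mozilla) reports what page script can still read from the API. The function names and the stub-friendly `nav` parameter are illustrative; it assumes that with the preference set to false the entry point is simply absent for page content.

```javascript
// Added example (not from the article): report what page script can read
// from the Battery Status API. `nav` is any navigator-like object, so the
// same check runs in a browser console or against a constructed stub.

// Which entry point, if any, is visible to the caller.
function batteryEntryPoint(nav) {
  if (nav && typeof nav.getBattery === "function") return "navigator.getBattery()";
  // Older synchronous form that predates getBattery().
  if (nav && nav.battery) return "navigator.battery";
  return null;
}

async function auditBatteryExposure(nav) {
  const report = { entryPoint: batteryEntryPoint(nav), exposed: false, readings: null, error: null };
  if (report.entryPoint === null) return report; // nothing for a page to query

  let battery;
  try {
    battery = report.entryPoint === "navigator.battery" ? nav.battery : await nav.getBattery();
  } catch (err) {
    // Entry point exists but the browser refused the request.
    report.error = String(err);
    return report;
  }
  if (!battery) return report;

  // The values the article lists (charge/discharge time, level) plus the charging flag.
  report.exposed = true;
  report.readings = {
    charging: battery.charging,
    level: battery.level,
    chargingTime: battery.chargingTime,
    dischargingTime: battery.dischargingTime,
  };
  return report;
}

// In a browser console: prints the report for the current page context.
if (typeof window !== "undefined" && typeof navigator !== "undefined") {
  auditBatteryExposure(navigator).then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

A report with `entryPoint: null` and `exposed: false` means the page context has no way to query the battery.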
Starting with Firefox 52, websites may no longer access the API, so it can no longer be used for tracking purposes. Mozilla will, however, keep the API open to extensions and Firefox itself.
The change affects desktop and Android versions of the Firefox web browser. This means that only users of Chrome and Chromium-based browsers may still be tracked using the API.
It is rather interesting to note that Mozilla is not aware of a legitimate use case of the API on Internet sites. (via Sören Hentzschel)