Firefox 52 will remove the battery level API to preserve user data privacy

Mozilla will block access to one of the functions of the Firefox browser, known as Battery Status API. With its help, websites could learn about the battery level of a laptop, tablet or smartphone user. The decision was made in order to protect the right of users to privacy. The chronology of events is such that the story began with the suspicion of experts, followed by the implementation and actual use. At the moment it is not clear what other browsers will do with this feature.

The reason for the dramatic changes was that data privacy was at risk. Additional circumstances are an abuse of opportunity and many mistakes in implementation. The decision to remove the function due to privacy concerns is unprecedented after the well-known obvious cases of illegal use.

The purpose of the function is to offer users different versions of the site depending on the remaining charge of the device. If the device is discharged, the user can be offered a version of the site that does not “eat” the battery so much. Behind different versions there is a big work of owners and authors of sites, developers and others. Battery Status API received the status of charging from the network or battery life and how much time was left until the device was turned off. And also, what percentage of the battery remained unspent. The specific application of the function looked like this: social networks turned off automatic video playback, and services with maps displayed fewer details, without which it was possible to do.
')

The potential threat came true when two security researchers from Princeton University discovered tracking scripts that were used in the real world to fingerprint a particular device in order to further monitor it in different situations. This discovery motivated Mozilla’s developers to remove “bad” features from their browser. The function was finally removed on October 27, 2016. 17 months have passed since the discovery of the problem.

In addition to Firefox, two more browsers supported the function: Opera and Google Chrome. Let the Battery Status API be part of the HTML5 specification, IE, Edge browsers never implemented it. In WebKit, there was support for the Battery Status API, but it never appeared in the Safari browser. There are only a few common applications in reality beyond the scope of the user identification task.

About the function itself

Battery Status API was documented in 2012. Mozilla Firefox is the first browser in which it was implemented. The Battery status API adds the navigator.getBattery () method to the window.navigator. In the example below you can see how the charging status (connection to the network) and the charge level in the battery, and the remaining time, change. This is possible using the listen function for events: chargingchange, levelchange, chargingtimechange, dischargingtimechange.

 navigator.getBattery().then(function(battery) { function updateAllBatteryInfo(){ updateChargeInfo(); updateLevelInfo(); updateChargingInfo(); updateDischargingInfo(); } updateAllBatteryInfo(); battery.addEventListener('chargingchange', function(){ updateChargeInfo(); }); function updateChargeInfo(){ console.log("Battery charging? " + (battery.charging ? "Yes" : "No")); } battery.addEventListener('levelchange', function(){ updateLevelInfo(); }); function updateLevelInfo(){ console.log("Battery level: " + battery.level * 100 + "%"); } battery.addEventListener('chargingtimechange', function(){ updateChargingInfo(); }); function updateChargingInfo(){ console.log("Battery charging time: " + battery.chargingTime + " seconds"); } battery.addEventListener('dischargingtimechange', function(){ updateDischargingInfo(); }); function updateDischargingInfo(){ console.log("Battery discharging time: " + battery.dischargingTime + " seconds"); } }); 

The site should not be able to connect the user's identity in incognito mode with different IP with and without VPN. In the case of a quick VPN shutdown, the battery charge level will be about the same. Having considered this information, the browser will transmit it to the site. Two data sets will be matched and it will be possible to conclude that the user is the same.


The Guardian quotes Lukasz Oleynik, a security consultant and researcher at UCL, about what's happening with Firefox. He was one of four people who first discovered the potential threat to the Battery Status API. Of course, he was glad to see how his work bore fruit. The specialist did not expect the development company to completely abandon the use of the API. “This is indeed unprecedented. I do not know about similar developments in the history of development. Regarding the delay in the deletion process: this is not so critical, because we proposed to make changes to the function of the function last year, but in the end we received a complete deletion. The fact that this is for confidentiality emphasizes the importance of the decision. ” Mozilla said in a statement that the feature is now unavailable for web content, but it can still be found in extensions. Battery Status API will be removed in the 52nd version of Firefox.

So far, the function is going to remove only Mozilla. The developers of the Webkit engine, which underlies Apple's Safari, also suggested removing the API code. The Guardian turned to Google and Opera for comment. Apple declined to comment. Confirmation that the function has been removed from access is posted on the official Mozilla website.