Firefox to prevent sites from tracking users by checking their battery status

Version 52 of the popular Firefox browser will no longer allow websites to access the Battery Status API and the information it can provide about the visitor’s device.

battery status tracking users

As you may or may not know, the information this particular API provides when queried can be used, in conjunction with other techniques, to “fingerprint” Internet users (i.e. their browsers and devices), and to recreate deleted tracking cookies.

“Users who try to re-visit a website with a new identity may use browsers’ private mode or clear cookies and other client side identifiers. When consecutive visits are made within a short interval, the website can link users’ new and old identities by exploiting battery level and charge/discharge times,” researchers have found.

“The website can then reinstantiate users’ cookies and other client side identifiers, a method known as respawning. Note that, although this method of exploiting battery data as a linking identifier would only work for short time intervals, it may be used against power users who can not only clear their cookies but can go to great lenghts to clear their evercookies.”

According to another recent study by Princeton University researchers, fingerprinting by abusing the Battery Status API is definitely used, along with other new techniques like font fingerprinting and fingerprinting by querying the AudioContext API and the WebRTC API.

Engineering program manager at Mozilla Chris Peterson raised the question about removing web content access to the Battery API, and implemented the change in the Firefox 52 Nightly version (a test build).

“The battery code and tests remain, available to Gecko code and Firefox add-ons,” he added, and noted that they “always have the option to make the API available to web content again if a website or app demonstrates an interesting use case using Chrome’s Battery API.” (Chrome added support for it in 2014.)

The question of whether the Battery Status API should be removed completely is still being discussed.