Slashdot Mirror
Firefox Disables Loophole that Allows Sites To Track Users Via Battery Status (theguardian.com)
New submitter xogg writes: Battery Status API allows web sites to read the battery level of user's system. The API was found to bring privacy risks and abuse potential and a number of implementation bugs. Now with apparent no legitimate use cases, Mozilla is taking the unprecedented decision to vaporize a browser API due to privacy concerns. And apparently, WebKit, powering Apple's Safari follows. Is that the first time a browser reduces functionality following research reports warning of privacy risks?
I would hardly call this reducing functionality. Technically, sure. But a web browser is supposed to browse the web, and this API wasn't helping any.
... there will be far more egregious privacy-risking APIs in web browsers in the future....
Stop introspecting the device within the browser framework. Browse the web, run sandboxed script code, but stop digging into the device. Leave the other information mining to apps with appropriate user controls to say fuck off when appropriate.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
So it can avoid loading video ads on mobile when you have low battery :D
Make the site request permission, like it would for the camera or GPS location.
I don't see this is as some big thing, but just because I can't think of an important use case doesn't mean there isn't a good one somewhere. Surely somebody wanted this for some reason? Anyway, it seems weird to introduce it then take it back over concerns that seem pretty mild, and also pretty easy to address the same way other concerns have been addressed in the past.
Let's not stir that bag of worms...
So let's have a fake 'low battery status' tool to inhibit ads. I'm setting mine at 5% for the rest of my life.
Have gnu, will travel.
It isn't the first time browsers reduced functionality for security. It used to be you could use a url such as http: //username:password@hostname/ but that was abused and eliminated from all major browsers. (space added after http so slashdot reformatter doesn't break comment).
Just replace the battery percentage value, if that's what the API was returning with an BatteryIsLow() boolean, which could be set at something arbitrary, like 30%.
This way, the valid use cases, like control of video serving or "intensity", could still work, but the privacy concern would be gone. You can't effectively track someone in general just by knowing the times when they transition around 30%. That would be too rare to be a useful tracking data point.
Where are we going and why are we in a handbasket?
"apparent no", according to the summary.
Sheesh, evil *and* a jerk. -- Jade
You really think that websites would not send you an ad if your battery was low?
The real "Libtards" are the Libertarians!
There were many promising use cases for this functionality, which now have gone into the shitter.
There wasn't a single valid use case for third parties being able to monitor your battery through a general purpose web browser. It just gives another way for advertisers to try to keep tabs on you without your permission. There is nothing useful about this "feature" to me as an end user and as such it should go away.
A website could serve up fewer video intensive ads if it detected a low battery status, for example, or even pop up an alert window and offer to sell the user a new battery
I have an easier solution. I just block the ads and then there is no problem with them draining my battery. Here's a clue - anything that increases the ability of advertisers to track me is a Bad Thing. Here's another clue. Advertisers don't give a shit about saving your battery. You are nothing more than $$$ to be harvested to them. The notion that advertisers would altruistically do things to save your battery life is unbelievably naive.
It could go ahead and save the user's status or input if it thought that the battery was about to die.
This can be done without worrying about the state of the battery and in fact doing so is often a good idea. Being able to monitor my battery improves nothing.
We've tried the global experiment of browser-as-platform, and it has failed miserably from a security, usability and consumer-rights perspective.
The browser as a platform has definitely not failed, 90% of all computer time is probably in the browser. It has taken over almost all general computing task and more is coming. Look at the R&D invested in web technologies versus your favorite desktop OS. The desktop OS as we know it are going to die, it's already minuscule compared to the web.
I doubt this is the first time, seeing as how computer science is now a 70 year old field.
But that's not even the correction question. The real question is, "Did they do the right thing?" IMO, yes, yes they did. A website has zero legitimate reason to track battery status, and as we've already discovered, the API is nothing more than another avenue for abuse.
The whole bluetooth web API nonsense falls into the same category. The level and likelihood of abuse is countless orders of magnitude more likely than any legitimate use case the budding Einstein inventor can come up with.
There were many promising use cases for this functionality, which now have gone into the shitter.
Horseshit. No website has *any fucking business whatsoever* accessing my hardware in such a fashion, period.
And I am perfectly capable of reading my device's battery monitor on my own, thanks very much.
And if websites didn't on serving up "video intensive" ads, ad blockers might not be in such high demand.
And you're a complete asshole for wanting to be an enabler of this shit.
Go die in a fire.
Il n'y a pas de Planet B.