Firefox Disables Loophole that Allows Sites To Track Users Via Battery Status (theguardian.com)

← Back to Stories (view on slashdot.org)

Firefox Disables Loophole that Allows Sites To Track Users Via Battery Status (theguardian.com)

Posted by msmash on Tuesday November 1, 2016 @08:00AM from the fixing-things dept.

New submitter xogg writes: Battery Status API allows web sites to read the battery level of user's system. The API was found to bring privacy risks and abuse potential and a number of implementation bugs. Now with apparent no legitimate use cases, Mozilla is taking the unprecedented decision to vaporize a browser API due to privacy concerns. And apparently, WebKit, powering Apple's Safari follows. Is that the first time a browser reduces functionality following research reports warning of privacy risks?

10 of 104 comments (clear)

Min score:

Reason:

Sort:

Reducing Functionality? by iYk6 · 2016-11-01 08:05 · Score: 5, Insightful

I would hardly call this reducing functionality. Technically, sure. But a web browser is supposed to browse the web, and this API wasn't helping any.
1. Re:Reducing Functionality? by Anonymous Coward · 2016-11-01 08:23 · Score: 3, Informative
  
  A website could serve up fewer video intensive ads if it detected a low battery status
  Maybe...
  
  even pop up an alert window and offer to sell the user a new battery
  Don't want
  
  It could go ahead and save the user's status or input if it thought that the battery was about to die.
  
  I'll hit save before I put it to sleep, no worries.
  Honestly this is a tempest in a teapot. Couldn't it just be reduced to:
  Battery level low: True/False
  Heck let the user set what level it shows low as at well.
2. Re:Reducing Functionality? by bondsbw · 2016-11-01 08:58 · Score: 3, Interesting
  
  This API never needed to provide battery level as a double value. An enumeration such as { Full | Sufficient | Low | Critical } would have solved the privacy issue while providing useful information.
  
  --
  All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
Not to worry... by QuietLagoon · 2016-11-01 08:06 · Score: 3, Insightful

... there will be far more egregious privacy-risking APIs in web browsers in the future....
1. Re:Not to worry... by Anonymous Coward · 2016-11-01 08:54 · Score: 3, Informative
  
  ... there will be far more egregious privacy-risking APIs in web browsers in the future....
  Indeed. I don't even want a site to know whether I'm on a "mobile" device. All I want is standards compliant HTTP, HTML, CSS, and JS. I don't want ANYTHING else in my browser - if I did want those things, I would put them there myself. The remote site should neither know nor care what system is implementing the standards-compliant browser I use. All the remote site really needs to know is that my user agent speaks HTTP. Nothing else, including OS/platform, user-agent, etc is any of its damn business.
We've gone too far by Virtucon · 2016-11-01 08:12 · Score: 4, Insightful

Stop introspecting the device within the browser framework. Browse the web, run sandboxed script code, but stop digging into the device. Leave the other information mining to apps with appropriate user controls to say fuck off when appropriate.

--
Harrison's Postulate - "For every action there is an equal and opposite criticism"
Reduce functionality for security by SeriousTube · 2016-11-01 08:31 · Score: 3, Informative

It isn't the first time browsers reduced functionality for security. It used to be you could use a url such as http: //username:password@hostname/ but that was abused and eliminated from all major browsers. (space added after http so slashdot reformatter doesn't break comment).
Better solution by presidenteloco · 2016-11-01 08:32 · Score: 4, Interesting

Just replace the battery percentage value, if that's what the API was returning with an BatteryIsLow() boolean, which could be set at something arbitrary, like 30%.
This way, the valid use cases, like control of video serving or "intensity", could still work, but the privacy concern would be gone. You can't effectively track someone in general just by knowing the times when they transition around 30%. That would be too rare to be a useful tracking data point.

--

Where are we going and why are we in a handbasket?
1. Re:Better solution by wonkey_monkey · 2016-11-01 08:59 · Score: 4, Interesting
  
  How about just "on battery power" or "plugged in"?
  
  --
  systemd is Roko's Basilisk.
Fuck you (-10000 Flaimbate) by Zontar+The+Mindless · 2016-11-01 12:14 · Score: 5, Insightful

There were many promising use cases for this functionality, which now have gone into the shitter.
Horseshit. No website has *any fucking business whatsoever* accessing my hardware in such a fashion, period.
And I am perfectly capable of reading my device's battery monitor on my own, thanks very much.
And if websites didn't on serving up "video intensive" ads, ad blockers might not be in such high demand.
And you're a complete asshole for wanting to be an enabler of this shit.
Go die in a fire.

--
Il n'y a pas de Planet B.