Apple, Mozilla kill API to deplete W3C battery-snitching standard

Idea for low-powered HTML adjustments abandoned after security implications explored

By Richard Chirgwin

Posted in Security, 7th November 2016 01:55 GMT

Apple and Mozilla are leading the charge away from a W3C standard, because it's too much of a privacy risk.

The Register reported the battery-snitching capability in August 2015.

The W3C's idea was that if HTML included properties to look at the state of users' batteries, a site could de-cruft the Web pages it served if your phone was on the last 20 per cent of charge.

However, a 2015 paper (PDF) published at the International Association for Cryptologic Research (IACR) highlighted the privacy implications of battery-snitching. The paper pointed out that the Battery Status API provided an effective way to fingerprint users.

A paper (PDF) presented at late October's Association of Computing Machinery's Conference on Computer and Communications Security bore that out, with the authors demonstrating that simple scripts can exploit the API.

One of the authors of the 2015 IACR paper, Lukasz Olejnik (whose work includes highlighting the serious privacy risks posed by the Bluetooth Web API) has now blogged that the Battery Status API is being pulled from Firefox.

The change will be effective as of Firefox 52.

It might not stop there. As Olejnik also notes, it looks like it will be removed from WebKit as well – even before it was fully implemented in Safari. ®
