International Professional Fora:

A study of civil society organisation participation in internet governance

Battery Status API

On 7th July 2016, the W3C’s Device and Sensors Working Group returned the specification of the Battery Status API, previously published as a Proposed Recommendation in March 2016, to the status of Candidate Recommendation. The document referred to concerns that had been raised about ‘possible privacy-invasive usage of the Battery Status API’.

The cited privacy concerns were raised by a group of privacy researchers. In a report published in 2015, Lukasz Olejnik, Gunes Acar, Claude Castelluccia, and Claudia Diaz analysed the implementation of the API in Mozilla’s Firefox and found that the high-precision read-outs provided by the browser could reveal the capacity of the user’s batteries, which as a result ‘expose[d] a fingerprintable surface that [could] be used to track web users in short time intervals’. They concluded that the capacity of the battery could potentially serve as a tracking identifier. The researchers then reported their findings to Firefox. Lukasz Olejnik subsequently joined the W3C as an Invited Expert and has contributed to its work on privacy.

More recently, two other researchers at Princeton University, Steven Englehardt and Arvind Narayanan, revealed that fingerprinting scripts have used, among others, the Battery Status API. Following the researchers’ reports, as well as revelations by companies such as Uber about the amount of data they could access and how they could potentially benefit from detecting a lower battery status, browser vendors decided to withdraw their support for the API. In a blog post, Olejnik highlighted this as ‘an unprecedented event in the Web’s history’. According to the researcher, this showed how far things had come: ‘a long way since 2000s, when privacy wasn’t treated that seriously’ by vendors. At the end of October 2016, Mozilla’s engineers confirmed that, contrary to the developers’ intention that the API would be used ‘to save document data before the battery dies, to ease off heavy computation when the battery is low, or to implement the Firefox OS settings app’, the real uses of the specification had resulted in fingerprinting users and tracking consumer behaviour. A few days later, the WebKit team, which powers Apple’s Safari browser, announced that it had abandoned the API for the same reasons. While Safari and Internet Explorer had never implemented the API in their browsers, Chrome has supported it since 2014, and its final decision given the current circumstances remains to be seen.

Speaking on behalf of the privacy advocates community, Joseph Lorenzo Hall, Chief Technologist at the Centre for Democracy and Technology, thanked browser vendors for the decisions they had taken. The W3C had announced that once privacy concerns were ‘sufficiently’ addressed, the specification would resume its status as a Proposed Recommendation. The original deadline set for that – no later than 1st September 2016 – has now passed with no resumption.