experiment 33 · battery api · no permissions
your battery level
was a tracking tool.
The W3C Battery Status API exposed your exact battery charge level, charging state, and
estimated drain time to every website you visited. No permission. No dialog. Firefox removed
it in 2016 after researchers proved it was being used to track users after cookie deletion.
Firefox removed this API in 2016.
Researchers proved the battery drain rate was being used to re-identify users who cleared all cookies.
Chrome kept a limited version. Safari never implemented it.
Battery Status API — removed / unavailable
This browser does not expose battery data.
This is intentional — the API was removed or restricted after its tracking potential was documented.
2012
W3C Battery Status API published. Designed for web apps to adapt behavior to low-power conditions.
2015
Olejnik, Acar, Castelluccia & Juels publish "The leaking battery" — demonstrating that exact battery level + drain rate creates a short-lived but precise cross-site identifier, usable even after cookie deletion.
2016
Firefox removes the Battery Status API entirely (Bug 1313580). Mozilla cites the privacy research directly in the decision.
2019
Chrome restricts the API to HTTPS origins and removes it from workers. Safari never shipped it.
2023+
The Battery Status API remains in the W3C spec but is considered deprecated for privacy-sensitive contexts. The episode became a canonical example of how "helpful" APIs become tracking tools.
how was battery level used for tracking?
The Battery Status API reported battery level as a floating-point number between 0 and 1 (e.g. 0.83), plus the estimated charging and discharging times in seconds. The precision of these values, combined with their slow decay rate, created a fingerprint that persisted for hours — long enough to re-identify a user who had cleared cookies, switched to private browsing, or enabled a VPN.
The tracking technique worked across websites within the same browsing session. As the battery level decayed by small increments, the combination of (level, chargingTime, dischargingTime) remained unique to one device. An ad network could record this tuple on site A, then re-identify the same device on unrelated site B — even with no shared cookies, storage, or network identifiers.
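The uniqueness described above can be measured as anonymity-set sizes. The following is an added example, not code from the original page: it builds a constructed population of simulated readings (makeReadings, its seed and the value ranges are assumptions) and compares the full (level, chargingTime, dischargingTime) tuple with an assumed mitigation that reports only a coarsely bucketed level.

```javascript
// Constructed sample data (not real measurements): n simulated devices with the
// three fields the page names. Times are in seconds; Infinity = not applicable.
function makeReadings(n, seed = 20160) {
  let s = seed; // MINSTD LCG keeps the data reproducible offline
  const rnd = () => (s = (s * 48271) % 2147483647) / 2147483647;
  const out = [];
  for (let i = 0; i < n; i++) {
    const charging = rnd() < 0.3;
    const level = Math.round(rnd() * 100) / 100; // two decimals, e.g. 0.83
    const t = rnd();
    out.push({
      level,
      chargingTime: charging ? Math.floor(t * 7200) : Infinity,
      dischargingTime: charging ? Infinity : Math.floor(t * 36000),
    });
  }
  return out;
}

// What a page sees when the full-precision tuple is exposed.
const rawKey = (r) => `${r.level}|${r.chargingTime}|${r.dischargingTime}`;

// Assumed mitigation: report level in 0.25 steps and withhold both time estimates.
const coarseKey = (r) => String(Math.round(r.level * 4) / 4);

// Group readings by key; returns Map(key -> number of devices sharing it).
function anonymitySets(readings, keyFn) {
  const sets = new Map();
  for (const r of readings) sets.set(keyFn(r), (sets.get(keyFn(r)) || 0) + 1);
  return sets;
}

// Share of devices that are alone in their set, i.e. individually re-identifiable.
function uniqueFraction(readings, keyFn) {
  let alone = 0;
  for (const size of anonymitySets(readings, keyFn).values()) if (size === 1) alone++;
  return alone / readings.length;
}

// Size of the smallest set: the worst-case crowd a device can hide in.
function smallestSet(readings, keyFn) {
  return Math.min(...anonymitySets(readings, keyFn).values());
}

const devices = makeReadings(1000);
console.log("raw tuple:    unique =", uniqueFraction(devices, rawKey));
console.log("coarse level: unique =", uniqueFraction(devices, coarseKey),
            "smallest set =", smallestSet(devices, coarseKey));
```

With the full tuple nearly every simulated device sits in a set of one; with the bucketed level alone, every device shares its value with a large crowd.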
This case became important in privacy regulation. The GDPR's data minimization principle is now interpreted to prohibit APIs like this even when labeled as "functional." The W3C Privacy Interest Group (PING) now reviews all new browser APIs for fingerprinting surface before publication — a process directly inspired by the battery API incident.