Why? Fingerprinting. Rather than these APIs being used for what they are meant for, they end up being used for gross ad tech. As in, “hey, we don’t know exactly who you are, but wait, through a script we can tell your phone stopped being idle from 8:00 am to 8:13 am and were near the Bluetooth device JBL BATHROOM, so it’s probably dad taking his morning poop! Let’s show him some ads for nicer speakers and flannel shirts ASAP.”

I’ll pull the complete list here from Catalin Cimpanu’s article:

• Web Bluetooth – Allows websites to connect to nearby Bluetooth LE devices.
• Web MIDI API – Allows websites to enumerate, manipulate and access MIDI devices.
• Magnetometer API – Allows websites to access data about the local magnetic field around a user, as detected by the device’s primary magnetometer sensor.
• Web NFC API – Allows websites to communicate with NFC tags through a device’s NFC reader.
• Device Memory API – Allows websites to receive the approximate amount of device memory in gigabytes.
• Network Information API – Provides information about the connection a device is using to communicate with the network and provides a means for scripts to be notified if the connection type changes
• Battery Status API – Allows websites to receive information about the battery status of the hosting device.
• Web Bluetooth Scanning – Allows websites to scan for nearby Bluetooth LE devices.
  
• Ambient Light Sensor – Lets websites get the current light level or illuminance of the ambient light around the hosting device via the device’s native sensors.
• HDCP Policy Check extension for EME – Allows websites to check for HDCP policies, used in media streaming/playback.
• Proximity Sensor – Allows websites to retrieve data about the distance between a device and an object, as measured by a proximity sensor.
• WebHID – Allows websites to retrieve information about locally connected Human Interface Device (HID) devices.
• Serial API – Allows websites to write and read data from serial interfaces, used by devices such as microcontrollers, 3D printers, and othes.
• Web USB – Lets websites communicate with devices via USB (Universal Serial Bus).
• Geolocation Sensor (background geolocation) – A more modern version of the older Geolocation API that lets websites access geolocation data.
  
• User Idle Detection – Lets website know when a user is idle.

I’m of mixing feelings. I do like the idea of the web being a competitive platform for building any sort of app and sometimes fancy APIs like this open those doors.

Not to mention that some of these APIs are designed to do responsible things, like knowing connections speeds through the Network Information API and sending less data if you can, and the same for the Battery Status API.

This is all a similar situation to :visited in CSS. Have you ever noticed how there are some CSS declarations you can’t use on visited links? JavaScript APIs will even literally lie about the current styling of visited links to make links always appear unvisited. Because fingerprinting.

Direct Link →