Advertisers get hands stuck inside HTML5 database cookie jar

Even casual Internet users know that if you want to hold your privacy in check, it's good practice to clear out your browser cookies every once in a while. Our recent coverage about "zombie" Flash cookies has shown us, however, that simply clearing your browser cookies the old-fashioned way isn't always enough. As highlighted by a study out of UC Berkeley, some companies have begun using Flash-based cookies that not only recreate themselves, without the user's knowledge, when deleted, but also reach into the Flash storage bin for the just-deleted user info so that they can keep tracking you and your stored history instead of starting anew.

It's because of this behavior that some of our readers drew our attention to something called RLDGUID, a Safari database that has been popping up more and more on iOS devices. What is it, who put it there, and what purpose does it serve? The company behind this database, Ringleader Digital, is basically using some of the modern HTML5 capabilities of mobile browsers to perform the same tasks as a traditional cookie, but out of sight of most users. We decided to dig in and see what RLDGUID is all about, and what we found was sometimes confusing. More importantly, however, it highlights why users should be made more aware of what their browsers are storing about them. 

What is Ringleader Digital?

Ringleader Digital is a mobile advertising company that serves websites that want to offer targeted advertising to users. RLDGUID stands for Ring Leader Digital Globally Unique ID, which is how Ringleader Digital identifies your mobile device when tracking you. The company claims on its privacy page that it only collects "non-personally identifiable information, such as browser identifiers, session information, device type, carrier provider, IP addresses, unique device ID, carrier user ID and web sites visited."

(Whether that amount of information is truly "non-personally identifiable" when pieced together is one of those topics that is constantly up for debate. A device ID and type, together with IP address and sites visited, could be combined to finger users for all manner of embarrassing things. Regardless, you'll soon find out why what the company says should, at the very least, be suspect.)

In order to target ads to your specific tastes, of course, some sort of tracking must be involved. This is why most websites use browser cookies. Ringleader Digital uses cookies too, but goes a step further and makes use of Safari databases under iOS in order to ensure that users can be tracked—forever.

What are Safari databases?

Safari's databases—both on the desktop and mobile—are just another name for some of the client-side database storage capabilities of HTML5. These allow websites to store a certain amount of data locally on your machine via Web SQL for later use, and are beneficial for things like offline Web app usage. It's not just a Safari feature; Opera and Chrome also support HTML5's Web SQL database storage.

(There's another HTML5 storage capability called LocalStorage/Web Storage that is used by other browsers, such as Internet Explorer 8 and 9. As of publication, Ringleader Digital does not make use of this particular implementation of local storage, but that doesn't mean it—and other companies—can't in the future.)

Getting back to RLDGUID: what does it do?

Look in your Mobile Safari databases for RLDGUID.

A quick search for "RLDGUID" on your favorite search engine will turn up a handful of queries, mostly on the Apple discussion boards but also on blogs, about what it is. Users began finding it when digging through their databases on their iPhones (by going to Settings > Safari > Databases). This is the locally stored database used by Ringleader Digital in order to track you all over the Web, and inside of it is a unique identifier string assigned to just your device.

When we deleted the RLDGUID databases on our phones, we found that they would instantly re-spawn with the same unique identifier we were previously assigned. That ID is being pulled from somewhere—likely a different Safari database generated by another Ringleader Digital partner site, or a traditional cookie working in conjunction with the database. We found that clearing cookies and the Safari databases still resulted in a recreation of the database with the same ID.

Why should you care? Targeted advertising isn't anything new, nor is it inherently evil. Companies are trying to serve you ads that might be more relevant to your interests, as opposed to whatever random thing they have in the queue. However, if you're clearing out your cookies and databases, you're likely doing so because you're trying to burn your digital paper trail and you don't want these companies tracking you. And, while you can turn off Safari databases altogether on the desktop by setting the file size drop-down to "none," you can't...

Read the full article at: 
Ars Technica