Even casual Internet users know that if you want to hold your privacy in check, it's good practice to clear out your browser cookies every once in a while. Our recent coverage about "zombie" Flash cookies has shown us, however, that simply clearing your browser cookies the old fashioned way isn't always enough. As highlighted by a study out of UC Berkeley, some companies have begun using Flash-based cookies that not only recreate themselves when deleted without the user's knowledge, they reach into the Flash storage bin for the just-deleted user info so that they can keep tracking you and your stored history instead of starting anew.

It's because of this behavior that some of our readers drew our attention to something called RLDGUID, a Safari database that has been popping up more and more on iOS devices. What is it, who put it there, and what purpose does it serve? The company behind this database, Ringleader Digital, is basically using some of the modern HTML5 capabilities of mobile browsers to perform the same tasks as a traditional cookie, but out of sight of most users. We decided to dig in and see what RLDGUID is all about, and what we found was sometimes confusing. More importantly, however, it highlights why users should be made more aware of what their browsers are storing about them.

What is Ringleader Digital?

Ringleader Digital is a mobile advertising company that serves websites that want to offer targeted advertising to users. RLDGUID stands for Ring Leader Digital Globally Unique ID, which is how Ringleader Digital identifies your mobile device when tracking you. The company claims on its privacy page that it only collects "non-personally identifiable information, such as browser identifiers, session information, device type, carrier provider, IP addresses, unique device ID, carrier user ID and web sites visited."

(Whether that amount of information is truly "non-personally identifiable" when pieced together is one of those topics that is constantly up for debate. A device ID and type, combined with IP address and sites visited could be combined to finger users for all manner of embarrassing things. Regardless, you'll soon find out why what the company says should, at the very least, be suspect.)

In order to target ads to your specific tastes, of course, some sort of tracking must be involved. This is why most websites use browser cookies. Ringleader Digital uses cookies too, but goes a step further and makes use of Safari databases under iOS in order to ensure that users can be tracked—forever.

What are Safari databases?

Safari's databases—both on the desktop and mobile—are just another name for some of the client-side database storage capabilities of HTML5. This allows websites to store a certain amount of data locally on your machine via Web SQL for use later, and are beneficial for things like offline Web app usage. It's not just a Safari feature; Opera and Chrome also support HTML5's Web SQL database storage.

(There's another HTML5 storage capability called LocalStorage/Web Storage that is used by other browsers, such as Internet Explorer 8 and 9. As of publication, Ringleader Digital does not make use of this particular implementation of local storage, but that doesn't mean it—and other companies—can't in the future.)

Getting back to RLDGUID: what does it do?

A quick search for "RLDGUID" on your favorite search engine will turn up a handful of queries, mostly on the Apple discussion boards but also on blogs, about what it is. Users began finding it when digging through their databases on their iPhones (by going to Settings > Safari > Databases). This is the locally stored database used by Ringleader Digital in order to track you all over the Web, and inside of it is a unique identifier string assigned to just your device.

When we deleted the RLDGUID databases on our phones, we found that it would instantly re-spawn with the same unique identifier we were previously assigned. It's pulling that ID from somewhere—likely a different Safari database generated by another Ringleader Digital partner site, or a traditional cookie working in conjunction with the database. We found that clearing cookies and the Safari databases still resulted in a recreation of the database with the same ID.

Why should you care? Targeted advertising isn't anything new, nor is it inherently evil. Companies are trying to serve you ads that might be more relevant to your interests, as opposed to whatever random thing they have in the queue. However, if you're clearing out your cookies and databases, you're likely doing so because you're trying to burn your digital paper trail and you don't want these companies tracking you. And, while you can turn off Safari databases altogether on the desktop by setting the file size drop-down to "none," you can't turn them off on the iPhone, iPod touch, or iPad.

We asked Ringleader Digital why it goes the database route instead of using cookies. "From an ad perspective, cookies online are widely used for tracking and targeting advertising to measure an ad spend, and to measure the effectiveness of the campaign," Ringleader Digital CEO Bob Walczak told Ars. "Mobile devices typically strip off cookies at the gateway, or browsers don't accept them properly, or some devices are shipped with cookies turned off. There are a wide variety of issues that make them unstable, and agencies haven't been willing to spend a lot of money on mobile because it doesn't deliver the same value or metrics. With this technology, they're able to see what's going on and therefore spend much more, which makes the ecosystem better."

Basically, part of the reason mobile advertising has been so sad up until recently is because agencies can't track a campaign's success as they can on the traditional Web—as someone who came from the agency world, it makes sense. RLDGUID is meant to make things more trackable for the advertiser, and supposedly benefits everyone by feeding the mobile economy.

"The other reason we use it [as opposed to cookies] is because we want to be able to honor consumers' privacy choices persistently," Walczak said.

But is that true?

The opt-out

Ringleader Digital's privacy page says that users can opt out "for life" from the company's tracking if you point your mobile device's Web browser at http://tinyurl.com/RLDOPTOUT. Specifically, "the opt-out will be effective for the life of the device unless you install a new browser, or update your existing browser, in which case you will need to re-implement the opt-out utility in order to maintain your opt-out status." The page says that you'll still get advertising through Ringleader Digital, but that the company won't track you and the ads won't be targeted.

Here's where things get confusing, at least to users trying to get rid of the database. When we deleted the RLDGUID databases, cleared cookies, and then went to the opt-out link, it did indeed eliminate the unique identifier that we had been tracking during our testing up until this point. It did not, however, stop Ringleader Digital's partner sites from recreating the cookies and Safari databases with a new persistent RLDGUID. And this new identifier behaves the same way as the old one—it will track you forever, even when you delete cookies and databases, until you opt out again. At which point you'll get a brand new RLDGUID. Wash, rinse, repeat.

When we discussed this with Walczak, he essentially said we were doing it wrong. "If you clear cookies or clear the database, it's not opting out," Walczak said. "If you opt out with just the link, it will change the ID to an opt-out ID. On the back-end we set a token on our system that says this ID is opted out and we won't send targeted advertising to that device."

What Ringleader Digital's opt-out system comes down to is trust. There is no way for a user to confirm that their ID stored in the Safari database has been opted out from tracking, and Ringleader Digital essentially says that the database must remain on the device if you want to remain opted out. Walczak told us that deleting the database will mean that the servers can't identify you as the same device that they're not supposed to track, so you'll have to take Ringleader Digital's word for it that the company is respecting your privacy.

"Our approach and thinking behind this persistent opt-out is that, if you're gonna have an opt-out, you should be able to actually do it," Walczak said. "Our stance on this is that we had to create proprietary tech to enable the functionality, but our opt-out standards are high. We're trying to stay on top of industry best practices."

Others can do it too

Whether or not you take Walczak's word about the specific behavior of RLDGUID, this isn't the only company that can take advantage of these HTML5 databases for similar purposes. In the past, users have found a similar database to RLDGUID named QWAPI—Quattro Wireless API, the mobile ad company that Apple bought at the beginning of this year. Others may soon creep into this space as well, as mobile devices with rich browser capabilities become more and more popular. And there is no guarantee that they will have working opt-outs when they do appear—or that they won't zombify themselves.

With growing concerns over browser security and user privacy when it comes to new HTML5 features, the case of RLDGUID highlights exactly how little most people know about what their browsers are doing. Any company can do what Ringleader Digital is doing, and those that give into the temptation may do it in more nefarious ways. Users can be tracked in all manner of new ways, and that tracking is likely to go under the radar for the large majority of users who own mobile devices.