HTML5 is an exciting technology with lots of potential. But one potentially insidious use has surfaced, and one group of privacy experts isn't taking it lightly.
Wired's Threat Level blog reports that a group of individuals has filed a lawsuit against Ringleader Digital, claiming that the company is abusing HTML5's local storage feature, using it to store a tracking "cookie" that can't be deleted when you delete your broser's cookies.
The HTML5 local storage feature lets sites store certain types of data on your hard drive for quicker access later on. For example, a Webmail service could use this feature to store some of your inbox data on your hard drive, so that when you visit your Webmail inbox, it'll load more quickly.
According to the Wired report, the offending ads have appeared on the mobile versions of several popular sites, including CNN Money, The Travel Channel, WhitePages.com, among others. Wired also reports that the local-storage database will appear as "RLDGUID" on your smartphone.
I headed over to one of the sites in question using my iPhone to see what would happen for myself, and sure enough, there's RLDGUID. If you have an iPhone, you can check to see if you have this HTML5 "cookie" by going to Settings, then Safari, then Databases. From there, you can remove any unwanted HTML5 databases--including these cookie databases--by tapping the Edit button in the upper-right, then tapping the red circular button next to the database name. Unfortunately, the databases will reappear the next time you visit these sites.
(I don't have an Android or BlackBerry phone handy as I write this, but if you do, leave a comment below or shoot an email to geektips <at> pcworld <dot> com if you've figured out how to find and remove these databases from one of those devices.)
While this may be a new and novel way of tracking users without using browser cookies, it's not the only way. Flash cookies--bits of cached data stored by your Adobe Flash plugin--can also be used to track your surfing habits, and like this HTML5 trick, they don't go away when you delete your cookies. And browser fingerprints--an emerging tracking method--doesn't require cookies of any kind at all.
More security nerdery from PCWorld's GeekTech blog...
- Adobe Warns Acrobat Users: Don't Install Third-Party Security Patch
- Trojan Monitors Your Porn Surfing Habits, Threatens to Blackmail You
- Another SMS Trojan Appears on Android Phones