Citizen Lab: Law Enforcement Used Webloc to Track 500 Million Devices via Ad Data

Summary

Citizen Lab researchers documented widespread use of Webloc, an advertising-based geolocation surveillance system, by law enforcement agencies including US ICE, military, and local police departments across multiple jurisdictions. The tool, developed by Israeli firm Cobwebs Technologies and now sold by Penlink, tracks up to 500 million mobile devices globally using harvested app and ad data, enabling warrant-free location monitoring up to three years in the past. The analysis raises concerns about intrusive, legally questionable surveillance practices operating without adequate oversight or warrants.

Full text

Citizen Lab: Law Enforcement Used Webloc to Track 500 Million Devices via Ad Data Ravie LakshmananApr 11, 2026Surveillance / Digital Advertising Hungarian domestic intelligence, the national police in El Salvador, and several U.S. law enforcement and police departments have been attributed to the use of an advertising-based global geolocation surveillance system called Webloc. The tool was developed by Israeli company Cobwebs Technologies and is now sold by its successor Penlink after the two firms merged in July 2023, according to a report published by the Citizen Lab. Penlink, founded in 1986, is a provider of "mission-critical communications and digital evidence collection and analysis software" to law enforcement agencies in the U.S. and across the world. U.S. customers of the Webloc include Immigration and Customs Enforcement (ICE), the U.S. military, Texas Department of Public Safety, DHS West Virginia, NYC district attorneys, and various police departments in Los Angeles, Dallas, Baltimore, Tucson, Durham, and in smaller cities and counties like the City of Elk Grove and Pinal County. "Webloc is sold as an add-on product to the social media and web intelligence system Tangles," Citizen Lab researchers Wolfie Christl, Astrid Perry, Luis Fernando Garcia, Siena Anstis, and Ron Deibert said. "Webloc provides access to a constantly updated stream of records from up to 500 million mobile devices across the globe that contain device identifiers, location coordinates, and profile data harvested from mobile apps and digital advertising." The ad-based surveillance system, in a nutshell, makes use of data purchased from mobile apps and digital advertising to analyze the behaviours and movements of hundreds of millions of people. It was officially announced by Cobwebs Technologies in October 2020, describing it as a "cutting-edge location intelligence platform that gathers and analyzes web data fused with geospatial data points, using interactive layered maps to connect the digital world with physical data." Customers of the tool can use it to monitor the location, movements, and personal characteristics of entire populations up to three years in the past. According to information available on Penlink's website, Webloc can be used for "investigating and interpreting location-based data to support your cases." Webloc also has the capability to infer location from IP addresses and identify the persons behind the devices by gathering their home addresses and workplaces. Interestingly, Cobwebs Technologies was among the seven cyber mercenaries that were deplatformed by Meta in December 2021 for operating about 200 accounts to conduct reconnaissance on targets and even engage in social engineering to join closed communities and forums and trick people into revealing personal information. The social media giant revealed at the time that it had identified Cobwebs Technologies customers in Bangladesh, Hong Kong, the United States, New Zealand, Mexico, Saudi Arabia, and Poland. "In addition to targeting related to law enforcement activities, we also observed frequent targeting of activists, opposition politicians, and government officials in Hong Kong and Mexico," Meta noted. Reports from 404 Media, Forbes, and Texas Observer have revealed that Webloc can be used to track phones without a warrant, with one procurement notice highlighting the tool's "ability to automate and continuously monitor unique mobile advertising IDs, geolocated IP addresses, and connected devices analysis." An analysis of corporate records and other public information has revealed that Cobwebs Technologies shares links to Israeli spyware vendor Quadream through Omri Timianker, the founder and former president of Cobwebs Technologies, who now oversees Penlink's international operations. The company is suspected to have shuttered its operations in 2023. As many as 219 active servers associated with Cobwebs product deployments have been identified, most of which are located in the U.S. (126), Netherlands (32), Singapore (17), Germany (8), Hong Kong (8), and the U.K. (7). Potential product servers have also been detected in various countries across Africa, Asia, and Europe. Responding to the report, Penlink said the findings "appear to rely on either inaccurate information or a misunderstanding about how we operate, including practices that Penlink does not engage in following our acquisition of Cobwebs Technologies in 2023." It also said it complies with U.S. state privacy laws. "Our research shows that intrusive and legally questionable ad-based surveillance (i.e., without a warrant or adequate oversight) is being used by military, intelligence, and law enforcement agencies down to local police units in several countries across the globe," the Citizen Lab said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cybersecurity, data collection, Digital Advertising, Intelligence, law enforcement, Penlink, Privacy, spyware, surveillance Trending News Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS Block the Prompt, Not the Work: The End of "Doctor No" BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems AI Will Change Cybersecurity. Humans Will Define Its Success. A Lesson No Algorithm Can Teach The AI Arms Race – Why Unified Exposure Management Is Becoming a Boardroom Priority Popular Resources Learn How to Block Breached Passwords in Active Directory Before Attacks Get Full Visibility into Vendor and Internal Risk in One Platform [Guide] Get Practical Steps to Govern AI Agents with Runtime Controls Secure Your AI Systems Across the Full Lifecycle of Risks

Entities