Citizen Lab report reveals how law enforcement agencies worldwide used Webloc, an ad-based surveillance system, to track 500 million mobile devices through data harvested from apps and digital advertising.
A new report from Citizen Lab has exposed how law enforcement agencies across multiple countries have been using an advertising-based surveillance system called Webloc to track the location and movements of up to 500 million mobile devices worldwide. The tool, developed by Israeli company Cobwebs Technologies and now sold by its successor Penlink, harvests data from mobile apps and digital advertising to monitor entire populations.
Global Law Enforcement Adoption
The surveillance system has been adopted by a wide range of law enforcement and intelligence agencies. In the United States, customers include Immigration and Customs Enforcement (ICE), the U.S. military, Texas Department of Public Safety, DHS West Virginia, NYC district attorneys, and police departments in major cities like Los Angeles, Dallas, Baltimore, Tucson, and Durham. The tool is also used by Hungarian domestic intelligence and the national police in El Salvador.
How Webloc Works
Webloc operates by purchasing data from mobile apps and digital advertising networks to analyze the behaviors and movements of hundreds of millions of people. The system provides access to a constantly updated stream of records containing device identifiers, location coordinates, and profile data. Users can monitor the location, movements, and personal characteristics of entire populations going back up to three years.
The tool also has the capability to infer location from IP addresses and identify the persons behind devices by gathering their home addresses and workplaces. This makes it particularly powerful for surveillance operations that would typically require warrants under traditional investigative methods.
Corporate Connections and Controversy
Cobwebs Technologies, the original developer of Webloc, was among seven cyber mercenary companies deplatformed by Meta in December 2021 for operating fake accounts to conduct reconnaissance on targets. Meta found Cobwebs Technologies customers in Bangladesh, Hong Kong, the United States, New Zealand, Mexico, Saudi Arabia, and Poland, with frequent targeting of activists, opposition politicians, and government officials.
Corporate records reveal that Cobwebs Technologies shares links to Israeli spyware vendor Quadream through Omri Timianker, the founder and former president who now oversees Penlink's international operations. The company is suspected to have shuttered operations in 2023.
Technical Infrastructure
Analysis of corporate records has identified 219 active servers associated with Cobwebs product deployments. The majority are located in the United States (126), Netherlands (32), Singapore (17), Germany (8), Hong Kong (8), and the U.K. (7). Additional servers have been detected across Africa, Asia, and Europe, indicating the global reach of the surveillance infrastructure.
Privacy and Legal Concerns
The Citizen Lab report raises serious questions about the legality and ethics of using advertising data for law enforcement surveillance. The system appears to operate without warrants or adequate oversight, potentially violating privacy laws and civil liberties protections.
Responding to the findings, Penlink stated that the report "appears to rely on either inaccurate information or a misunderstanding about how we operate" and claimed compliance with U.S. state privacy laws. However, the scale and scope of the surveillance revealed in the report suggest significant privacy implications for millions of people worldwide.
Broader Implications
The use of advertising data for surveillance represents a concerning trend in law enforcement capabilities. As mobile apps increasingly collect and share user data for advertising purposes, this information becomes available for surveillance operations that may bypass traditional legal protections.
The case of Webloc demonstrates how commercial data collection practices can be repurposed for government surveillance, creating a surveillance ecosystem that operates largely outside public oversight. This raises fundamental questions about the balance between law enforcement needs and individual privacy rights in the digital age.
Related Security News
- Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass
- China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
- BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks
- New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips
Comments
Please log in or register to join the discussion