Webloc: Adtech-Based Geolocation Surveillance and the Risks for Mobile Privacy

CyberSecureFox

The global digital advertising ecosystem is no longer just about targeting consumers with personalized ads. According to a new report by Citizen Lab, the same infrastructure now powers large-scale, covert geolocation surveillance of mobile users worldwide. At the center of this development is Webloc, a commercial tool that leverages advertising data to track people’s movements for law enforcement and intelligence purposes.

What Is Webloc: Adtech-Powered Geolocation Surveillance

Webloc was originally developed by Cobwebs Technologies, an Israeli company specializing in OSINT (open-source intelligence) and large-scale analysis of online data. Following Cobwebs’ merger with Penlink in July 2023, the product has been integrated into Penlink’s portfolio of surveillance and lawful interception tools sold to government agencies around the world.

Citizen Lab’s analysis indicates that Webloc is marketed as a module within the Tangles digital intelligence platform. The system allegedly provides access to a continuously updated dataset covering up to 500 million mobile devices globally. This dataset typically contains:

  • device identifiers, including Mobile Advertising IDs (MAIDs) such as Apple’s IDFA or Google’s GAID;
  • high-precision GPS coordinates and time-stamped location points;
  • profile attributes collected by mobile apps and advertising networks.

Rather than compromising devices directly, Webloc buys data from commercial data brokers that aggregate information from mobile apps and adtech platforms. This approach repurposes routine advertising telemetry into an intelligence-grade source on the behavior and movements of hundreds of millions of users, often without their clear awareness or consent.

Who Uses Webloc: Law Enforcement and Intelligence Clients

Citizen Lab attributes the use of Webloc to several government and law enforcement entities. Reported customers include Hungary’s internal intelligence service, the national police of El Salvador, and multiple agencies in the United States.

In the U.S., public procurement records and prior media reporting point to the use of Webloc by Immigration and Customs Enforcement (ICE), units of the U.S. Army, the Texas Department of Public Safety, regional components of the Department of Homeland Security (DHS), district attorneys’ offices in New York, and police departments in Los Angeles, Dallas, Baltimore, Tucson, Durham, and a number of smaller jurisdictions.

These deployments show that adtech-based geolocation tracking is not limited to intelligence and military agencies. It has already reached state and local law enforcement, effectively normalizing the use of commercial surveillance data in routine investigations.

How Webloc Tracks Mobile Devices via Advertising Data

According to Penlink’s own marketing materials, Webloc allows investigators to reconstruct the location history and movement patterns of individuals over a period of up to three years, based entirely on advertising telemetry. The system reportedly supports:

  • linking devices to home addresses and workplaces by analyzing recurring nighttime and daytime locations;
  • supplementing GPS data with IP-based geolocation for additional context or where GPS is sparse;
  • automating continuous monitoring of “persons of interest” by tracking specific MAIDs or geographic zones.

From a technical standpoint, a single MAID tied to a smartphone can reveal regular routes, visits to sensitive locations (such as clinics, religious institutions, or political events), and social patterns over time. When law enforcement buys this data instead of obtaining it from telecom providers, it can often bypass traditional warrant processes and judicial oversight designed for more regulated sources, such as cell-site location information.

Technical Infrastructure and Links to Other Surveillance Vendors

Citizen Lab’s network analysis identified at least 219 active servers associated with Cobwebs and Webloc deployments. The majority of these servers are located in the United States (126), followed by the Netherlands (32), Singapore (17), Germany (8), Hong Kong (8), and the United Kingdom (7). Additional infrastructure appears to be present across several countries in Africa, Asia, and Europe, indicating a truly global reach of the surveillance stack.

The report also highlights links between Cobwebs and the Israeli spyware vendor QuaDream, through Omri Timianker, founder and former president of Cobwebs and now responsible for Penlink’s international operations. QuaDream reportedly ceased operations in 2023 but had been associated with the broader commercial spyware and “cyber mercenary” market.

Privacy, Human Rights, and Legal Risks of Adtech Surveillance

The central concern raised by Webloc and similar systems is the potential for mass surveillance without warrants, transparency, or meaningful oversight. Citizen Lab’s findings, supported by earlier reporting from 404 Media, Forbes, and the Texas Observer, suggest that some agencies have used Webloc to locate devices solely through advertising data, rather than by seeking carrier records or using traditional location-tracking tools subject to stricter legal controls.

Webloc’s developer, Cobwebs Technologies, has already come under scrutiny from major platforms. In 2021, Meta removed roughly 200 accounts linked to Cobwebs and six other surveillance-for-hire firms for conducting covert monitoring, target profiling, and social engineering. According to Meta’s public reporting, some of this activity focused not only on criminal suspects, but also on activists, opposition politicians, and public officials, including in Hong Kong and Mexico, raising serious human rights concerns.

Penlink’s Position and Regulatory Gaps

In response to Citizen Lab, Penlink stated that the report relies on “inaccurate information or misunderstandings” and claimed that certain Cobwebs practices are no longer used following the 2023 acquisition. The company maintains that it complies with applicable U.S. privacy laws. However, in the absence of technical transparency or independent audits, these assurances are difficult to verify.

The Webloc case exposes a broader structural issue: data brokers and adtech platforms now function as de facto surveillance infrastructure that states can access with comparatively weak safeguards. Many jurisdictions, including the United States, still lack comprehensive federal privacy legislation to clearly regulate the sale of precise location data or to impose robust access controls on government use of commercial datasets.

The rapid evolution of tools like Webloc illustrates how quickly “ordinary” advertising analytics can be repurposed into powerful intelligence capabilities. Organizations and individuals can reduce exposure by minimizing unnecessary app permissions, disabling ad tracking where possible (IDFA/GAID), using privacy-preserving tools, and favoring services with strong data protection practices. At the same time, regulators and lawmakers need to establish clear, enforceable rules for data brokers and law enforcement access to commercial location data to ensure that the digital advertising ecosystem does not silently transform into an infrastructure for pervasive, warrantless surveillance.
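
The following added example, which is not part of the original article or the Citizen Lab report, audits decoded Android manifests for the permission pair that yields the MAID-plus-location records described above: the advertising ID permission together with location access. The sample manifests and package names are constructed, and the risk labels are this example's own heuristic.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
TOOLS = "{http://schemas.android.com/tools}"
AD_ID = "com.google.android.gms.permission.AD_ID"  # lets an app read the GAID
LOCATION = {
    "android.permission.ACCESS_FINE_LOCATION": "precise",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "background",
}
HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'xmlns:tools="http://schemas.android.com/tools">')
P = '<uses-permission android:name="%s"%s/>'
# Constructed sample manifests; the package names are hypothetical.
SAMPLES = {
    "com.example.weather": HEAD + P % (AD_ID, "")
        + P % ("android.permission.ACCESS_FINE_LOCATION", "")
        + P % ("android.permission.ACCESS_BACKGROUND_LOCATION", "") + "</manifest>",
    "com.example.news": HEAD + P % (AD_ID, "")
        + P % ("android.permission.ACCESS_COARSE_LOCATION", "") + "</manifest>",
    "com.example.notes": HEAD + P % (AD_ID, ' tools:node="remove"')
        + P % ("android.permission.INTERNET", "") + "</manifest>",
}

def requested_permissions(manifest_xml):
    """Return the permission names a manifest actually requests."""
    perms = set()
    for node in ET.fromstring(manifest_xml).iter("uses-permission"):
        name = node.get(ANDROID + "name")
        # tools:node="remove" strips a permission an SDK would otherwise merge in
        if name and node.get(TOOLS + "node") != "remove":
            perms.add(name)
    return perms

def assess(manifest_xml):
    """Rate exposure to MAID + location collection (labels are this example's heuristic)."""
    perms = requested_permissions(manifest_xml)
    has_ad_id = AD_ID in perms
    location = sorted(LOCATION[p] for p in perms if p in LOCATION)
    if has_ad_id and "precise" in location:
        risk = "high"      # stable advertising ID plus GPS-grade coordinates
    elif has_ad_id and location:
        risk = "medium"    # advertising ID plus coarse location
    else:
        risk = "low" if (has_ad_id or location) else "none"
    return {"risk": risk, "ad_id": has_ad_id, "location": location}

if __name__ == "__main__":
    for package, xml_text in SAMPLES.items():
        print(package, assess(xml_text))
```

The same check applies to a manifest decoded from an installed APK or to an app's source manifest before release, where declaring the advertising ID permission with `tools:node="remove"` keeps a bundled SDK from requesting it.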
