Webloc: 500M devices tracked

A phone app can send location data into the ad market, and researchers say Webloc turns that data into a map of about 500 million devices. (citizenlab.ca) Citizen Lab published the report on April 9, 2026. It said Webloc was developed by Cobwebs Technologies, is now sold by Penlink, and draws on data purchased from consumer apps and digital advertising. (citizenlab.ca) The report said Hungarian domestic intelligence has used Webloc since at least 2022 and still uses it, and that customers also include the national police in El Salvador, United States Immigration and Customs Enforcement, the United States military, the Texas Department of Public Safety, New York City district attorneys, and police departments in Los Angeles, Dallas, Baltimore, Tucson, Durham, Elk Grove, and Pinal County. (citizenlab.ca) This data does not come from a cell carrier warrant. It comes from the ad-tech system that buys and sells information collected by apps, including device identifiers and location coordinates, to target ads and measure behavior. (eff.org) The same ad system can expose patterns, not just dots on a map. Citizen Lab said Webloc can monitor locations, movements, and personal characteristics, and the Electronic Frontier Foundation said federal agencies have bought similar app-based location data through brokers instead of going to a judge first. (citizenlab.ca (eff.org)) That matters in the United States because the Supreme Court ruled in Carpenter v. United States in 2018 that police need a warrant to get cell-site location records from phone companies. App-based location data bought from brokers has become a separate route around that rule, according to privacy advocates and public-records reporting. (business-humanrights.org) Public records had already pointed to Webloc before Citizen Lab’s report. In August 2025, the Electronic Frontier Foundation said a California sheriff’s office records settlement described Webloc as a platform that provides access to large amounts of location data in a specified geographic area. (eff.org) A March 2026 Electronic Frontier Foundation post said Customs and Border Protection documents obtained by 404 Media showed the agency used “commercially available marketing location data” drawn from the same real-time bidding machinery that powers targeted ads. The group said Immigration and Customs Enforcement bought Webloc in 2025. (eff.org) Penlink says on its privacy notice that, in most cases, it processes customer data at the direction of its customers. In a 2025 statement quoted by the Texas Observer and republished by the Business and Human Rights Resource Centre, a Penlink spokesperson said its open-source intelligence products give access to data that is “publicly available.” (penlink.com) (business-humanrights.org) Citizen Lab said it sent Penlink a letter on April 3, 2026, laying out its findings before publication. The report’s central claim is simple: a background ad signal from an ordinary app can become a government search tool with years of location history attached. (citizenlab.ca 1) (citizenlab.ca 2)