Webloc: ad networks tracking 500M phones

A phone can become a tracker without malware, a wiretap, or even a text message. Citizen Lab reported on April 9 that a system called Webloc lets government customers search location records from up to 500 million devices using data pulled from ordinary apps and digital advertising feeds. (citizenlab.ca) The trick is simple: many apps ask for location so they can show a forecast, a map, or a nearby deal, and then that same location can travel into the advertising market. The Electronic Frontier Foundation says weather apps, navigation apps, coupon apps, and family safety apps are common sources for this brokered location data. (eff.org) Webloc was developed by the Israeli company Cobwebs Technologies and is now sold by Penlink after the two firms merged in July 2023. Citizen Lab says the product is sold as an add-on to Penlink’s Tangles system, which already organizes social media and web intelligence for investigators. (citizenlab.ca) What buyers get is not a live spy satellite. Citizen Lab says Webloc offers a constantly updated stream of records containing device identifiers, coordinates, and profile data, which means an analyst can start with an anonymous phone and build a map of where it sleeps, works, and travels. (citizenlab.ca; thehackernews.com) That “where it sleeps” part comes from repetition, not magic. If one device appears at the same address night after night and another address every weekday morning, the software can infer a home and a workplace the way a neighbor would after watching the parking lot for a month. (anonymousmedia.org) Citizen Lab says the system has been used by Hungarian domestic intelligence since at least 2022 and is still in use there now. The same report names customers in El Salvador and in the United States, including Immigration and Customs Enforcement, the Texas Department of Public Safety, district attorneys in New York City, and police departments in Los Angeles, Dallas, Baltimore, Tucson, Durham, Elk Grove, and Pinal County. (citizenlab.ca) The United States piece was already starting to surface in January. 404 Media reported on January 8, 2026 that Immigration and Customs Enforcement bought access to Webloc and that internal material described tracking phones across a neighborhood, then following those devices from workplaces to homes, without a warrant. (404media.co) The time machine part is what makes this different from a single location ping. Reporting on the Citizen Lab findings says Webloc customers can look back as far as three years, which turns a pile of ad-tech records into a movement history for whole populations, not just one suspect on one day. (anonymousmedia.org) Even turning off an app does not erase every trail. Phones still talk to cell towers whenever they need service, and that network-level contact can be used for rougher location tracking through cell-tower triangulation, which is less precise than application-based coordinates but does not depend on you opening a weather app at all. (pbs.org) The story here is that the surveillance layer was built for advertising first. Citizen Lab calls this ad-based surveillance technology: consumer data collected at mass scale, traded through opaque markets, and then repurposed by states that can buy the feed instead of going to a judge for a warrant. (citizenlab.ca; stateofsurveillance.org)