A new investigation by Citizen Lab has revealed that a global geolocation surveillance system called Webloc, developed by Israeli technology company Cobwebs Technologies, has been used by law enforcement agencies and domestic intelligence services to track the physical location of approximately 500 million devices using data harvested from the digital advertising ecosystem.
The report documents a surveillance operation that turns the commercial advertising infrastructure — the same system that powers targeted ads — into a real-time global tracking tool available to governments with no requirement for a warrant, court order, or cooperation from telecommunications providers.
What Is Webloc?
Webloc is a commercial surveillance platform built by Cobwebs Technologies, an Israeli intelligence technology firm. The platform operates by purchasing location signal data from data brokers who aggregate geolocation signals emitted by mobile apps during normal advertising operations.
When a mobile app serves an ad, it typically broadcasts a Real-Time Bidding (RTB) signal containing:
- The device's precise GPS coordinates
- A unique advertising identifier (IDFA on iOS, GAID on Android)
- Timestamps
- App context (which app, what category)
- Device and OS metadata
These signals are generated billions of times daily across the global ad ecosystem. Most are consumed by ad networks for targeting purposes and discarded. Data brokers in the RTB supply chain retain and aggregate these signals, building rich location histories for individual advertising identifiers.
Webloc purchases access to these aggregated location datasets and provides a search and visualization interface that lets customers — government agencies — query location history and real-time movements for a target device or a population of devices in a given area.
Who Was Using It?
Citizen Lab's investigation attributed Webloc usage to several law enforcement and intelligence clients:
- Hungarian domestic intelligence (Alkotmányvédelmi Hivatal — AH) — Hungary's domestic intelligence service used Webloc for location surveillance. Hungary has been previously linked to the use of Pegasus spyware, and Webloc represents a complementary, lower-profile geolocation capability.
- National police of El Salvador — Salvadoran law enforcement used the system for tracking individuals, reportedly in the context of anti-gang operations, though Citizen Lab notes the platform provides no technical safeguards against targeting journalists or political opponents.
- Multiple U.S. law enforcement and police departments — Several American law enforcement agencies at the local, state, and federal level were identified as Webloc customers. The report does not name all agencies due to ongoing legal and privacy implications.
Why This Is Significant
No Warrant Required
Commercial location data procurement exists in a legal grey zone in most jurisdictions. Because the data technically originates from "consensual" ad ecosystem participation — buried in app permission prompts users rarely read — law enforcement agencies have argued that purchasing pre-aggregated location data from brokers does not constitute a search requiring a warrant.
This interpretation has been contested in U.S. courts following Carpenter v. United States (2018), which established Fourth Amendment protections for historical cell-site location data. However, RTB-derived data occupies an even murkier legal space, and enforcement has been inconsistent.
Scale: 500 Million Devices
Citizen Lab estimates the Webloc dataset covers approximately 500 million unique device identifiers. This represents a substantial fraction of the global smartphone population and effectively means that any individual carrying a smartphone who has at any point used an app with advertising enabled may have a location history queryable by any Webloc customer.
The coverage is not uniform — it reflects the density of ad-supported app usage — but in countries with high smartphone penetration and active app ecosystems (North America, Europe, Southeast Asia), coverage can be near-comprehensive.
The Ad Ecosystem as Surveillance Infrastructure
The Webloc investigation illustrates a structural problem in the digital advertising system: the same RTB signals that enable targeted advertising are surveillance signals by design. They are:
- Persistent — the same advertising identifier accumulates location history over months or years
- Precise — GPS-resolution data, not cell-tower triangulation
- Timestamped — enabling reconstruction of historical movements
- Continuous — emitted every time an ad is served, potentially dozens of times per day
Commercial surveillance vendors like Cobwebs Technologies, Anomaly Six, and others have built entire product lines on purchasing access to this data stream. The advertising industry has created a surveillance apparatus as a side effect of its core business — and governments are the buyer.
Cobwebs Technologies
Cobwebs Technologies is an Israeli intelligence technology company founded by alumni of Israeli intelligence units. The company markets itself as an OSINT and threat intelligence platform. In addition to Webloc, Cobwebs offers web scraping and social media intelligence tools aimed at the law enforcement and national security market.
The company has been covered in prior investigations by OCCRP and others in connection with surveillance contracts in multiple countries. Webloc represents a specific advertising data capability that complements Cobwebs' broader intelligence product portfolio.
Implications for Privacy
For Individuals
The practical implication for individuals is that the advertising permissions they grant to apps on their phones — often without meaningful understanding — can result in their physical movements being recorded in a commercial database that is then sold to governments.
The ability to opt out is limited:
- iOS: Users can reset the IDFA or opt out of ad tracking (App Tracking Transparency)
- Android: Users can opt out of personalized ads and reset the GAID in device settings
- Effectiveness: Even after opt-out or reset, historical data already collected may remain in broker databases
For Organizations
Security teams should be aware that:
- High-value targets (executives, researchers, journalists, activists) may be located via RTB data without any device compromise
- Device management policies should consider advertising identifier settings alongside traditional MDM controls
- Threat models for physical security should incorporate commercial geolocation surveillance as a realistic adversary capability, not merely a theoretical one
What Regulators Are Doing
The use of RTB data for surveillance has attracted attention from data protection regulators:
- EU: The Irish Data Protection Commission has investigated RTB practices under GDPR; enforcement actions have been limited but are accelerating
- US: The Federal Trade Commission reached a landmark settlement with data broker Datastream in 2025 restricting the sale of sensitive location data to government clients without consent; similar enforcement against RTB-derived data is pending
- Norway / Denmark: Nordic DPAs have taken the most aggressive stance in declaring RTB a structural GDPR violation
The Citizen Lab report is expected to amplify pressure on both advertising industry bodies and regulators to address the structural surveillance capability embedded in the RTB ecosystem.
Key Takeaways
- Citizen Lab documented that Israeli surveillance firm Cobwebs Technologies operates Webloc, a platform that tracks ~500 million devices using advertising RTB location data
- Clients include: Hungarian domestic intelligence, El Salvador national police, and multiple U.S. law enforcement departments
- The system requires no warrant and no device compromise — it purchases data from commercial brokers who aggregate signals from the global ad ecosystem
- The RTB advertising infrastructure is structurally a mass surveillance system that governments access commercially
- Individuals can reduce (but not eliminate) exposure by opting out of ad tracking on iOS and Android and resetting advertising identifiers regularly
- Regulators in the EU and US are beginning to address RTB surveillance, but enforcement has been uneven
Source: The Hacker News — based on Citizen Lab investigation