Citizen Lab Uncovers 'Webloc' - A Global Surveillance Tool Using Ad Data to Track Phones

Executive Summary

Researchers at the University of Toronto's Citizen Lab have uncovered a global surveillance system called Webloc, which exploits the real-time bidding data from the digital advertising industry to track the physical location of hundreds of millions of mobile devices. The report attributes the development of Webloc to the Israeli firm Cobwebs Technologies, which has since merged with and now sells the tool through its successor, Penlink. The investigation found evidence of Webloc's use by government clients, including domestic intelligence in Hungary, national police in El Salvador, and various law enforcement departments within the United States. This revelation highlights the burgeoning and opaque market for commercial surveillance tools that provide powerful tracking capabilities to government agencies with little to no public oversight, posing a significant threat to individual privacy and civil liberties.

Regulatory Details

What is Webloc: Webloc is a surveillance tool that allows an operator to query a vast database of location data harvested from the digital advertising ecosystem. When a user uses an app with ads, their phone's unique advertising ID and precise location data are broadcast to ad exchanges in a 'bid request.' Webloc appears to aggregate this data, allowing its users to track a target's location history and real-time movements by querying their advertising ID or other identifiers.

The Vendor:

• Developer: Cobwebs Technologies, an Israeli company specializing in web intelligence (WEBINT).
• Current Seller: Penlink, which acquired Cobwebs Technologies in July 2023.

Known Users:

• Hungarian domestic intelligence.
• El Salvador national police.
• Various U.S. law enforcement and police departments.

Capabilities: The system reportedly provides access to a database of up to 500 million devices globally, enabling powerful geolocation tracking capabilities.

Affected Organizations

The primary 'affected' parties are not organizations, but rather the individuals being tracked by this system. The use of such a tool by government agencies raises profound questions about privacy, due process, and the potential for abuse.

• Jurisdictions: The confirmed use in Hungary, El Salvador, and the United States indicates a global market for this technology.
• Industries: The tool is marketed to law enforcement, intelligence, and national security agencies.

Impact Assessment

The existence and use of Webloc have significant societal and privacy implications. It allows governments to engage in mass surveillance with minimal cost and effort, bypassing traditional legal safeguards like warrants that are typically required for location tracking. For individuals, this means their movements can be monitored without their knowledge or consent, creating a chilling effect on freedom of speech, association, and protest. The commercialization of such powerful surveillance tools creates a marketplace where they can be sold to authoritarian regimes or be used for purposes beyond their stated intent, such as monitoring political opponents, journalists, and activists.

Compliance Guidance

For individuals, mitigating this type of tracking is difficult but not impossible.

Individual Mitigation Steps:

1. Reset Advertising ID: Both iOS and Android allow you to reset your device's advertising ID. This breaks the link between your old ID and the new one, making it harder to track you over time. This should be done regularly.
2. Limit Ad Tracking: On iOS, you can turn off 'Allow Apps to Request to Track.' On Android, you can 'Delete advertising ID.'
3. Control Location Permissions: Be mindful of which apps you grant location permissions to. Set permissions to 'While Using the App' or 'Ask Next Time' instead of 'Always.' For apps that don't need your location, deny permission entirely.
4. Use Privacy-Focused Browsers/VPNs: While this won't stop app-based tracking, using privacy-focused tools for web browsing can reduce your overall digital footprint.

Regulatory Perspective: This report will likely fuel calls for greater regulation of the data broker and digital advertising industries. Lawmakers may be pressured to pass legislation that:

• Bans or severely restricts the sale of location data.
• Requires law enforcement to obtain a warrant to access this type of data.
• Increases transparency and oversight of the commercial surveillance industry.