[{"data":1,"prerenderedAt":99},["ShallowReactive",2],{"article-slug-citizen-lab-exposes-global-webloc-surveillance-system":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":34,"sources":35,"events":47,"mitre_techniques":51,"mitre_mitigations":59,"d3fend_countermeasures":65,"iocs":66,"cyber_observables":67,"tags":80,"extract_datetime":86,"article_type":87,"impact_scope":88,"pub_date":39,"reading_time_minutes":98,"createdAt":86,"updatedAt":86},"80d07e14-eeed-466b-8cdb-1c86b14ecc6b","citizen-lab-exposes-global-webloc-surveillance-system","Citizen Lab Uncovers 'Webloc' - A Global Surveillance Tool Using Ad Data to Track Phones","Webloc Surveillance System by Cobwebs Technologies Exposed by Citizen Lab Investigation","A new report from the University of Toronto's Citizen Lab has exposed a global geolocation surveillance system named \"Webloc.\" Developed by the Israeli firm Cobwebs Technologies, the tool leverages data from the digital advertising ecosystem to track the location of up to 500 million devices worldwide. The investigation revealed that Webloc has been used by law enforcement and intelligence agencies in multiple countries, including the United States, Hungary, and El Salvador, raising significant privacy concerns about the government use of commercial surveillance technology.","## Executive Summary\n\nResearchers at the University of Toronto's **[Citizen Lab](https://citizenlab.ca/)** have uncovered a global surveillance system called **Webloc**, which exploits the real-time bidding data from the digital advertising industry to track the physical location of hundreds of millions of mobile devices. The report attributes the development of Webloc to the Israeli firm **Cobwebs Technologies**, which has since merged with and now sells the tool through its successor, **Penlink**. The investigation found evidence of Webloc's use by government clients, including domestic intelligence in Hungary, national police in El Salvador, and various law enforcement departments within the United States. This revelation highlights the burgeoning and opaque market for commercial surveillance tools that provide powerful tracking capabilities to government agencies with little to no public oversight, posing a significant threat to individual privacy and civil liberties.\n\n---\n\n## Regulatory Details\n\n**What is Webloc:** Webloc is a surveillance tool that allows an operator to query a vast database of location data harvested from the digital advertising ecosystem. When a user uses an app with ads, their phone's unique advertising ID and precise location data are broadcast to ad exchanges in a 'bid request.' Webloc appears to aggregate this data, allowing its users to track a target's location history and real-time movements by querying their advertising ID or other identifiers.\n\n**The Vendor:**\n- **Developer:** Cobwebs Technologies, an Israeli company specializing in web intelligence (WEBINT).\n- **Current Seller:** Penlink, which acquired Cobwebs Technologies in July 2023.\n\n**Known Users:**\n- Hungarian domestic intelligence.\n- El Salvador national police.\n- Various U.S. law enforcement and police departments.\n\n**Capabilities:** The system reportedly provides access to a database of up to 500 million devices globally, enabling powerful geolocation tracking capabilities.\n\n---\n\n## Affected Organizations\n\nThe primary 'affected' parties are not organizations, but rather the individuals being tracked by this system. The use of such a tool by government agencies raises profound questions about privacy, due process, and the potential for abuse.\n\n- **Jurisdictions:** The confirmed use in Hungary, El Salvador, and the United States indicates a global market for this technology.\n- **Industries:** The tool is marketed to law enforcement, intelligence, and national security agencies.\n\n---\n\n## Impact Assessment\n\nThe existence and use of Webloc have significant societal and privacy implications. It allows governments to engage in mass surveillance with minimal cost and effort, bypassing traditional legal safeguards like warrants that are typically required for location tracking. For individuals, this means their movements can be monitored without their knowledge or consent, creating a chilling effect on freedom of speech, association, and protest. The commercialization of such powerful surveillance tools creates a marketplace where they can be sold to authoritarian regimes or be used for purposes beyond their stated intent, such as monitoring political opponents, journalists, and activists.\n\n---\n\n## Compliance Guidance\n\nFor individuals, mitigating this type of tracking is difficult but not impossible.\n\n**Individual Mitigation Steps:**\n1.  **Reset Advertising ID:** Both iOS and Android allow you to reset your device's advertising ID. This breaks the link between your old ID and the new one, making it harder to track you over time. This should be done regularly.\n2.  **Limit Ad Tracking:** On iOS, you can turn off 'Allow Apps to Request to Track.' On Android, you can 'Delete advertising ID.'\n3.  **Control Location Permissions:** Be mindful of which apps you grant location permissions to. Set permissions to 'While Using the App' or 'Ask Next Time' instead of 'Always.' For apps that don't need your location, deny permission entirely.\n4.  **Use Privacy-Focused Browsers/VPNs:** While this won't stop app-based tracking, using privacy-focused tools for web browsing can reduce your overall digital footprint.\n\n**Regulatory Perspective:**\nThis report will likely fuel calls for greater regulation of the data broker and digital advertising industries. Lawmakers may be pressured to pass legislation that:\n- Bans or severely restricts the sale of location data.\n- Requires law enforcement to obtain a warrant to access this type of data.\n- Increases transparency and oversight of the commercial surveillance industry.","Citizen Lab uncovers 'Webloc,' a global surveillance system using ad data to track millions of phones. Developed by Israeli firm Cobwebs Tech, it's used by police in the US, Hungary & El Salvador. 🕵️‍♂️📍 #Privacy #Surveillance #CitizenLab","A Citizen Lab report exposes 'Webloc,' a global surveillance system from Cobwebs Technologies that uses advertising data to track mobile device locations for law enforcement clients.",[13,14,15],"Policy and Compliance","Threat Intelligence","Regulatory","informational",[18,22,25,27,30,32],{"name":19,"type":20,"url":21},"Citizen Lab","security_organization","https://citizenlab.ca/",{"name":23,"type":24},"Cobwebs Technologies","vendor",{"name":26,"type":24},"Penlink",{"name":28,"type":29},"Hungarian domestic intelligence","government_agency",{"name":31,"type":29},"El Salvador national police",{"name":33,"type":29},"U.S. law enforcement departments",[],[36,42],{"url":37,"title":38,"date":39,"friendly_name":40,"website":41},"https://www.wiu.edu/cbt/cybersecurity_center/cybersecurity_news.php","Cybersecurity News - Western Illinois University","2026-04-11","Western Illinois University","wiu.edu",{"url":43,"title":44,"date":39,"friendly_name":45,"website":46},"https://thehackernews.com/","The Hacker News | #1 Trusted Source for Cybersecurity News (article appears on main page)","The Hacker News","thehackernews.com",[48],{"datetime":49,"summary":50},"2023-07","Cobwebs Technologies merges with and is now sold by its successor, Penlink.",[52,56],{"id":53,"name":54,"tactic":55},"T1591.002","Determine Physical Location","Reconnaissance",{"id":57,"name":58,"tactic":55},"T1590","Gather Victim Network Information",[60],{"id":61,"name":62,"description":63,"domain":64},"M1017","User Training","In this context, 'training' means educating users on how to manage their device's privacy settings, such as resetting their advertising ID and limiting location permissions for apps.","enterprise",[],[],[68,74],{"type":69,"value":70,"description":71,"context":72,"confidence":73},"other","Mobile Advertising ID (MAID)","The key identifier used for tracking. Users can reset this ID in their device's privacy settings to disrupt tracking.","iOS and Android privacy settings.","high",{"type":75,"value":76,"description":77,"context":78,"confidence":79},"network_traffic_pattern","Outbound traffic to ad exchanges from mobile apps","This is the mechanism by which location data is shared with the ad ecosystem. It is generally considered normal traffic but is the source of the data for tools like Webloc.","Mobile device network logs, Pi-hole or other network-level ad blockers.","low",[81,82,19,23,83,84,85],"Surveillance","Privacy","Webloc","Data Broker","Ad Tech","2026-04-11T15:00:00.000Z","Report",{"geographic_scope":89,"countries_affected":90,"governments_affected":94,"other_affected":96},"global",[91,92,93],"United States","Hungary","El Salvador",[28,31,95],"Various U.S. law enforcement departments",[97],"Up to 500 million device users",4,1776260620044]