Introduction: The shadow surveillance economy
A groundbreaking report from the University of Toronto's Citizen Lab has pulled back the curtain on a form of mass surveillance that operates not through sophisticated malware, but through the mundane mechanics of the online advertising industry. The investigation, titled "Tracking the Trackers," details a system called Webloc, which has allegedly been used by government intelligence and law enforcement agencies in Hungary, El Salvador, and the United States to conduct global geolocation tracking on a massive scale.
Developed by the Israeli company Cobwebs Technologies and now sold by its successor Penlink, Webloc represents a concerning fusion of commercial data collection and state surveillance. It bypasses the need for device exploits or traditional warrants by simply purchasing access to a torrent of personal data that our mobile devices leak every second of the day. This analysis delves into the technical underpinnings of Webloc, its profound impact on privacy, and the steps individuals can take to mitigate their exposure.
Technical breakdown: Weaponizing the ad auction
Unlike infamous spyware such as Pegasus, which relies on exploiting software vulnerabilities to compromise a device, Webloc draws its power from the inherent design of the digital advertising ecosystem. The mechanism at its core is Real-Time Bidding (RTB), the automated process that determines which ads you see in your apps and on websites.
Here’s how it facilitates surveillance:
- The Ad Request: When you open an app or visit a website with ad space, the application sends out an ad request to an ad exchange. This isn't just a simple request for a picture; it's a data packet rich with personal information.
- The Bidstream: This data packet, known as "bidstream data," is broadcast to thousands of potential advertisers (Demand-Side Platforms or DSPs) in milliseconds. The packet often contains highly sensitive information, including your device's unique advertising ID (Google's GAID or Apple's IDFA), your IP address, device model, and, most critically, your precise GPS coordinates (latitude and longitude).
- Webloc's Role: Surveillance systems like Webloc operate by gaining access to this bidstream. They can pose as a legitimate advertiser or partner with a company that already has access. Instead of bidding to show you an ad, the system simply ingests the torrent of location and device data from millions of users. By correlating a specific advertising ID over time, an operator can build a detailed history of a person's movements, revealing where they live, work, and who they associate with.
Because this method doesn't involve hacking a phone, there are no traditional Indicators of Compromise (IOCs) for a user to find. The surveillance happens on industry servers, completely invisible to the target. The data leakage is a feature of the ad-tech system, not a bug, and Webloc was built to weaponize it.
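The bidstream fields listed above, shown as an added example (not code from the Citizen Lab report or any ad-tech vendor): it assumes the request follows the IAB OpenRTB 2.x JSON layout, flags the fields that identify or locate a device, and returns a minimized copy of the kind a publisher-side filter could forward instead. The sample request, the function names audit and minimize, and the coarsening policy (/24 IP prefix, two-decimal coordinates) are assumptions of this example.

```python
import copy
import ipaddress

# Constructed sample in the assumed OpenRTB 2.x layout; every value is made up.
SAMPLE_BID_REQUEST = {
    "id": "req-0001",
    "app": {"bundle": "com.example.weather"},
    "device": {"ifa": "00000000-aaaa-bbbb-cccc-123456789abc", "lmt": 0,
               "ip": "203.0.113.77", "model": "ExamplePhone 12",
               "geo": {"lat": 12.345678, "lon": 98.765432, "type": 1}},
    "user": {"id": "u-778899"},
}
ZERO_IFA = "00000000-0000-0000-0000-000000000000"


def audit(req):
    """List the fields that let a bidstream recipient identify or locate the device."""
    dev, findings = req.get("device", {}), []
    if dev.get("ifa") not in (None, "", ZERO_IFA):
        findings.append("device.ifa")
    if dev.get("ip"):
        findings.append("device.ip")
    geo = dev.get("geo", {})
    if "lat" in geo and "lon" in geo:
        # geo.type 1 means the fix came from GPS/location services, not an IP lookup.
        findings.append("device.geo (gps)" if geo.get("type") == 1 else "device.geo")
    if req.get("user", {}).get("id"):
        findings.append("user.id")
    return findings


def minimize(req, geo_decimals=2):
    """Return a copy with identifiers dropped and IP/location coarsened (example policy)."""
    out = copy.deepcopy(req)
    dev = out.get("device", {})
    if "ifa" in dev:
        dev["ifa"] = ZERO_IFA   # zeroed advertising ID
        dev["lmt"] = 1          # signal "limit ad tracking" downstream
    if dev.get("ip"):
        net = ipaddress.ip_network(dev["ip"] + "/24", strict=False)
        dev["ip"] = str(net.network_address)
    geo = dev.get("geo", {})
    for key in ("lat", "lon"):
        if key in geo:
            geo[key] = round(geo[key], geo_decimals)  # 2 decimals is roughly 1 km
    out.pop("user", None)       # drop the exchange-side user identifier
    return out
```

audit reports presence, not precision, so a minimized request still lists device.ip and device.geo; what changes is that the persistent identifiers are gone and the remaining values no longer pinpoint a device.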
Impact assessment: Warrantless tracking on a global scale
The implications of this technology are far-reaching and deeply troubling. The ease with which Webloc allows for location tracking effectively creates a loophole that bypasses established legal processes for surveillance, such as obtaining a warrant.
Who is affected?
The potential victim pool includes hundreds of millions of people worldwide who use smartphones with apps supported by advertising. While the surveillance may be targeted at specific individuals of interest, the data collection is indiscriminate, scooping up information on countless innocent civilians in the process.
The Citizen Lab report specifically identified several state actors as clients of Cobwebs/Penlink:
- Hungarian Domestic Intelligence: Raising concerns about its use against political opposition, journalists, and civil society in a nation that has seen a steady erosion of democratic norms.
- National Police of El Salvador: A country whose government has been widely criticized for human rights abuses and the suppression of dissent.
- U.S. Law Enforcement: The report notes use by various U.S. police departments, highlighting the domestic proliferation of powerful surveillance tools that often operate with minimal public transparency or oversight.
The severity of this threat cannot be overstated. Persistent location data can reveal intimate details of a person's life, including visits to medical clinics, places of worship, or participation in political protests. For journalists, activists, and lawyers, such tracking can expose their sources, compromise their safety, and create a chilling effect on their work. It provides authoritarian regimes with a powerful tool for social control and repression, funded by the very ad-tech industry that powers much of the modern internet.
How to protect yourself
While completely escaping the ad-tech data dragnet is difficult, you can take concrete steps to significantly reduce your data footprint and make yourself a harder target for this type of tracking.
- Reset Your Advertising ID: Both iOS and Android allow you to reset your device's advertising ID and opt out of ad personalization. This breaks the link between your past activity and your new ID, making historical tracking more difficult. On iOS, go to Settings > Privacy & Security > Tracking and ensure "Allow Apps to Request to Track" is off. On Android, go to Settings > Google > Ads and select "Delete advertising ID."
- Manage App Permissions: Be ruthless with app permissions. If an app doesn't need your location to function (like a simple game or calculator), do not grant it. For apps that do require it (like maps or weather), set the permission to "While Using the App" or "Ask Next Time" instead of "Always."
- Use a VPN Service: A Virtual Private Network masks your true IP address, which is one of the key data points included in the RTB bidstream. While it doesn't hide your GPS location or advertising ID, it removes a critical piece of the puzzle used to identify and track you.
- Choose Your Apps Wisely: Be mindful that many "free" applications are funded by aggressive data collection for advertising. Consider paid alternatives for essential apps, as they often have better privacy policies. Before installing any app, review its requested permissions and privacy policy.
- Use Privacy-Focused Browsers: On your mobile device, use browsers like Brave or Firefox Focus that have built-in tracker blocking. This can help reduce the amount of data shared with third parties as you browse the web.
The revelations about Webloc are a stark reminder that the commercial surveillance industry operates in a legal and ethical gray zone. This system thrives on the data we freely give away, transforming our daily digital exhaust into a tool for state power. It underscores the urgent need for stronger regulations governing both the ad-tech industry and the sale of surveillance technologies to government agencies.




