[TIMESTAMP: 2026-04-11 08:18 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Webloc Ad-Based Surveillance: How Law Enforcement Tracks 500M Devices

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Law enforcement agencies globally are tracking over 500 million devices using harvested advertising data without requiring traditional judicial warrants.
  • [02] Affected systems: Mobile devices running applications that interact with the real-time bidding ecosystem are vulnerable to persistent geolocation monitoring.
  • [03] Remediation: Organizations must implement DNS filtering and strict mobile device management policies to block data-harvesting advertising domains.

A recent investigation by Citizen Lab has uncovered the extensive use of Webloc, an advertising-based global geolocation surveillance system. This platform, originally developed by the Israeli firm Cobwebs Technologies and now managed by Penlink after a 2023 merger, enables law enforcement agencies to monitor hundreds of millions of mobile devices. Unlike traditional interception tools, this system relies on the vast ecosystem of digital advertising to extract sensitive telemetry from unsuspecting users.

Cobwebs Technologies Webloc Technical Analysis

Webloc operates by harvesting data from the real-time bidding (RTB) ecosystem. RTB is a sub-millisecond process where advertising space on websites and mobile apps is auctioned off to advertisers. During this auction, a vast amount of metadata is shared between publishers and bidders, including GPS coordinates, IP addresses, unique device identifiers, and granular user interests.

While this data is intended for targeted advertising, Webloc ingests and indexes this information to create a searchable database of physical movements. This allows an analyst in a SOC or intelligence unit to perform retrospective tracking of a specific target over long periods. The platform reportedly tracks over 500 million devices globally, providing a persistent window into user behavior without necessitating the direct compromise of a device or a service provider. Because the data is purchased or harvested from the commercial market, it often skirts the legal requirements typically associated with location tracking.

Detecting Ad-Based Geolocation Surveillance

The scale of this operation highlights a significant blind spot in traditional EDR and SIEM monitoring. Because the tracking occurs via legitimate advertising traffic, detecting ad-based geolocation surveillance requires a focus on the egress traffic of mobile applications and browser-based scripts. Security professionals must recognize that the threat originates from the supply chain of advertising data itself.

According to Citizen Lab, the users of this technology include Hungarian domestic intelligence, the national police in El Salvador, and multiple local and federal law enforcement agencies within the United States. This broad adoption suggests that Webloc has become a standardized tool for an APT or state-aligned entity seeking to monitor political dissidents, journalists, or specific demographic groups. The investigation identified specific instances where Webloc was deployed to monitor high-interest targets during periods of civil unrest or political transition.

Recommendations for Mitigating Real-Time Bidding Data Leaks

For defenders, the primary challenge is that this surveillance relies on the “gray data” market. Unlike a CVE that can be patched, this is a systemic vulnerability in mobile operating systems and the global advertising industry. To counter this, organizations should adopt several defensive measures:

  • DNS Filtering: Implement network-level blocking of known advertising and tracking domains. Tools like Pi-hole or enterprise-grade DNS filtering can prevent devices from participating in RTB auctions.
  • Mobile Device Management (MDM): Use MDM policies to restrict the installation of applications known for excessive data harvesting and prevent apps from accessing location services unnecessarily.
  • Privacy-Hardened Browsers: Encourage the use of browsers that block cross-site tracking and obfuscate device identifiers by default to limit the metadata available to bidders.
  • Network Monitoring: Analyze outbound traffic for connections to known data brokers or ad-tech endpoints associated with the surveillance supply chain.
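One way to carry out the DNS filtering and network monitoring items above, as an added example that is not part of the original article: it reads dnsmasq-style query lines of the kind Pi-hole logs and counts, per client device, lookups that fall under a blocklist of ad-tech domains. The blocklist entries, client addresses and log lines are constructed placeholders; a real deployment would load a maintained blocklist.

```python
import re
from collections import defaultdict

# Constructed placeholder suffixes; these are not real ad-tech or broker domains.
BLOCKLIST = {"adexchange.example", "rtb-bidder.example", "geo-sdk.example"}

# dnsmasq query line: "... query[<type>] <name> from <client>"
QUERY_RE = re.compile(r"query\[[^\]]+\] (?P<name>\S+) from (?P<client>\S+)")

# Constructed sample log lines (assumed dnsmasq/Pi-hole layout).
SAMPLE_LOG = """\
Apr 11 08:01:02 dnsmasq[812]: query[A] bid.adexchange.example from 10.0.0.23
Apr 11 08:01:02 dnsmasq[812]: forwarded bid.adexchange.example to 9.9.9.9
Apr 11 08:01:05 dnsmasq[812]: query[AAAA] BID.AdExchange.example. from 10.0.0.23
Apr 11 08:01:09 dnsmasq[812]: query[A] notadexchange.example from 10.0.0.23
Apr 11 08:02:11 dnsmasq[812]: query[A] eu.sync.rtb-bidder.example from 10.0.0.41
Apr 11 08:02:30 dnsmasq[812]: query[A] intranet.corp.example from 10.0.0.41
Apr 11 08:03:00 dnsmasq[812]: query[HTTPS] geo-sdk.example from 10.0.0.23
"""

def blocked_suffix(name, blocklist=BLOCKLIST):
    """Return the blocklist entry that matches name on a label boundary, else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def adtech_queries_by_client(log_text, blocklist=BLOCKLIST):
    """Map client address -> {blocklisted suffix: number of queries}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # forwarded/reply/cached lines carry no client address
        suffix = blocked_suffix(m.group("name"), blocklist)
        if suffix:
            hits[m.group("client")][suffix] += 1
    return {client: dict(counts) for client, counts in hits.items()}

if __name__ == "__main__":
    for client, counts in sorted(adtech_queries_by_client(SAMPLE_LOG).items()):
        print(client, counts)
```

Matching on whole labels keeps a name such as notadexchange.example from being counted against adexchange.example, which a plain substring or `endswith` check would get wrong.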

By focusing on mitigating real-time bidding data leaks, organizations can reduce the footprint their mobile fleets leave within these surveillance databases and protect personnel from global geolocation tracking.
