How a Global Ad System Turns Everyday Ads into Government Surveillance
Citizen Lab’s investigation reveals that the Webloc platform harvests advertising IDs and real‑time bidding data from billions of mobile devices, enabling law‑enforcement agencies in the US, EU and elsewhere to track half a billion users worldwide, while most users remain unaware of the privacy risks.
Citizen Lab’s latest report uncovers a system called Webloc that leverages everyday shopping ads to provide real‑time location tracking for at least four national law‑enforcement agencies, covering roughly 500 million devices worldwide.
Core Data Overview
Devices monitored: 500 million
Daily location signals processed: tens of billions
Historical data retention: up to 3 years
Research methods: technical analysis, procurement records, leaked documents, and 96 Freedom‑of‑Information requests.
Active servers: 219 (126 in the US, 32 in the Netherlands, 17 in Singapore, 8 in Germany, 8 in Hong Kong, 28 elsewhere).
Technical Vulnerabilities: How Ad Data Fuels Surveillance
When a user receives a targeted shopping ad, the data flow mirrors a global supply chain: cheap user data is purchased, passed through ad‑exchange platforms, and ultimately reaches an intelligence‑agency endpoint that the user never authorized.
1. Mobile Advertising ID (MAID) – a Never‑Changing “Room Key”
Advertising IDs (GAID/AAID on Android, IDFA on iOS) are meant to be resettable, yet most users never do so. Analysis of over 5 billion ad events shows only about 0.18 % of Android users delete their Google advertising ID; even in privacy‑conscious countries the rates are low (Germany 3.14 %, France 3 %, US 2.3 %). Webloc exploits this persistence by continuously reading the ID’s associated location signals (GPS, Wi‑Fi triangulation, IP), effectively inserting a 24‑hour surveillance camera into the user’s pocket.
Technical note: The advertising ID is not stored in ROM, but its longevity combined with the openness of the ad supply chain forms the foundation of surveillance.
2. Real‑Time Bidding (RTB) – An Open Marketplace Hijacked for Intelligence
RTB is the core of programmatic advertising. When an app opens, it sends a bid request containing device ID, GPS, IP, and interest tags, which is broadcast to dozens of demand‑side platforms (DSPs) within milliseconds.
User opens App → App sends ad request (MAID, GPS, IP, device info) → SSP packages more data → Ad exchange broadcasts to many DSPs → Data broker intercepts and resells → Monitoring company (e.g., Penlink) purchases → Enters Webloc system
Webloc’s operator Penlink does not hack the system; it legally joins the RTB ecosystem as a data broker, collecting the broadcast data and selling it to government clients.
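The sketch below is an added example, not code from Citizen Lab or any vendor named here. It shows how a publisher or SSP could audit and minimize a bid request before it is broadcast. It assumes the request follows the OpenRTB 2.x JSON layout (device.ifa, device.ip, device.geo, user.id), which the article does not name, and the sample request is constructed.

```python
import copy
import ipaddress

# Value Android returns once the user has deleted the advertising ID.
ZERO_IFA = "00000000-0000-0000-0000-000000000000"

def audit_bid_request(req):
    """Return the OpenRTB field paths that expose a persistent ID or a location."""
    dev = req.get("device", {})
    geo = dev.get("geo", {})
    findings = []
    if dev.get("ifa") and dev["ifa"] != ZERO_IFA:
        findings.append("device.ifa")
    if "lat" in geo and "lon" in geo:
        # geo.type 1 = GPS/location services, 2 = derived from the IP address
        findings.append("device.geo(gps)" if geo.get("type") == 1 else "device.geo")
    for key in ("ip", "ipv6"):
        if dev.get(key):
            findings.append(f"device.{key}")
    if req.get("user", {}).get("id"):
        findings.append("user.id")
    return findings

def minimize_bid_request(req, decimals=2):
    """Return a copy with identifiers dropped and location coarsened."""
    out = copy.deepcopy(req)            # never mutate the caller's request
    dev = out.get("device", {})
    dev.pop("ifa", None)                # drop the advertising ID entirely
    dev.pop("ipv6", None)
    if dev.get("ip"):                   # keep only the /24 network of an IPv4 address
        net = ipaddress.ip_network(dev["ip"] + "/24", strict=False)
        dev["ip"] = str(net.network_address)
    geo = dev.get("geo", {})
    for axis in ("lat", "lon"):         # 2 decimals is roughly 1 km of latitude
        if axis in geo:
            geo[axis] = round(geo[axis], decimals)
    out.get("user", {}).pop("id", None)
    return out

# Constructed sample bid request (not captured traffic); all values are illustrative.
SAMPLE = {
    "id": "req-1",
    "app": {"bundle": "com.example.weather"},
    "device": {"ifa": "3f2b8c1e-0000-4000-8000-123456789abc", "lmt": 0,
               "ip": "203.0.113.77",
               "geo": {"lat": 52.520008, "lon": 13.404954, "type": 1}},
    "user": {"id": "u-42"},
}

if __name__ == "__main__":
    print(audit_bid_request(SAMPLE))
    print(minimize_bid_request(SAMPLE)["device"])
```

Coarsening reduces precision but does not remove the location signal, which matches the article's later point that IP and Wi‑Fi data can still leak.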
3. Geofencing – A “Time Machine” for Three‑Year Historical Tracks
Leaked technical documents show Webloc supports geofencing queries: law‑enforcement can draw shapes on a map and instantly receive all device IDs that have ever entered the area, along with up to three years of historical trajectories. The platform can infer home addresses from night‑time locations, workplaces from daytime clusters, and even detect devices that frequently travel together.
Global Customer Map: Who Uses Webloc?
Citizen Lab mapped Webloc’s users using technical analysis, procurement records, leaked documents, and 96 FOIA requests.
United States
Federal law‑enforcement: ICE (contract signed in 2025 without competition), West Virginia Department of Homeland Security.
Military intelligence: US Navy Intelligence, US Army Space and Missile Defense Command, Indian Affairs Police.
State law‑enforcement: Texas Department of Public Safety.
Local police: Los Angeles, Dallas, Baltimore, Tucson, Durham, Elk Grove, Pinal County.
European Union – Hungary (First Confirmed EU User)
Hungary’s National Security Office (NBSZ) began using Webloc in 2022 and quietly renewed the license in March 2026, weeks before the April 12 parliamentary election. Procurement was handled by SCI‑Network Ltd., a middle‑man with a 300 % markup, linked to former intelligence personnel and the Orbán administration.
El Salvador – Seven‑Year Customer
Salvadoran National Police have used Webloc since 2021, expanding surveillance powers under the pretext of combating gangs, drawing criticism from human‑rights groups.
Infrastructure: The Digital Heart of Imperialism
219 active servers host Webloc, with the United States holding more than half (126). Europe (Netherlands, Germany) and Asia (Singapore, Hong Kong) act as regional relay nodes, illustrating a topology where the core resides in the US and the tentacles reach globally.
Developer Background
Webloc was developed by the Israeli company Cobwebs Technologies (founded in 2015 by former Israeli intelligence personnel), which merged with US monitoring supplier Penlink in 2023, after which Penlink handled sales.
Cobwebs was previously banned by Meta in December 2021 for operating ~200 fake accounts used for reconnaissance and social‑engineering against activists and opposition politicians across multiple countries.
Security Framework Behind the Imperial Logic
“Humanitarian” Rhetoric as Cover
Penlink claims the tool is only for “crime fighting” and “finding missing persons,” yet its configuration includes 24/7 data collection, three‑year historical back‑fills, and client‑controlled access without independent oversight.
Economic Scale of Monitoring Data
Location‑Data‑as‑a‑Service market size: US$2.82 billion in 2025, US$3.39 billion in 2026, projected US$7.06 billion by 2030 (CAGR 20.4 %). Webloc represents a slice of this rapidly growing industry.
Privacy Awareness Gap
Most users are unaware of advertising IDs. Key statistics:
Global Android ad‑ID deletion rate: ~0.18 %.
US ad‑ID opt‑out: ~2.3 %.
Germany: ~3.14 %.
France: ~3 %.
India: ~1.4 %.
iOS ATT opt‑in (post‑iOS 14): ~25 %.
Simple fact: In a group of 100 Android users, fewer than one actively deletes the ad ID; the rest broadcast their identifier continuously, making them vulnerable to inclusion in Webloc’s database.
Technical Countermeasures for Individuals
iOS Users
Turn off ad tracking: Settings → Privacy & Security → Tracking → disable “Allow Apps to Request Tracking.”
Restrict location permissions: Settings → Privacy & Security → Location Services → set most apps to “Never” or “While Using.”
Reset advertising ID: Settings → Privacy & Security → Apple Advertising → view and reset identifier.
Android Users
Delete or reset ad ID: Settings → Privacy → Ads → delete or reset advertising ID.
Restrict location permissions: Settings → Location → App permissions → deny background location per app.
Turn off ad personalization: Settings → Google → Ads → disable “Opt out of ad personalization.”
These steps cannot fully block Webloc—some location data may still leak via IP or Wi‑Fi—but they significantly raise the cost and reduce the precision of surveillance. Resetting the ad ID breaks the three‑year historical link, effectively giving the user a new “face” in the monitoring system.
Conclusion
Webloc is not a sophisticated nation‑state hacking tool; its danger lies in its normalcy—leveraging the massive, publicly broadcast ad data stream and selling it to governments.
This model exemplifies modern digital imperialism: no need for territorial occupation, only control of data pipelines, RTB protocols, and a “service agreement” with a clause limiting use to law‑enforcement purposes.
Citizen Lab does not call for an outright ban on advertising technology but raises a fundamental question: when commercial data can be used by governments without judicial review or expiration, what remains of privacy law?
The answer may be hidden in the next weather‑app ad that pinpoints your exact location.
Black & White Path
