Webloc: when digital advertising is transformed into large-scale surveillance

A recent report by the Citizen Lab research group has focused on a little-known tool outside security circles: a global surveillance system based on advertising data that allows for triangular location and movement of large-scale mobile devices. According to this research, the technology, known as Webloc, was created by the Israeli Cobwebs Technologies and is now part of the Penlink company's catalogue following the merger announced in 2023. What is relevant is not only technical capacity, but who is using it and what controls (or without them). You can consult Citizen Lab's work on his website for more context: citizen.

In essence, Webloc exploits the prints we leave when using mobile applications and advertising services: advertising identifiers, geolocalized coordinates, IP addresses and other metadata that many SDK and ad networks collect and sell. With these ingredients, the tool rebuilds routes, life patterns and affinities during periods that, according to commercial documentation, can cover years. The result is a layer of intelligence that connects the digital and the physical and allows people to follow without having to access the mobile network operator directly.

Citizen Lab's report and news reports have identified government and police clients who have acquired access to this type of capacity. These include United States agencies and police departments in different cities, as well as international forces. The possibility of consulting and automating searches on millions of different identifiers raises an obvious issue: what is the guarantee that such consultations are conducted in an appropriate judicial order or supervision? Means such as Forbes, local organizations such as Texas Observer and specialized spaces in technological research have documented how these tools can be used without the intervention of the courts.

The technology in question was born as a commercial product: Cobwebs publicly presented it as a location intelligence platform that combines web data and geospatial points to offer "interactive maps" and analytical layers. Following the agreement with Penlink, the offer was integrated into a software ecosystem that, according to the company itself, is directed to the collection and analysis of digital evidence for security cases. On the official Penlink site there is information about your product portfolio and corporate statements: penlink.com. The company has publicly responded to the report's findings, indicating that some interpretations are inaccurate and underlining its compliance with US privacy laws.

In addition to the purchase and aggregation of third-party data, Webloc incorporates techniques to infer locations from IP addresses and to associate devices with homes or workplaces, which facilitates the identification of people behind mobile phones. This type of methods is not new: many reports have explained for years how the location data traded by intermediaries allow to rebuild movements and habits in a detail that surprises those who are not familiar with the data business. A recommended journalistic approach to the location collection ecosystem can be found in the New York Times article on the theme: Your Apps Know Where You Were Last Night, and They're Not Keeping It Secret.

The corporate trajectory of suppliers also raises concerns. Cobwebs was noted long ago in platform moderation movements: Meta included the company among seven suppliers that it blocked in December 2021 for operating accounts for information collection and handling. Meta's own note explained that these operations had served to monitor and collect intelligence about communities, activists and public figures in different countries; the official statement can be consulted here: about.fb.com.

Another aspect of the report is technical infrastructure: hundreds of servers linked to product deployments were identified in multiple countries, with a significant concentration in the United States and presence in Europe, Asia and other regions. This suggests that, although technology is marketed from a given source, its operational footprint is global. From a legal point of view, the geographical dispersion of servers and data providers complicates traceability and judicial control over potentially invasive uses.

In view of this scenario, the criticism focuses on two areas: the technical capacity to carry out massive and retroactive monitoring, and the absence of solid monitoring frameworks to ensure that these capacities are used with clear limits. For organizations such as Citizen Lab, the combination of these factors is equivalent to a form of intrusive monitoring that, in many cases, is exercised without the usual due process. The report itself and the accompanying research articles stress the need for more transparency on the part of suppliers and buyers, and accountability mechanisms for the agencies that hire these services.

The civil implications are serious: from the erosion of individual privacy to specific risks for activists, journalists and political opponents in contexts where institutions do not protect basic rights. At the same time, law enforcement officials argue that sophisticated geospatial intelligence tools can be useful in complex criminal investigations. The dilemma is, therefore, how to balance security and rights. Public and legislative discussion on access and control of location data continues to advance, but more slowly than technological adoption.

As journalists and citizens, three fronts should be monitored: which companies market follow-up capabilities, who their clients are and under what rules they operate, and what monitoring and transparency mechanisms exist to audit uses and abuses. Recent developments show that trade in advertising data is no longer an abstract problem for specialists: has acquired the technical capacity to convert commercial tracks into large-scale surveillance tools with palpable consequences for rights and freedoms.

If you want to deepen, in addition to Citizen Lab's research, the media coverage and notes of the companies themselves are useful starting points. Discussions on personal data regulation and control will be intensified in the coming years; in the meantime, it is appropriate to demand clarity on how and why these technologies are used, especially when their use may affect innocent people who have never been under suspicion.