Webloc surveillance system tracks millions using mobile ad data

A little-known surveillance platform called Webloc can track hundreds of millions of people worldwide by repurposing data harvested from mobile apps and digital advertising ecosystems.

A related investigation confirms that government agencies across multiple countries, including Hungary, the United States, and El Salvador, have deployed the system for intelligence and law enforcement operations.

The report was authored by researchers at CitizenLab, working with investigative journalists from VSquare, and combined technical analysis, procurement records, leaked documents, and 96 freedom-of-information requests to map the capabilities, infrastructure, and global usage of Webloc.

Webloc is a geolocation intelligence system originally developed by Israeli firm Cobwebs Technologies and now sold by US-based surveillance vendor Penlink following a 2023 merger. Cobwebs, founded in 2015 by former Israeli intelligence personnel, built tools for web and social media intelligence gathering, while Penlink has long supplied lawful interception and data analysis tools to US law enforcement agencies.

According to Citizen Lab, Webloc ingests vast streams of data sourced from mobile apps and real-time advertising exchanges, commonly referred to as RTB (real-time bidding) and SDK-based tracking ecosystems. These data flows include mobile advertising IDs (MAIDs), GPS and Wi-Fi-derived location coordinates, IP addresses, device details, and behavioral profiles such as interests and habits. The system reportedly processes billions of location signals daily from up to 500 million devices, allowing users to track movements, build profiles, and reconstruct location histories for up to three years.

Leaked technical documents reviewed by researchers show that Webloc supports geofencing queries, enabling analysts to identify all devices present in a specific area or those that traveled between locations. The platform can also infer sensitive personal details, such as home and workplace, from repeated location patterns, and correlate devices based on shared movement data.

Citizen Lab’s findings indicate that Webloc is widely used across government sectors. Confirmed US customers include Immigration and Customs Enforcement (ICE), the US military, the Texas Department of Public Safety, and multiple local police departments in cities such as Los Angeles, Dallas, and Baltimore. The system has also been used by El Salvador’s National Civil Police since at least 2021.

In Europe, the report documents the first confirmed case of ad-based mass surveillance deployment: Hungarian domestic intelligence agencies have reportedly used Webloc since 2022. VSquare reveals that Hungary’s Special Service for National Security (NBSZ) renewed Webloc licenses in March 2026, just weeks before national elections.

The Hungarian deployment raises particular concerns due to the European Union’s strict data protection framework under the General Data Protection Regulation (GDPR). Repurposing advertising data for surveillance likely violates the principle of purpose limitation, which restricts how personal data can be reused.

Penlink disputed aspects of the report, claiming inaccuracies and stating that some of the products described “no longer exist,” but did not provide detailed clarifications. The company maintains that its tools are used for legitimate purposes such as combating crime and locating missing persons, and that it complies with applicable privacy laws.

To reduce exposure to such tracking, users are recommended to limit app permissions, disable or reset advertising IDs, and restrict location access on mobile devices. However, it’s important to understand that these measures only partially mitigate the issue, as data collection practices remain deeply embedded in the mobile app and advertising ecosystem.