HIGH: Your Phone Ads Are Snitching on You: Inside the 500-Million-Device Surveillance Machine

Every time you see a targeted ad on your phone, your device is participating in an auction. Advertisers bid to show you that shoe ad or that suspicious supplement, and in return they get data about where you are, what apps you use, and when you use them. It sounds creepy but mostly harmless, right? Citizen Lab just revealed that law enforcement agencies across the globe have been weaponizing that exact advertising ecosystem to track half a billion devices without ever bothering with a warrant.

The tool is called Webloc, and it was built by Israeli intelligence company Cobwebs Technologies before being folded into Penlink, an American digital forensics vendor, following a 2023 merger. According to Citizen Lab's research published this week, Webloc's customer list reads like a who's who of surveillance heavyweights. U.S. Immigration and Customs Enforcement uses it. So does the U.S. military, the Texas Department of Public Safety, the West Virginia Department of Homeland Security, and police departments in Los Angeles, Dallas, Baltimore, Tucson, and Durham. International clients include Hungarian domestic intelligence and El Salvador's national police.

The system works by purchasing the exact same location data that mobile apps harvest for advertisers. When you grant an app permission to access your location for legitimate reasons, that data often flows through advertising exchanges where it becomes available to anyone willing to pay. Webloc simply plugs into that ecosystem and aggregates records from up to 500 million mobile devices worldwide. The database contains device identifiers, precise GPS coordinates, timestamps, and profile information that can paint a disturbingly complete picture of anyone's daily life.

What makes Webloc particularly powerful is its temporal depth. The system maintains location records going back three years, meaning investigators can reconstruct someone's movements long after the fact without ever having them under active surveillance. Want to know where a person was on a random Tuesday two years ago? Webloc can probably tell you. The tool can also infer home addresses and workplaces by analyzing patterns in the data, essentially building a profile that reveals where someone lives and works just by watching their device move through the day.

The warrantless nature of this surveillance is what has privacy advocates alarmed. Traditional location tracking through cell towers requires a court order, and installing GPS trackers on vehicles demands a warrant under the Supreme Court's ruling in United States v. Jones. But because this data is technically available for commercial purchase, law enforcement has argued it falls outside Fourth Amendment protections. Citizens have no meaningful way to opt out short of abandoning their smartphones entirely or refusing location permissions for every app they install, which would render many applications useless.

Penlink markets the capability with corporate euphemism, describing Webloc as a tool for "investigating and interpreting location-based data to support your cases." The company's website positions Tangles, its broader intelligence platform, as essential for social media and web investigations with Webloc serving as an add-on for geographic analysis. According to procurement documents reviewed by 404 Media, one government notice specifically highlighted Webloc's "ability to automate and continuously monitor unique mobile advertising IDs, geolocated IP addresses, and connected devices analysis."

The corporate history here is worth examining. Cobwebs Technologies was one of seven cyber mercenary companies that Meta banned from Facebook and Instagram in December 2021. Meta's investigation found Cobwebs operating roughly 200 accounts to conduct reconnaissance on targets and trick people into revealing personal information through social engineering. The company's customers at the time spanned Bangladesh, Hong Kong, Mexico, Saudi Arabia, Poland, New Zealand, and the United States. Meta noted that beyond legitimate law enforcement activities, it observed "frequent targeting of activists, opposition politicians, and government officials" in Hong Kong and Mexico.

The connection to Israeli spyware extends further. Citizen Lab researchers identified corporate links between Cobwebs Technologies and Quadream, a less famous but equally controversial spyware vendor that reportedly sold zero-click iPhone exploits to governments before shuttering operations in 2023. Omri Timianker, who founded and formerly led Cobwebs Technologies, now oversees Penlink's international operations. The company maintains 219 active servers worldwide, with concentrations in the United States, Netherlands, Singapore, Germany, Hong Kong, and the United Kingdom.

Responding to the research, Penlink issued a carefully worded statement claiming the findings "appear to rely on either inaccurate information or a misunderstanding about how we operate." The company asserted that it complies with U.S. state privacy laws and suggested that certain practices described occurred before its acquisition of Cobwebs Technologies. Citizen Lab stands by its research, noting that the fundamental model of warrantless ad-based surveillance continues regardless of corporate rebranding.

For businesses and security professionals, this revelation carries implications beyond privacy concerns. Any organization with employees carrying mobile devices should recognize that their collective movement patterns may already exist in databases accessible to government agencies worldwide. Sensitive operations, whether legal strategy sessions or competitive intelligence activities, leave digital breadcrumbs that can be reconstructed years after the fact. The advertising ecosystem that funds free apps has become a parallel surveillance infrastructure that makes traditional operational security measures increasingly inadequate.

The Citizen Lab researchers summarized their findings bluntly: "Intrusive and legally questionable ad-based surveillance is being used by military, intelligence, and law enforcement agencies down to local police units in several countries across the globe." When the targeted ads know where you sleep, where you work, and everywhere you go in between, the question stops being whether you have something to hide and starts being whether the Fourth Amendment still means anything in a world where your data is always for sale.