Citizen Lab exposes global ad-data spying network used by governments and police

Your phone can betray you long before you make a call. Citizen Lab says a global surveillance market has turned ad-tech data and telecom weaknesses into a location engine that can follow people across borders without touching the handset.

The newest system, called Webloc, was built by Cobwebs Technologies and is now sold by Penlink after the companies merged in July 2023. Citizen Lab says Webloc monitors hundreds of millions of people using data bought from consumer apps and digital advertising, then sells that access as an add-on to Penlink’s Tangles platform. The lab’s April 9 report says that model gives governments and police a powerful shortcut to sensitive location information that many users assume is protected by their carrier.

The customer list shows how widely the tool has spread. Citizen Lab identified Hungarian domestic intelligence as a user of Webloc since at least 2022 and says it still uses it today. The report also names the national police in El Salvador, plus U.S. customers including Immigration and Customs Enforcement, the U.S. military, the Texas Department of Public Safety, DHS West Virginia, New York City district attorneys, and police departments in Los Angeles, Dallas, Baltimore, Tucson and Durham. Smaller jurisdictions such as the City of Elk Grove and Pinal County also appear in the researchers’ findings. Citizen Lab said the conclusions were based on responses to 96 freedom-of-information requests, and said governments in Europe and the United Kingdom remain highly opaque about possible use of ad-based surveillance.

The scale of the data is what makes the system dangerous. A leaked technical proposal described access to records from up to 500 million mobile devices worldwide. In one example cited by Lawfare, a man in Abu Dhabi was tracked up to 12 times a day. Another case showed two devices pinpointed in exact areas of Romania and Italy at specific times. Citizen Lab warns that location data collected from mobile apps and digital advertising can expose habits, interests and nearly every other part of a person’s life.

The ad-data business sits on top of a wider telecom problem. In its October 26, 2023 report on network-based geolocation surveillance, Citizen Lab said all U.S. wireless networks were vulnerable to the kinds of weaknesses reportedly exploited by Circles, and that a majority of networks around the world were similarly exposed. That earlier work found Circles deployments in at least 25 countries. The lesson is stark: once location data leaks into the commercial and telecom ecosystem, carriers and regulators struggle to seal it back up, and ordinary users are left exposed to tracking that can be bought, not hacked.

Public pressure on that trade is growing. The ACLU said on January 12, 2026 that the Department of Homeland Security, including ICE and Customs and Border Protection, had bought access to highly sensitive phone-location data, even after DHS said in 2024 that it was ending contracts for bulk cell phone location data. Lawfare then argued on April 17, 2026 that the United States should ban the sale of precise geolocation data altogether, warning that the market now poses both a privacy and national-security risk.