Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Apr 12, 2026 · 6 min read

Police Are Tracking 500 Million Phones Through the Ads on Your Screen—No Warrant Required

A Citizen Lab investigation exposed Webloc, a surveillance system that turns the advertising ecosystem into a real time tracking network for law enforcement across 30 countries.

Crowded city street at night with subtle location tracking indicators above pedestrians illustrating mass surveillance

What Citizen Lab Found

A new investigation from Citizen Lab, the University of Toronto's digital surveillance research group, has exposed a system called Webloc that turns the commercial advertising ecosystem into a real time surveillance network. Built by Israeli firm Cobwebs Technologies and now sold by its successor Penlink after the two companies merged in 2023, Webloc provides law enforcement agencies with access to location data from up to 500 million mobile devices across more than 30 countries.

The system does not exploit any vulnerability. It simply purchases the same data that advertisers use to target you with relevant ads, then repurposes it for tracking individuals, mapping their movements, and building behavioral profiles. No warrant is required because the data is commercially available.

How Advertising Data Becomes Surveillance

Every time your phone displays an ad, a process called real time bidding broadcasts your data to dozens of companies within milliseconds. That data includes your device's mobile advertising ID, GPS coordinates, timestamp, the app you are using, your device model, operating system, language settings, and behavioral attributes like inferred age, gender, and purchase history.

According to the Citizen Lab report, an average European's data is transmitted "a few hundred times a day" through this advertising pipeline. Webloc taps into this stream, aggregating billions of daily location signals from hundreds of millions of devices.

The second data source is software development kits, or SDKs, embedded in mobile apps. Games, dating apps, weather tools, and fitness trackers often include third party tracking code that collects location and behavioral data independently of the ad system. Together, these two pipelines create a comprehensive surveillance infrastructure that most people never know exists.

Despite industry claims that mobile advertising IDs are anonymous, the FTC has clarified that they "offer no anonymity" because businesses routinely link them to real names, addresses, and phone numbers. Webloc can track a device's location, movements, and personal characteristics going back up to three years.

Who Is Using It

Citizen Lab identified confirmed Webloc customers across three countries:

  • United States: Immigration and Customs Enforcement (ICE), the U.S. military, Texas Department of Public Safety, DHS West Virginia, New York City district attorneys, and police departments in Los Angeles, Dallas, Baltimore, Durham, Tucson, Pinal County, and Elk Grove.
  • Hungary: Domestic intelligence has used Webloc since at least 2022.
  • El Salvador: The National Civil Police purchased the system in 2021.

The researchers submitted 96 freedom of information requests across 14 European countries and EU bodies. The responses revealed widespread non transparency: Europol refused disclosure, Swedish police neither confirmed nor denied use, and 39 UK police departments gave no answer. This pattern suggests adoption may be far wider than confirmed.

The Supreme Court is now weighing the legality of a related technique: geofence warrants that compel Google to hand over every phone's location near a crime scene. ICE's use of surveillance technology is part of a broader pattern. The agency also recently admitted to using Graphite zero click spyware capable of reading encrypted messages, and the FBI confirmed it buys location data without warrants.

The Company Behind It

Cobwebs Technologies, the Israeli firm that built Webloc, was banned by Meta in its 2021 Threat Report on the Surveillance for Hire Industry after customer accounts were found "frequently targeting activists, opposition politicians and government officials."

Beyond Webloc, Cobwebs developed several other surveillance products: Tangles, a social media investigation platform with facial recognition capabilities that monitors Facebook, Instagram, TikTok, Telegram, and other platforms; Lynx, which facilitates undercover operations and fake social media accounts; and Trapdoor, described as a "social engineering platform" that creates phishing pages and potentially deploys malware. Citizen Lab identified Trapdoor servers across Kenya, Indonesia, Singapore, Hong Kong, the UAE, and Japan.

The company's founder, Omri Timianker, also holds indirect interest in Quadream, a spyware vendor that Citizen Lab previously documented targeting journalists and political opposition figures.

Why This Matters

Location data reveals far more than where someone is standing. As the Citizen Lab report notes, it can "reveal information about a person's home, workplace, family, friends, religion, political views, sexual orientation or health issues." When that data is available to law enforcement without judicial oversight, the surveillance possibilities are essentially unlimited.

The fundamental problem is structural. The advertising ecosystem was designed to maximize data collection for commercial targeting. Webloc simply repurposes that infrastructure for surveillance, and the UK just ruled that even real time facial recognition in public spaces is lawful. Every app that requests location permission, every ad auction that broadcasts your coordinates, and every SDK that phones home with your device ID contributes to a global tracking system that governments can purchase access to without a warrant.

How to Reduce Your Exposure

  • Reset your advertising ID regularly. On iOS, go to Settings, Privacy and Security, Tracking, and disable "Allow Apps to Request to Track." On Android, go to Settings, Privacy, Ads, and delete your advertising ID.
  • Audit app permissions. Remove location access from any app that does not strictly need it. Weather, games, shopping, and social media apps frequently request location data they do not need to function.
  • Use a privacy focused DNS. Services like NextDNS or AdGuard can block many of the ad tracking domains that feed the RTB ecosystem.
  • Avoid free apps that rely on advertising. The "free" business model funds itself by selling your data into exactly the pipeline that Webloc exploits. Paid alternatives with transparent privacy policies are worth the cost.
  • Disable Wi-Fi and Bluetooth scanning. Both can be used to infer your location even when GPS is turned off. Disable these in your device's location settings when not in use.

The Bigger Picture

Webloc is not an anomaly. It is the logical endpoint of an advertising industry that treats personal data as a commodity. When location data from 500 million devices is available for purchase, it is naive to expect that only marketers will buy it. Governments, intelligence agencies, and law enforcement have every incentive to tap into this pipeline, and as Citizen Lab has shown, many already have.

Until advertising data is regulated with the same rigor as wiretaps and search warrants, every app on your phone is a potential surveillance tool. The question is not whether your data is being collected. It is who is buying it and what they are doing with it.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.