Webloc: How Police Tracked 500M Devices Using Ad Data

Michael Miller · 2026-04-11

Here's something that might make you think twice about those targeted ads you see every day. A recent investigation by Citizen Lab revealed that law enforcement agencies across the globe have been using a surveillance tool called Webloc to track an astonishing 500 million devices. They're doing it through advertising data, which feels like turning our daily digital breadcrumbs into a global tracking system. It's not just one country either. Hungarian domestic intelligence used it. The national police in El Salvador deployed it. And several U.S. law enforcement and police departments have been attributed to using this advertising-based global geolocation surveillance system. That's right—the same ads that show you shoes you looked at once are potentially being used to map movements on a massive scale. ### How Webloc Turns Ads Into Surveillance Webloc works by collecting location data from mobile advertising networks. You know how apps ask for location permissions? Many share that data with ad networks to serve you relevant ads. Webloc taps into that stream, creating what's essentially a global surveillance network built on commercial advertising infrastructure. Think about it like this: every time you see a location-based ad, there's a data point being created about where you are. Webloc aggregates millions of these data points, creating detailed movement patterns. The tool was originally developed by Israeli company Cobwebs Technologies and is now sold by its successor Penlink after the two firms merged in July 2023. ### The Scale Is Staggering 500 million devices. Let that number sink in for a moment. That's nearly two-thirds of the United States population tracked through their digital footprints. The system doesn't just show where you are right now—it can create movement histories, identify patterns, and even predict where you might go next. Here's what makes this particularly concerning: - The data collection happens without most people realizing it - It uses infrastructure that already exists (ad networks) - The scale is global, not limited by national borders - Law enforcement can access this without traditional warrants in many cases As one privacy researcher noted, "We've built the perfect surveillance tool and called it targeted advertising." ### Who's Using This Technology? The list of agencies using Webloc reads like an international security conference roster. Hungarian intelligence services have deployed it for domestic surveillance. El Salvador's national police used it during their crackdown on gang violence. And in the United States, multiple law enforcement agencies have reportedly utilized the system, though specific departments haven't been fully disclosed. What's interesting is how this represents a shift in surveillance methodology. Instead of building expensive, dedicated tracking systems, agencies are leveraging existing commercial infrastructure. It's cheaper, more scalable, and already integrated into our daily digital lives. ### The Privacy Implications Are Huge This raises serious questions about digital privacy in the advertising age. Most people accept location tracking for personalized ads without realizing that data could end up in law enforcement databases. The consent model is fundamentally broken when data collected for commercial purposes gets repurposed for surveillance. Consider these points: - Advertising IDs on your phone become tracking beacons - Location data collected for ads creates movement histories - Aggregated data reveals patterns about communities and individuals - There's often no clear legal framework governing this type of surveillance ### What This Means for Digital Professionals If you work with digital advertising, data analytics, or privacy compliance, this development should be on your radar. The lines between commercial data collection and government surveillance are blurring in ways that could impact how we design systems and implement privacy protections. We need to have honest conversations about: - Data minimization practices - Clear user consent mechanisms - Transparency about data sharing - Legal protections against surveillance repurposing The Webloc case shows how technologies developed for one purpose (targeted advertising) can be adapted for entirely different uses (mass surveillance). As digital professionals, we have a responsibility to consider these potential downstream effects when building systems. ### Looking Ahead: Privacy in the Age of Ad-Based Surveillance This isn't just about one tool or one investigation. It's about a fundamental shift in how surveillance operates in the digital age. When commercial infrastructure becomes surveillance infrastructure, we all need to pay attention. The conversation needs to move beyond whether targeted advertising is annoying to whether the data collection behind it creates surveillance risks. As more agencies discover they can access detailed movement data through ad networks, we'll likely see increased use of these methods. Protecting privacy in this environment requires new approaches—both technical and legal. We need systems that give users real control over their data and clear boundaries about how that data can be used. Otherwise, we risk creating a world where every digital interaction becomes a potential surveillance point. Remember, the ads themselves aren't the problem. It's what happens to the data behind them that matters. And right now, that data is telling stories about 500 million devices that their owners might not want told.