Penlink Webloc Surveillance Tool Tracks 500 Million Mobile Devices Using Ad Networks, Citizen Lab Finds

A Citizen Lab investigation has exposed Webloc, a commercial surveillance system operated by U.S.-based Penlink that harvests real-time location data from up to 500 million mobile devices by tapping into digital advertising networks — without requiring a warrant. The report, published April 9, documents how law enforcement agencies across the United States, Hungary, and El Salvador have used the tool to monitor phones at a neighborhood scale, raising serious constitutional concerns about warrantless mass surveillance. The findings follow a broader pattern of growing government scrutiny of digital infrastructure vulnerabilities and the tools available to both protect and exploit them.
How Webloc Harvests Location Data Without Warrants
Webloc operates through two channels. The first is real-time bidding (RTB): every time a user opens an app or website containing advertisements, their device data — including precise GPS coordinates — is broadcast in milliseconds to marketing firms bidding for the ad slot. Penlink intercepts this data stream. The second channel is software development kits (SDKs) embedded in consumer apps such as games, weather tools, and fitness applications, which continuously transmit location data to third-party vendors. Penlink purchases this data through intermediaries.
The system accesses device identifiers, timestamps, precise geolocation coordinates, home and workplace addresses, app usage patterns, and inferred personal attributes including age, gender, income, and health conditions. It stores up to three years of historical location data per device. According to the Citizen Lab report, one procurement document describes the capability to "automate and continuously monitor unique mobile advertising IDs, geolocated IP addresses, and connected devices" — a level of persistent surveillance that would otherwise require a court order under traditional wiretap law.
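The bid-request exposure described above can be audited and reduced before data leaves an app or exchange. The following is an added example, not code from Citizen Lab, Penlink, or any ad exchange: it assumes OpenRTB 2.x field names (`device.ifa`, `device.ip`, `device.geo`, `user`), runs on a constructed sample request, and the two-decimal rounding and /24 truncation are illustrative choices.

```python
import copy

# Constructed bid request (OpenRTB 2.x field names, not captured traffic).
SAMPLE = {
    "id": "req-0001",
    "app": {"bundle": "com.example.weather"},
    "device": {
        "ifa": "00000000-1111-2222-3333-444444444444",  # mobile advertising ID
        "ip": "203.0.113.57",
        "geo": {"lat": 40.712776, "lon": -74.005974, "type": 1, "accuracy": 12},
    },
    "user": {"id": "u-abc", "yob": 1988, "gender": "F"},
}

# Dotted paths that identify a device or person, or place it precisely.
SENSITIVE = ("device.ifa", "device.ip", "device.geo.lat", "device.geo.lon",
             "user.id", "user.yob", "user.gender")

def _get(obj, path):
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def audit(req):
    """Return the sensitive paths present in a bid request, sorted."""
    found = [p for p in SENSITIVE if _get(req, p) is not None]
    # geo.type 1 means the fix came from GPS/location services, not IP lookup.
    if _get(req, "device.geo.type") == 1:
        found.append("device.geo.type=gps")
    return sorted(found)

def minimize(req, decimals=2):
    """Copy the request with identifiers dropped and location coarsened."""
    out = copy.deepcopy(req)
    dev = out.get("device", {})
    dev.pop("ifa", None)
    if "ip" in dev and dev["ip"].count(".") == 3:
        dev["ip"] = dev["ip"].rsplit(".", 1)[0] + ".0"  # keep the /24 only
    geo = dev.get("geo", {})
    for axis in ("lat", "lon"):
        if axis in geo:
            geo[axis] = round(geo[axis], decimals)  # 2 decimals is about 1 km
    geo.pop("accuracy", None)
    for key in ("id", "yob", "gender"):
        out.get("user", {}).pop(key, None)
    return out
```

`audit` reports which fields are present, not how precise they are, so a minimized request still lists the coarsened `device.geo` and `device.ip` fields.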
Who Is Using It and Where
Immigration and Customs Enforcement (ICE) contracted Penlink for over $5 million in September 2025. Other confirmed U.S. users include the U.S. military, the Texas Department of Public Safety, DHS West Virginia, and police departments in Los Angeles, Dallas, Baltimore, Tucson, and Durham. ICE has used the tool to monitor all phones present in entire neighborhoods simultaneously — a capability that civil liberties advocates argue constitutes unconstitutional mass surveillance.
Outside the U.S., Hungarian domestic intelligence agencies have used Webloc since at least 2022, likely in violation of the EU's GDPR. El Salvador's national police have also been documented customers since 2021. Penlink itself was founded in 1987 as a traditional wiretap software vendor; Webloc extended Penlink's product line into warrantless mass surveillance following the company's merger with Israeli firm Cobwebs Technologies in July 2023.
Why This Changes the Surveillance Debate
The legal framework governing law enforcement surveillance was built around the premise that bulk location tracking requires a warrant. Webloc circumvents this entirely by purchasing commercially available advertising data — data that individuals unknowingly generate simply by using free apps. The Citizen Lab finding is significant not only for what it reveals about Penlink, but for what it confirms about the broader ad-data ecosystem: the same infrastructure that powers targeted advertising has become a plug-and-play surveillance tool for governments worldwide. This mirrors concerns raised about supply chain vulnerabilities in developer tools — where trusted infrastructure is exploited in ways users never anticipated.
Frequently Asked Questions
What is Webloc and how does it track phones?
Webloc is a surveillance system operated by Penlink that collects real-time location data from up to 500 million mobile devices using digital advertising networks and SDK data from consumer apps — without requiring a warrant. It gives law enforcement persistent access to device location, home address, workplace, and up to three years of historical movement data.
Is Webloc legal in the United States?
Penlink argues the data is legally obtained as commercially available advertising data. Critics and civil liberties advocates counter that purchasing location data to conduct warrantless surveillance circumvents Fourth Amendment protections. No court has definitively ruled on whether ad-data-based mass surveillance requires a warrant.
Which US agencies use Penlink's Webloc?
Confirmed US users include ICE (which signed a $5M+ contract in September 2025), the U.S. military, Texas Department of Public Safety, DHS West Virginia, and police departments in Los Angeles, Dallas, Baltimore, Tucson, and Durham, among others.
The Bottom Line
Webloc is the clearest documented example yet of commercial advertising infrastructure being repurposed as a mass surveillance tool for governments. The Citizen Lab report demonstrates that 500 million people's precise location data — their homes, workplaces, places of worship, and daily routines — is being sold to law enforcement without their knowledge or consent, and without a warrant. The question of whether purchasing data constitutes surveillance that requires judicial oversight is now squarely before policymakers and courts.