The advertising ecosystem was built to sell products. The infrastructure it created now also runs mass government surveillance. Every mobile app that displays ads participates in a real-time bidding system that broadcasts your device's location, identifiers, and behavioural data to dozens of third parties per ad impression. Penlink, through its Webloc product, taps that stream and turns it into a surveillance database covering hundreds of millions of devices globally.
Citizen Lab published a full technical breakdown on April 9, 2026. The analysis documents how Webloc collects location data through SDK-based tracking software embedded in mobile apps and through the real-time bidding infrastructure that underpins digital advertising. From those two pipelines, Webloc builds location histories tied to Mobile Advertising IDs, cross-referenced with GPS coordinates, Wi-Fi networks, and IP addresses. It retains three years of historical records and updates device locations every four to twenty-four hours. The system tracks hundreds of millions of devices and logs device characteristics including age, gender, language, and the full list of installed apps.
The customer list is long and specific. In the United States it includes ICE, the US Navy Office of Naval Intelligence, the US Army Space and Missile Defense Command, the Bureau of Indian Affairs Police, and state and local agencies in West Virginia, Texas, California, Maryland, Arizona, North Carolina, and New York. Tucson PD purchased access through a border security grant and expanded use to routine cases involving cigarette thefts and protest surveillance. Texas agencies tracked individuals at immigration checkpoints and retail locations, with no record of warrants appearing in court documents. No warrant is required because no warrant triggers when a government agency buys data a commercial broker already holds. The purchase is legal. The gap in privacy law is structural.
In March 2026, Hungarian domestic intelligence acquired six Webloc licences through a local broker. Citizen Lab confirmed this is the first documented deployment of ad-based geolocation surveillance in Europe. Ninety-six freedom of information requests sent to European governments produced few useful responses. Most were rejected. The technology moved into Europe with no transparency, no public debate, and no legal challenge on record.
Cobwebs Technologies, the Israeli company that built Webloc, merged with Penlink in 2023. Meta banned Cobwebs in 2021 for running fake account operations targeting activists, opposition politicians, and government officials. Cobwebs' founder holds indirect interests in spyware vendor Quadream. The infrastructure now deployed across US federal agencies and European intelligence services was built by a company banned from the world's largest social network for targeted harassment. None of that disqualified it from government contracts.
Every app that runs ads is a sensor. It reads your location and sells access to it continuously. The ad ecosystem was designed for that, and Penlink is one of dozens of companies buying what that ecosystem produces. You cannot opt out by reading a privacy policy or adjusting a single app setting. The data leaves the moment ads load. Webloc just happens to be the product that turned mass ad data into a named government surveillance service. There are others.
Blackout VPN exists because privacy is a right. Your first name is too much information for us.
Keep learning
FAQ
What is Webloc and how does it collect location data?
Webloc is a geolocation surveillance product sold by Penlink. It collects data from SDK-based tracking software embedded in mobile apps and from the real-time bidding system that runs digital advertising. Both systems broadcast device identifiers and location data continuously. Webloc aggregates that stream into three years of historical movement records per device.
Do government agencies need a warrant to buy this data?
No. Buying commercially held data does not trigger the warrant requirements that apply to direct government surveillance. Agencies purchase what brokers already hold. The gap is a known feature of current US privacy law, not a loophole.
Which government agencies are confirmed Webloc customers?
ICE, the US Navy Office of Naval Intelligence, the US Army Space and Missile Defense Command, the Bureau of Indian Affairs Police, and multiple state and local agencies including Tucson PD, Texas DPS, Los Angeles PD, Dallas PD, and NYC District Attorneys.
Does a VPN prevent this kind of tracking?
A VPN masks your IP address and prevents your ISP from seeing your traffic, but it does not stop apps from reading your GPS location and sending it to ad networks. Reducing this exposure requires limiting ad-enabled apps, disabling location permissions, or using a device with no advertising ID. A VPN is one layer of a broader reduction strategy.
Is this happening outside the United States?
Yes. In March 2026, Hungarian domestic intelligence acquired Webloc licences. Citizen Lab confirmed this is the first documented deployment of ad-based geolocation surveillance in Europe. Ninety-six freedom of information requests to European governments produced few useful responses.