A new Citizen Lab investigation found that governments around the world are using a service called Webloc, a geolocation surveillance system. The technology, developed by Cobwebs Technology and sold by its successor Penlink, uses the data of millions of people purchased from consumer apps and the digital advertising and data broker world.
From the public outrage that this type of Big Brother investigation sparks (governments using public data to spy on individuals) to the legality and the push of legislators and privacy advocates, there is a lot to unpack in this story. However, in this report, we will focus on 3 questions: Where are Webloc ads found? How does the technology work? And what can you do to keep your private data private?
Hackers are after your data, too
Where are Webloc ads found?
Citizen Lab reported that the data Webloc uses comes from different sources. And all of them are linked to the world of digital advertising and the data broker universe.
Webloc is not actually generating ads that collect and track your data. Rather, it buys that data from different vendors. These ads can be found in a wide range of places, including websites that display ads, social media, messaging platforms, and free apps that have ads. Additionally, there are other sources of data that this surveillance vendor uses. Let’s dive in.
Meet RTB: A global ad broadcast of users’ data, online behavior, recent purchases, and interests that is constantly transmitting
The technologies of Cobwebs Technology, including Webloc, use purchased RTB-based data. RTB data, which stands for real-time bidding, is data that is broadcast among advertisers. They bid in an auction for a place on your screen. Basically, most ad systems work in the same way. Every time you use a mobile app or website that displays ads, an auction takes place in real time. The highest bidder for that ad placement wins a spot on your screen.
While the data is not public, it is accessible to a lot of industry players. This real-time bidding data, Citizen Lab reports, is broadcast and shared with hundreds of digital marketing firms who participate in the bidding process. Citizen Lab reported that the data is broadcast without any security measures. Data brokers regularly access this data and can sell it to services like Webloc.
Some law enforcement agencies argue that RTB data is effectively public data and can be obtained without a warrant. Others, like 70 Democratic United States Senators, believe otherwise and called for an investigation into this issue. They say buying this data represents a “warrantless purchase of Americans’ location data.”
Software development kits (SDKs): Software-level trackers that gather your data
Citizen Lab explained that apps not only have tracking ads but also software-level third-party software that is tracking your data.
Another place where Webloc gets its data from is software development kits (SDKs), Citizen Lab reported. This data is tracked by software-level code embedded by design into apps that you may install on your iPhone or Android. If you have a mobile device emulator on your desktop, SDKs are also there.
Other sources of public data
Webloc also uses raw data from data brokers, collected from different types of sources. This data may include a device identifier, a timestamp, and other attributes that describe a person’s behavior or characteristics, such as their current geolocation, Citizen Lab said.
It is highly likely that Webloc also obtains data from other points.
To summarize, ads and trackers that gather your data may deliver them into the hands of data brokers. They, in turn, sell them to systems like Webloc. The data can be found on:
- All types of apps at the software level
- All types of websites and platforms
- Ads within apps
- Links with sponsored content
- Social media messages and posts.
If ads reach AI chatbots and AI apps, we might have to add those to this list in the future.
Data that feeds systems like Webloc also comes from:
- Public databases
- Real-time bidding broadcasts
- Other public sources
As an important note, Citizen Lab reported that the data used by these technologies is not just live data. It can be traced back through up to 3 years of historical data.
How does Webloc technology work?
The true capabilities of Webloc and similar software aren’t just their raw data feed points but what the software can actually do with that data. Let’s look at some basic tech concepts and how the tech works.
The use of publicly accessible data and open-source data is known as OSINT or open-source intelligence. When you combine OSINT with the data broker ecosystem, you get something like Webloc, a company that uses public data broker data for intelligence and surveillance.
Before we dive into how exactly these technical features work, it is important to note that the developer offers a suite of interconnected tools. These tools include premium AI add-ons, Tangles for social media, and a trapdoor for targeting. For the sake of clarity, and so as not to confuse the reader with a plethora of names, we will refer to the entire ecosystem of capabilities as Webloc technologies.
Heat maps, “trapdoors,” and “one-click dossiers”: It’s not just about the data, but how it’s used
It’s nothing new for the data of billions of people to be streamed, bought, and sold online, in bulk and in select groups, every day. This is how digital advertising and the broader data broker world work. However, the true question is how capable a technology is in generating insights from the raw data it gathers.
For example, a spreadsheet of live coordinates showing the real-time locations of a couple thousand people isn’t very insightful. It may even appear harmless. However, if a vendor develops a software feature that can use that data to create live heatmaps of how those thousands of people move in real time, things get interesting (for lack of better word).
Similarly, a pure text file containing raw text data of real-time bidding systems, by itself, doesn’t look like much. But consider what happens if a software feature allows users to search those databases for specific data points. An example could be, “List all individual devices in Orange County that recently purchased a specific brand and color vehicle, and have an interest in traveling.” At this point, the tech becomes a tracker or “trapdoor.”
Citizen Lab reported that the “trapdoor” can be used to track specific individuals. And they believe it can be used to install malware or additional tracking software on the targeted device.
Both examples given above, the heatmap and the trapdoor, are actual features that Citizen Lab reports Webloc and other Cobweb Technologies products have.
Besides trapdoors and live heat maps, Cobweb Technologies products reportedly have AI-powered features, including facial and image recognition, the ability to infer home and work addresses, relationship mapping between devices, blockchain analysis tools to deanonymize cryptocurrency transactions, and AI predictive analysis based on an individual’s patterns.
Another feature reported by Citizen Lab of these Webloc technologies is the ability to generate “one-click dossiers.” When tracking a person, these technologies do more than just show a dot on a map. Through the Tangles interface, for example, an operator can click on a location data point to instantly cross-reference it with scraped social media profiles and facial recognition. This process results in the creation of a “Target Card” or, as we call it, a “one-click dossier.”
How do digital trackers, tracking pixels, and SDKs collect your data?
As mentioned, not all apps, websites, social media, and software-level features can gather, track, and exfiltrate your data, but many do. Here’s a look at how this is done.
Digital trackers, such as tracking pixels and SDKs, collect data by embedding a tiny, invisible 1×1 pixel image or a snippet of code into an advertisement, email, or webpage.
When the content loads, the pixel sends a “ping” back to the advertiser’s server. This transmits a wealth of information, including your IP address, device type, operating system, and precise timestamps.
This process allows companies to bridge the gap between your browsing habits and your real-world identity. It enables them to track your movements across different platforms, monitor which ads you interact with, and even determine your physical location without you ever clicking a link.
What can you do to keep your data private and avoid Webloc, data brokers, or other data trackers?
The digital advertising ecosystem and its data—as well as the broader global data broker industry, which feeds a wide range of sectors, including commercial spyware and surveillance services—is not going anywhere. Despite laws breaking ground to protect user data privacy, like the GDPR, or the California Privacy Act (both replicated in countries, states, and regions across the world), this ecosystem is something users have to deal with.
This means that a lot of the responsibility for what happens to your data, unfortunately, falls on your end. However, this is not necessarily bad news. There is a lot you can do, if you want to, about your data privacy.
Use safe private browsers and ad blockers
Using a safe, private-by-design browser like Duck Duck Go or Safari with its privacy configurations set at the max level will naturally and significantly reduce how much data you share with online sites you visit. To go even further, consider a respected and trusted ad blocker browser extension. Combining these 2 technologies will improve your privacy.
Get Moonlock. It has built-in encryption tunneling for safe browsing and can block servers in specific countries.
In addition to checking every file you interact with on your Mac, including emails and Terminal commands, for malware signatures and suspicious behavior, the Moonlock antivirus provides a secure, encrypted tunnel via its built-in VPN. This protects your browsing data from external surveillance. It also makes your browsing invisible to snoopers and data brokers.
Additionally, the Moonlock app comes with a dedicated user-centered feature designed to help you develop good digital practices. This will help you better protect your online privacy. Finally, if you are worried about how your data is being handled in some countries, you can use the Moonlock app to block specific locations.
You can check out the Moonlock app for free with a free trial.
Read privacy policies before checking the “Agree to Terms” box
A lot of the data being used by the data broker industry is information that you, likely without being fully aware of it, gave consent to use. When you download an app or use new software, always read the privacy policy.
Privacy policies will detail what an app is doing with your data and whether it collects it and sells it. Remember, when you click on that small box that says “Agree to Our Terms,” you are agreeing to a legal contract between you and the app developer or manager. If the privacy policy clearly states that your data will be sold, you agree to that when you check the box.
Reduce your digital surface: Apps, online sites, and software. Keep only what you need.
Besides the above, a good way to increase your privacy is to reduce your digital surface (or footprint). This means keeping only the basic, truly essential apps, software, and sites you actually use and need. This will not only increase your privacy but also your security.
Is my country using Webloc?
Citizen Lab’s investigation found that Webloc servers are located around the world. They are found in the United States, the United Kingdom, Israel, the Netherlands, Germany, Sweden, Norway, Italy, France, Ireland, Hungary, Poland, Cyprus, Mexico, Colombia, Brazil, Australia, Japan, Singapore, Hong Kong, India, Indonesia, the United Arab Emirates, Iraq, and Kenya.
While these servers do not represent customers, known clients of Webloc include the Hungarian domestic intelligence, the national police in El Salvador, ICE, the U.S. military, the Texas Department of Public Safety, DHS West Virginia, NYC district attorneys, and several police departments in Los Angeles, Dallas, Baltimore, Tucson, and Durham, and smaller cities and counties like the City of Elk Grove and Pinal County.
The technology might also be in use in Europe and the U.K., which Citizen Lab reported were “highly non-transparent about their potential use of ad-based surveillance.” Citizen Lab’s analysis of corporate records and other public information indicates that Cobwebs Technologies is linked to the spyware vendor Quadream.
Final thoughts
While not all apps, nor all ads, are designed and coded to track and extract your data, some are. In this report, we briefly laid out the more technical issues involved in this story. We also outlined the digital ecosystem that makes these technologies possible. We asked and answered 3 simple questions: Where are ads that track your data found? How does the technology work? And what can you do about it?
The full Citizen Lab report, which deserves a careful read and will likely trigger a great number of breaking news reports and investigations, can be found here.
