Mastodawn

We publish a major Citizen Lab report on Webloc, an ad-based mass surveillance system that monitors the movements and personal characteristics of hundreds of millions people globally based on data obtained from mobile apps and digital advertising.

Customers include ICE, El Salvador and Hungary.

Our research shows that ad-based surveillance is now used by military, intelligence and law enforcement agencies down to local police in several countries.

Full report here:
https://citizenlab.ca/research/analysis-of-penlinks-ad-based-geolocation-surveillance-tech/

Wolfie Christl 12h ago

Alongside our report, Hungarian journalist Szabolcs Panyi publishes a VSquare investigation which reveals that Hungarian domestic intelligence has used Webloc since at least 2022, and still does today.

This is the first confirmation of the use of ad-based surveillance technology in Europe:
https://vsquare.org/orban-spying-toolkit-cobwebs-webloc-hungary-spyware-citizen-lab

Orbán’s Spying Kit Revealed: Israeli Surveillance Tool Combined with Hungarian Technology - VSquare.org

Intelligence agencies of Viktor Orbán's government have been secretly using Webloc — a mass surveillance tool that tracks hundreds of millions of people via smartphone advertising data — making Hungary the first confirmed EU country to deploy it, in likely violation of GDPR. Moreover, our investigation confirms the existence of "homegrown" OSINT and spyware tools.

VSquare.org

Wolfie Christl 12h ago

i and my colleagues at the University of Toronto's Citizen Lab spent months investigating Webloc, its capabilities and customers, based on public records, leaked docs, freedom of information requests and technical analysis.

Webloc is an add-on to the social media and web intelligence system Tangles, both developed by Israeli Cobwebs Technologies and since 2023 sold by US-based vendor Penlink.

Wolfie Christl 12h ago

This screen, from a leaked 2021 document, shows how Webloc tracked a person travelling from Germany via Austria to Hungary.

The system obtains the data from everyday consumer apps installed on phones. The data is tied to mobile device IDs typically used for ad targeting, which identify a phone and its owner.

The systematic misuse of this data for tracking and profiling in digital marketing is already highly problematic. Misusing it for government surveillance is another level of disastrous.

Wolfie Christl 10h ago

Another screen from the same 2021 doc shows how Webloc tracked a male person in Abu Dhabi, who has 141 apps installed on his phone, some of which sent 81 GPS location records to the system over the past 5 days.

He was also located based on Wi-Fi access points nearby his phone 110 times.

The activity graph on the right bottom indicates that the system tracked his location up to 12 times a day.

The code shown at the right top is the so-called 'Advertising ID' that identifies his mobile device.

Wolfie Christl 10h ago

Here's how Webloc displayed a targeted person's profile information in 2021, in this example a Hungarian who used a Samsung S8 phone with the language set to English.

The profile also lists “user segments” typically used in digital advertising, which can be much more sensitive than the ones shown here.

Wolfie Christl 10h ago

Penlink claims that Webloc doesn't process age, gender & ad targeting categories anymore today but 'merely' location records tied to device identifiers.

Location data can reveal a person's home, workplace, family, friends, habits, interests and more. Misusing it for government surveillance is highly problematic.

Another 2021 screen shows how Webloc displays location records in Street View, all of them possibly associated with a person who was frequently located in front of a certain house.

Wolfie Christl 10h ago

Our research shows that Webloc was used by El Salvador National Civil Police.

In the US, it is or was used by ICE, the US military, Texas Department of Public Safety, DHS West Virginia and several police departments in Los Angeles, Dallas, Baltimore, Tucson, Durham down to smaller cities/counties like City of Elk Grove and Pinal County.

Public records indicate that an even larger number of US federal, state and local agencies bought Tangles. Some of them might also use the Webloc add-on.

Wolfie Christl 9h ago

There might be other Webloc customers.

In Europe and the UK, we sent 96 freedom of information requests to law enforcement agencies in 14 countries and to 6 EU bodies. Many were rejected or received no response.

Some responses are interesting, including those from Europol, the UK Home Office and the Swedish Police Authority.

We believe that further research would also be fruitful with respect to potential Webloc purchases in Italy, Netherlands, Austria, Israel, Mexico, Vietnam and Singapore.

Wolfie Christl 8h ago

We also did some technical research. After receiving a tip from Amnesty Security Lab's @DonnchaC, we identified 219 active servers located in at least 21 countries that we consider to be associated with deployments of Tangles, Webloc or other products developed by Cobwebs Technologies.

Those servers are located in the US, UK, NL, DE, FR, SE, NO, IE, CY, AU, SP, MX, CO, SG, HK, ID, IN, IL, AE, IQ, KE, many of them hosted via MS Azure.

115 of them displayed a Tangles login page in the browser.

Wolfie Christl 7h ago

We briefly investigated two other Cobwebs products:

- Lynx, which helps facilitate undercover ops on the web and manage fake accounts

- Trapdoor, which appears to help trick people into revealing information. Our analysis leads us to believe that it can help facilitate the deployment of malware on devices

We do not know whether Trapdoor and Lynx are still being sold by Penlink.

Wolfie Christl 6h ago

Trapdoor has rarely been reported or mentioned anywhere.

We discovered a Vietnamese requirements doc and servers located in Kenya and Indonesia that display Trapdoor login pages, which contain publicly available Javascript code for its admin interface.

The source code and the doc suggest that Trapdoor can help send phishing links that lead to fake web pages, which can open hidden tabs in the browser, extract passwords, access camera and microphone, and even deliver "files or payloads".

Wolfie Christl 6h ago

We also investigate corporate networks.

Cobwebs Technologies, founded in 2015 by former members of IDF special forces and intel units, merged with Penlink in 2023/24.

Cobwebs' founder and long-term president, who now oversees Penlink's global operations, holds an indirect interest in the spyware vendor Quadream.

A former Cobwebs exec and investor is a key investor in Quadream, whose spyware was used to target civil society, journalists and political opposition figures:
https://citizenlab.ca/research/spyware-vendor-quadream-exploits-victims-customers/

@wchr Wow. Shouldn’t this be illegal according to EU regs? Or is this fair use / otherwise ok with GDPR?

@wchr wann wird Ungarn aus der EU geworfen?

Petr Skála 9h ago

thriftwicker 8h ago

@wchr Ad based surveillance. Now there is a fun little twist on the dystopian hellhole.