Researchers at The Citizen Lab have uncovered Webloc, a geo surveillance system that provides real-time access to location records from up to 500 million mobile devices. The system exploits location data collected through mobile apps and digital advertising networks.
What is Webloc?
Webloc operates as an ad-based surveillance infrastructure that aggregates location data from mobile devices at scale. The system provides subscribers with constantly updated streams of geolocation records, enabling tracking of device movements across vast populations.
How it works
The system collects location information primarily through two channels: mobile applications and digital advertising ecosystems. Apps and ad networks routinely gather precise location data from users' devices, often with limited transparency about how that information will be used or shared.
Scale and implications
With potential access to 500 million devices, Webloc represents one of the largest documented location surveillance operations. Location data of this granularity can reveal detailed patterns about individuals' lives—where they work, worship, seek medical treatment, spend leisure time, and associate with others.
Privacy concerns
The investigation raises significant questions about data broker practices and the lack of oversight in location data markets. Users typically provide location permissions for specific app functions, unaware their data feeds into broader surveillance infrastructure.
Location tracking at this scale enables various harms: discriminatory targeting, stalking, political profiling, and law enforcement abuse. The system's integration with advertising networks suggests commercial motivations drive its operation.
Context
The discovery adds to growing evidence that location data markets operate with minimal regulation. Previous research has documented how data brokers and ad networks monetize location information, often derived from users who have little awareness their data is being aggregated and resold.
The Citizen Lab's findings underscore the tension between mobile app functionality and privacy. Even as regulators worldwide consider stricter data protection measures, surveillance capabilities continue expanding through opaque supply chains.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.
Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.
A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.