
Ban the sale of precise geolocation


A deep dive into the risks of geolocation data sales and the rise of AI-assisted cyberattacks on government infrastructure.

It Is Time to Ban the Sale of Precise Geolocation

A recent deep dive into the American adtech surveillance system Webloc highlights the national security and privacy risks of pervasive and easily obtainable geolocation data. It brings home, once again, that the U.S. needs to clamp down on the collection and sale of geolocation data.

The report, from Citizen Lab, documents what Webloc says it can do, who uses the product, and its relationship with other commercial intelligence products.

Webloc was developed by Cobweb Technologies but is now sold by the U.S. firm Penlink after the two companies merged in 2023. A leaked technical proposal document, obtained by Citizen Lab, says that Webloc provides access to records from "up to 500 million mobile devices across the globe." These records contain device identifiers, location coordinates, and profile data from mobile apps and digital advertising.

The same document describes, with a striking amount of detail, how Webloc can be used to track individual devices and for target discovery. One man in Abu Dhabi was tracked up to 12 times a day, as his phone reported its location either from GPS or because it was near Wi-Fi access points. Another example pinpointed two devices that had been located in exact areas of both Romania and Italy at specified times. In both of these case studies, Citizen Lab's report describes the granular detail available in Webloc. It is, frankly, creepy.

The report also documents some of Webloc's current and former U.S. federal and state customers. On the list is the Department of Homeland Security, including Immigration and Customs Enforcement, units within the U.S. military, and the Bureau of Indian Affairs Police. At the state level, police departments and law enforcement agencies in California, Texas, New York, and Arizona have also been customers.

Citizen Lab highlights one Tucson police internal quarterly report that describes how Webloc was used to assist investigators. In one case it was used to locate a suspected serial cigarette thief by first identifying a single device that was nearby during every robbery. After each incident, the device would end up at the same address. As it turned out, the suspect was the partner of an employee at the first business to be hit.

It is worth noting that Webloc is not Penlink's flagship product. It is an optional add-on for their main tool, Tangles, a web and social media investigations platform. Per Citizen Lab:

According to leaked training manuals, government and commercial customers can search for keywords and personal identifiers like names, email addresses, phone numbers, and usernames to identify online accounts and then analyze what they post, their interactions, relationships, activities, event attendances, and interests. They can monitor and profile individuals, create "target cards," receive alerts, analyze geolocation information extracted from posts and photos, and perform network analyses, for example, to identify groups based on their mutual friends or workplaces.

As the information analyzed by Tangles is notionally publicly available, it does not present quite the same civil liberties concerns as Webloc does. Its integration with Webloc, however, is concerning. In some cases it will be possible to link theoretically anonymous mobile device identifiers to social media accounts, without requiring a warrant.

Each use described in this newsletter is a valuable investigative capability. But these capabilities should not be freely available to any organization that decides to purchase the tool. They are intrusive and should be subject to strong authorization and oversight procedures. The Tucson Police Department's procedures were not described in its report.

From a domestic perspective, legislation placing guardrails around how these tools are used by authorities is needed to protect the civil liberties of Americans. But there is a national security concern here, too.

If data can be used by American law enforcement agencies for their investigations, then that exact same data can be used by foreign intelligence services to target U.S. interests.

Citizen Lab reports that Penlink's overseas customers include Hungary's domestic intelligence agency and El Salvador's National Civil Police, so foreign authorities are making use of mobile geolocation data for their own domestic purposes. These organizations are internally focused, and we think it unlikely that Penlink's customers are targeting U.S. interests. But the point is that mobile geolocation data is available and can be used for intelligence purposes by organizations globally. It's naive to think capable adversaries won't acquire the data and build their own intelligence platforms (looking at you, China!).

The U.S. doesn't just need to stamp out unconstrained use of this data domestically. It needs to clamp down on the creation and sale of geolocation data itself.

There is some good news here. Just this week, the state of Virginia enacted a ban on the sale of customers' precise geolocation data. Proposed American privacy laws have not progressed in recent years, so this strikes us as a practical measure to begin addressing the problem. Of course, state-level bans are just a start. Let's hope a more comprehensive solution isn't too far behind.

AI Is Your Helpful Hacker Team

A new in-depth report from security firm Gambit details exactly how threat actors can leverage AI models to upskill and accelerate criminal activities.

The report has plenty of nitty-gritty technical detail about how a single hacker used two commercial AI platforms to breach nine Mexican government organizations. Within a matter of weeks, the individual was able to steal hundreds of millions of citizen records and build a tax certificate forgery service.

Gambit was able to reconstruct what happened by examining three virtual private servers the threat actor used. The campaign was human-directed, but Claude Code generated and ran about 75 percent of the remote code execution commands. Once networks were breached, OpenAI's GPT-4.1 API was used to help plan post-exploitation activities by analyzing data collected by automated reconnaissance.

© 2026 Now Let Us. All rights reserved.

Source: Hacker News
