A surveillance tool called Webloc tracks up to 500 million mobile devices worldwide, and anyone with enough money can buy the data without a warrant.
Citizen Lab exposed the tool in a new report. Now sold by Penlink after a 2023 merger with Cobwebs Technologies, Webloc collects device identifiers, location coordinates, and profile data from mobile apps and ad tech infrastructure. One man in Abu Dhabi was located up to 12 times daily through GPS and Wi-Fi access point data. Two devices were pinpointed at specific locations in Romania and Italy at exact times.
DHS, ICE, military units, and police departments across California, Texas, New York, and Arizona have all been customers. Tucson police caught a serial cigarette thief by finding a single device near every crime scene and tracing it to a consistent address.
Webloc plugs into Penlink's main product, Tangles. Tangles lets government and commercial customers search personal identifiers, monitor individuals, create "target cards," and run network analyses on social media data. The integration means theoretically anonymous mobile device identifiers can be linked to social media accounts. No warrant needed.
As Tom Uren notes in Lawfare, if American law enforcement can buy this data, foreign intelligence services can too. And they do. Penlink counts Hungary's domestic intelligence agency and El Salvador's National Civil Police as customers. The supply chain is simple: mobile app developers embed location-tracking SDKs, data brokers like Venntel and Babel Street aggregate the location data, and government surveillance tools buy it.
The threat is growing faster than regulators can track it. Security firm Gambit documented a single hacker using AI tools like Claude Code and GPT-4.1 to breach nine Mexican government organizations in weeks, stealing hundreds of millions of citizen records. The same commercial accessibility that makes your location data a commodity makes AI-powered attacks cheaper and faster.
Virginia just banned the sale of precise geolocation data. The law prevents data brokers from selling location information that could identify where you live or where you seek medical care. It's a practical start.
But state laws create a patchwork. A data broker operating from another state can still sell your location. Foreign intelligence services shopping for American phone data won't stop because Virginia passed a law. The only fix is federal legislation that cuts off the supply chain everywhere.
Your phone knows where you sleep. That information shouldn't be for sale to anyone with a credit card.