GoKawiilIt Is Time to Ban the Sale of Precise Geolocation
A recent deep dive into the American adtech surveillance system Webloc highlights the national security and privacy risks of pervasive and easily obtainable geolocation data. It brings home, once again, that the U.S. needs to clamp down on the collection and sale of geolocation data.
The report, from Citizen Lab, documents what Webloc says it can do, who uses the product, and its relationship with other commercial intelligence products.
Webloc was developed by Cobweb Technologies but is now sold by the U.S. firm Penlink after the two companies merged in 2023. A leaked technical proposal document, obtained by Citizen Lab, says that Webloc provides access to records from "up to 500 million mobile devices across the globe." These records contain device identifiers, location coordinates, and profile data from mobile apps and digital advertising.
The same document describes, with a striking amount of detail, how Webloc can be used to track individual devices and for target discovery. One man in Abu Dhabi was tracked up to 12 times a day, as his phone reported its location either from GPS or because it was near Wi-Fi access points. Another example pinpointed two devices that had been located in exact areas of both Romania and Italy at specified times. In both of these case studies, Citizen Lab's report describes the granular detail available in Webloc. It is, frankly, creepy.
The report also documents some of Webloc's current and former U.S. federal and state customers. On the list is the Department of Homeland Security, including Immigration and Customs Enforcement, units within the U.S. military, and the Bureau of Indian Affairs Police. At the state level, police departments and law enforcement agencies in California, Texas, New York, and Arizona have also been customers.
Citizen Lab highlights one Tucson police internal quarterly report that describes how Webloc was used to assist investigators. In one case it was used to locate a suspected serial cigarette thief by first identifying a single device that was nearby during every robbery. After each incident, the device would end up at the same address. As it turned out, the suspect was the partner of an employee at the first business to be hit.
It is worth noting that Webloc is not Penlink's flagship product. It is an optional add-on for their main tool, Tangles, a web and social media investigations platform. Per Citizen Lab:
According to leaked training manuals, government and commercial customers can search for keywords and personal identifiers like names, email addresses, phone numbers, and usernames to identify online accounts and then analyze what they post, their interactions, relationships, activities, event attendances, and interests. They can monitor and profile individuals, create "target cards," receive alerts, analyze geolocation information extracted from posts and photos, and perform network analyses, for example, to identify groups based on their mutual friends or workplaces.
As the information analyzed by Tangles is notionally publicly available, it does not present quite the same civil liberties concerns as Webloc does. Its integration with Webloc, however, is concerning. In some cases it will be possible to link theoretically anonymous mobile device identifiers to social media accounts, without requiring a warrant.
... continue reading