Citizen Lab Exposes Webloc: Ad-Tech Data Repurposed to Track 500M Devices

Citizen Lab researchers have documented how law enforcement agencies tapped a commercial location-intelligence platform called Webloc to surveil roughly 500 million devices, sourcing the underlying signals from the real-time bidding (RTB) ecosystem that powers programmatic advertising. The data — precise GPS coordinates, mobile advertising IDs, and device metadata — flows out of ad exchanges as a side effect of bid requests, where any participating buyer can quietly siphon and warehouse it instead of using it to serve ads.

The finding reinforces a structural problem the ad-tech industry has long minimized: bid-stream data is effectively a global, near-real-time location feed that operates outside the warrant process and the consent frameworks users assume apply to their phones. Brokers package and resell that feed to government customers, sidestepping legal scrutiny that would attach to compelling the data directly from a carrier or platform.

The disclosure adds weight to ongoing regulatory pressure on data brokers and the RTB pipeline itself, and it highlights why mobile advertising IDs, app-level location permissions, and unconstrained bid-request distribution remain a privacy attack surface no individual user setting can fully close.