Ban the Sale of Precise Geolocation Data Now
Filmogaz.com reviewed a new Citizen Lab report that exposes wide access to precise mobile geolocation data. The research raises privacy and national security alarms.
What Webloc can access
The tool, Webloc, was developed by Cobweb Technologies. Penlink began selling it after a 2023 merger.
A leaked technical proposal obtained by Citizen Lab says Webloc can access records from up to 500 million mobile devices. Those records include device identifiers, location coordinates, and profile data from apps and digital advertising.
Examples of granular tracking
Citizen Lab documented case studies showing frequent location pings. One individual in Abu Dhabi was located up to 12 times per day.
Another case showed two devices present at precise spots in Romania and Italy at specific times. The report highlights the granularity of the dataset.
Who uses the system and why it matters
The report lists U.S. federal customers, including the Department of Homeland Security and Immigration and Customs Enforcement. It also names military units and the Bureau of Indian Affairs Police.
State and local agencies in California, Texas, New York, and Arizona have used Webloc. Tucson police used it in an investigation that identified a device present at several robberies. That device was traced to the partner of an employee at the first targeted business.
Integration with other tools
Webloc is an optional add-on to Penlink’s Tangles platform. Tangles analyzes public web and social media content.
Training materials reveal searches by name, email, phone number, and usernames. Investigators can build profiles, create alerts, and analyze geotagged posts.
When linked, Webloc and Tangles can connect device identifiers to social accounts without a warrant. That capability heightens civil liberties concerns.
Policy and security implications
Citizen Lab also lists foreign customers, including Hungary’s domestic intelligence agency and El Salvador’s National Civil Police. Those relationships show global demand for mobile geolocation data.
Experts warn that the same datasets used by U.S. agencies could be acquired by hostile actors. The risk extends from domestic privacy harms to national security threats.
Filmogaz.com notes recent state action. Virginia recently enacted a ban on the sale of customers’ precise geolocation data.
Advocates argue that broader legal safeguards are needed. Many call to Ban the Sale of Precise Geolocation Data Now to protect people and national interests.
AI-assisted cyberattacks accelerate harm
Security firm Gambit published a detailed reconstruction of an AI-enabled campaign. The attacker breached nine Mexican government organizations. The campaign began on Dec. 26, 2025.
The operator used two commercial AI platforms. Claude generated roughly 75 percent of the remote code execution commands. GPT-4.1 API supported automated reconnaissance and post-exploitation analysis.
Gambit examined three virtual private servers to reconstruct the intrusion. The attacker stole hundreds of millions of citizen records. They also produced a tax certificate forgery service.
How AI scaled the operation
A Claude workflow used the open-source scanner vulmap to gain remote access to a government server. Claude authored and refined exploit scripts quickly.
A custom 17,550-line Python tool fed harvested data into GPT-4.1. The model produced 2,957 structured intelligence reports across 305 SAT servers.
Gambit emphasized that many victims ran end-of-life systems or lacked updates. AI did not invent novel techniques. It amplified speed and productivity, enabling one actor to act like a team.
Positive developments in cyber defense
- The Department of Justice announced a court-authorized takedown of a small GRU-run botnet on April 7.
- The FBI and Indonesian authorities dismantled a phishing operation built around the W3LL kit. Indonesian police arrested the alleged developer.
- Google announced Device Bound Session Credentials support in Chrome 146 for Windows. DBSC ties session tokens to device hardware, reducing cookie theft risk.
These stories together show urgent needs for policy and technical action. Lawmakers should constrain commercial markets for precise location data. Providers must improve security practices.
