Full Report
Citizen Lab director Ron Deibert recently spoke on All Things Considered about the Lab’s new investigation of Webloc, a geolocation surveillance system. The post A New Study Shows How Ad-Based Technology is Used for Surveillance appeared first on The Citizen Lab.
Analysis Summary
# Research: A New Study Shows How Ad-Based Technology is Used for Surveillance
## Metadata
- **Authors:** Ron Deibert (Lead/Principal), in coordination with Citizen Lab researchers.
- **Institution:** The Citizen Lab, Munk School of Global Affairs & Public Policy, University of Toronto.
- **Publication:** Citizen Lab (Summary of investigation/NPR interview).
- **Date:** April 29, 2026.
## Abstract
This research investigates **Webloc**, a geolocation surveillance system that leverages the existing Real-Time Bidding (RTB) advertising ecosystem to track individuals globally. The study highlights how personal data harvesting, originally designed for targeted marketing, has been repurposed into "Advertising Intelligence" (ADINT), allowing government agencies to bypass traditional legal warrants and perform mass or targeted surveillance via mobile device data.
## Research Objective
The research aims to uncover the technical bridge between commercial advertising data and state-sponsored surveillance. Specifically, it seeks to answer:
- How is ad-based geolocation data being packaged into surveillance products?
- To what extent are government agencies (such as ICE) using these secondary data markets to circumvent constitutional or legal protections?
- What are the systemic risks posed by the current "surveillance capitalism" model to individual privacy?
## Methodology
### Approach
The researchers conducted a technical investigation into the "Webloc" platform and the broader "Advertising Intelligence" industry. This included analyzing data supply chains where mobile application data is collected, aggregated by brokers, and eventually sold to surveillance vendors.
### Dataset/Environment
- The global digital advertising ecosystem (Real-Time Bidding platforms).
- Commercial geolocation data streams.
- Publicly available information and interviews regarding agency procurement (e.g., ICE).
### Tools & Technologies
- Network traffic analysis (implied via Citizen Lab’s standard toolkit).
- Interrogation of the Webloc platform’s capabilities.
- Investigation of ADINT (Advertising Intelligence) methodologies.
## Key Findings
### Primary Results
1. **Systemic Exploitation of ADINT:** The internet ecosystem, built on personal data collection for ads, provides a turnkey infrastructure for global surveillance.
2. **Legal Circumvention:** Government agencies are using "Webloc" and similar tools to track individuals without traditional judicial oversight, effectively bypassing the 4th Amendment (or equivalent regional protections).
3. **Data Persistency:** Mobile devices act as passive beacons, constantly broadcasting location data through applications that feed the programmatic advertising market.
### Supporting Evidence
- **Identification of "Webloc":** Direct link discovered between commercial location aggregators and a specific surveillance product used by law enforcement and intelligence agencies.
- **Usage by ICE:** Evidence suggests significant uptake of this technology by immigration authorities to monitor movements without specific warrants.
### Novel Contributions
- **Mapping the ADINT Pipeline:** Explicitly connecting the dots between "harmless" ad-tracking and "harmful" state surveillance.
- **Exposure of Webloc:** Bringing a secretive, high-efficacy geolocation tool into the public discourse for policy scrutiny.
## Technical Details
The research focuses on the **Bidstream Data**—data generated during the millisecond-long auctions that occur when an ad is loaded on a phone. This data often includes a unique device identifier (MAID - Mobile Advertising ID), precise GPS coordinates, and device metadata. Webloc aggregates these "exhaust" data points to build historical movement profiles of nearly any device connected to the internet.
## Practical Implications
### For Security Practitioners
- **Privacy Parity:** Traditional encryption (like Signal or VPNs) does not protect against this; location data is leaked at the OS/App level through advertising SDKs.
- **Data De-identification:** The research proves that "anonymized" location data is a myth, as patterns of life (home/work) easily re-identify individuals.
### For Defenders
- **Hardening Devices:** Users should disable "Personalized Ads" and strictly limit "Location Services" on a per-app basis.
- **Policy Advocacy:** Defense must move beyond technical fixes toward legislative bans on the sale of location data to government entities.
### For Researchers
- This work opens doors to investigating other "grey-zone" surveillance tools that utilize commercial data, such as facial recognition databases built on social media scraping.
## Limitations
- **Opaque Supply Chains:** Because the ad-tech industry is highly fragmented, identifying every intermediary in the data sale is difficult.
- **Mitigation Efficacy:** As Deibert notes, it is "practically impossible" to be 100% protected while remaining a participant in modern digital life.
## Comparison to Prior Work
While previous Citizen Lab research focused on "Active" surveillance (like Pegasus spyware), this study highlights "**Passive/Commercial**" surveillance. It builds on the work of researchers like Shoshana Zuboff but applies a technical forensic lens to the specific vendors (Webloc) selling this data to the state.
## Real-world Applications
- **Law Enforcement:** Used for "geofence" warrants without a judge.
- **Intelligence:** Used for tracking foreign adversaries or dissidents across borders.
- **Implementation:** Highly scalable as it does not require "infecting" a phone with malware; it uses data the phone voluntarily broadcasts.
## Future Work
- **Regulatory Pressure:** Investigating the legality of data brokers under GDPR or CCPA.
- **Global Mapping:** Determining which other countries have procured Webloc or similar ADINT capabilities.
## References
- NPR: *All Things Considered* Interview with Ron Deibert (April 26, 2026).
- Citizen Lab Report: *Uncovering Global Telecom Exploitation* (Related).
- Citizen Lab: *Bad Connection* (ADINT Investigation).
- hxxps[://]citizenlab[.]ca/a-new-study-shows-how-ad-based-technology-is-used-for-surveillance/