Tucson cops cracked a cigarette case using a tool tracking 500M phones

The ads on your phone aren't just selling you sneakers. They're a feed for anyone with a budget.

Tucson cops wanted to nail a suspected cigarette-store thief who had been hitting the same chain. So they pulled up the location pings of every phone near each robbery, noticed one device that kept showing up, and followed it home. That phone belonged to someone who was dating an employee at the store that was robbed first. Catching the guy would normally require a warrant, a wiretap, maybe a subpoena. It required a subscription.

The subscription, writes Joshua Villanueva at Lawfare, is to Webloc, an adtech-surveillance product whose owners claim it pulls data from roughly half a billion phones around the planet. Citizen Lab obtained a leaked technical proposal that shows how Webloc tracked one man in Abu Dhabi as many as 12 times a day — every time his handset phoned home over GPS or brushed a Wi-Fi access point — and pinpointed two other handsets at specific spots in Romania and Italy at specific moments.

Webloc was built by Cobweb Technologies and is now sold as a bolt-on by the American vendor Penlink, which absorbed Cobweb in a 2023 merger. Penlink's main product, Tangles, already scrapes social media and online accounts; Webloc adds the ability to tie those "anonymous" mobile IDs to specific people, at specific places, without a judge ever hearing about it.

The customer list, per Citizen Lab, runs from DHS and ICE to the Bureau of Indian Affairs Police to state and local cops in California, Texas, New York, and Arizona. Overseas, it reaches Hungary's domestic intelligence agency and El Salvador's National Civil Police.

Virginia has already outlawed this kind of location-data commerce. Villanueva argues the rest of the country should follow.

Previously: