The Shadow Stream: Inside WebLoc, the Ad-Based Surveillance System Tracking 500M Devices

A joint investigation by Citizen Lab and several news outlets has pulled back the curtain on WebLoc, an Israeli-developed geo-surveillance tool that transforms the global real-time bidding (RTB) ad ecosystem into a high-resolution tracking network for law enforcement.

BUDAPEST, HU — While the cybersecurity world has been focused on high-profile spyware like Pegasus, a more pervasive form of surveillance has quietly integrated into the arsenals of global law enforcement. WebLoc, a sophisticated system developed in Israel, is reportedly providing government agencies — including the Hungarian government — unprecedented access to the movements of up to 500 million mobile devices globally.

Unlike traditional spyware that requires infecting a target’s phone, WebLoc operates by harvesting data from the "Real-Time Bidding" (RTB) ecosystem — the lightning-fast process that determines which digital ads appear on your screen. This creates a "shadow stream" of location data that is constantly updated, often without the user ever clicking a link or downloading a malicious file.

Ecosystem Impact

  • Mobile Users: Half a billion users are subject to "passive tracking" where standard privacy settings (like "Limit Ad Tracking") may be insufficient.
  • Ad-Tech Platforms: The RTB industry faces an existential threat as regulators look to de-identify or block precise GPS coordinates.
  • Legal Systems: Courts must determine if purchasing commercial data constitutes an "unreasonable search" under human rights law.
  • Privacy Pros: The rise of WebLoc shifts the focus to "Data Supply Chain Security" as the primary battleground for privacy.

From ICE to Hungary: The Expansion of Ad-Tech Intelligence

The recent findings from Citizen Lab highlight a significant shift in the proliferation of this technology. While U.S. Immigration and Customs Enforcement (ICE) has previously been documented using similar ad-based surveillance tools to monitor entire neighborhoods and track individuals, the deployment of WebLoc by the Hungarian government marks a new escalation within the European Union.

According to the investigation, the system allows users to:

  • Query by Location: Draw a "geofence" around any building or city square and see every device that has entered that area.
  • Historical Patterning: Trace a specific device's movements back weeks or months to identify home addresses, workplaces, and social circles.
  • Identity Mapping: Cross-reference device IDs with other data points to unmask anonymous users.

Privacy Violations and the EU Regulatory Gap

The use of WebLoc in Hungary is raising immediate alarms regarding compliance with EU privacy regulations. Under the GDPR, the collection of precise location data requires explicit, informed consent — something that is fundamentally missing from the opaque ad-tech bidding process.

"WebLoc represents a 'backdoor' to the human right to privacy," noted a recent report from United24 Media. By utilizing commercial ad data, governments can bypass the traditional legal hurdles required for a wiretap or a search warrant, essentially purchasing surveillance as a service (SaaS).

The "Anodot" Parallel: Why Data Aggregation is the New Perimeter

The WebLoc revelation mirrors the broader trend seen in recent enterprise breaches: the vulnerability lies in the Third-Party Risk of data aggregators. Just as threat actors targeted Snowflake's ecosystem to exfiltrate corporate data, law enforcement agencies are targeting the ad-tech ecosystem to exfiltrate behavioral data.


The CyberSignal Analysis

Signal 01 — Surveillance as a Commodity

The era of "Spyware" is giving way to "Surveillance Data Brokerage." WebLoc proves that you don't need to hack a phone if you can simply buy the data from the apps already on it. For our B2B audience, this highlights the extreme Third Party Risk of SDKs (Software Development Kits) within company-issued mobile apps. If your employee’s weather app is leaking coordinates to an RTB stream, your corporate security is effectively compromised.
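
One way to check a managed device for this kind of leak, as an added example that is not from the original article or any vendor: a Python audit of bid requests captured at an inspection proxy, plus the coarsening an egress filter could apply. It assumes the traffic is OpenRTB 2.x JSON (device.geo.lat/lon, device.ifa, device.lmt, app.bundle); the sample requests, bundle names, finding labels and the two-decimal threshold are constructed for illustration.

```python
import json

# Constructed sample bid requests (not real traffic); fields follow OpenRTB 2.x.
SAMPLES = [
    json.dumps({"app": {"bundle": "com.example.weather"}, "device": {
        "ifa": "00000000-0000-4000-8000-000000000001", "lmt": 0,
        "geo": {"lat": 47.497913, "lon": 19.040236, "type": 1}}}),
    json.dumps({"app": {"bundle": "com.example.news"}, "device": {
        "ifa": "00000000-0000-0000-0000-000000000000", "lmt": 1,
        "geo": {"lat": 47.5, "lon": 19.0, "type": 2}}}),
    json.dumps({"app": {"bundle": "com.example.game"}, "device": {
        "lmt": 1, "geo": {"lat": 47.49791, "lon": 19.04023, "type": 1}}}),
]
ZERO_IFA = "00000000-0000-0000-0000-000000000000"

def is_precise(geo):
    """True if lat/lon carry more than two decimals (finer than roughly 1 km)."""
    coords = [geo.get(k) for k in ("lat", "lon")]
    return (all(isinstance(v, (int, float)) for v in coords)
            and any(abs(v - round(v, 2)) > 1e-9 for v in coords))

def audit(raw):
    """Return (app bundle, findings) for one captured bid request."""
    req = json.loads(raw)
    dev = req.get("device") or {}
    fine = is_precise(dev.get("geo") or {})
    ifa = dev.get("ifa")
    stable_id = bool(ifa) and ifa != ZERO_IFA
    findings = []
    if fine:
        findings.append("precise_geo")
    if stable_id:
        findings.append("advertising_id")
    if fine and stable_id:
        findings.append("trackable")  # fine location joined to a stable ID
    if fine and dev.get("lmt") == 1:
        findings.append("precise_geo_despite_lmt")  # opt-out set, location still sent
    return (req.get("app") or {}).get("bundle", "unknown"), findings

def coarsen(raw):
    """Egress-filter view: round location to two decimals and drop the ad ID."""
    req = json.loads(raw)
    dev = req.get("device") or {}
    geo = dev.get("geo") or {}
    for key in ("lat", "lon"):
        if isinstance(geo.get(key), (int, float)):
            geo[key] = round(geo[key], 2)
    dev.pop("ifa", None)
    return json.dumps(req)
```
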

Signal 02 — The Compliance Vacuum

Hungary’s use of WebLoc exposes the "gray zone" between commercial advertising and national security. While IAM (Identity & Access Management) protects your internal systems, there is currently no enterprise-level defense against ad-based tracking of your executives or field staff. This is a massive "blind spot" in modern Security Operations.


Sources

  • Primary Intel: The Hacker News, "Citizen Lab WebLoc Investigation"
  • Regional News: United24, "Hungary Deploys WebLoc System"
  • Technical Detail: Cyber Insider, "Tracking Millions via RTB"
  • Advocacy: EFF, "ICE Surveillance Trends"
  • Investigation: 404 Media, "Monitoring Neighborhoods"
  • Deep Analysis: Intellectia, "Stream of Records Analysis"
