Citizen Lab’s latest report pulls back the curtain on Webloc, a geolocation platform now sold by Penlink after its 2023 merger with Cobweb Technologies. The leaked proposal claims the tool can tap records from up to 500 million devices worldwide, exposing identifiers, GPS coordinates and app‑profile data. Federal agencies in the United States—from DHS to military branches—and several state police forces appear on the customer list.

Citizen Lab documents vivid case studies: a man in Abu Dhabi was located twelve times daily via GPS or Wi‑Fi triangulation, while two devices were traced to precise spots in Romania and Italy. Tucson police used Webloc to pinpoint a serial cigarette thief, matching a single device to every robbery scene. These examples illustrate how granular tracking can bypass traditional warrants.

Beyond domestic abuse, the report warns that foreign services—including Hungary’s intelligence agency and El Salvador’s police—already purchase the data, raising national‑security alarms. Virginia’s recent ban on selling precise geolocation marks the first state‑level restriction, offering a template for broader legislation. The evidence suggests that unchecked geolocation markets threaten both civil liberties and intelligence safety, demanding immediate regulatory action for the United States.