Citizen Lab has identified Webloc, operated by Penlink (originally Cobwebs Technologies), as a commercial surveillance platform used by U.S. federal agencies to passively track up to 500 million mobile devices via real-time bidding ad infrastructure without warrants, covering up to three years of historical location data. This is not a patchable software vulnerability but a structural data exposure risk for any organization whose mobile apps or third-party SDKs participate in RTB ad auctions. Security teams should audit mobile app SDK inventories for RTB participation, enforce advertising identifier restrictions on corporate devices via MDM, and brief leadership and legal counsel on passive collection risks to high-value personnel (T1430, T1597).