ATF cancels controversial commercial geolocation contract

The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) canceled a contract with Penlink that used ad-surveillance technologies to track the location of Americans.

The contract was canceled a little more than a month after ATF Director Robert Cekada acknowledged under questioning from Rep. Michael Cloud, R-Texas, in a congressional hearing that the agency was purchasing the geolocation data of Americans through a contract for “an ad-tech type thing” that would provide the agency with geolocation data “based on the ads that go through.”

“We have purchased access to that system but we have not used it for a criminal case because we have not established any policies yet on how we would do it,” Cekada said.

He described that system and data as novel and said ATF was still determining how to craft official guidance for how agents would use it in investigative work.

In an email, an ATF spokesperson confirmed to CyberScoop that the contract had been canceled, describing it as a limited pilot project for capabilities the agency was no longer seeking.

“ATF continually evaluates tools and techniques to enhance our investigations and ultimately reduce violent crime in American communities,” the spokesperson wrote. “We did conduct a pilot with Webloc to determine if it could improve our investigative capabilities. After completing our review, we determined the tool does not meet our needs and cancelled the contract. ATF is not currently using any other ad-tech-sourced services.”

According to Sen. Ron Wyden, D-Ore., he requested and his staff received a briefing from ATF on the matter on June 12. In the meeting, Cekada identified purchasing licenses for Penlink’s Webloc commercial location surveillance tool as the contract in question.

Further, he said the ATF had already conducted more than 340 searches using the system, including more than 222 that were directly tied to active ATF case numbers.

On its website, Penlink describes itself as an open-source intelligence analysis platform that provides real time data collection, forensic and web analysis and digital evidence collection. The firm touts its use of “AI-driven analysis” to increase case resolution rates by 80% as well as the ability to “tie disparate data together to one subject, place, or group using comprehensive identity resolution capabilities.”

Wyden, who earlier this year led a group of 70 congressional Democrats calling for an investigation into the purchase of commercial location data by Immigration and Customs Enforcement, said that ATF ultimately did “the right thing” but called for Congress to pass his legislation that would change the practice throughout the federal government.

“After Representative Cloud and my staff informed the ATF about the legal and privacy quagmire surrounding adtech data, the agency did the right thing,” Wyden said in a statement. “Canceling this contract is a victory for Americans’ constitutional rights, but Americans’ privacy shouldn’t depend on ad hoc congressional interventions. Congress must pass the Government Surveillance Reform Act to close the data broker loophole once and for all.”

Wyden’s office noted that the purchase of ad-tech geolocation data is illegal in some states, and that the Federal Trade Commission has already established that selling sensitive location data to government agencies and contractors falls under deceptive and unfair practices under the FTC Act.

The use of ad-tech to surveil and geolocate targets online is a growing problem. While such tools are commonly used by marketing and advertising agencies to send targeted ads based on geography or region, bad actors can also use them to unmask the identities or locations of individuals, or combine them with other public data in ways that worry privacy advocates. A University of Tennessee student is suing a company based in the Virgin Islands for pulling videos from her social media, turning them into nonconsensual ads for their dating service and then using ad-tech geolocation to serve the ads to men online near her.

Wyden’s office said in one instance, the tool was used to get location data for devices associated with a defense contractor at the same time as a suspected arson incident, but that the ATF later backed off from using it in court after both the prosecutor and judge expressed “serious discomfort with the use of warrantless adtech data.” The ATF ultimately opted to seek a court order for bulk cell phone tower data instead.

The post ATF cancels controversial commercial geolocation contract appeared first on CyberScoop.

Congress kicks the can down the road on surveillance law (again)

Congress extended a controversial surveillance law for 45 days on Thursday, hours before its latest expiration following an earlier extension.

The Senate passed — then the House cleared — a 45-day extension of Section 702 of the Foreign Intelligence Surveillance Act, which authorizes warrantless surveillance of foreign targets. But those targets are sometimes communicating electronically with Americans, and intelligence officials can search the database using their identifying information, which has long given privacy groups and privacy-minded lawmakers heartburn.

The 45-day reprieve gives lawmakers more time to hammer out a lasting deal, and comes after the leaders of the Senate Intelligence Committee agreed to send a letter to the Director of National Intelligence and attorney general, seeking swift declassification of a letter on a classified ruling from the Foreign Intelligence Surveillance Court.

Sen. Ron Wyden, D-Ore., had sought release of that opinion, and had resisted giving unanimous consent for the latest short-term extension to move forward until Senate Intelligence Chairman Tom Cotton, R-Ark., and top panel Democrat Mark Warner of Virginia agreed to send the letter.

A declassification review was already underway, but the Cotton-Warner letter states that “We expect that this declassification review will be completed and the FISC opinion released publicly within 15 days,” according to Wyden, speaking on the Senate floor.

The March 17 opinion reportedly came with annual recertification of the warrantless surveillance program. The Justice Department is appealing that ruling because it blocked them from using certain tools to analyze communications.

“A few weeks ago, the Foreign Intelligence Surveillance Court found major compliance problems related to the surveillance law known as section 702,” Wyden said earlier this month. “These compliance problems are directly related to Americans’ Constitutional rights.”

Senate Majority Leader John Thune, R-S.D., said the extension will give lawmakers additional room to hold “discussion on reforms.”

The House this week had passed a 3-year reauthorization with some changes to the surveillance program, but key to doing so was leadership’s agreement to attach legislative language on a separate matter that would ban a central bank digital currency. Thune had said that language was going nowhere in the Senate.

On Thursday, the House voted 261-111 to extend the law for 45 days. President Donald Trump has sought a “clean” 18-month reauthorization of the surveillance powers.

The extension continues a perennial ritual for the Hill when it comes to Section 702: A deadline looms, and Congress kicks the can down the road repeatedly.

The post Congress kicks the can down the road on surveillance law (again) appeared first on CyberScoop.

Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities

Campaigns employing commercial surveillance vendors tracked targets by exploiting mobile phone network vulnerabilities in what researchers said Thursday was the first-ever linking of “real-world attack traffic to mobile operator signalling infrastructure.”

The two unknown parties behind the campaigns mimicked the identities of mobile phone operators with customized surveillance tools, and manipulated signaling protocols and steered traffic through network pathways to hide, according to research from the University of Toronto’s Citizen Lab.

“Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate,” a report published Thursday reads.

“Despite repeated public reporting, this activity continues unabated and without consequence,” Gary Miller and Swantje Lange wrote for Citizen Lab. “The continued use of mobile networks, built on a close inter-operator trust model and relied upon by users worldwide, raises broader questions for national regulators, policymakers, and the telecom industry about accountability, oversight, and global security.”

The attackers relied on identifiers and infrastructure associated with operators around the world, including networks based in Cambodia, China, the self-governing Island of Jersey, Israel, Italy, Lesotho, Liechtenstein, Morocco, Mozambique, Namibia, Poland, Rwanda, Sweden, Switzerland, Thailand, Uganda and the United Kingdom.

They shifted between SS7 and Diameter, the signalling protocols associated with 3G and with 4G and most of 5G, respectively, according to the report. While Diameter was meant to be more secure than SS7, the Federal Communications Commission in 2024 opened a probe into both its vulnerabilities and SS7’s, and Sen. Ron Wyden, D-Ore., has asked for a Cybersecurity and Information Security Agency report about telecommunications vulnerabilities rooted in both protocols.

But identifying the vendors used in the two surveillance campaigns, or who was behind them, was beyond the researchers’ reach.

“The reality is that there are a number of known surveillance vendors and bad actors in this space, but given the opaque nature of telecommunications signalling protocols, those vendors are able to operate without revealing exactly who they really are,” Ron Deibert, director of Citizen Lab, wrote in his newsletter. “Much of the malicious things they are doing blend into the otherwise voluminous flow of billions of normal messages and roaming signals. They are ‘ghost operators’ within the global telecom ecosystem.”

One of the operators mentioned in Citizen Lab’s report, Israel-based 019 Mobile, wrote back that it didn’t recognize the hostnames referenced in the report as 019 Mobile’s network nodes, and couldn’t attribute the signaling activity it represents to 019 Mobile-operated infrastructure.

Another operator, Sure, said it has taken preventative measures to defend against misuse.

“Sure acknowledges that digital services can be misused, which is why we take a number of steps to mitigate this risk,” CEO Alistair Beak said in a statement to CyberScoop. “Sure has implemented several protective measures to prevent the misuse of signalling services, including monitoring and blocking inappropriate signalling. Any evidence or valid complaint relating to the misuse of Sure’s network results in the service being immediately suspended and, where malicious or inappropriate activity is confirmed following investigation, permanently terminated.”

019 Mobile and a third operator, Tango Networks UK, didn’t respond to requests for comment from CyberScoop. The Citizen Lab report afforded some grace to the operators.

“It is important to note that the operator signalling addresses observed in the attacks do not necessarily imply direct operator involvement,” it states. “In some cases, access to the signalling ecosystem can be obtained through third-party providers, commercial leasing arrangements, or other intermediary services that allow actors to send messages using operator identifiers from legitimate networks.”

Updated 4/24/26: to include quote from Alistair Beak.

The post Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities appeared first on CyberScoop.
