Aimed at Protests, Surveillance Contractor’s New Owners Expand Spy Tech Portfolio
In 2020, while protests raged in nearly every city in the United States, a privately owned Israeli spyware firm helped the Department of Homeland Security monitor the online presences of Americans—including protesters and journalists. That company is now set to join forces with competitors, creating a private social media surveillance apparatus unlike anything previously known.
On June 3, 2020, Department of Homeland Security Acting Undersecretary of Intelligence and Analysis Brian Murphy ordered DHS’s Office of Intelligence and Analysis to begin assembling intelligence dossiers on Americans attending then-widespread demonstrations protesting the murder of Minneapolis resident George Floyd. Murphy believed that the protests were being infiltrated by “violent opportunists,” a phrase used by DHS to identify what it believed were organized groups, like Antifa.
June 2024 Update: Cobwebs Spy Software Locks Onto Protesters: Israeli Social Media Mining Contract with Homeland Security Revealed
These dossiers, officially known as Operational Background Reports, or OBRs, compiled “derogatory information, travel history … and immigration status,” along with information taken from social media profiles, according to an internal report published by DHS in 2021.
That DHS report, titled “Office of Intelligence and Analysis Operations in Portland” and made public by Oregon Senator Ron Wyden in October 2022, details a troubling pattern of actions taken by government officials, employees, and contractors.
The OBRs, called “baseball cards” internally by DHS I&A, were allegedly created to identify threat actors at protests, but initial drafts included lists of a subject’s friends and social media followers. Although these lists were removed from completed OBRs, the information was retained by DHS I&A, raising questions over who was targeted for OBRs and if this process was, in some cases, motivated solely by association.
In a July 25th memo, Murphy confirmed the political nature of the OBRs.
“Starting now for Portland replace the [violent opportunists] definition accompanying our [field intelligence reports] and [open-source intelligence reports] to VIOLENT ANTIFA ANARCHISTS INSPIRED,” he wrote to DHS employees via email.
“Why? Myself and I&A leaders have been reviewing the Portland FIRS, OSIRS, Baseball cards of the arrested and [financial intelligence] as well as Ops info. The individuals are violently attacking the Federal facilities based on those ideologies. We can’t say any longer that this violent situation is opportunistic. Additionally, we have overwhelmingly [sic] intelligence regarding the ideologies driving individuals towards violence and why the violence has continued. A core set of Threat actors are organized, show up night after night, share common [tactics, techniques, or procedures] and draw on like minded individuals to their cause.“
–Department of Homeland Security Acting Undersecretary of Intelligence and Analysis Brian Murphy
Journalists were also targeted in the OBRs, per the DHS report released by Senator Wyden, even though on one occasion a subject’s social media profile identified their status as a member of the media. Surveillance of reporters was not uncommon at the time, especially by DHS I&A, which separately created and disseminated intelligence reports on at least two journalists – New York Times reporter Mike Baker and Lawfare editor Benjamin Wittes.
What makes the OBRs unusual, beyond the targeting of Americans not charged with crimes, was that they incorporated intelligence compiled using a third-party web-based intelligence tool known as “Tangles.” The DHS report offers only a vague reference to Tangles as a “social media aggregation tool that compiled information from the subject’s available social media profiles,” but its creator has an online presence which highlights a history of targeting activists and political figures and calls into question the true function of its services.
Cobwebs Technologies
Founded in 2015 in Herzliya, Israel by former members of Israel Defense Forces (IDF) intelligence and special forces units, Cobwebs Technologies boasts a mission of “OSINT for good” on its website, claiming to use open-source intelligence to benefit society.
Yet Cobwebs’ tangled web of government contacts, along with the company’s recent sale to an equity firm connected to another surveillance company, suggests that rather than a force for good, the company and its new owner are vying to become shadow brokers in a growing underground information economy.
Cobwebs, operating under Cobwebs America, Inc., was awarded a $1.5 million contract with DHS I&A in August 2020, two months after DHS I&A had begun using Tangles to compile social media information for its OBRs. The 2021 DHS report does not state if DHS I&A’s use of Tangles was part of a trial or if there was a pre-existing relationship between Cobwebs and DHS.
Shortly after the DHS I&A contract, however, Cobwebs received another federal contract from the Department of the Treasury, for use of a “web intelligence investigation platform” by the Internal Revenue Service. A Freedom of Information act request from Motherboard returned a copy of the contract, which didn’t identify Tangles by name but did contain a quote for a “Gold Subscription WEB Intelligence Platform,” dated June 11, 2020—in the midst of the George Floyd protests, when DHS I&A was using Tangles for its OBRs.
Responding to the Motherboard investigation, a spokesperson from the IRS’s Criminal Investigations unit stated: “In certain circumstances, agents may operate in an undercover capacity and employ certain tools to gather evidence for a criminal case. Obviously, discussing specifics of how a special agent uses various tools in an undercover capacity is viewed as law enforcement sensitive information. In all cases, however, agency personnel must follow all legal and agency policies and procedures in the execution of their duties.”
Location Tracking
Cobwebs advertises a number of web-based intelligence tools, including Tangles, to law enforcement and the intelligence community. These tools offer a range of features which grant these groups—and the government—growing power to monitor the words and actions of private citizens, from social media tracking, which has become highly-valued by law enforcement in recent years as police departments crack down on protected speech, to other more disturbing possibilities.
In 2022, digital privacy rights activist Wolfie Christl reported on a Cobwebs contract posted by Naval Supply Systems Command, a command under the Navy responsible for supply chain management and logistics planning for that branch and the Marine Corps. The contact, labeled “SSA GEOINT WEBLOC SW” on public contracting site GovTribe, is for a geospatial and signals intelligence platform known as WebLoc.
A recent notice of intent for a Cobwebs contract awarded in 2023 by the Bureau of Indian Affairs also mentions the use of “geo-signals” in reference to location data, although the notice stipulates this use is in connection with Tangles.
The Cobwebs procurement record with NAVSUP outlines one of the ways the company might provide its clients with the location data of a subject, stating that the service would require “[t]he ability to automate and continuously monitor unique mobile advertising IDs, Geolocated IP Address, and connected devices analysis.”
Mobile advertising IDs, or MAIDS, are unique identifiers assigned by operating systems like Android and iOS that tie individual phones and mobile devices to specific strings of numbers. This information can be used by law enforcement to track the movements of an individual so long as they are connected to a cell phone or mobile device; MAIDs, for instance, were used by law enforcement agencies to locate participants in the January 6 insurrection.
A recently declassified Federal Bureau of Investigation (FBI) file on NSO Group, another Israeli spy firm that had government contracts for separate spyware known as Pegasus, revealed that the FBI has also used MAIDs in the course of its investigations, and in one instance, on January 5, 2021, the bureau requested tracking data for “several [New York Times] reporters.”
The reach of Cobwebs’ platforms extends well beyond the federal government and the military. In 2021, Cobwebs received a contract for an open-ended amount with the West Virginia Fusion Center, an intelligence-gathering hub that oversees data collection and analysis for the State of West Virginia’s Department of Homeland Security and local police departments, for a Bronze subscription to a “WEB Intelligence Platform” and its WebLoc service, with an additional specification for an “image and face processing module.”
While it’s unclear at this time how many other fusion centers have contracts with Cobwebs, similar programs like the Urban Areas Security Initiative, a joint project of DHS and the Federal Emergency Management Agency that provides funding for preventing terrorist attacks, appear to have been used to secure contracts for Cobwebs’ services.
A 2021 UASI application completed by the Los Angeles Police Department (LAPD), on behalf of the Los Angeles/Long Beach Urban Areas Security Initiative, identifies a project labeled “LAPD Technology Modernization” that would allot $230,000 for a contract with Cobwebs. The project is identified as a joint operation between the LAPD, the FBI’s LA field office, the City of Los Angeles, and the Joint Regional Intelligence Center, a fusion center servicing the Los Angeles area.
In November 2021, the Brennan Center for Justice,which obtained the 2021 UASI application through a FOIA request, found that the LAPD had used at least one other social media spying tool on a trial basis and tested at least nine others. That same month, the LAPD was caught using fake accounts to surveil social media users.
Cyber Mercenaries
Cobwebs’ growing ubiquity in law enforcement and intelligence circles has led to pushback from privacy groups and even some social media platforms, with one tech company describing the group and others like it as “cyber mercenaries.”
Facebook owner Meta removed 200 fake accounts it alleged were being run by Cobwebs and its customers from its platforms in 2021, after it found those accounts had targeted “activists, opposition politicians and government officials in Hong Kong and Mexico” for surveillance and phishing campaigns.
Cobwebs CEO Udi Levy denied the accusation by Meta and stated the report was inaccurate. “It is not relevant to the type of our customers or our field of activity,” Levy said to Israeli business publication Globes in July 2023. “We do not provide avatars (fake accounts that allow users to be tracked on social networks, etc.). Meta also mentioned a list of countries that are not related to us.”
The Globes article does not mention Cobwebs’ relationship with DHS or its possible involvement in surveilling activists during the 2020 George Floyd protests, nor does the Facebook report issued in 2021, but it does allow Levy to elaborate on how the report affected the recent sale of the company to a US-based equity firm, Spire Capital Partners.
“It was a challenging period in which you had to prove that you had nothing to hide, but we successfully passed it and proved that we had nothing to hide,” Levy told Globes. “In the end, the truth wins out and we are happy today to connect with one of the high-quality funds in the US and continue to show growth.“
Enter Spire Capital Partners
The sale to Spiral Capital Partners raises further concerns over the government’s ability to spy on activists and protesters. In April 2022, Spire Capital announced it had purchased a controlling share in a communications firm, PenLink, that has assisted law enforcement in wiretapping and social media surveillance; five months later, PenLink and Spire Capital announced the acquisition of geospatial analysis software, GeoTime, that can identify and track the locations of individuals based on information pulled from their social media feeds.
Spire Capital’s recent acquisitions of Cobwebs’ suite of products and GeoTime would resolve a long-standing problem for PenLink, which has expressed frustration over how quickly it can monitor social feeds.
Jack Poulson, a digital privacy activist who runs the site Tech Inquiry, recorded a presentation from a PenLink employee before the National Sheriff’s Association last year, during which the presenter reported that such monitoring does not occur in real time and there can be delays of up to 15 minutes for Facebook and Instagram.
PenLink CEO Kevin Pope seemingly addressed this in a statement put out by PenLink after Spire Capital’s purchase of Cobwebs. “PenLink is pleased to expand its capabilities to meet the emerging technology demands of modern investigations,” Pope stated. “By combining the power of Cobwebs Technologies’ AI-powered open-source intelligence and our market-leading digital investigation solutions, PenLink will transform the speed and depth of insights developed across complex criminal investigations.”
Any integration of Cobwebs’ and PenLink’s platforms could grant DHS greater power over digital communications in America, as both Cobwebs and PenLink already work with several agencies under DHS.
PenLink has received over $40 million from U.S. Immigration and Customs Enforcement for licenses connected to its software going back to 2007, while Cobwebs was awarded $225,060 for a year-long contract with ICE in August 2022.
Separately, PenLink has a contract with the U.S. Secret Service running through December 2023.
Cobwebs’ contract with DHS I&A for its Tangles platform ends in August 2025.
Correction – June 2024: Cobwebs CEO Udi Levy shares the same name as a former Mossad & Israeli military officer [1] [2], however they are different individuals.
Cover image composition by Dan Feidt; Portland protest photos by Matthew Roth.
Please consider a tax-deductible donation to help sustain our horizontally-organized, non-profit media organization:
Follow us on X (aka Twitter), Facebook, YouTube, Vimeo, Instagram, Mastodon, Threads, BlueSky and Patreon.