Cobwebs Spy Software Locks Onto Protesters: Israeli Social Media Mining Contract with Homeland Security Revealed

Israeli Firm “Cobwebs” Linked to 2020 Protests, Provides Monitoring Services to Homeland Security for Tracking Dissenters

Last year, Unicorn Riot reported on a contract between the Department of Homeland Security (DHS) and Cobwebs, an Israeli tech firm that licenses web surveillance tools to law enforcement and intelligence agencies. We can now provide that contract and details about the software — sensitive technology DHS has used to spy on activists during the last several years.

In August 2020, three months after the murder of George Floyd by then-Minneapolis police officer Derek Chauvin kicked off the largest civil rights protests in the United States since the 1960s, DHS signed a contract with a representative of Cobwebs America Inc., the American arm of Cobwebs Technologies. That contract, obtained via the Freedom of Information Act (FOIA), identifies a “software interface tool” not referred to by name, but since identified in a DHS report published by U.S. Senator Ron Wyden (D-Oregon) as Tangles (PDF), a web-based intelligence tool that collects information on social media users. *

A 1 minute video on Vimeo and YouTube covers the basics of the Cobwebs-DHS contract.

The Cobwebs Homeland Security contract, a Statement of Work (SOW), and additional documents provided as part of the FOIA request (PDF) outline a troubling multi-year collaboration between DHS’s Office of Intelligence and Analysis (I&A) and Cobwebs Technologies that could run through 2025.

This report covers the DHS-Cobwebs contract deal, but before going into the details, we take a broader look at the little-understood I&A office, and how fusion centers and counterintelligence tactics can be abused and misused to harass protesters and other members of the public using powerful tools like Cobwebs products.

Sections: Enter Intelligence & Analysis | From Potential to Abuse | Infiltrating Telegram for Homeland Security | Tangles, Infiltration & Social Engineering | Statement of Work, “Baseball Cards” | Deleted Accounts, Bitcoin & Geo-Tracking | Spire Capital Partners Assembles U.S. Surveillance Empire | Resources


Enter the DHS Office of Intelligence and Analysis (I&A)

Created in 2007 under the long shadow of the 9/11 attacks, I&A’s original mission statement (PDF p.8) claimed its purpose was to facilitate better intelligence sharing between federal agencies and local law enforcement through data analysis, while also “protecting the privacy, civil rights, and civil liberties of the people I&A serves.”

This statement reflected a growing concern among privacy advocates over the rapid expansion of America’s national security apparatus. DHS, itself established only five years prior, was developing a plan for the rollout of fusion centers —  information-sharing hubs that would bridge divides between federal, state, and local agencies and law enforcement, private defense contractors, and the military. But as one DHS report would later observe, the public’s concern for the potential for abuse created the perception of fusion centers as “mini-spy agencies or akin to the [Federal Bureau of Investigation]’s discredited—and long abandoned—COINTELPRO program.”

The notion that a federal agency might abuse the intelligence privileges authorized to it by Congress wasn’t outlandish in 2007, because only three decades earlier, the Federal Bureau of Investigation (FBI) ran covert counterintelligence programs, or COINTELPRO, targeting American anarchists, communists and college students. This involved everything from the use of informants and provocateurs to infiltrate political organizations and protests to manipulating conflict between groups of rival Black militants, culminating in the 1969 shootings of Black Panther Party members Alprentice “Bunchy” Carter and John Huggins by members of a rival group called the US Organization.

DHS, like the FBI, has a domestic mandate for intelligence-gathering and analysis. I&A officers are one of the primary means for accomplishing this and are embedded in 80 DHS-affiliated fusion centers across the United States. At any given time, an I&A officer might conduct intelligence activities ranging from reviewing tips and formatting raw intelligence into actionable information for local partners, to more direct methods of surveillance like monitoring publicly accessible content on social networks.


I&A: From Potential to Abuse

In the years since its founding, I&A has delivered on fears that its existence would lead to abuse:

  • Since at least 2016, I&A has overseen the Overt Human Intelligence Collection Program, a domestic-intelligence program that allows I&A officials to collect information on Americans through interviews, often through contact with prisoners and detained immigrants without legal counsel present.
  • In 2018, DHS posted a job listing for “media monitoring services,” to be used to create a database of “journalists, editors, correspondents, social media influencers, bloggers, etc.” At the time, it was unclear how I&A might use such a database, but DHS has since been caught compiling intelligence dossiers on journalists covering immigration and I&A’s internal practices.
  • In 2020, during the George Floyd protests, I&A officials monitored Telegram group chats of protesters in Portland, Oregon, prompting Congressional concerns about unlawful surveillance. Information taken from these conversations — including travel routes — was formatted into a DHS report that was shared with federal agents and law enforcement officials.

The DHS report referencing those Telegram group chats, identified by the Washington Post as a DHS Open Source Intelligence Report, points to the use of web surveillance tools by I&A or another party. While social networks like X (formerly Twitter) have provided law enforcement and government officials with information about their users, typically through third-party developers that collect and sell user data, these companies have been loath to discuss how their platforms are being exploited by intelligence agencies, defense contractors, and law enforcement for surveillance via the creation of fake accounts. 

Unicorn Riot documented fake “sockpuppet” accounts tied to DHS-affiliated fusion centers. In 2019 we reported on the existence of social profiles for an Angel Garcia-Lonetree that appeared to be run by Lt. Jeff Rugel, then-commander of the Strategic Information Center (SIC) — a fusion center run by the Minneapolis Police Department (MPD). 

The SIC would later act as the hub for Operation Safety Net (OSN), a program aimed at unrest around former Minneapolis police officer Derek Chauvin’s murder trial. OSN was an interagency collaboration between the MPD, FBI, DHS, and numerous other state and local law enforcement groups to surveil and spy on civil rights activists in Minneapolis in the wake of the George Floyd protests. One tactic used both prior to and during OSN was the creation of fake social media accounts to surveil and harass Black activists.

Documents obtained through the Freedom of Information Act offer new insight into how agencies like DHS — and I&A in particular — are spying on activists.


Infiltrating Telegram for Homeland Security

When the DHS intelligence report was published on July 17, 2020, I&A was in the trial phase for a web surveillance tool known as Tangles, which its creator, Cobwebs Technologies, bills as a “deep web detective.” According to a description of the technology in promotional material, Tangles uses artificial intelligence and machine learning to identify patterns across the deep, dark, and surface webs, allowing intelligence agents and law enforcement officers to monitor online communications in near-real-time.

The problem, however, comes in how this monitoring occurs. While Tangles is promoted as a tool that relies on open source intelligence, or information that’s publicly accessible online, the Washington Post article about the Telegram group chats highlights a key concern for activists navigating online spaces. 

Telegram offers groups that can be accessed by anyone on the site, but not all information on the encrypted messaging app is public. According to the Post, I&A had somehow gained access to messages sent by Portland protesters about their travel routes, from what appeared to be a private group chat. Per the Post, “It’s not clear how DHS obtained the messages and whether an informant or undercover officer had access to the Telegram group.”

A little over a month later, on August 25, 2020, Eyal Bachar, the managing director of North American operations for Cobwebs America Inc., signed off on a deal with DHS worth $587,510, with the option for DHS to renew annually for up to five years. Although the contract doesn’t identify Tangles by name, a license extension issued by Cobwebs in 2021 does, confirming that the contract was for Tangles and Cobwebs’ other services.

A Statement of Work obtained as part of Unicorn Riot’s FOIA request states that Tangles would be paired with Cobwebs’ LYNX platform. On a promotional page that Cobwebs has since deleted, it described LYNX as a “global proxy infrastructure” that allows users to “join darknet forums, hacker communities and other platforms without their cover being blown.”

In contractor parlance, a Statement of Work “provides a description of a given project’s requirements. It defines the scope of work being provided, project deliverables, timelines, work location, and payment terms and conditions.”


Cobwebs, Tangles, and Social Engineering

Another indicator that I&A may have used Tangles to infiltrate private group chats and other closed forums is a contract Cobwebs Technologies inked with the Department of the Treasury the same month it closed on the DHS deal. On August 6, 2020, the Treasury awarded Cobwebs $181,000, on an initial agreement, for a “Gold Subscription WEB Intelligence Platform” — a euphemism echoing the “Software Interface Tool” listed in the DHS contract for Tangles.

In 2023, Joseph Cox, writing for VICE Motherboard, reached out to the Treasury about the contract. The department said the subscription was for the Internal Revenue Service’s Criminal Investigation office, an investigative unit that handles tax fraud, narcotics trafficking, and public corruption.

A representative from IRS-CI told Cox: “In certain circumstances, agents may operate in an undercover capacity and employ certain tools to gather evidence for a criminal case. Obviously, discussing specifics of how a special agent uses various tools in an undercover capacity is viewed as law enforcement sensitive information. In all cases, however, agency personnel must follow all legal and agency policies and procedures in the execution of their duties.”

Cobwebs has been accused of facilitating the creation of fake social media accounts. In 2021, Meta announced it had removed 200 fake accounts from its Facebook platform (PDF) associated with Cobwebs and its customers. (Describing them as “Cyber Mercenaries,” the Israeli newspaper Haaretz noted at the time that “Israel’s Spyware Industry is Getting Slammed Around the World.”)

A section of the Meta report reads: “In addition to collecting information about their targets, the accounts used by Cobwebs customers also engaged in social engineering to join closed communities and forums and trick people into revealing personal information.”

This Cobwebs Statement of Work also includes “avatar management” capabilities — a term also used by Royi Burstien, CEO of another Israeli electronic intelligence firm, Percepto International, to describe how his group manages sophisticated sockpuppet accounts.


The DHS-Cobwebs Statement of Work, Reports and ‘Baseball Cards’

The material produced by Tangles to generate profiles of activists echoes COINTELPRO-era “cards” produced by the FBI. System requirements listed in the Statement of Work appear designed to support I&A’s undercover work. Two of the requested tasks for Tangles provide clarification on how I&A develops targets on social media:

2.1.14  The software interface shall have algorithms used to identify linked content of users and known or suspected associations to the target.

2.1.23  The software interface must have the capability to conduct deep target identification via keyword search with social link analysis for both direct entities and associates to generate a risk assessment indication based on customized user driven dictionaries and severity levels.

DHS Statement of Work for Cobwebs contract

In the DHS report disclosed by U.S. Senator Ron Wyden (D-OR) in 2022, DHS stated I&A used Tangles to compile what were known as Operational Background Reports and internally as “baseball cards.” These were threat assessments on individual protesters in Portland, Oregon, and initial drafts contained information about friends and social media followers.

The references to “associations” and “associates” in the SOW suggest that DHS may still be creating risk assessments of individual social media users based on their connections to other accounts, or generating new targets using this same criteria. This kind of targeting tags activists for surveillance through friends and followers rather than anything more substantive. Even with this type of intelligence gathering, DHS continues to dismiss critiques of their fusion centers as “mini-spy agencies” akin to the FBI’s COINTELPRO, which they mention in their 2008 report.

Both preceding and during COINTELPRO, the FBI compiled secret lists of political activists, including their Security Index, Communist Index, and Rabble Rouser Index. Information contained on “cards” in these indexes referenced associations with political groups and other activists as a justification for their surveillance. In some cases, as with singer and activist Paul Robeson, this also resulted in American citizens being “tabbed for DETCOM,” short for ‘detain as communist.’ In the event of a national emergency, individuals tabbed for DETCOM would have been arrested and placed in internment camps without due process.


Cobwebs, Deleted Accounts, Bitcoin and Geo-Tracking

This leads to an obvious question: does privacy exist online? Many privacy advocates now argue for deleting your social media accounts altogether, but DHS is prepared for this as well.

Two other tasks listed in the SOW between DHS and Cobwebs:

2.1.13  The software interface shall enable locating web connections of deleted material, to include associations of users not visible directly on accounts. 


2.1.17  The software interface shall capture the metadata from deleted or suspended accounts.

DHS Statement of Work for Cobwebs contract

The SOW offers other indicators that DHS has developed complex profiles of social media users, using workarounds to anonymity and privacy measures. In the same list of tasks, DHS asks for the ability to link social media users to Bitcoin and other cryptocurrency transactions:

2.1.26  The software interface must have the capability to conduct block chain analysis for Bitcoin wallet address transactional direction and amounts.

DHS Statement of Work for Cobwebs contract

All of this information taken together (both deleted and still online), can then be used to locate social media users based on integration of location-tracking technology:

2.1.18  The software interface shall have a built-in geolocation feature without additional cost for use of the feature. […]

2.1.25  The software interface must have fully integrated deep analysis capabilities on accounts, posts, hashtags, locations and generate automatically entities and perform SNA [social network analysis] for topic, persons, transactions and visualize present relevant data over map for location data.

DHS Statement of Work for Cobwebs contract

The final set of features involving geolocation and mapping functions suggest that Cobwebs’ WebLoc platform may have been included in the deal. WebLoc is a geospatial and signals intelligence tool that uses commercial data purchased from brokers to identify unique mobile advertising IDs assigned to smartphones and mobile devices. This information can be used to track a person’s movements. Unregulated data brokers are an ongoing intrusion on privacy that enable law enforcement to evade civil liberties protections like warrants, according to the Brennan Center for Justice.

The ability to connect social media accounts to real people and their physical locations has made Tangles and WebLoc increasingly popular among federal and state agencies. In 2021, the West Virginia Fusion Center purchased an image and face processing module from Cobwebs in conjunction with a subscription to Tangles and WebLoc, and the Texas Department of Public Safety subscribed to both services for border surveillance.

Similarly, journalist Joey Scott, writing for the Los Angeles-based progressive news site Knock LA, discovered that the Los Angeles Police Department purchased a subscription to Tangles and WebLoc in 2022. As part of a presentation to the LAPD, Cobwebs provided a case study demonstrating how its tools were integrated by law enforcement in Europe to develop profiles of soccer fans attending a game and predict who in the crowd was “most likely to cause trouble.” Using only keywords and hashtags, officers were able to identify specific individuals and obtain photographs so that they could be tracked on the ground, in real-time.


Spire Capital Partners: Assembling a US Surveillance Empire

When the contract was signed by DHS in 2020, Cobwebs Technologies was still its own company. But in 2023, as noted in Unicorn Riot’s earlier investigation into Tangles, Spire Capital Partners, a New York-based equity firm, bought Cobwebs, bringing all of its services — including Tangles, LYNX, WebLoc, and another called Trapdoor — into its growing surveillance empire.

The year prior, Spire purchased a controlling share in surveillance communications firm PenLink, best-known for its cell-phone-tracking PLX software, and bought location-tracking software GeoTime outright. Cobwebs is now a part of PenLink, and some Cobwebs employees have been moved over to the latter company under the same or similar job titles. Based on his LinkedIn profile, Eyal Bachar, the Cobwebs representative who signed the DHS contract on behalf of the company, maintained his position under PenLink and works as its managing director.

Given that Cobwebs’ services may have been used to create fake social media profiles (as Meta reported [PDF]) to access activists’ private communications, which are protected by the Fourth Amendment, does this mean PenLink might be assisting I&A in similar investigations as part of Cobwebs’ contract?

The initial terms of the contact state that it would run through 2021 and provide for the ability to extend until 2025. An attachment provided with the contract, identified as an “end user license (extension),” states that “option period 1” for Tangles was exercised through August 2022 for 30 users. A subsequent memo from Cobwebs to I&A requested the agency notify it in writing if it would like to extend the contract again. No additional attachments were included with the FOIA request, making it unclear if I&A is still using Cobwebs’ services — overtly or covertly — to monitor the social media accounts of activists. 

During the 2020 protests in Portland, when Homeland Security staff at the DHS I&A Current and Emerging Threat Center (CETC) used Tangles to build profiles from social media surveillance, the erosion of privacy rights was severe enough that some CETC staff “voiced significant concerns over the legality of such an intrusive collection of mass amounts of [U.S. persons] information on protestors arrested for trivial criminal infractions having little to no connection to domestic terrorism. For some, the concern was so grave that they refused to work on [operational background reports] altogether.” On July 16, CETC leadership demanded they continue, saying “requests from leadership are justification enough, don’t need specifics … if he gives tasking it’s clear/legal to do.” The report says staff were alarmed enough to contact the oversight “analytical ombudsman” and Intelligence Law Division attorneys. Even during a chaotic wave of mass protests, Homeland Security staff knew this was dangerous to civil liberties and possibly illegal. How could technologies like Cobwebs be used against protesters in the future, and what privacy protections would be in place?


* Note: The DHS report on policing protests in Portland in 2020 also references TECS (Treasury Enforcement Communications System). See our December 2019 report, “Icebreaker Pt 7 – ICE Case Management Handbook Based on Federal Law Enforcement “System of Systems” for the full Homeland Security Investigations (HSI) Case Management Handbook (2008) for agents using TECS.

Resources

  • Cobwebs / Tangles FOIA including: “Solicitation/Contract/Order for Commercial Items, Open Source Collection Operations Tool Interface Requirements Statement of Work (SOW), Eagle End User License Extension, Memorandum to the Program Office,”29 page PDF (1.2MB)

Cover image, and video by Dan Feidt for Unicorn Riot. Portland protest photos by Matthew Roth.


Follow us on X (aka Twitter), Facebook, YouTube, Vimeo, Instagram, Mastodon, Threads, BlueSky and Patreon.

Please consider a tax-deductible donation to help sustain our horizontally-organized, non-profit media organization: supportourworknew