Cobwebs Spy Software Locks Onto Protesters: Israeli Social Media Mining Contract with Homeland Security Revealed
Israeli Firm âCobwebsâ Linked to 2020 Protests, Provides Monitoring Services to Homeland Security for Tracking Dissenters
Last year, Unicorn Riot reported on a contract between the Department of Homeland Security (DHS) and Cobwebs, an Israeli tech firm that licenses web surveillance tools to law enforcement and intelligence agencies. We can now provide that contract and details about the software â sensitive technology DHS has used to spy on activists during the last several years.
In August 2020, three months after the murder of George Floyd by then-Minneapolis police officer Derek Chauvin kicked off the largest civil rights protests in the United States since the 1960s, DHS signed a contract with a representative of Cobwebs America Inc., the American arm of Cobwebs Technologies. That contract, obtained via the Freedom of Information Act (FOIA), identifies a âsoftware interface toolâ not referred to by name, but since identified in a DHS report published by U.S. Senator Ron Wyden (D-Oregon) as Tangles (PDF), a web-based intelligence tool that collects information on social media users. *
The Cobwebs Homeland Security contract, a Statement of Work (SOW), and additional documents provided as part of the FOIA request (PDF) outline a troubling multi-year collaboration between DHSâs Office of Intelligence and Analysis (I&A) and Cobwebs Technologies that could run through 2025.
This report covers the DHS-Cobwebs contract deal, but before going into the details, we take a broader look at the little-understood I&A office, and how fusion centers and counterintelligence tactics can be abused and misused to harass protesters and other members of the public using powerful tools like Cobwebs products.
Sections: Enter Intelligence & Analysis | From Potential to Abuse | Infiltrating Telegram for Homeland Security | Tangles, Infiltration & Social Engineering | Statement of Work, âBaseball Cardsâ | Deleted Accounts, Bitcoin & Geo-Tracking | Spire Capital Partners Assembles U.S. Surveillance Empire | Resources
Enter the DHS Office of Intelligence and Analysis (I&A)
Created in 2007 under the long shadow of the 9/11 attacks, I&Aâs original mission statement (PDF p.8) claimed its purpose was to facilitate better intelligence sharing between federal agencies and local law enforcement through data analysis, while also âprotecting the privacy, civil rights, and civil liberties of the people I&A serves.â
This statement reflected a growing concern among privacy advocates over the rapid expansion of Americaâs national security apparatus. DHS, itself established only five years prior, was developing a plan for the rollout of fusion centers â information-sharing hubs that would bridge divides between federal, state, and local agencies and law enforcement, private defense contractors, and the military. But as one DHS report would later observe, the publicâs concern for the potential for abuse created the perception of fusion centers as âmini-spy agencies or akin to the [Federal Bureau of Investigation]âs discreditedâand long abandonedâCOINTELPRO program.â
The notion that a federal agency might abuse the intelligence privileges authorized to it by Congress wasnât outlandish in 2007, because only three decades earlier, the Federal Bureau of Investigation (FBI) ran covert counterintelligence programs, or COINTELPRO, targeting American anarchists, communists and college students. This involved everything from the use of informants and provocateurs to infiltrate political organizations and protests to manipulating conflict between groups of rival Black militants, culminating in the 1969 shootings of Black Panther Party members Alprentice âBunchyâ Carter and John Huggins by members of a rival group called the US Organization.
DHS, like the FBI, has a domestic mandate for intelligence-gathering and analysis. I&A officers are one of the primary means for accomplishing this and are embedded in 80 DHS-affiliated fusion centers across the United States. At any given time, an I&A officer might conduct intelligence activities ranging from reviewing tips and formatting raw intelligence into actionable information for local partners, to more direct methods of surveillance like monitoring publicly accessible content on social networks.
I&A: From Potential to Abuse
In the years since its founding, I&A has delivered on fears that its existence would lead to abuse:
- Since at least 2016, I&A has overseen the Overt Human Intelligence Collection Program, a domestic-intelligence program that allows I&A officials to collect information on Americans through interviews, often through contact with prisoners and detained immigrants without legal counsel present.
- In 2018, DHS posted a job listing for âmedia monitoring services,â to be used to create a database of âjournalists, editors, correspondents, social media influencers, bloggers, etc.â At the time, it was unclear how I&A might use such a database, but DHS has since been caught compiling intelligence dossiers on journalists covering immigration and I&Aâs internal practices.
- In 2020, during the George Floyd protests, I&A officials monitored Telegram group chats of protesters in Portland, Oregon, prompting Congressional concerns about unlawful surveillance. Information taken from these conversations â including travel routes â was formatted into a DHS report that was shared with federal agents and law enforcement officials.
The DHS report referencing those Telegram group chats, identified by the Washington Post as a DHS Open Source Intelligence Report, points to the use of web surveillance tools by I&A or another party. While social networks like X (formerly Twitter) have provided law enforcement and government officials with information about their users, typically through third-party developers that collect and sell user data, these companies have been loath to discuss how their platforms are being exploited by intelligence agencies, defense contractors, and law enforcement for surveillance via the creation of fake accounts.
Unicorn Riot documented fake âsockpuppetâ accounts tied to DHS-affiliated fusion centers. In 2019 we reported on the existence of social profiles for an Angel Garcia-Lonetree that appeared to be run by Lt. Jeff Rugel, then-commander of the Strategic Information Center (SIC) â a fusion center run by the Minneapolis Police Department (MPD).
The SIC would later act as the hub for Operation Safety Net (OSN), a program aimed at unrest around former Minneapolis police officer Derek Chauvinâs murder trial. OSN was an interagency collaboration between the MPD, FBI, DHS, and numerous other state and local law enforcement groups to surveil and spy on civil rights activists in Minneapolis in the wake of the George Floyd protests. One tactic used both prior to and during OSN was the creation of fake social media accounts to surveil and harass Black activists.
Documents obtained through the Freedom of Information Act offer new insight into how agencies like DHS â and I&A in particular â are spying on activists.
Infiltrating Telegram for Homeland Security
When the DHS intelligence report was published on July 17, 2020, I&A was in the trial phase for a web surveillance tool known as Tangles, which its creator, Cobwebs Technologies, bills as a âdeep web detective.â According to a description of the technology in promotional material, Tangles uses artificial intelligence and machine learning to identify patterns across the deep, dark, and surface webs, allowing intelligence agents and law enforcement officers to monitor online communications in near-real-time.
The problem, however, comes in how this monitoring occurs. While Tangles is promoted as a tool that relies on open source intelligence, or information thatâs publicly accessible online, the Washington Post article about the Telegram group chats highlights a key concern for activists navigating online spaces.
Telegram offers groups that can be accessed by anyone on the site, but not all information on the encrypted messaging app is public. According to the Post, I&A had somehow gained access to messages sent by Portland protesters about their travel routes, from what appeared to be a private group chat. Per the Post, âItâs not clear how DHS obtained the messages and whether an informant or undercover officer had access to the Telegram group.â
A little over a month later, on August 25, 2020, Eyal Bachar, the managing director of North American operations for Cobwebs America Inc., signed off on a deal with DHS worth $587,510, with the option for DHS to renew annually for up to five years. Although the contract doesnât identify Tangles by name, a license extension issued by Cobwebs in 2021 does, confirming that the contract was for Tangles and Cobwebsâ other services.
A Statement of Work obtained as part of Unicorn Riotâs FOIA request states that Tangles would be paired with Cobwebsâ LYNX platform. On a promotional page that Cobwebs has since deleted, it described LYNX as a âglobal proxy infrastructureâ that allows users to âjoin darknet forums, hacker communities and other platforms without their cover being blown.â
In contractor parlance, a Statement of Work âprovides a description of a given project’s requirements. It defines the scope of work being provided, project deliverables, timelines, work location, and payment terms and conditions.â
Cobwebs, Tangles, and Social Engineering
Another indicator that I&A may have used Tangles to infiltrate private group chats and other closed forums is a contract Cobwebs Technologies inked with the Department of the Treasury the same month it closed on the DHS deal. On August 6, 2020, the Treasury awarded Cobwebs $181,000, on an initial agreement, for a âGold Subscription WEB Intelligence Platformâ â a euphemism echoing the âSoftware Interface Toolâ listed in the DHS contract for Tangles.
In 2023, Joseph Cox, writing for VICE Motherboard, reached out to the Treasury about the contract. The department said the subscription was for the Internal Revenue Serviceâs Criminal Investigation office, an investigative unit that handles tax fraud, narcotics trafficking, and public corruption.
A representative from IRS-CI told Cox: âIn certain circumstances, agents may operate in an undercover capacity and employ certain tools to gather evidence for a criminal case. Obviously, discussing specifics of how a special agent uses various tools in an undercover capacity is viewed as law enforcement sensitive information. In all cases, however, agency personnel must follow all legal and agency policies and procedures in the execution of their duties.â
Cobwebs has been accused of facilitating the creation of fake social media accounts. In 2021, Meta announced it had removed 200 fake accounts from its Facebook platform (PDF) associated with Cobwebs and its customers. (Describing them as âCyber Mercenaries,â the Israeli newspaper Haaretz noted at the time that âIsraelâs Spyware Industry is Getting Slammed Around the World.â)
A section of the Meta report reads: âIn addition to collecting information about their targets, the accounts used by Cobwebs customers also engaged in social engineering to join closed communities and forums and trick people into revealing personal information.â
This Cobwebs Statement of Work also includes âavatar managementâ capabilities â a term also used by Royi Burstien, CEO of another Israeli electronic intelligence firm, Percepto International, to describe how his group manages sophisticated sockpuppet accounts.
The DHS-Cobwebs Statement of Work, Reports and âBaseball Cardsâ
The material produced by Tangles to generate profiles of activists echoes COINTELPRO-era âcardsâ produced by the FBI. System requirements listed in the Statement of Work appear designed to support I&Aâs undercover work. Two of the requested tasks for Tangles provide clarification on how I&A develops targets on social media:
“2.1.14 The software interface shall have algorithms used to identify linked content of users and known or suspected associations to the target.
2.1.23 The software interface must have the capability to conduct deep target identification via keyword search with social link analysis for both direct entities and associates to generate a risk assessment indication based on customized user driven dictionaries and severity levels.“
DHS Statement of Work for Cobwebs contract
In the DHS report disclosed by U.S. Senator Ron Wyden (D-OR) in 2022, DHS stated I&A used Tangles to compile what were known as Operational Background Reports and internally as âbaseball cards.â These were threat assessments on individual protesters in Portland, Oregon, and initial drafts contained information about friends and social media followers.
The references to âassociationsâ and âassociatesâ in the SOW suggest that DHS may still be creating risk assessments of individual social media users based on their connections to other accounts, or generating new targets using this same criteria. This kind of targeting tags activists for surveillance through friends and followers rather than anything more substantive. Even with this type of intelligence gathering, DHS continues to dismiss critiques of their fusion centers as âmini-spy agenciesâ akin to the FBIâs COINTELPRO, which they mention in their 2008 report.
Both preceding and during COINTELPRO, the FBI compiled secret lists of political activists, including their Security Index, Communist Index, and Rabble Rouser Index. Information contained on âcardsâ in these indexes referenced associations with political groups and other activists as a justification for their surveillance. In some cases, as with singer and activist Paul Robeson, this also resulted in American citizens being âtabbed for DETCOM,â short for âdetain as communist.â In the event of a national emergency, individuals tabbed for DETCOM would have been arrested and placed in internment camps without due process.
Cobwebs, Deleted Accounts, Bitcoin and Geo-Tracking
This leads to an obvious question: does privacy exist online? Many privacy advocates now argue for deleting your social media accounts altogether, but DHS is prepared for this as well.
Two other tasks listed in the SOW between DHS and Cobwebs:
“2.1.13 The software interface shall enable locating web connections of deleted material, to include associations of users not visible directly on accounts. â¨
2.1.17 The software interface shall capture the metadata from deleted or suspended accounts.“
DHS Statement of Work for Cobwebs contract
The SOW offers other indicators that DHS has developed complex profiles of social media users, using workarounds to anonymity and privacy measures. In the same list of tasks, DHS asks for the ability to link social media users to Bitcoin and other cryptocurrency transactions:
“2.1.26 The software interface must have the capability to conduct block chain analysis for Bitcoin wallet address transactional direction and amounts.“
DHS Statement of Work for Cobwebs contract
All of this information taken together (both deleted and still online), can then be used to locate social media users based on integration of location-tracking technology:
“2.1.18 The software interface shall have a built-in geolocation feature without additional cost for use of the feature. […]
2.1.25 The software interface must have fully integrated deep analysis capabilities on accounts, posts, hashtags, locations and generate automatically entities and perform SNA [social network analysis] for topic, persons, transactions and visualize present relevant data over map for location data.“
DHS Statement of Work for Cobwebs contract
The final set of features involving geolocation and mapping functions suggest that Cobwebsâ WebLoc platform may have been included in the deal. WebLoc is a geospatial and signals intelligence tool that uses commercial data purchased from brokers to identify unique mobile advertising IDs assigned to smartphones and mobile devices. This information can be used to track a personâs movements. Unregulated data brokers are an ongoing intrusion on privacy that enable law enforcement to evade civil liberties protections like warrants, according to the Brennan Center for Justice.
The ability to connect social media accounts to real people and their physical locations has made Tangles and WebLoc increasingly popular among federal and state agencies. In 2021, the West Virginia Fusion Center purchased an image and face processing module from Cobwebs in conjunction with a subscription to Tangles and WebLoc, and the Texas Department of Public Safety subscribed to both services for border surveillance.
Similarly, journalist Joey Scott, writing for the Los Angeles-based progressive news site Knock LA, discovered that the Los Angeles Police Department purchased a subscription to Tangles and WebLoc in 2022. As part of a presentation to the LAPD, Cobwebs provided a case study demonstrating how its tools were integrated by law enforcement in Europe to develop profiles of soccer fans attending a game and predict who in the crowd was âmost likely to cause trouble.â Using only keywords and hashtags, officers were able to identify specific individuals and obtain photographs so that they could be tracked on the ground, in real-time.
Spire Capital Partners: Assembling a US Surveillance Empire
When the contract was signed by DHS in 2020, Cobwebs Technologies was still its own company. But in 2023, as noted in Unicorn Riotâs earlier investigation into Tangles, Spire Capital Partners, a New York-based equity firm, bought Cobwebs, bringing all of its services â including Tangles, LYNX, WebLoc, and another called Trapdoor â into its growing surveillance empire.
The year prior, Spire purchased a controlling share in surveillance communications firm PenLink, best-known for its cell-phone-tracking PLX software, and bought location-tracking software GeoTime outright. Cobwebs is now a part of PenLink, and some Cobwebs employees have been moved over to the latter company under the same or similar job titles. Based on his LinkedIn profile, Eyal Bachar, the Cobwebs representative who signed the DHS contract on behalf of the company, maintained his position under PenLink and works as its managing director.
Given that Cobwebsâ services may have been used to create fake social media profiles (as Meta reported [PDF]) to access activistsâ private communications, which are protected by the Fourth Amendment, does this mean PenLink might be assisting I&A in similar investigations as part of Cobwebsâ contract?
The initial terms of the contact state that it would run through 2021 and provide for the ability to extend until 2025. An attachment provided with the contract, identified as an âend user license (extension),â states that âoption period 1â for Tangles was exercised through August 2022 for 30 users. A subsequent memo from Cobwebs to I&A requested the agency notify it in writing if it would like to extend the contract again. No additional attachments were included with the FOIA request, making it unclear if I&A is still using Cobwebsâ services â overtly or covertly â to monitor the social media accounts of activists.
During the 2020 protests in Portland, when Homeland Security staff at the DHS I&A Current and Emerging Threat Center (CETC) used Tangles to build profiles from social media surveillance, the erosion of privacy rights was severe enough that some CETC staff âvoiced significant concerns over the legality of such an intrusive collection of mass amounts of [U.S. persons] information on protestors arrested for trivial criminal infractions having little to no connection to domestic terrorism. For some, the concern was so grave that they refused to work on [operational background reports] altogether.â On July 16, CETC leadership demanded they continue, saying ârequests from leadership are justification enough, donât need specifics ⌠if he gives tasking itâs clear/legal to do.â The report says staff were alarmed enough to contact the oversight âanalytical ombudsmanâ and Intelligence Law Division attorneys. Even during a chaotic wave of mass protests, Homeland Security staff knew this was dangerous to civil liberties and possibly illegal. How could technologies like Cobwebs be used against protesters in the future, and what privacy protections would be in place?
* Note: The DHS report on policing protests in Portland in 2020 also references TECS (Treasury Enforcement Communications System). See our December 2019 report, âIcebreaker Pt 7 â ICE Case Management Handbook Based on Federal Law Enforcement âSystem of Systemsâ for the full Homeland Security Investigations (HSI) Case Management Handbook (2008) for agents using TECS.
Resources
- Cobwebs / Tangles FOIA including: âSolicitation/Contract/Order for Commercial Items, Open Source Collection Operations Tool Interface Requirements Statement of Work (SOW), Eagle End User License Extension, Memorandum to the Program Office,â – 29 page PDF (1.2MB)
Cover image, and video by Dan Feidt for Unicorn Riot. Portland protest photos by Matthew Roth.
Follow us on X (aka Twitter), Facebook, YouTube, Vimeo, Instagram, Mastodon, Threads, BlueSky and Patreon.
Please consider a tax-deductible donation to help sustain our horizontally-organized, non-profit media organization:
