Judge limits FBI powers to trawl data from Apple and others


A judge has limited FBI powers to trawl through data obtained from tech giants like Apple, Google, and ISPs under FISA (the Foreign Intelligence Surveillance Act).

Separately, a Cloudflare privacy flaw has been identified in one of Apple’s IT service providers, which could have exposed the rough location of millions of web and app users before it was fixed …

Judge limits FBI powers to use FISA data

One of the most controversial surveillance powers granted to US agencies is Section 702 of the Foreign Intelligence Surveillance Act (FISA).

Agencies like the NSA and FBI apply to a FISA court for permission to access data from tech companies. These court hearings are held in secret, meaning that the media and public are unable to scrutinize the decisions made. When companies like Apple are required to give access to user data under a FISA warrant, they are not permitted to say that they have done so.

Intelligence agencies can only apply for a FISA warrant for the purpose of surveilling foreign entities. However, once the data had been handed over, they could then search it for private information on US citizens without a further warrant.

Wired reports that a judge has just ruled this practice illegal.

The FBI could perform “backdoor searches” for information on US citizens or residents who communicated with foreigners, and it did so without first obtaining a warrant. Judge DeArcy Hall found that these searches do require a warrant. “To hold otherwise would effectively allow law enforcement to amass a repository of communications under Section 702—including those of US persons—that can later be searched on demand without limitation,” the judge wrote.

Cloudflare privacy flaw

When you visit many websites, or use many apps, your request is first sent to a content delivery network (CDN). Cloudflare is one of the biggest CDNs, and handles traffic for around 19% of all websites and app servers.

Cloudflare performs two functions. First, it checks requests to see whether they appear to originate from a genuine web or app user, or a bot. This allows the company to detect and block a common method for an attacker to take a server offline – hitting it with so many simultaneous requests that it crashes. This is known as a DDoS (distributed denial of service) attack.

Second, Cloudflare keeps cached copies of server data in hundreds of different cities around the world. By serving data from your nearest cache, it can reduce traffic to the main server.

Apple is one of Cloudflare’s clients, and uses the company’s services for iCloud Private Relay.

A security researcher found a way to work out which CDN server handled your request, and thus get a rough idea of your location.

The security researcher, who goes by Daniel, found a way to send an image to a target, collect the URL, then use a custom-built tool to query Cloudflare to find out which data center delivered the image—and thus the state or possibly the city the target is in.

He reported the issue to Cloudflare, which has now fixed it.
