
Court limits the FBI's power to search data from Apple and other companies; vulnerability in Cloudflare's privacy feature

27.01.2025 21:59:18
**Summary:**

- **FBI powers:** The FISAA (Foreign Intelligence Surveillance Act) allows the FBI to search data from technology giants such as Apple, Google and internet service providers. A court has, however, limited the FBI's power to use such data without prior court approval.
- **Cloudflare vulnerability:** A security researcher discovered a vulnerability in Cloudflare that could have revealed the exact location of millions of web and app users. The flaw has since been corrected.
- **Consequences for Apple:** Because Apple uses Cloudflare services, this vulnerability could have endangered the security of its users by revealing their approximate location.
- **Criticism of the FISAA:** The practice under the FISAA of obtaining data from companies without the public being informed is regarded as questionable. A court has found that such "backdoor searches" are permitted only with a court order.
- **Key point:** The FISAA allows the FBI to collect and search the data of US citizens without prior court approval.

A court has limited the FBI's power to search data obtained from technology giants like Apple and Google and from internet service providers under the FISAA (Foreign Intelligence Surveillance Act).

In addition, a privacy flaw was identified in Cloudflare, one of Apple's IT service providers, which could have exposed the approximate location of millions of web and app users before it was fixed …

Court limits FBI powers to use FISA data

One controversial surveillance power authorized in the USA is Section 702 of the Foreign Intelligence Surveillance Act.

Agencies like the NSA and FBI apply to the FISA court for authorization to obtain data from technology companies. These court proceedings are held in secret, meaning that the media and the public cannot scrutinize the decisions made. If companies like Apple are compelled by a FISA warrant to hand over user data, they are not allowed to say that they did so.

Intelligence agencies can only submit a FISA order for surveillance of foreign entities after taking measures. Once the data has been handed over, they can then search it for private information about US citizens without further authorization.

Electronic message: A court has declared this practice illegal.

The FBI could perform "backdoor searches" for information about US citizens or residents who communicated with foreigners, and did so without prior approval of a court. The DeArcy Hall court found that these searches require a court order. "If allowed otherwise, it would enable the police to collect an archive of communications under Section 702 – including those from US agencies – which can then be searched at will and without restrictions," wrote the court.

Weakness in Cloudflare's privacy

When you visit many websites or use many apps, your request is first sent to a Content Delivery Network (CDN). Cloudflare is one of the largest CDNs and handles traffic for about 19% of all websites and app servers.

Cloudflare performs two functions. Firstly, it checks requests to determine whether they come from an actual web or app user or from a bot. This allows the company to recognize and block a method attackers frequently use to take a server offline: firing so many simultaneous requests at the server that it crashes. This is known as a DDoS attack (Distributed Denial of Service).

Secondly, Cloudflare stores copies of server data in hundreds of different cities around the world. By serving data from the cache nearest to you, it can reduce traffic to the main server.

Apple is one of Cloudflare's customers and uses the company's services for iCloud Private Relay.

A security researcher has found out how to determine which CDN server processes your request and thus obtain a rough idea of your location.

The security researcher, who goes by the name Daniel, found a method to send an image to a target, collect the URL, and then query Cloudflare with a custom tool to find out which data center delivered the image, and therefore the likely state or city where the target is located.

He reported the problem to Cloudflare, which has now fixed it.
