Limiting the FBI's Power to Search Data from Apple and Others; Cloudflare's Privacy Vulnerability

A judge has limited the FBI's ability to search data obtained from major technology companies (Apple, Google, ISPs, etc.) under the Foreign Intelligence Surveillance Act (FISA).
It was discovered that a privacy vulnerability at Cloudflare, Apple's IT service provider, could have exposed millions of web and app users until it was fixed.
Limits on the FBI's Power to Use FISA Data
One of the most controversial and debated surveillance powers given to American institutions is Section 702 of the Foreign Intelligence Surveillance Act (FISA).
The NSA and FBI apply to the FISA Court for permission to access data from technology companies. Proceedings in this court are confidential, so media and ordinary citizens cannot criticize the decisions. When a company like Apple is asked for user data based on a FISA warrant, it cannot deny what it has done.
International organizations can apply for FISA letters to monitor foreign organizations. However, after the data is provided, they can search for additional information about US citizens' private data without further letters.
As reported by the media, this practice was considered illegal by a judge.
The FBI could obtain information about communications between American citizens and residents and foreigners through "backdoor searches" on FISA warrants. It was performing these searches without first obtaining preservation orders. The Court of Appeals for the District of Columbia determined that these searches require preservation orders. "In such cases, it would enable law enforcement agencies to accumulate communication repositories under Section 702 without any restrictions, which is not appropriate," wrote the court.
Cloudflare's Privacy Vulnerability
When you visit or use many websites and apps, your request first goes to a content delivery network (CDN). Cloudflare is one of the largest CDNs, handling traffic for about 19% of websites and app servers.
Cloudflare performs two functions. First, it verifies whether the request is from an actual web or app user, or a bot. This allows the company to detect and block common methods attackers use to take down servers, such as crashing them with multiple simultaneous requests. This is known as a DDoS (Distributed Denial of Service) attack.
Secondly, Cloudflare caches server data in hundreds of cities around the world. By providing data from the closest cache, it can reduce traffic to the main server.
Apple is one of Cloudflare's clients and uses its service, which includes iCloud Private Relay.
A security researcher discovered that they could determine which CDN server processed your request and gain an approximate understanding of your location based on the result.
The security researcher known as Daniel sent a target image, collected URLs, and then used his own tools to query Cloudflare to confirm which data center provided the image (meaning, which state or possibly city the target is in).
He reported the issue to Cloudflare, and it has since been resolved.
Photo: FBI