Judge limits FBI powers to trawl data from Apple and others; Cloudflare privacy flaw
9to5mac.com
A judge has limited FBI powers to trawl through data obtained from tech giants like Apple, Google, and ISPs under FISA (the Foreign Intelligence Surveillance Act).

Separately, a Cloudflare privacy flaw has been identified in one of Apple's IT service providers, which could have exposed the rough location of millions of web and app users before it was fixed.

Judge limits FBI powers to use FISA data

One of the most controversial surveillance powers granted to US agencies is Section 702 of the Foreign Intelligence Surveillance Act (FISA).

Agencies like the NSA and FBI apply to a FISA court for permission to access data from tech companies. These court hearings are held in secret, meaning that the media and public are unable to scrutinize the decisions made. When companies like Apple are required to give access to user data under a FISA warrant, they are not permitted to say that they have done so.

Intelligence agencies can only apply for a FISA warrant for the purpose of surveilling foreign entities. However, once the data had been handed over, they could then search it for private information on US citizens without a further warrant.

Wired reports that a judge has just ruled this practice illegal.

The FBI could perform backdoor searches for information on US citizens or residents who communicated with foreigners, and it did so without first obtaining a warrant. Judge DeArcy Hall found that these searches do require a warrant. "To hold otherwise would effectively allow law enforcement to amass a repository of communications under Section 702, including those of US persons, that can later be searched on demand without limitation," the judge wrote.

Cloudflare privacy flaw

When you visit many websites, or use many apps, your request is first sent to a content delivery network (CDN). Cloudflare is one of the biggest CDNs, and handles traffic for around 19% of all websites and app servers.

Cloudflare performs two functions.

First, it checks requests to see whether they appear to originate from a genuine web or app user, or a bot. This allows the company to detect and block a common method for an attacker to take a server offline: hitting it with so many simultaneous requests that it crashes. This is known as a DDoS (distributed denial of service) attack.

Second, Cloudflare keeps cached copies of server data in hundreds of different cities around the world. By serving data from your nearest cache, it can reduce traffic to the main server.

Apple is one of Cloudflare's clients, and uses the company's services for iCloud Private Relay.

A security researcher found a way to work out which CDN server handled your request, and thus get a rough idea of your location.

The security researcher, who goes by Daniel, found a way to send an image to a target, collect the URL, then use a custom-built tool to query Cloudflare to find out which data center delivered the image, and thus the state or possibly the city the target is in.

He reported the issue to Cloudflare, which has now fixed it.