FMD Server

Privacy Notice

What data is stored when visiting the website?

To establish a connection, your IP address is transmitted, but it is not saved. While you use the website, the private key and the user id are kept temporarily in your browser and are removed when you leave the page.

What data is stored on the server?

The server stores the plaintext random user id and your password hash. It also stores all encrypted data uploaded by your phone: location, date, any pictures, battery level, the public key, and the encrypted private key.

Is my data transferred/sold/etc?

Your data is only used to provide the functionality of finding your device. It is not given to other parties.

Is my data encrypted?

Yes, all data except the user id is encrypted. But you need to keep your password safe!

How exactly does the encryption work?

Your device creates an RSA-3072 keypair during registration. The private key is encrypted symmetrically with AES-GCM-256, using the Argon2 hash of your password as the key. Then the public key and the encrypted private key are uploaded to the server.
Every time your device sends data, it encrypts the data with the public key and uploads the encrypted data to the server.
When you access the web page and enter your user id and password, the web page derives a different Argon2 hash from your password and sends it to the server. This proves to the server that you know the password without actually sending it to the server. The web page then downloads the keypair from the server and decrypts the RSA private key. It can then download any other data, such as the location, and locally decrypt it in your browser.
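
The flow described above, as an added Node.js example that is not FMD's own code: it shows why the login hash has to differ from the key-wrapping hash, since the server holds the former and must not be able to unwrap the private key with it. Assumptions: scrypt stands in for Argon2 (Node's built-in crypto module has no Argon2), the two hashes are separated by distinct salts, RSA uses OAEP padding, and all function and field names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Assumption: scrypt stands in for Argon2 so this runs on built-in crypto alone.
// Distinct salts are one assumed way to get the two "different" hashes.
function derive(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Device, at registration: create the keypair, wrap the private key under the password.
function register(password) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 3072,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const [wrapSalt, authSalt] = [crypto.randomBytes(16), crypto.randomBytes(16)];
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', derive(password, wrapSalt), iv);
  const wrapped = Buffer.concat([c.update(privateKey), c.final()]);
  // Everything returned here is what the server ends up storing.
  return { publicKey, wrapped, iv, tag: c.getAuthTag(), wrapSalt, authSalt,
           loginHash: derive(password, authSalt) };
}

// Device, later: encrypt a short report using only the public key.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' }; // assumed
function deviceUpload(record, text) {
  return crypto.publicEncrypt({ key: record.publicKey, ...OAEP }, Buffer.from(text));
}

// Browser: send the login hash (the server compares it), then unwrap the key
// and decrypt locally. Both sides are folded into one function for brevity.
function browserRead(record, password, ciphertext) {
  if (!crypto.timingSafeEqual(derive(password, record.authSalt), record.loginHash))
    throw new Error('login rejected');
  const d = crypto.createDecipheriv('aes-256-gcm', derive(password, record.wrapSalt), record.iv);
  d.setAuthTag(record.tag);
  const pem = Buffer.concat([d.update(record.wrapped), d.final()]).toString();
  return crypto.privateDecrypt({ key: pem, ...OAEP }, ciphertext).toString();
}

// Check of the design property: the stored login hash is not the wrapping key.
function serverCanUnwrap(record) {
  const d = crypto.createDecipheriv('aes-256-gcm', record.loginHash, record.iv);
  d.setAuthTag(record.tag);
  try { d.update(record.wrapped); d.final(); return true; } catch { return false; }
}
```

RSA-OAEP with a 3072-bit key only fits a few hundred bytes, so the sample report is kept short; how FMD handles larger payloads such as pictures is not described on this page.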

Who has access to the data?

Only the server operator has access to the database. But all important data is encrypted anyway.

How can I delete my data from the server?

Log in with the FMD app and click "Delete data".