> I would like more information on what information exactly zood receives and stores.
When you sign up, the Zood Location server receives
* the username you picked
* (optionally, if you provided it) your email address
The server also stores a backup of various pieces of data for you, but this data is encrypted on your phone before being backed up to the server. It's exactly like how a password manager backs up your passwords to the cloud so you can access them from any machine. THIS DATA IS ALL ENCRYPTED ON YOUR PHONE with a key DERIVED FROM YOUR PASSWORD before the blobs are sent to the server.
The encrypted data includes:
* your symmetric key
* your asymmetric key
* your password salt
* the algorithm used for your password derived key (currently, argon2id)
* your friends list and their public keys (for TOFU reasons)
Again, all that data is encrypted in the app on your phone before it ever leaves your device. This is no different than using a password manager.
> Does zood know who is sharing with whom?
The most information that the server can ever see is that some user sent some communication to a particular user. The contents of the message are unknown. Location sharing actually happens through "drop boxes" to make it more difficult for the server to see when and how often users send communications. When a friendship is established, the friends agree upon drop box addresses to use for each other, and they simply place encrypted data in the drop box for the other user to check whenever it wants.
In theory, I could perform metadata analysis to try to statistically determine friendships, but I still wouldn't know anybody's location. The server code is available, and not terribly complicated so it's easy to verify that no analysis is happening there [1].
> Is the data usage to username logged?
For debugging purposes, I can have the server log to stdout when a user makes a REST call to drop an encrypted blob on the server, or when a REST call is made to send an encrypted blob to another user, but that's off in production. It was there to help me build the thing.
In general, thwarting metadata analysis by the person running the service is tough. I look to what the Signal messenger folks are doing in this space to improve things.
> Is the amount of data sent to zood increase as a function of 1. How many people you are sharing your location with
If you have more friends, your phone will send more encrypted blobs to different drop boxes on the server. The reason is that though you only physically exist in one point of space at a time, because communication with each friend is end-to-end encrypted, your phone will encrypt the location info payload for each friend with their own public key. So if you have 5 friends, every time your location changes, your phone will encrypt the payload 5 different times and place it in five different drop boxes on the server.
> 2. If you are traveling quickly
That's based on your phone's operating system and version. Google and Apple are always tweaking how often location updates are reported to apps. But if a location update comes in, Zood will encrypt it and upload it.
> 3. If you are on battery saver or not?
I don't really use battery saver, but I think location services is disabled when your phone is in that state, so Zood wouldn't get any location updates at all. I could be wrong about that.
> I would like more information on what information exactly zood receives and stores.
When you sign up, the Zood Location server receives
* the username you picked
* (optionally, if you provided it) your email address
The server also stores a backup of various pieces of data for you, but this data is encrypted on your phone before being backed up to the server. It's exactly like how a password manager backs up your passwords to the cloud so you can access them from any machine. THIS DATA IS ALL ENCRYPTED ON YOUR PHONE with a key DERIVED FROM YOUR PASSWORD before the blobs are sent to the server.
The encrypted data includes:
* your symmetric key
* your asymmetric key
* your password salt
* the algorithm used for your password derived key (currently, argon2id)
* your friends list and their public keys (for TOFU reasons)
Again, all that data is encrypted in the app on your phone before it ever leaves your device. This is no different than using a password manager.
> Does zood know who is sharing with whom?
The most information that the server can ever see is that some user sent some communication to a particular user. The contents of the message are unknown. Location sharing actually happens through "drop boxes" to make it more difficult for the server to see when and how often users send communications. When a friendship is established, the friends agree upon drop box addresses to use for each other, and they simply place encrypted data in the drop box for the other user to check whenever it wants.
In theory, I could perform metadata analysis to try to statistically determine friendships, but I still wouldn't know anybody's location. The server code is available, and not terribly complicated so it's easy to verify that no analysis is happening there [1].
> Is the data usage to username logged?
For debugging purposes, I can have the server log to stdout when a user makes a REST call to drop an encrypted blob on the server, or when a REST call is made to send an encrypted blob to another user, but that's off in production. It was there to help me build the thing.
In general, thwarting metadata analysis by the person running the service is tough. I look to what the Signal messenger folks are doing in this space to improve things.
> Is the amount of data sent to zood increase as a function of 1. How many people you are sharing your location with
If you have more friends, your phone will send more encrypted blobs to different drop boxes on the server. The reason is that though you only physically exist in one point of space at a time, because communication with each friend is end-to-end encrypted, your phone will encrypt the location info payload for each friend with their own public key. So if you have 5 friends, every time your location changes, your phone will encrypt the payload 5 different times and place it in five different drop boxes on the server.
> 2. If you are traveling quickly
That's based on your phone's operating system and version. Google and Apple are always tweaking how often location updates are reported to apps. But if a location update comes in, Zood will encrypt it and upload it.
> 3. If you are on battery saver or not?
I don't really use battery saver, but I think location services is disabled when your phone is in that state, so Zood wouldn't get any location updates at all. I could be wrong about that.
[1] https://github.com/zood/oscar