Not sure why you’ve chosen to be indignant about this particular implementation.
We are talking about a tracking App. Most selfhosted projects do not store such private data. You may can mage the argument for immich but only for ppl who take a picture every 5 min.
If the target server is compromised or taken by LEA the data is gone.
Laying the responsibility into the hands of the user is not ok for such an data aggregating service. Such highly critical, private and intime data should be protected and secure by default.
Not even transport encryption is enforced in the project. At first glance, http is allowed on local connections?!? Generate a self signed SSL cert on start and pin it in the app. Easy.
It is no excuse that other services do not follow these state of the art protection measures.
I absolutely agree with you. Such private data should be End-To-End-Encrypted.
German: netcup.eu
Not every order providers recieve is rightfull or legal or even fullfill the requirements of the law, or the legal forms are just not filled out correctly by the officer or department.
Fighting does not really mean, go to court, that would only really make sense for precedence, but more like “only do as much as you are required by law” and maybe “delay everything as much as you are allowed by law”.
Any legal hoster will have to give up the data to local LEA, eventually. I would rather go for a hoster that has proven to use encryption and is legally fighting any order they receive.
Sorry, but you have posted only 1 sentence about the project and not even a link to the project.
Additional with the
scripts—basically “em dash” which is really popular among llm generated texts, i get a bad feeling about it.
In security and development there is a statement, called “secure by default”. That means the default settings are secure. This would encapsulate something like enforced Transport encryption.
Does this mean that the config can not be changed to fit the thread model? No.