Frequently asked questions

What are share types (aka, data types)?

Share types (also referred to as data types) describe which type of data is being referenced. There are currently two different share types on HYFM.

  1. Data is your private data, meaning your encrypted data, which includes your service passwords, private instructions, recovery codes, etc.
  2. Update data is your update posts. This can be location updates, trip details (including hotel and flight information), images, etc.

When sharing your data with another HYFM user you can choose if you want to allow them access to your private data, your update data, or both.

Rules for private data access

When sharing your private data with another user you will be able to set rules which describe their access to your data.

  1. You specifically have to allow them access to your private data.
  2. You specify a wait period they must follow before they are granted access to your private data (see "What is the wait period?" below).

This allows you full control over who can access your private data and the rules that are enforced before they get access to it.

What is the wait period?

You specify the wait period a user must follow before they're given access to your private data. This can be immediate - as in, they're given immediate access to your data - or can be up to 7 days.

This means if another user requests access to your private data, you have within the wait period configured for that user share to either approve or deny their request. If you do not approve or deny within the wait period, then they are automatically granted access to the private data once the wait period expires.

Why have a wait period at all?

The idea is that you can control who has access to your data and what rules they must follow to get that access.

This allows you to specify rules for different people. For example:

  1. Your spouse/partner can have immediate access (essentially no wait period).
  2. Your children can have a 24 hour wait period.
  3. Your parents can have a 36 hour wait period.
  4. Your best friend can have a 4 day wait period.
  5. Your co-worker can have a 7 day wait period.

Since you are sharing potentially extremely private data (e.g., bank accounts), you should be able to specify with whom, and how, you want to share it.

Accessing private data

When a user you've shared your private data with requests access to it, they go through the following process:

  1. Go to their data requests page.
  2. Submit a new data request for your private data.
  3. You will be notified by email and/or Telegram (depending on your settings) that a new data request has arrived.
  4. You will have the user share's configured wait period to respond to the data request. You can either approve or deny it.
  5. If you do not respond within the configured wait period then the request is automatically approved and both you and the user requesting the data will be notified of the approval.
  6. The requesting user can then return to their data requests page and click "Read Data" from the request for your data.
  7. At any time you can log in and disable their request, which will immediately disable their access to your private data.

It's important to note that any approved data request (either manually approved by you or automatically approved by the system) will remain approved until you manually disable it.

Ready to dive in? Start your free trial today.

Pausing private data access

You may pause all requests for your private data any time you wish. You can even specify a date that they should be allowed to resume.

For example, say you're going on a hike that will be for many days. You know you will be without internet or cell phone data so you want to pause any data requests during that window.

You simply do the following:

  1. Go to your user preferences.
  2. Check the "Pause data requests" option.
  3. Optionally, you can set the "Pause Until" field. Once this date comes, if you haven't un-paused manually yet, then the system will automatically un-pause your account and allow data requests to resume.

Why allow pausing of private data requests?

This is another tool to help protect your private data from bad actors. For instance, say you're going on the multi-day hike referenced above. You're also going through a painful divorce and your spouse knows there is a two day wait period for them to access your private data.

The ability to pause ensures that a vindictive spouse (in this example) can't take advantage of the fact that you will be disconnected from the world and thus unable to respond to the data request. If you don't respond within the two day wait period, they will automatically be granted access to your private data.

This is just an example but there are many scenarios where you would want to pause data requests.

What are User Shares?

User Shares are the number of users that you can share your data with. By "data" we mean either your private data or update data (or both). Think of it as how many individual users you can share your data with.

You should always be proactive with managing your user share list. Once you no longer fully trust someone that you have shared with, you should consider removing their user share or at least altering their wait period to a longer period.

Why are there limits on Friend Shares?

Normal accounts are limited to 7 Friend Shares. We feel this is a good number to share data with the most important people in your life.

The goal of HYFM is to allow you to share personal, and in some cases private, data with trusted people. We do not want this to be used as a small private social networking site.

Our mission is to provide families, friends, and confidants access to helpful information for the people they care about the most in case of emergency situations.

If you genuinely need more than 7 user shares please contact us at hello@helpyoufind.me and we'll add a few extra shares for you.

Do users I share with need a paid HelpYouFind.Me account?

No, people you share your data with do not need a paid account. However, they do need an account to be able to access your data. When you share with someone and they are not currently registered with the system, we will send them an invite to register an account. They will then have what is known as a "Read Only" account, where they can only read data shared with them. They will not be able to post any updates or enter their own private data, etc. Of course if they want to use all the features they always have the option of upgrading their account to a paid account.

What are sub-accounts?

A family account is a special account that can pay for the entire family. A family account consists of 5 accounts in total; one main account holder and four sub-accounts.

This means that the main family account holder can invite four additional accounts to be under the same family account. These four accounts are considered sub-accounts.

Sub-accounts are paid for by the main family account and have all the same features and limits that the main account does.

Are sub-accounts private from the main account?

Yes! Every HYFM account is completely private. A main account does not get default access to a sub-account's private data. In fact, the sub-account must specifically share their data with the main account just the same as any other user in the system.

Why would a family account not get access to sub-accounts' data?

Every user has the right to privacy, no matter who's actually paying for their account. This is a hard rule for HYFM and one we will never break.

Even if we wanted to add default access to private data it would be impossible for us to do so. This is because of how HYFM is built. We, ourselves, never have access to the private data of any user so it's a technical impossibility for us to provide others access to it.

Why is billing annual instead of monthly?

We are a small company and are charging very little for our service.

As such, we try to offer as much convenience as possible to our users. We feel that paying such a low fee on a monthly basis is a bit counterproductive.

It also helps us save money. Each credit card charge costs us a fee. Not just the percentage that our merchant takes, but also a per charge fee. So we technically are paying just one charge fee per year versus twelve.

Lastly, since we are a small company, it helps us plan for the future a lot easier on a yearly basis versus monthly.

Is it secure?

Yes, we feel that it is very secure. All your private data is encrypted with your very own unique private keys. We never have access to your encryption key password and therefore we never have access to your data.

Any shared data is decrypted, after YOU enter your password, and re-encrypted for the recipient using their public encryption keys. This is the same scheme used for decades by software like PGP. This method is very secure and has been battle tested for more than 20 years.

Thus, in the event we ever suffer a data breach, no one will be able to access your encrypted data.

How does it work?

This is a fairly complex topic but we will try to explain it as plainly as possible.

The encryption scheme is based on private keys and public keys, which together are known as key pairs. Each HYFM user will have both keys created when they create their account. A password will be required to generate these keys.

Data is then encrypted using the public key of the recipient of this data. The recipient can then only decrypt it using their private key, and their private key cannot be obtained without knowing their key password.

So let's say Mary wants to share private data with Joe. Mary will encrypt her private data using Joe's public key and send Joe the result. Joe will then take that encrypted data and decrypt it using his private key to get access to the private data that Mary had sent.

This video also gives a pretty decent understanding.

https://www.youtube.com/watch?v=GSIDS_lvRv4

The power of HYFM is that you store your private data, totally encrypted with YOUR KEYS (so we never have access to it!), and when you want to share your data with someone else, you use your password to decrypt your private data, make a copy of it, encrypt it using the recipient's public key, and send the encrypted data to them.

All of this is managed automatically within the HYFM infrastructure and only requires user interaction or input when you need to provide your encryption keys password.

How is encryption handled in my web browser?

Again this is very technical but we will point you to the documentation and provide a generalized explanation.

Essentially all modern web browsers for both your computer and your smart phone support something called the "WebCrypto API" and have supported this cryptographic interface for years now.

What this means is that while you're editing or updating your private data, it lives within your web browser on your computer. When you're ready to save it, our JavaScript code (this is code that runs inside your web browser) will use the WebCrypto API to encrypt the data within your web browser.

Only once it's encrypted will it be submitted to the HYFM servers. The process is the same, just reversed, for decrypting (aka, reading) private data - whether your own or data that has been shared with you. We simply deliver the encrypted data, your web browser then decrypts it, and our JavaScript code constructs the screen to display the information to you.

For more technical details you can see the WebCrypto API documentation here:

https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API
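The flow described in "How does it work?" and in this answer can be sketched with the WebCrypto API as follows. This is an added example, not HYFM's own code: the function names, the PBKDF2 and RSA parameters, the hybrid RSA-OAEP plus AES-GCM layout, the assumption that your own copy is encrypted to your own public key, and the sample passwords and data are all assumptions made for illustration.

```javascript
// Added example, not HYFM's code: names, parameters and sample values are assumptions.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // browser or Node
const subtle = wc.subtle;
const enc = new TextEncoder(), dec = new TextDecoder();

// Derive a wrapping key from the encryption password (PBKDF2 settings are assumptions).
async function passwordKey(password, salt) {
  const base = await subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey({ name: 'PBKDF2', salt, iterations: 600000, hash: 'SHA-256' },
    base, { name: 'AES-GCM', length: 256 }, false, ['wrapKey', 'unwrapKey']);
}

// Account creation: generate the key pair, then encrypt the private key under the password.
async function createAccount(password) {
  const pair = await subtle.generateKey({ name: 'RSA-OAEP', modulusLength: 2048,
    publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' }, true, ['encrypt', 'decrypt']);
  const salt = wc.getRandomValues(new Uint8Array(16)), iv = wc.getRandomValues(new Uint8Array(12));
  const wrappedPrivateKey = await subtle.wrapKey('pkcs8', pair.privateKey,
    await passwordKey(password, salt), { name: 'AES-GCM', iv });
  return { publicKey: pair.publicKey, wrappedPrivateKey, salt, iv }; // the password is never included
}

// Recover the private key; a wrong password fails the AES-GCM tag check and rejects.
async function unlock(account, password) {
  return subtle.unwrapKey('pkcs8', account.wrappedPrivateKey,
    await passwordKey(password, account.salt), { name: 'AES-GCM', iv: account.iv },
    { name: 'RSA-OAEP', hash: 'SHA-256' }, false, ['decrypt']);
}

// Hybrid encryption: a fresh AES key protects the data, RSA-OAEP protects that AES key.
async function encryptFor(publicKey, text) {
  const dataKey = await subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ciphertext = await subtle.encrypt({ name: 'AES-GCM', iv }, dataKey, enc.encode(text));
  const rawKey = await subtle.exportKey('raw', dataKey);
  return { iv, ciphertext, wrappedKey: await subtle.encrypt({ name: 'RSA-OAEP' }, publicKey, rawKey) };
}
async function decryptWith(privateKey, box) {
  const rawKey = await subtle.decrypt({ name: 'RSA-OAEP' }, privateKey, box.wrappedKey);
  const dataKey = await subtle.importKey('raw', rawKey, 'AES-GCM', false, ['decrypt']);
  return dec.decode(await subtle.decrypt({ name: 'AES-GCM', iv: box.iv }, dataKey, box.ciphertext));
}

// Mary shares with Joe: decrypt her own copy locally, re-encrypt it to Joe's public key.
async function demo() {
  const mary = await createAccount('mary-key-password'); // constructed sample values
  const joe = await createAccount('joe-key-password');
  const stored = await encryptFor(mary.publicKey, 'recovery code: 1234-5678');
  const plain = await decryptWith(await unlock(mary, 'mary-key-password'), stored);
  const forJoe = await encryptFor(joe.publicKey, plain);
  const joeReads = await decryptWith(await unlock(joe, 'joe-key-password'), forJoe);
  const wrongPasswordRejected = await unlock(joe, 'guess').then(() => false, () => true);
  return { joeReads, wrongPasswordRejected };
}
```

Calling `demo()` resolves to Joe's decrypted copy plus a flag confirming that unwrapping his private key with the wrong password is rejected. Only public keys, wrapped private keys, salts, IVs and ciphertext would ever need to leave the browser.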

Why can't my encryption password be the same as my account password?

Your encryption keys password must be different from your HelpYouFind.me (HYFM) account password. This is deliberate, so that a leak of your account password does not also give access to your private data.

Since we're submitting our passwords, can't you read our data?

Your encryption key passwords are never submitted to our servers. All encryption/decryption of private data is done within your own web browser.

Our systems will only ever receive your encrypted data, which is impossible for us to read.

Our company, Netlandish, has been in business since 2008 and has been trusted by companies such as HBO, Sony, National Geographic Channel, National Association of Realtors, Scripps Research Institute, IDS Real Estate Group, and many others with highly sensitive data and we have always respected and guarded said data.

Again, we do not have access to your private data and it is impossible for us to get access to it.

Why can't you recover my encryption password?

Because you will never submit your encryption password to our servers, we would never be able to recover it. And because your private key is itself encrypted and protected by your encryption password, if you lose your encryption password it will be impossible for us to recover your private data.

Please, please, please keep your encryption password stored safely.

Why can't you change my encryption password?

Your encryption private key (which is needed to decrypt your private data) is itself encrypted and protected by your encryption password. It is impossible for us to change the password because it would involve first decrypting your private key and re-encrypting it with a new password. Since we will never have access to your encryption password we cannot decrypt your private key.

Please, please, please keep your encryption password stored safely.

Why then, can you change my HYFM account password?

Your account password (remember, this is different than your encryption password) is stored encrypted on our systems and we can't recover that. We can only change it. We can change it because we can set a new password for your account in our database. Again, this does not give us access to your encryption passwords or private data.

Account management on HYFM is handled the same way as the majority of other secure websites. Similar to your banks, credit cards, Netflix, health provider, and other services you rely on every day. That is, when you set, or update, your account password, we encrypt that password and store it in the database.

Later when checking if a password is valid, we encrypt the given password and check the encrypted result against the value in our database. If they're a match, then the password is correct.

Two Factor authentication (2FA)

Two factor authentication is an extra security method to protect your account. Once set up, after entering your account password to log in to HYFM, you will be asked for a code. This code can be fetched from your cell phone and changes every 30 seconds. It's an excellent way to provide additional security for your HYFM account.

You can, and should, secure your account with two factor authentication. It's very easy to do in HYFM. Read how here:

https://helpyoufind.me/help/two-step-verification/

What is your "Warrant Canary"?

Yes, we have a warrant canary. See it on the warrant canary page.

A warrant canary is a cryptographically signed document stating that we have not received any warrants or orders from any form of law enforcement or other government agencies. The document is renewed every 3 months. Should a renewal date pass without an updated warrant canary then you should assume that some form of law enforcement has legally taken action to attempt to access users' private data.

Should the warrant canary expire you should assume that the HYFM software has been altered and not use the service until we have posted an update with a new signed canary statement.

What is this "signature.asc" attachment on emails from HYFM?

Every email from our service is cryptographically signed so you can verify that the email actually comes from the HYFM service. The "signature.asc" file is the cryptographic signature for the given email. Essentially it's impossible to spoof this signature. Someone would have to somehow gain access to our private signing key and its password to be able to successfully sign an email as coming from HYFM.

How do I know I can trust emails that claim to be from HYFM?

Before you click any link in the email, be sure to verify that the link starts with "https://helpyoufind.me/". We will never include any links to outside websites in our service emails. If the link does not start with that, please do not click it. Also forward the email to us for inspection. You can forward those messages to hello@helpyoufind.me.
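The link check above can be automated by comparing each link's parsed origin rather than its visible text. This is an added example, not HYFM code: the function name, the `/requests/` path and the sample email body are constructed for illustration, and `example.net` stands in for any outside site.

```javascript
// Added example, not HYFM code. The sample email HTML below is constructed.
const TRUSTED_ORIGIN = 'https://helpyoufind.me';

// Return one record per <a> tag, judged by where the href really points.
function auditLinks(html) {
  const results = [];
  const anchor = /<a\b[^>]*\bhref\s*=\s*["']([^"']*)["'][^>]*>([\s\S]*?)<\/a>/gi;
  for (const [, href, inner] of html.matchAll(anchor)) {
    let origin = null;
    try { origin = new URL(href).origin; } catch { /* relative or malformed: untrusted */ }
    const text = inner.replace(/<[^>]+>/g, '').trim();
    results.push({
      href,
      trusted: origin === TRUSTED_ORIGIN,
      // The visible text names the service but the real target is elsewhere.
      misleadingText: origin !== TRUSTED_ORIGIN && /helpyoufind\.me/i.test(text),
    });
  }
  return results;
}

const SAMPLE_EMAIL = `
<p>A new data request has arrived.</p>
<a href="https://helpyoufind.me/requests/">Review the request</a>
<a href="http://helpyoufind.me/requests/">Review the request</a>
<a href="https://helpyoufind.me.example.net/requests/">https://helpyoufind.me/requests/</a>
<a href="https://helpyoufind.me@example.net/requests/">Review the request</a>
`;

for (const r of auditLinks(SAMPLE_EMAIL)) {
  console.log(r.trusted ? 'OK  ' : 'FLAG', r.href, r.misleadingText ? '(text does not match target)' : '');
}
```

Only the first sample link passes: the second is not HTTPS, and the last two resolve to a different host even though the service name appears in the URL or the link text.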

How do I verify the signature attached on emails from HYFM?

The entire point of these signed emails is to verify that we're the ones actually sending them. Unfortunately, this is a fairly technical task. If you're up for it, here's how you can verify them.

These steps below will be very general and we expect you to be able to complete them on your own. Unfortunately this is a task that must be done on your computer and is not something we can provide support for. Still, it's not terribly difficult and maybe you'll have some fun learning something new.

Note: This is a very technical task better suited for advanced computer users. However, we believe it's something everyone should learn how to do. That said, your experience may vary depending on your technical level.

PGP/GnuPG

We recommend the GnuPG software for your computer's encryption needs. There are versions for Windows, Mac, Linux, etc. Here is a YouTube video primer on the software.

https://www.youtube.com/watch?v=CEADq-B8KtI

HYFM Public Key

You will need our public key to verify the email signatures. You can fetch it from a keyserver and import it into your GnuPG install with this command:

gpg --keyserver hkps://hkps.pool.sks-keyservers.net --recv-key EEA4BD36E5E4D14463CD0E9D3913A95AF81EE10A

Client Integration

Here are some GnuPG integrations with very common mail clients. Your client may not be listed, in which case you'll have to do some internet searching for your client's integration. Most major mail clients will have an integration, both on your PC and mobile device.

There are even browser extensions for services like Gmail, etc.

Outlook: https://www.youtube.com/watch?v=VI9UF-qEEC4

Apple Mail:

https://support.apple.com/guide/mail/sign-or-encrypt-emails-mlhlp1180/mac

Thunderbird:

https://support.mozilla.org/en-US/kb/digitally-signing-and-encrypting-messages

Manual way

If you want to manually do the signature verification in a terminal then this is a good walkthrough of how it's done:

https://medium.com/@martinzugnoni/how-to-verify-a-signed-email-with-gpg-ae665178d3fe