by alphan0n 544 days ago
It’s explained pretty well in the link provided in the comment you’re replying to.

The tl;dr is: The information is publicly available in an encrypted form that is only readable by the party with the key.

Think of it like this: when you mark an item as lost, you publish a hashed public identification key. If another device detects that key, it creates a location report encrypted with your public key and posts it to a public list of encrypted reports. You decrypt the report with your private key.
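The flow described in the comment above, as an added Node.js sketch that is not part of the original thread and is not Apple's code: a finder encrypts a report to the owner's public key, files it under the hashed key, and only the matching private key opens it. The curve, HKDF, AES-GCM and all function names are assumptions of this example.

```javascript
// Added illustration: curve, KDF and cipher are assumptions of this sketch.
const nodeCrypto = require("node:crypto");
const CURVE = "prime256v1";

// Owner side: the private key stays inside this object, on the owner's device.
function makeKeyPair() {
  const ecdh = nodeCrypto.createECDH(CURVE);
  return { ecdh, publicKey: ecdh.generateKeys() };
}

// Hashed public key: the identifier the public report list is indexed by.
function reportId(publicKey) {
  return nodeCrypto.createHash("sha256").update(publicKey).digest("base64");
}

function deriveKey(sharedSecret, ephemeralPub) {
  return Buffer.from(nodeCrypto.hkdfSync("sha256", sharedSecret, ephemeralPub, "location-report", 32));
}

// Finder side: encrypts to the detected public key with a one-time key pair.
function finderCreateReport(ownerPublicKey, location) {
  const eph = makeKeyPair();
  const key = deriveKey(eph.ecdh.computeSecret(ownerPublicKey), eph.publicKey);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(location), "utf8"), cipher.final()]);
  return { id: reportId(ownerPublicKey), ephemeralPub: eph.publicKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Decryption needs the private key matching the public key the finder used.
function decryptReport(keyPair, report) {
  const key = deriveKey(keyPair.ecdh.computeSecret(report.ephemeralPub), report.ephemeralPub);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, report.iv);
  decipher.setAuthTag(report.tag);
  const plain = Buffer.concat([decipher.update(report.ciphertext), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

function demo() {
  const owner = makeKeyPair();
  const publicList = new Map(); // stands in for the public list of encrypted reports
  const report = finderCreateReport(owner.publicKey, { lat: 51.5, lon: -0.12 }); // constructed sample
  publicList.set(report.id, report);
  const fetched = publicList.get(reportId(owner.publicKey)); // anyone may download this
  let other;
  try { other = decryptReport(makeKeyPair(), fetched); } catch (err) { other = "decryption failed"; }
  return { owner: decryptReport(owner, fetched), other };
}
```

A party holding any other key pair can fetch the same report, but the GCM tag check fails and nothing is recovered.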


>you decrypt the report with your private key

Where would this private key be coming from when opening Find My on icloud.com (a website)?

From your keychain. Decrypted locally.

If you mean from another device other than one that your keychain is on, i.e., a browser on a device you haven’t logged into before, you can’t.

You can get an active location through iCloud if the device is powered on, or its last location before power off if the setting is enabled. But you can’t decrypt Find My location reports without the private key, which is only available in devices you’ve logged into.

Websites can access my keychain? Since when?

What’s your actual point here? You seem to be trying to build up to something by asking me questions instead of RTFM.

You aren’t “sending” the key anywhere, you are downloading the report and decrypting it locally.

So you're saying that by logging into icloud.com and clicking on the "Find My" app, my web browser is downloading encrypted location reports from Apple's servers, and my web browser is decrypting them locally?

I’m saying that you should read the manual before asking such ignorant questions.

https://support.apple.com/guide/security/locating-missing-de...