Undermining your privacy? Session says no and leaves Australia

Send messages, not metadata. This is the level of privacy promised by Session, an open-source and encrypted messaging app developed in 2018 and based in Australia. Or rather, it was based in the Land Down Under until last month.

The founders decided to flee the mother country due to an increasingly “hostile” legal landscape that opposed what they most believed in – their users’ anonymity. While tougher regulations around encryption have been enforced since 2018, the last drop arrived last year when the police visited a Session employee at their home and asked questions about the service.

About nine months and a lot of bureaucracy later, the newly formed Session Technology Foundation (STF), based in Switzerland, was born to steward the project instead of the Australian Open Privacy Technology Foundation (OPTF) which was previously in charge of maintaining the service.

“It has been quite a difficult and arduous process,” STF President Alexander Linton told me. “Yet, I would much rather go through the effort of taking things from Australia and moving them to Switzerland than to see the project’s privacy or security credentials be compromised.”

A matter of jurisdiction

Australian police visited the Session worker to understand how the company and its technology operate – and the team knew that they couldn’t risk being required to reveal more.

Under the anti-terrorism law enforced in 2018 (the Assistance and Access Act), authorities can force tech companies and service providers to build capabilities that allow them to break encryption.

This technology refers to the process of scrambling the content of online communications to prevent unwanted access. It’s used by many online services nowadays, from secure email providers and messaging apps to the best VPN apps, to secure user privacy and security.

At the same time, though, encryption is under attack in many countries as authorities increasingly see it as an obstacle to law enforcement investigations.

In 2021, the so-called Identify and Disrupt Act extended Australian law enforcement powers even further. It enables officers to hack devices and take control of people’s accounts when they are under investigation without their knowledge.

Linton also mentions the more recent e-Safety Commissioner as another reason for concern. The regulatory body introduces new industry codes that could clash with Session’s business model.

The new e-safety codes would require service providers to collect identifying information from end users. However, to avoid gathering this metadata, Session doesn’t require users to sign up with a phone number or an email – something that it may have had to change under these rules.

“And that’s a huge problem for people’s privacy and their ability to be anonymous online when they need or want to,” Linton told me.

The aforementioned reasons prompted Session to find a privacy-friendly jurisdiction to relocate to in order to offer the same product. Ultimately, Switzerland was a natural fit.

Switzerland is already home to some of the most prominent privacy companies on the market. The provider behind the popular paid and free VPN and secure email services, Proton was born here. Also, Threema, another encrypted messaging app, was developed in the European country back in 2012.

This is because Switzerland boasts very strong data protection laws. The Swiss Federal Constitution, for example, explicitly establishes a constitutional right to privacy. While Article 271 of the Swiss Criminal Code rules out strict provisions for any Swiss company to collaborate with foreign law enforcement.

Most importantly, in 2021, both Proton and Threema even won a court case for not being classified as telecommunications service providers. This means email services and messaging apps do not fall under the BÜPF laws which oblige telecom providers to monitor and share traffic data with authorities.

How secure is the Session app

Similarly to the likes of WhatsApp and Signal, Session uses end-to-end encryption to ensure that all your messages and calls remain private between you and the person you’re speaking to.

As mentioned earlier, though, Session promises to go a step further than its competitors by offering something that others do not – metadata protection.

“Encryption only protects the contents of your communications. But there’s all of this information surrounding them that can still impact your privacy, your security, and, oftentimes, even your safety,” Linton told me.

Metadata refers to all the details around the data you shared that it isn’t the content. These include IP addresses, location, phone numbers, who you have spoken with, and when, among other things.

The team behind Session wanted to develop a fully open-sourced app focused on protecting these details. “Which usually means not collecting or creating that metadata in the first place,” said Linton.

This is why Session has never required a phone number or email address to sign up. The app simply generates a keypad on your device that you can use to send your messages to people. Last year, Signal also began beta testing the idea of ditching phone numbers in the name of privacy.

The ex-Australian app goes even further as it also protects your IP. Session runs on a decentralized network – meaning that not even the provider itself can see your IP or other data – which uses an onion routing to protect this piece of metadata from third-party access. This infrastructure is similar to the one that the secure Tor browser also employs.

Now that Session operations have moved country, the company assures users that the app will continue working exactly as it did before.

You can expect the same level of privacy, security, and usability, with its transparency reports and app updates now coming from the new Swiss Session Technology Foundation instead.