Undermining your privacy? Session says no and leaves Australia
The encrypted messaging app has just landed in Switzerland
Send messages, not metadata. This is the level of privacy promised by Session, an open-source and encrypted messaging app developed in 2018 and based in Australia. Or rather, it was based in the Land Down Under until last month.
The founders decided to flee the mother country due to an increasingly “hostile” legal landscape that opposed what they most believed in – their users' anonymity. While tougher regulations around encryption have been enforced since 2018, the last straw came last year when the police visited a Session employee at their home and asked questions about the service.
About nine months and a lot of bureaucracy later, the newly formed Session Technology Foundation (STF), based in Switzerland, was born to steward the project instead of the Australian Open Privacy Technology Foundation (OPTF) which was previously in charge of maintaining the service.
“It has been quite a difficult and arduous process,” STF President Alexander Linton told me. “Yet, I would much rather go through the effort of taking things from Australia and moving them to Switzerland than to see the project’s privacy or security credentials be compromised.”
A matter of jurisdiction
Australian police visited the Session worker to understand how the company and its technology operate – and the team knew that they couldn’t risk being required to reveal more.
Under the anti-terrorism law enforced in 2018 (the Assistance and Access Act), authorities can force tech companies and service providers to build capabilities that allow them to break encryption.
This technology refers to the process of scrambling the content of online communications to prevent unwanted access. It’s used by many online services nowadays, from secure email providers and messaging apps to the best VPN apps, to secure user privacy and security.
At the same time, though, encryption is under attack in many countries as authorities increasingly see it as an obstacle to law enforcement investigations.
Australia was the first country to take a strong stance against encryption, but it isn’t the only government willing to do so. While the UK Online Safety Act has postponed the practice until it’s “technically feasible to do so,” a proposal to scan encrypted communication is repeatedly debated in the EU. The US and some countries in Asia.
In 2021, the so-called Identify and Disrupt Act extended Australian law enforcement powers even further. It enables officers to hack devices and take control of people’s accounts when they are under investigation without their knowledge.
Linton also mentions the more recent e-Safety Commissioner as another reason for concern. The regulatory body introduces new industry codes that could clash with Session’s business model.
The new e-safety codes would require service providers to collect identifying information from end users. However, to avoid gathering this metadata, Session doesn’t require users to sign up with a phone number or an email – something that it may have had to change under these rules.
“And that’s a huge problem for people’s privacy and their ability to be anonymous online when they need or want to,” Linton told me.
The aforementioned reasons prompted Session to find a privacy-friendly jurisdiction to relocate to in order to offer the same product. Ultimately, Switzerland was a natural fit.
ICYMI: Session is now stewarded by a new Swiss foundation. This is great for Session, and for the 1M+ people who rely on it. But make no mistake: this change is driven by draconian anti-encryption regulation which represents an existential threat to your basic right to privacy. October 15, 2024
Switzerland is already home to some of the most prominent privacy companies on the market. The provider behind the popular paid and free VPN and secure email services, Proton, was born here. Also, Threema, another encrypted messaging app, was developed in the European country back in 2012.
This is because Switzerland boasts very strong data protection laws. The Swiss Federal Constitution, for example, explicitly establishes a constitutional right to privacy, while Article 271 of the Swiss Criminal Code sets out strict provisions against any Swiss company collaborating with foreign law enforcement.
Most importantly, in 2021, both Proton and Threema even won a court case for not being classified as telecommunications service providers. This means email services and messaging apps do not fall under the BÜPF laws which oblige telecom providers to monitor and share traffic data with authorities.
How secure is the Session app
Similarly to the likes of WhatsApp and Signal, Session uses end-to-end encryption to ensure that all your messages and calls remain private between you and the person you’re speaking to.
As mentioned earlier, though, Session promises to go a step further than its competitors by offering something that others do not – metadata protection.
“Encryption only protects the contents of your communications. But there’s all of this information surrounding them that can still impact your privacy, your security, and, oftentimes, even your safety,” Linton told me.
Metadata refers to all the details around the data you share that aren’t the content itself. These include IP addresses, location, phone numbers, who you have spoken with, and when, among other things.
The team behind Session wanted to develop a fully open-sourced app focused on protecting these details. “Which usually means not collecting or creating that metadata in the first place,” said Linton.
This is why Session has never required a phone number or email address to sign up. The app simply generates a key pair on your device that you can use to send your messages to people. Last year, Signal also began beta testing the idea of ditching phone numbers in the name of privacy.
The ex-Australian app goes even further as it also protects your IP. Session runs on a decentralized network – meaning that not even the provider itself can see your IP or other data – which uses onion routing to protect this piece of metadata from third-party access. This infrastructure is similar to the one that the secure Tor browser also employs.
Now that Session operations have moved country, the company assures users that the app will continue working exactly as it did before.
You can expect the same level of privacy, security, and usability, with its transparency reports and app updates now coming from the new Swiss Session Technology Foundation instead.
Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com