Session, a small but increasingly popular encrypted messaging app, is moving its operations outside of Australia after the country’s federal law enforcement agency visited an employee’s residence and asked them questions about the app and a particular user. Now Session will be maintained by an entity in Switzerland.
The move signals the increasing pressure on maintainers of encrypted messaging apps, both when it comes to governments seeking more data on app users, as well as targeting messaging app companies themselves, like the arrest of Telegram’s CEO in August.
“Ultimately, we were given the choice between remaining in Australia or relocating to a more privacy-friendly jurisdiction, such as Switzerland. For the project to continue, it could not be centred in Australia,” Alex Linton, president of the newly formed Session Technology Foundation (STF) which will publish the Session app, told 404 Media in a statement. The app will still function in Australia, Linton added.
Linton said that last year the Australian Federal Police (AFP) visited a Session employee at their home in the country. “There was no warrant used or meeting organised, they just went into their apartment complex and knocked on their front door,” Linton said. The AFP asked about the Session app and company, and the employee’s history on the project, Linton added. The officers also asked about an ongoing investigation related to a specific Session user, he added.
Linton showed 404 Media an email sent by Session’s legal representatives to the AFP which reflected that series of events. Part of Session’s frustration around the incident came from the AFP deciding to “visit an employee at home rather than arranging a meeting through our proper (publicly available) channels,” Linton said.
“They ended up wanting to organise another meeting, at which they asked some quite a lot more technical questions about Session and some broad questions about future development,” Linton added.
The AFP told 404 Media in a statement that “The AFP is aware of the application Session and has seen the use of Session by offenders while committing serious Commonwealth offences.” The AFP declined to comment specifically on the incident involving the Session employee.
Session is an end-to-end encrypted messaging app that says it also protects against certain types of metadata monitoring. It does not require a phone number or email address to sign up, and runs on a decentralized network of servers. On Twitter, the company recently said it has more than one million users.
Linton also pointed to Australia’s recently enacted surveillance laws, and said “we felt Session was sufficiently secured because it is open source, decentralised, and we were just building privacy-focussed technology in good faith.” That changed after the country laid out plans to have service providers collect and store a certain amount of data on users. “For Session, the final straw was with end-user registration guidelines included in new regulations being introduced by the Australian E-Safety Commissioner which require all online services to collect a phone number or email address from users,” Linton said. While the guidelines primarily target very large social media companies, “the categorisations do not make allowances for services with smaller user bases or more limited scope (such as messaging compared to social media),” he added.
After French authorities detained Pavel Durov, Telegram’s CEO, in August, there was a broader concern about what this might mean for other communications or social network apps. In the wake of the arrest, 404 Media reported that many Telegram users were fleeing that platform. At the time, Session co-founder Kee Jeffreys told 404 Media that the app had seen a “small spike” in users since Durov’s arrest. “However, the overwhelming majority of people using tools like Session are everyday people who value privacy, and we believe this is true of those who are seeking an alternative to Telegram at the moment,” he added.
Telegram previously left Russia after facing pressure from the country’s authorities. It now runs operations from Dubai. Proton, the maintainers of ProtonMail, is based in Switzerland due to the country’s privacy laws.
Anecdotally, 404 Media has sources linked to drug trafficking and cybercrime that have used Session.
The STF will now be listed as the developer of Session on the Apple App Store and Google Play Store; the GitHub repositories will be moved to the STF; keys used to sign applications will change to keys held by a member of the STF, and transparency reports will now be published by the STF, according to an announcement on Session’s website.
