[LINK] session encrypted app

Kim Holburn kim at holburn.net
Mon Oct 11 11:24:10 AEDT 2021


https://restoreprivacy.com/secure-encrypted-messaging-apps/session/

Desktop, Android and iOS apps

Lots of technical detail:

> Session messenger is making a play for the position as the best secure messaging app. In this, it is going up against some intense 
> competition from the likes of Signal <https://restoreprivacy.com/secure-encrypted-messaging-apps/signal/> and the other top apps 
> we cover in our Best Secure and Encrypted Messaging Apps review <https://restoreprivacy.com/secure-encrypted-messaging-apps/>. In 
> this updated Session review, we’ll look at Session’s capabilities — both those active today and those coming soon.
>
> Signal merits special mention in this Session review. That’s because Session is a fork 
> <https://en.wikipedia.org/wiki/Fork_(software_development)> of Signal, meaning that much of the guts of Session originally came 
> from Signal. This is excellent since Signal has long been considered the most secure of the secure messaging services. Thanks to 
> the excellent end-to-end (E2E) encryption provided by the Signal Protocol, Signal is about as secure as a messenger app can be.
>
> But Signal isn’t as strong on privacy as it is on security. It collects some metadata and doesn’t have a corporate sponsor like 
> Facebook sucking up and monetizing that metadata. More importantly, *Signal requires you to submit a phone number* to create an 
> account. Signal also relies on central servers to manage message flow and hold the metadata it does collect.
>
> Because Session is a fork of Signal, it inherited Signal’s strong security. From there, the Session team built an anonymized, 
> decentralized system that provides superior privacy and anonymity for its users. Are you ready to learn more about this challenger 
> for the throne of the best secure and private messenger app? Then let’s dive in with this Session review.
>
...

>
> Concerns about Australia and data security
>
> On the topics of privacy and the security of your data, we must discuss where Session is based. As noted above, Session is based 
> in Australia. Unfortunately, Australia is not a very good privacy jurisdiction for a few reasons.
>
> As we recently discussed in our guide on the best VPNs for Australia <https://restoreprivacy.com/vpn/best/australia/>, the country 
> passed a law to undermine encryption and data security in 2018. Here’s a quick overview 
> <https://www.nytimes.com/2018/12/06/world/australia/encryption-bill-nauru.html> of this law:
>
>     The Australian Parliament passed a contentious encryption bill on Thursday to require technology companies to *provide law
>     enforcement and security agencies with access to encrypted communications*. Privacy advocates, technology companies and other
>     businesses had strongly opposed the bill, but Prime Minister Scott Morrison’s government said it was needed to thwart
>     criminals and terrorists who use encrypted messaging programs to communicate.
>
> The Loki Foundation that is behind Session addressed this thorny issue in a blog post 
> <https://loki.network/2018/12/10/lokis-response-to-the-assistance-and-access-bill-2018/>:
>
>     Obviously, we were terrified when we first saw this bill. The potential for the project to be entirely undermined by this
>     legislation did not go unnoticed. We had begun to consider how we might set up failsafes to allow people to catch bad code
>     being injected into our codebase, or to pay someone external to Loki to do regular inspections of our binaries that we release
>     and ensure they are not leaking extra information or mismatching the codebase in some way. If we were to be issued a TCN
>     [Technical Capability Notice], we would not be able to tell anyone about it. If we set up some sort of canary system, we could
>     be imprisoned. So whatever failsafe we did set up would have to be external to Loki, and would have to be regularly auditing
>     us to make sure we haven’t been compromised before a TCN was issued.
>
> Ultimately, the Loki Foundation believes they can still operate a secure messenger service in this perilous legal environment. 
> Their blog post <https://loki.network/2018/12/10/lokis-response-to-the-assistance-and-access-bill-2018/> on the topic really goes 
> deep into technical and legal details, which you can investigate if you have the time and inclination. In addition, they address 
> the issue in the FAQ topic titled, “Does the Australian government’s anti-encryption stance pose a risk to Session?” as well as 
> in this update to their original blog post <https://loki.network/2019/12/06/the-assistance-and-access-bill-one-year-later/>.
>
...

>
> Other privacy concerns with Australia
>
> It’s also worth noting that the anti-encryption legislation is not the only privacy issue that plagues Australia. Consider this:
>
>   * *Mandatory data retention* – In 2017, Australia implemented a mandatory data retention framework. This forces all internet
>     providers and telephone companies to store connection data for government agencies for a full two years.
>   * *Five Eyes* – We have also noted before that Australia is a member of the Five Eyes
>     <https://restoreprivacy.com/5-eyes-9-eyes-14-eyes/> surveillance alliance. This alliance works together to collect and share
>     mass surveillance data.
>

-- 
Kim Holburn
IT Network & Security Consultant
+61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request