The founder of an encrypted messaging app who left Australia for Switzerland after police unexpectedly visited an employee’s home says he had left because of Australia’s “hostile” stance against developers building privacy-focused apps.
Developed in Australia in 2018, Session is an encrypted messaging app that is open source and decentralised. The app runs on the tagline: “Send messages, not metadata.” It allows users to send messages with anonymity, by opting for 66-character account IDs rather than verifying a user via emails or phone numbers.
Messages are sent over a decentralised onion routing network similar to Tor (a popular encrypted browsing app) and no single server knows the message origins or destination.
Session was created by the Australian-based Oxen Privacy Tech Foundation, which in October announced it was transferring responsibilities to a newly created Switzerland-based body, the Session Technology Foundation. It was first reported by 404 Media.
The move came after employees working for OPTF were approached by the Victoria police and Australian federal police over several months including via help chat messages, letters and phone calls. Victoria police also visited the apartment of an employee late last year, asking questions about the app and its encrypted messaging, the company says.
Under anti-terrorism laws passed in 2018, law enforcement can issue notices requiring developers to assist with an investigation. This can include technical assistance which could require companies to build capability for law enforcement to break the encryption used in their services.
But the powers have rarely been used. And if they had, neither the AFP or the services targeted can divulge what an organisation has been ordered to do.
The director of OPTF, Alex Linton, said the looming threat of this legislative power, along with the wider regulatory environment in Australia, had been the tipping point for the organisation shifting to Switzerland.
“The legislative and regulatory landscape in Australia is just completely hostile towards building a privacy tool such as an encrypted messaging app,” he said. “The ongoing threat of these special powers actually being used against us, in the end, being in Australia just threatened our credibility as a privacy tool.”
A spokesperson for the AFP confirmed it “is aware” of the app “and has seen the use of Session by offenders while committing serious commonwealth offences” but declined to comment further. Victoria police was approached for comment.
Linton said because Session is open source it would make it obvious to people verifying the code that a backdoor had been installed or encryption had been compromised, if it were to occur.
He said laws in Switzerland understood and supported the kind of technology used by platforms such as Session, “as opposed to actively trying to snuff it out”.
Linton also pointed to the expected arrival of age assurance for social media, as well as a new code coming into effect in December on cloud and encrypted messaging providers from the eSafety commissioner, as other evidence of the hostile environment for privacy-focused apps.
The focus of Australian law enforcement on encrypted apps has mostly targeted messaging apps specifically designed for alleged criminals – including the AFP’s own Trojan horse app An0m.
Policing success targeting these services has reduced the number of alternatives. Linton said the road being paved now was for law enforcement to target the apps widely available to the general public.
“What I think we’re in danger of is seeing that rhetoric shift towards public-use applications like Signal or Session being painted as the next app for criminals, even though we know that they have very wide and legitimate user bases,” he said.
The office of the home affairs minister, Tony Burke, was approached for comment.
The Greens digital rights spokesperson, Senator David Shoebridge, said it was a problem if Australia had policies hostile to end-to-end encryption while privacy law was failing to protect people’s personal information.
He said the AFP approaching Session employees was “seriously troubling”.
“Are police now taking the view that just trying to protect your privacy makes you potentially guilty?
“We need a sovereign tech industry that delivers safe and secure products for local users and to make this happen the industry is telling us they urgently need an effective suite of privacy and data laws.”
