Screenshot of Session messenger

The Loki Foundation developed a more private alternative to the Signal instant messenger, which is known for its end-to-end encryption and the resulting high degree of privacy. That private messaging app is called Session, and it is actually a fork of the Signal messenger. The primary difference is that Signal uses your phone number to identify your account, while Session doesn’t request that or any other personal data.

Considering the data sharing practices among technology companies, and the fact that the majority of them wring your phone number out of you and store it with your other personal data — that isn’t entirely private (if at all). Session uses cryptography to generate a unique user ID (called a Session ID) instead of having you log in with a username and password. If you get a new device, you ‘log’ back in by entering the backup phrase (random string of words) that was provided during account creation — and you’re good to go.

Session dropped Signal’s client-server model in favour of a more private, anonymous network of service nodes run by volunteers, and it is also end-to-end encrypted. The service nodes route messages instead of a centralized server, and anyone can register to run one. I would have preferred, though, if they had gone a little further and adopted a more decentralized node approach that doesn’t require registration. I say more decentralized because more individuals would then run nodes, and decentralization is something that comes in numbers: there should be many nodes spread out around the world.

Loki, the underlying open-source infrastructure that powers Session, is where the service nodes live, and it utilizes the CryptoNote protocol, the same protocol implemented by Monero, which is known for offering a very high degree of privacy. Aside from privacy, Session offers a very high degree of security for the same reason: no back doors. Back doors are a major security vulnerability that not only allows service providers to access your personal data and messages, but also lets hackers in.

Unfortunately, back doors for law enforcement are no exception. Australia recently passed a law requiring back door access to user data. However, the Loki Foundation says it wouldn’t be required to comply, because a back door may introduce a ‘systemic weakness’ into the network, and the law is designed to avoid causing security issues. Session’s and Loki’s developers are based in Australia, and they develop other privacy tools as well.

Eliminating username/password logins and utilizing cryptography can provide a very high degree of security. This is an extremely uncommon combination of qualities. It is important that the network protects itself by not storing unnecessary amounts of user data. Storing user data along with metadata such as phone numbers, emails, or names would make it a more lucrative target for hackers and identity thieves, because that data would be more useful to them. This is why anonymous messaging apps provide a security benefit, not just privacy.

Anonymous messaging had become rare among new apps. However, growing privacy invasions (and privacy scandals) have sparked an interest in private messaging, which has helped Signal grow (and rightfully so). Truly anonymous private chat apps may finally make a comeback thanks to decentralization. Community projects that are not profit-driven appear to be the most promising (they are the least likely to hide their source code and secretly sell your data).

Please take a minute to check out my privacy guide!

Messaging Privacy Infographic

Full Anonymity: This Requires More Than End-To-End Encryption

Full anonymity doesn’t only entail that your messages are stored privately; anonymity is defined as being unknown, so it refers to your identity, not your messages. This is most likely why Session forwent the phone number requirement and doesn’t ask for any personal information. If it required an email address and password to sign up, like other messengers, that would introduce the common attack vector of using stolen email addresses and passwords from other online services, since people often reuse email addresses and passwords across multiple online services.

Session uses onion routing to obfuscate your IP address. Your IP address is something that virtually every other service is able to see and use to identify who you are, unless you use a good VPN. If it isn’t obfuscated, your IP address can be used to track your activity, because it is consistent across all the services you use online and is associated with your identity; therefore a great deal of personal information is connected to it. Data sharing enables companies to link it to what you buy, what you like, your medical details, financial details and much more (this is of course theoretical and depends on your own country’s privacy laws).

Protests In Oppressive Regimes

The 2019-2020 protests in Hong Kong served as a reminder that oppressive regimes use surveillance to track the organizers of protests and remain a step ahead of them. Telegram was subjected to a Distributed Denial-of-Service (DDoS) attack during the Hong Kong protests, which it said originated in China. It also saw a surge in usage in Hong Kong during the protests. Telegram is one of the largest go-to messengers for users seeking privacy. The end-to-end encrypted messenger offers disappearing messages. In August 2019, Telegram had also provided an update that would allow users to hide their phone numbers so that authorities in China and Hong Kong couldn’t identify them.

The Illusion Of Safety Online: Anonymous Messengers Are Not More Dangerous

When social media eventually took a turn towards demanding several personal details from users, it created the illusion that users would be safer because scammers could be identified. Scammers still run rampant on all of these platforms. Some of them even require phone numbers (such as Telegram), and I am inundated with messages from fake accounts on a daily basis. I also frequently receive friend requests from fake accounts on Facebook. Facebook’s strict policy of deleting fake accounts is a good effort, but there are just too many of them to handle.

Trying out an anonymous messenger like Session provided a reminder that seeing a full name and personal details on an account doesn’t mean that the account is legitimate. Seeing nothing but AIM- or IRC-style screen names makes it clear that you can’t trust people online. Profile pictures and names have done nothing except make people feel safer and more inclined to trust criminals.

Loki and Session are open source. Open-source projects are especially appealing because when a closed-source app vendor makes a claim, you have to just take their word for it because you can’t verify it yourself.

With open-source software, you can: