Australian News Today

Encrypted app Session’s exit amid police pressure proves Australia at risk of becoming ‘tech backwater’

In late 2023, Victoria Police reportedly paid an employee of the encrypted messaging app Session an unexpected visit at their apartment. Without a warrant or prior warning, officers entered the apartment complex and knocked on the employee’s front door.

During their visit, the police reportedly asked a series of questions about the app, the company, and the employee’s involvement with the project. They also questioned the employee about an ongoing investigation concerning a particular user of the app, as reported by 404 Media. While no information about the investigation has been publicly disclosed, the Australian Federal Police (AFP) told 404 that it is aware of “the use of Session by offenders while committing serious Commonwealth offences”.

The visit came after Session employees were approached by the AFP and Victoria Police through help-chat messages, letters, and phone calls earlier that year.

Session’s Alex Linton has publicly expressed frustration over the AFP’s choice to visit the employee in their private residence, rather than arrange a meeting via the company’s official and publicly available channels.

Session is an end-to-end encrypted messaging app developed in Australia in 2018 and designed to protect against certain types of metadata monitoring, offering “absolute privacy and freedom from any form of surveillance”. It allows users to sign up using 66-character account IDs without providing a phone number or email address and operates on a decentralised network that ensures servers cannot determine a message’s origin or destination.

On October 15, Session announced that, given the current regulatory environment around privacy technology and encrypted messaging in Australia, it will relocate to Switzerland — a known hub for encrypted services like Proton, Threema, Nym, VyprVPN, and Tresorit — and will be overseen by the newly formed Session Technology Foundation (STF).

“Switzerland offers some of the most robust digital privacy regulations in the world” and has “a longstanding tradition of respecting personal privacy and fostering technological innovation,” wrote STF in a blog post. The app has confirmed that it will continue to operate in Australia.

The tipping point for Session’s decision came when the Australian eSafety commissioner introduced new amendments to the Basic Online Safety Expectations in July 2024, requiring all online services to collect “a phone number, email address, or other identifier” from users as part of end-user registration guidelines.

In addition, anti-terror laws passed in 2018 grant law enforcement the power to issue notices that compel developers to aid in investigations. This assistance can involve technical measures, which might require companies to establish capabilities allowing law enforcement to override their service encryption. Yet, these powers have rarely been invoked, and if they were, neither the AFP nor the targeted services would be authorised to reveal what an organisation was required to do under the laws. 

“Australia has a set of bad national security laws that need to be revised because they are hostile to tech innovation and they’re leading Australia to become a tech backwater,” Suelette Dreyfus, senior lecturer at Melbourne University’s School of Computing and Information Systems, told Crikey.

Dreyfus believes that Session’s decision to move to Switzerland is an important milestone in demonstrating that innovative technology providers are being driven out of the country. 

“These laws are really about overreach,” she said. 

“They basically discourage innovative start-ups from happening in Australia and encourage them to leave, as they are faced with such an onerous barrage of regulation, not being able to meet the commitments of privacy and security for their customers.”

Another problematic area is the mandatory data retention regime, a legislative framework that requires telecommunications providers to retain metadata for a minimum of two years and make it available to law enforcement and national security agencies without a warrant. The regime introduces significant burdens and risks for applications like Session.

According to the 2022-23 data from the Australian Communications and Media Authority, Australian government agencies gave themselves the authority to make 710,918 disclosures of metadata of mobile phone accounts.

“This is very large-scale surveillance going on without judicial oversight,” says Dreyfus. “Law enforcement could do their job without this kind of mass surveillance. It requires them to really focus on their targets and put their energy into them, rather than having the leisure of just doing a large-scale driftnet fishing of people’s data without warrants overseen by a judge.”

Finally, another key issue is data sovereignty. Australia has a national interest in having some cloud providers — including messaging services — based and fully owned, with all the services and data stored, in the country.

“If you think it’s important as a country for sovereignty reasons to have the option of using your own home-grown services, then you can’t drive them off shore with bad laws,” concludes Dreyfus.

An AFP spokesperson declined to provide any comment on the case, following a request by Crikey. Victoria Police did not immediately respond to Crikey’s requests for comment either. Linton did not respond to Crikey’s requests for comment in time for publication.