Session is “an end-to-end encrypted messenger that removes sensitive metadata collection, and is designed for people who want privacy and freedom from any forms of surveillance.”
Available for Android, iOS, Mac, Windows, and Linux, Session aims to up the ante on secure messaging apps by eliminating the collection of metadata such as phone numbers from users. When signing up for a Session account, users are assigned a Session ID, which is a public key, but that Session ID is not connected to any personal information about the user.
What will Session do if compelled by a court to reveal user identities?
As Session is a project of the Loki Foundation, court orders in situations such as this would be targeted at the Foundation.
The Loki Foundation would comply with lawful orders. However, the Loki Foundation could not reveal user identities simply because the Foundation does not have access to the data required to do so. Session account creation does not use or require email addresses or phone numbers. Session IDs (which are public keys) are recorded, but there is no link between a public key and a person’s real identity, and due to Session’s decentralised network, there’s also no way to link a Session ID to a specific IP address.
The most the Loki Foundation could provide, if compelled to do so, would be tangential information such as access logs for the getsession.org website or statistics collected by the Apple App Store or Google Play Store.
The folks behind Session have a technical white paper explaining how the system works, Session: A Model for End-To-End Encrypted Conversations With Minimal Metadata Leakage.