Conscious communication: users must have control over their data
Continuing our campaign to raise awareness about proper communication through apps that allow users to control their data, as required by Whereas(7) of the GDPR, we want to present a reasonably articulated solution entirely focused on privacy protection.
An app called Session is part of a much larger and articulated project that is extremely interesting.
Session: privacy-centric messaging app for secure communications
Session is an open-source messaging app with end-to-end encryption for sending text, voice, and attachments such as documents, images, and emojis to individual users and groups.
It is not currently possible to make calls or video calls.
Session does not require a phone number protects metadata and user identity.
Session is a decentralized solution with a strong focus on user privacy protection, managed entirely by Oxen Privacy Tech Foundation (“OPTF”), whose mission is to equip every digital citizen with technology which upholds their right to privacy.).
OPTF is a nonprofit charity registered in Australia.
Session’s related project is OXEN
Oxen is a blockchain linked to the $OXEN cryptocurrency based on the Proof-of-stake consensus mechanism.
We read here: “Oxen network is a huge, global network of staked Oxen Service Nodes that power Oxen’s second-layer privacy tools and services, including Session, our end-to-end encrypted anonymous messenger, and Lokinet, a low-latency onion router for private browsing, voice and video calls, and more.”.
The entire project ecosystem around Session focuses on providing Internet users with privacy protection by referencing the Universal Declaration of Human Rights.
When you start the Session app, it automatically generates a “recovery phrase” linked to the device you are using, and it is the only way to access your account. It is recommended to save the recovery phrase in a safe place; otherwise, you will no longer be able to access the account it refers to.
Session uses the “Session Protocol”, a state-of-the-art end-to-end encryption protocol built on libsodium (more details here https://doc.libsodium.org), a highly controlled and widely trusted cryptographic library.
Session is based on a private key that is generated when you start the app, connected to your device, and must be kept if you want to always log in with the same account.
Session protects metadata encrypts the content of messages, preventing digital traces of communication from being left behind.
Session also protects the personal identity of those who exchange messages, leaving the communication anonymous unless the user decides to use his real profile image.
Reading Session’s FAQ, it turns out that
“your messages are sent to their destinations through a decentralised onion routing network similar to Tor (with a few key differences), using a system we call onion requests. Onion requests protect user privacy by ensuring that no single server ever knows a message’s origin and destination.”.
Also, in the FAQ, we read
“Session does not collect any geolocation data, metadata, or any other data about the device or network you are using. At launch, Session used proxy routing to ensure nobody can see who you’re messaging or the contents of those messages. Shortly after launch, Session moved to our onion routing system, which we call onion requests, for additional privacy protection.”
“When you send a message, it is sent to your recipient’s swarm. A swarm is a group of Oxen Service Nodes tasked with temporarily storing messages for retrieval by the recipient at a later point.”
No, your messages are not stored on a blockchain. Messages are stored by swarms, and are deleted after a fixed amount of time (called the “time-to-live”, or TTL).
All of your messages are encrypted, and can only be decrypted using the private key which is stored locally on your device.".
The FAQ explains what Onion Routing is, and we read
“An onion routing network is a network of nodes over which users can send anonymous encrypted messages. Onion networks encrypt messages with multiple layers of encryption, then send them through a number of nodes. Each node ‘unwraps’ (decrypts) a layer of encryption, meaning that no single node ever knows both the destination and origin of the message. Session uses onion routing to ensure that a server which receives a message never knows the IP address of the sender.”
Session’s onion routing system, known as onion requests, uses Oxen‘s network of Oxen Service Nodes, which also power the $OXEN cryptocurrency."
Conclusions and Privacy
Session and the whole project of OPTF are appreciable, indeed.
From the information published, the security of communications and users’ privacy is guaranteed.
In our humble opinion, this is a project that complies with the Privacy by Design (PbD) principle and “Data Protection by Design and Protection by Default” principles ex Article 25 of GDPR.