Modern messengers have a common privacy problem: they almost invariably ask for your phone number. Even though we have gotten used to it by now, it is actually not very discreet. After all, we do not know to whom it is passed on. Session should solve that. We introduce the new Messenger for privacy friends in more detail.
Smartphones are supposed to connect us with each other in an uncomplicated way. Simple messenger apps offer convenient options and are mostly free. Nevertheless, we pay a price for it: our phone number and contacts, as well as the so-called meta data, are often used commercially by the operators. There is money to be made from the information when we communicate with whom and for how long.
And even if we can trust an app developer, as it is the case for me with Signal messenger, there is a catch: we are supposed to register with our phone number and give the app access to our contacts. In Germany, the former is inevitably linked to our real identity, and the latter would theoretically have to agree individually that we pass on their phone numbers.
A friend or threat to Signal?
The new messenger Session is a so-called fork from Signal. Functionally, it is largely identical, but during the setup process, however, you will no longer be asked for your phone number. There's also no provision for accessing your contact list or linking your number or email address to your session ID - making Session even more paranoid than Threema.
What Session can do
Session masters the usual chat functions. There are voice messages, a GIF search (with privacy warning), file sharing and group chats. You can add new contacts by scanning a QR code or exchanging the session ID. You can share your groups via a link.
Encrypted group chats
Another advantage over Signal or Telegram is end-to-end encrypted group chats. Up to ten people can network fully anonymously via session. Yes, WhatsApp also has encrypted group chats. But your metadata, phone numbers, and IP addresses remain visible to Facebook. Session is completely unsuspecting.
Session on all platforms
Session is available in the Play Store (or as APK), in the App Store and for download for Windows, macOS, and Linux. In theory, you can use the same Session ID on all your devices at the same time. Unfortunately, in a self-experiment, I did not succeed. When you install Session for the first time, it creates a - hence the name - new session. This is protected by a recovery phrase. So if you change your smartphone, you can continue your session on the new device using this phrase.
Chat backups are made in sessions in two different ways. Either you create a local backup, also protected by a passphrase, just like in Signal. You can copy these from the internal storage of your smartphone to the new device before you reset your phone.
Or you rely on your chat partners and download the chat logs from them after restoring your session. Unfortunately, even this did not succeed in the self-experiment.
What Session cannot (yet) do
As you can see above, Session is not very talented at restoring backups. If you want to move the app to a new device, you will have to expect difficulties restoring the chat logs. However, since Session is designed for short-lived sessions, I don't expect any improvement in this area in the near future.
Unlock restored sessions
Session is also not very reliable in keeping you in contact with people. When I restored a session in the test, I was able to restore my session contacts, but only with their IDs and without their nicknames. But I couldn't write to them anymore because of my changed crypto-key. Only when they contacted me, I could answer again. So if one of your session contacts doesn't answer for a while, ping them once. You might have to unlock it again first.
Telegram is Sessions' best friend
Since Sessions is designed for you to create and then throw away sessions only for short periods of time, it is worth using Telegram in parallel. I have used the latter for a quick exchange of IDs (optionally via secure chat with self-destruct timer) and for saving and synchronizing my IDs and passphrases. Similar functionality would be offered by the combination of syncing and text editor, but it is not as easy to set up.
Who is behind Session?
Session is part of the Loki Foundation, a non-profit organization without a permanent seat. The CEO is Simon Harman. Even though the project is not profit-oriented, it wants to monetize Session. Parts of the infrastructure are based on a block-chain network that mines its own currency, $LOKI.
The network provides important infrastructure for anonymizing its users, including an onion router to hide your IP address. Neither your counterpart nor the Loki Foundation can determine your location.
So if a state were to obtain a court order to inspect the session servers, investigators would find nothing but meaningless session IDs and TOR-IP addresses. None of this information would allow us to draw clear conclusions about the identity of the messenger app's users.
Session is one of the most promising messengers for the paranoid for me. If it overcomes the annoying weaknesses when used on multiple devices and especially when restoring the session, it will become suitable for everyday use for me as well. Until then, it is definitely an exciting feasibility study and proof that it can be done differently.