
In a digital landscape saturated with secure messengers, Session stands out by radically rethinking how privacy should work.
In this exclusive conversation, we spoke with the people behind Session about their decentralized architecture, metadata resistance, the challenges of delivering anonymity at scale, and how recent shifts, both technical and regulatory, are shaping the future of secure communication.
CyberInsider: In the ‘crowded’ secure messenger apps space, why would people consider using Session over other offerings?
Session: Most messaging apps still operate on centralized systems. Even if they offer end-to-end encryption, they usually depend on centralized servers, run by a private, for-profit company, to manage and control everything behind the scenes. Session is different: messages are routed through a global network of community-operated servers, with no central authority and no single point of control. Anyone in the world can join this system by running a node and actively supporting the network.
Another key difference is that Session does not require a phone number, email, or any other personal information to create an account. There’s no identity attached to your account, and no tracking of your activity. Session has been architected from the ground up to prevent the collection of user metadata, which means there is no central database of messages or metadata, greatly minimising the risk of data leaks, breaches, or your information being sold to third parties.
Session provides real anonymity, freedom from censorship, and independence from the companies that dominate the tech world.
The project is open source, sustained by a diverse community, and free from the pressure to extract value from users. Session is built for people, not profit.
CyberInsider: Many claim to offer end-to-end encryption, but is that enough to keep user communications private? And are all end-to-end encryption implementations equal?
Session: End-to-end encryption is important because it protects the content of your messages, but that is not the whole story. Most apps still collect metadata, which means they can see who you talked to, when, and how often. That kind of info reveals a lot about you.
And no, not all encryption is built the same way. Some apps are closed-source, so you have no way of knowing if the encryption works the way they say it does. Session is open-source, so anyone can review the code. It uses strong encryption and is designed to prevent the collection of metadata. That’s what makes a difference.
CyberInsider: Session doesn’t need phone numbers for registration and doesn’t store user metadata. Competitors claim this approach introduces technical complexities. Can you give us an overview of these and how you manage to overcome them?
Session: Not using phone numbers or emails sounds simple on the surface, but technically it’s a big shift. Most messaging apps rely on those identifiers to sync contacts and route messages. But it also ties your identity to your messages and opens the door to metadata collection.
Session works differently. Instead of asking who you are, it assigns you a randomly generated cryptographic key that functions as your identity and Account ID on the network. This design allows users to send and receive messages without ever needing to give away personal details.
Messages are routed through a decentralized network of nodes run by people all around the world, not through central servers. Routing is handled by a protocol called Onion Requests. It’s designed to strip out metadata, so even the nodes that help deliver a message never simultaneously know both a message’s final destination and where it came from. On top of that, messages are stored redundantly across small groups of nodes called Swarms. That way, your messages will still arrive even if you or the recipient are offline when they’re sent.
This kind of setup does make things more complex. It required a rethink of everything, from how notifications work to how to support attachments and group chats, all without compromising privacy.
It’s a harder path, no doubt. It takes more work to build a system like this, but it means there’s no central server keeping tabs, no identity tied to your account, and it drastically minimizes the metadata created when a user sends a message. And for people who care about real privacy, that’s the tradeoff that matters.
As an open-source project, Session has been shaped by many contributors from around the world. They help improve the code, review changes, and push the project forward. The founders are genuinely grateful because what started as a small team effort has grown into something that belongs to everyone.
CyberInsider: What would you say is the ‘weakest link’ in the security of messaging apps which many tend to overlook?
Session: The biggest risk is metadata. Even if your messages are encrypted, if someone knows who you talk to and when, they can learn a lot about you.
Most messaging apps still collect lots of information; even if the messages are encrypted, the metadata often isn’t. It’s easy to ignore, but it’s what surveillance systems are built on. If there’s no metadata to collect, there’s no data trail to follow.
Session tries to close that gap. It uses anonymous routing, avoiding centralised routing servers altogether, so there’s no easy way to trace who’s talking to whom.
CyberInsider: You recently announced a migration from the Oxen Service Node Network to the Session Network, maintaining decentralization and operational simplicity, while enhancing transparency. For users of the platform, did this have any tangible benefits in terms of data security?
Session: The migration from Oxen to Session Token was primarily focused on streamlining accessibility of the token network which backs Session. The migration has made Session Token more accessible on decentralised exchanges, and the staking interfaces have been completely overhauled to lower the barriers to entry to staking Session Token. By making the token layer more accessible, more users are now able to get involved in running the decentralised network of nodes which powers Session, leading to enhanced network security.
CyberInsider: Session recently moved its base from Australia to Switzerland to benefit from stronger data protection regulations. How has this move impacted your operations, and has it worked out the way you’d hoped?
Session: Definitely. Switzerland has clear data protection laws and a great community of developers and companies building in the privacy space. Moving to Switzerland has helped Session connect with those companies and people who care about the same things we do. Being based in Switzerland has further strengthened Session’s commitment to privacy and security and has been received positively by both the Session community and Session users.
CyberInsider: Switzerland recently announced a partial revision of the Ordinance on the Surveillance of Correspondence by Post and Telecommunications (OSCPT), which includes mandatory user identification. The proposal was met with strong opposition by Proton Mail and Threema, which are based in the country. What is the status of the revision proposal, and how would it impact Session? Do you have any “emergency plans” in relation to it?
Session: We are proud of the response from the Swiss privacy community in relation to the proposed changes, and the support from commentators within Switzerland and abroad has been overwhelming. This shows why having a healthy, passionate community of privacy advocates is so important: no jurisdiction is immune to ill-conceived policy.
At this stage, the Session Foundation is keeping a close eye on the situation and remains hopeful that the feedback from industry and civil society will be strongly considered before changes come into effect.
As Session itself is decentralized, the impacts are not as clear cut as they are for centralized projects based in Switzerland.
CyberInsider: You launched a new Session Pro tier last month. How is the adoption of this new tier progressing?
Session: Yeah, it’s really exciting and our main focus at the moment. Pro Beta is currently planned for release in early Q4, 2025. On July 18, 2025, Session contributors finalized the designs for the Pro badges and user profile modals, both new elements which will appear in the Session Pro Beta, so lots of progress is being made very quickly!
The community is excited and the expectation is that many Session users will see the value of the additional features provided in the Session Pro Beta, leading to high adoption. It is important to highlight that Session will always remain free for all users. Session Pro simply offers additional capabilities for those who need them, including: higher group member limits, animated profile pictures, Pro badges, higher character limits for messages, more pinned conversations, and more.
Running a decentralized messaging network requires significant resources, and unlike traditional messaging apps, Session will never monetize through data collection or advertising. Session Pro creates a sustainable economic model where users who require more network resources, like longer messages and larger groups, can contribute resources to unlock these features and thereby increase the rewards available to the node operators who provide the extra storage and bandwidth.
This approach keeps Session independent, ensures fair compensation for infrastructure providers, and aligns the network's interests with its users. Basically those who need more from the platform can support the infrastructure that serves them.
CyberInsider: The secure communication space was shaken recently by the TeleMessage SGNL security failures that exposed sensitive government exchanges. Can you comment on these lapses? Were they merely software security issues or something more systemic?
Session: The vulnerabilities in TM SGNL were far more than isolated software bugs; they were the result of multiple severe design and implementation errors. These flaws undermined the intended security of the platform and amounted to what can best be described as “security theater.”
TM SGNL created unencrypted copies of every message sent and stored those messages on a centralized server, creating a honeypot of sensitive data. Additionally, the server publicly exposed a URL from which anyone could download the current state of its memory, which included users’ passwords and plaintext messages. These systemic issues allowed even relatively unsophisticated attackers to repeatedly download server memory, extract authentication details, and access sensitive conversations. This reminds us that secure protocols are only as strong as the underlying code quality and infrastructure implementation.
CyberInsider: Why would government officials use an obscure app like TM SGNL instead of audited tools with a proven record of trustworthiness? Is it ignorance or the false premise of security through obscurity?
Session: It’s unclear why TM SGNL was chosen, but the case shows the danger of relying on a vendor without full transparency. The flaws in TM SGNL exposed sensitive data due to poor design. This is a reminder that trust alone is not enough. Open-source, third-party audited and decentralized options like Session are built to remove the need for trust in the first place.
CyberInsider: In our review of Session from May 2025, we highlighted the problems of lack of two-factor authentication and Perfect Forward Secrecy. Are there any plans to strengthen these points in future releases?
Session: I agree with you that Session suffers from a perception problem around Perfect Forward Secrecy (PFS), even though this perception doesn't always reflect reality.
The cryptographic security provided by PFS is not well understood by most, and it has become a checkbox feature. It has been a challenge to communicate effectively about PFS, as the topic quickly gets technical and is hard for some to follow, and there are strong preconceived notions about what PFS provides that are difficult to challenge.
Session's tooling has improved significantly since PFS was removed, especially with the introduction of libsession. This shared library is now implemented across all platforms and allows developers to implement complex protocols more consistently, reducing cross-platform bugs.
I will say, Session contributors have been re-exploring PFS recently and looking at ways Session might achieve a notion of PFS while also minimizing the potential downsides PFS creates when being implemented in a decentralized context, with accounts which may have multiple linked devices.
However, significant challenges remain. A PFS implementation would likely require every linked device to maintain its own key pair that cannot be synced between devices. This creates problems around key rotation: if one device rotates its keys while other linked devices are offline for a significant period of time, those devices might encrypt messages for a non-existent key, resulting in undecryptable messages being sent to contacts. This is a challenge still faced by other messaging applications which support PFS and allow multiple linked devices. But I do think there could be a happy medium here, and this is something Session contributors are actively exploring.