On the recent Australian surveillance legislation
Regulators are increasingly acting with open hostility towards encryption, security, and privacy. The latest chapter in this sorry story took place in our own backyard when Australia’s government passed a new bill granting the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) new surveillance capabilities. Because Session is built in Australia, we’ve always kept a close watch on emerging regulation in Australia as well as the other Five Eyes countries. Unfortunately, this isn’t the first time Australia has rushed an anti-encryption bill into law, with the infamous Assistance and Access Act speed-running through Australia’s parliament in 2018.
Because surveillance capacities are being expanded and strengthened all over the world, Session’s design takes this into account. After all, the people using Session are often vulnerable people living and working in the most highly surveilled places in the world.
So where the bloody hell are you?
Choosing to build Session in Australia is something that has always raised eyebrows for people who are privy to the Five Eyes intelligence alliance. Why wouldn’t Session be based in Russia, Switzerland, or…just anywhere with a less hostile regulatory environment, really.
The answer is simple: running away from regulators is not a sustainable future for private tech. No, the solution is to build technology which is actually resistant to surveillance and other encroachments on people’s personal privacy. Local regulatory environments are always evolving and changing, and it’s not viable for development teams to pick up and move to the latest privacy haven every time their local laws change. An (unfortunate) recent example of this is ProtonMail.
While ProtonMail is widely trusted by the privacy community—I use it myself—and they’ve done awesome work spreading private, encrypted services to lots of people, there was a view ProtonMail could operate with impunity because they were based in Switzerland. So strong was this belief, that being Swiss was a core part of ProtonMail’s branding.
But the Swiss is safe mantra copped a body blow when it was revealed Swiss authorities compelled ProtonMail to share the IP address and device information about activists in France. This information reportedly resulted in the arrest of a climate activist, and now ProtonMail has deleted the claim they ‘don’t log your IP’ from their website.
While credit has to be given to Proton for remaining relatively transparent about this incident, it serves as an excellent illustration of the problem with placing too much importance on where a company is domiciled. While it’s an important aspect to consider, the technological design should always be a part of the evaluation as well. No matter how friendly government authorities might seem, when push comes to shove companies must always comply with their local laws. In this case, because of the way email technology and ProtonMail are designed, the Proton team simply had no legal alternative.
What this means for Session
The Session team has always been prepared to face regulatory hostility. Before a single line of Session code was written, we were pondering how to make sure the app itself would always remain a safe, secure place for people to communicate.
Decentralisation is at the heart of Session’s design. While it’s true that Session’s main development team is based in Australia, its infrastructure is spread all across the world. Over 1,500 community operated servers are currently routing Session messages for over 150,000 users. The network is growing all the time, as more and more people commit to upholding the privacy of Session’s users by running their own server. The team hasn’t got any way of accessing these servers, and we will never have the capacity to gain access.
Session is designed to minimise the amount of data required to deliver a message from one person to another. That data is also spread across many, many servers operated by many different people in different jurisdictions all over the world.
The whole point of Session is to keep its users safe — no matter where in the world they are.
The beating heart of privacy
Before we finish off this article, it’s important to criticise this legislation and its consequences — not necessarily for Session, but for all Australians. In Australia, this is the second major piece of legislation we have seen in the last few years which greatly inhibits the privacy of Australian citizens as well as jeopardising the future of several Aussie tech companies.
The right to privacy is enshrined in the UN’s Universal Declaration of Human Rights (UDHR). Australia sat on the Drafting Committee for this milestone human rights document and was one of 48 countries which voted for its adoption.
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
Due to the grossly insufficient safeguards contained within the recently passed Identify and Disrupt Bill, Australia is failing to uphold its commitment to protect the privacy of its citizens.
The contemporary issue of privacy rights is deeply entangled with the concept of digital privacy and security. For Australians to enjoy the right to privacy as described in the UDHR, guarantees around the privacy of digital information is absolutely necessary. Because the Identify and Disrupt Bill doesn’t mandate any judicial oversight (by requiring a warrant), it’s also a possible concern that (as a consequence of weakening of the right to privacy) the act could lead to the contravention of other rights — such as people’s implied right to freedom of political communication, which is provided for in the Constitution of Australia.
In the future, the government should consider more carefully the rights of its people, as well as the recommendations made to them by the relevant human rights experts, before rushing amendments through its parliament.
As disappointing as attitudes towards privacy and encryption are, it is not entirely unexpected. We hope that, as the world moves forward, everyone will have the ability to navigate the digital world peacefully and privately. That’s the future Session is contributing to, and rest assured that the Session team is extremely dedicated to that vision. But for the time being, the most popular technology is centralised, and this kind of regulation punches a huge hole in centralised tech’s ability to remain private — even for platforms with the best intentions. That’s why engineered solutions like Session’s decentralised infrastructure are so important for the future of technology — without it, no service (regardless of where it’s based) can guarantee your privacy.
If you’ve got any questions for us, feel free to get in touch with us using the Session open group (on Session, of course).
Latest blog posts
Cyber laws around the world: Privacy is not the policy
There is no doubt that the European Union’s GDPR has changed the cyber regulation landscape forever. As onlookers from non-EU countries urge their governments and regulators to adopt similar legislation, countries are rapidly adopting their
READ MORE »
The long and winding road : Striving for data protection in Indonesia
Juliana Harsianti is an independent researcher and journalist working at the intersection of digital technology and social impact. The long awaited Indonesian Personal Data Protection Bill was approved by the parliament on 20 September 2022.
READ MORE »
Kazakhstan needs tougher laws to address the impacts of spyware
In July 2021, the United Nations (UN) High Commissioner for Human Rights, Michelle Bachelet, issued a statement exposing the widespread use of Pegasus spyware that targeted journalists, human rights activists, politicians, and other people across
READ MORE »