The Assistance and Access bill (also known as TOLA) was introduced in 2018 with the intention of allowing the federal government to compel Australian entities to build backdoors into their encryption protocols. The scope of TOLA extends far beyond encryption, but the bill contains clauses that prevent the government from requiring an application developer to insert a “systemic weakness” into their application. Our analysis of this provision indicates that any backdoor which would violate user privacy in Session would fall outside the scope of the Assistance and Access legislation.
As the entire Session codebase is open-source, authorities or malicious actors from any jurisdiction could build modified Session clients themselves, and such clients could undermine user privacy. Because the Assistance and Access bill does not allow the government to force us to push out a ‘systemic’ vulnerability, or to prevent us from fixing such vulnerabilities, a modified client could not be distributed through the App Store or other official download channels. Instead, the attacker would need some method of directly installing the modified client on a specific user’s device, which is something we are not capable of doing.
Session’s developers do not have control over the Oxen Service Node Network, the network used to route and store users’ encrypted messages. So long as the associated codebases and software releases maintain their integrity, we do not and will not have access to any privileged information which could undermine user privacy. And because our platform is open-source, anyone can independently verify that this integrity is maintained.
For a more in-depth overview of our perspective on the risks posed by TOLA, read our blog on the issue.