In an exclusive interview with crypto.news, Kee Jefferys, CTO of Session, discussed the inherent risks to privacy with centralized messaging platforms.
As our world becomes increasingly connected, privacy has transformed from a luxury into a necessity. Every click, every message, every digital interaction is a potential leak, spilling secrets into a sea of data ready to be harvested.
Messaging apps, which are integral to our daily communication, are facing growing scrutiny over their privacy practices.
Yet, incidents like those involving WhatsApp and Telegram—where breaches and metadata mishaps have eroded trust—spotlight the fragile nature of privacy in traditional platforms.
Such episodes constantly remind us of the vulnerabilities that users face daily, exposing them to potential profiling and surveillance, undermining trust.
Enter web3, a beacon of hope, promising a paradigm shift towards decentralization. This new technology framework seeks to dismantle the centralized powers that traditionally govern our data, proposing instead a system where privacy is inherent, not optional.
Jefferys, through his work with Session, champions this vision, employing a network of community-run nodes to safeguard user interactions without the need for a central authority.
He believes that a decentralized approach is crucial for creating a new trust model. One that doesn’t rely on centralized entities but distributes responsibility across a network of independent operators.
With the recent security breaches and metadata collection issues in messaging apps like WhatsApp and Telegram, what are the risks currently plaguing users in the traditional messaging app sector, particularly in terms of privacy?
Traditional messaging apps like WhatsApp and Telegram are inherently centralized, creating honeypots of sensitive metadata, such as phone numbers, IP addresses, and profile images. This data can be linked with other metadata, like message timing and group membership, to create detailed profiles of users, their habits, and relationships. Although these services claim not to engage in such profiling, they possess the data and access to do so, and this data could be leaked or accessed by hackers or compelled by authorities. To enhance privacy, we need systems that minimize data collection and centralization.
Law enforcement agencies access user data from secure messaging apps through metadata and cloud backups. How would web3 address this? Do you expect a potential backlash from regulators as these solutions surface?
Cloud backups are a convenient feature usually facilitated by device manufacturers like iCloud for iOS and Google One/Drive for Android. Messaging app publishers can mitigate risks created by these cloud backup services by opting out of automatic backups and instead using custom-built decentralized storage networks like Arweave or Filecoin, which don’t implement regulatory backdoors for mandated access. Regulators and law enforcement typically focus on device seizures during investigations, which would reveal similar content to what could be obtained from cloud backups, so this shift may not cause significant regulatory issues.
How does the decentralized nature of web3 technologies specifically address the privacy and trust issues that traditional messaging apps struggle with?
In the most fundamental way, decentralization creates a new trust model that shares the burden and responsibility of trust among thousands of parties instead of a single entity and creates a rules-based system to govern this new trust model. It eliminates centralized honeypots of user metadata and instead distributes user data, making it nearly impossible to gain a global view of the network. This means that instead of compromising a single entity, one would need to compromise thousands of individual operators to access user data.
What do you see as the future of secure messaging in the context of increasing government surveillance and cyber threats?
Most efforts in the secure messaging space have focused on securing the contents of messages via more advanced end-to-end encryption schemes, often at the expense of user experience. I think in the next 10 years, the space as a whole will focus more on metadata protection as end-to-end encryption becomes a more solved problem and governments move to even wider-scale metadata collection. The name of the game will no longer be content, it will be context.
How can web3 and decentralized technologies overcome the existing flaws and shape a more secure future for messaging apps?
Web3 and decentralized technologies can overcome flaws by breaking the trust assumptions of centralized messengers and proving that usability does not need to be sacrificed for privacy or decentralization.
Session claims to offer a ‘trustless’ messaging environment. Could you explain how Session’s architecture addresses the specific privacy flaws found in traditional messaging apps, ensuring that user data remains private and secure without requiring users to place their trust in a central authority?
Instead of relying on a centralized server, when a user sends a message on Session, they interact with a network of community-run nodes called the “Service Node network.” This network has over 2,000 nodes, which store and route the encrypted data of Session users. This architecture ensures that user data remains private since there’s no central location to collect user messages. Trust is maintained purely between the network and its users without any central authority or middleman to govern this process.
What mechanisms does Session use to protect user privacy?
There’s 4 main things Session does to protect user privacy; No phone number or personally identifiable information is required to sign up—just generate a Session ID and start messaging. All messages are end-to-end encrypted using an audited encryption protocol and open-source clients. Session uses onion routing to hide users’ IP addresses while using the service. A decentralized network is used for temporary storage, eliminating the need to trust a central service provider.
