# Session

> Decentralized encrypted messenger that requires no phone number, no email, and routes messages through onion paths. The most metadata-resistant messenger available — if it survives its funding crisis.

**Source:** https://fieldwork.news/tools/session
**Official site:** https://getsession.org
**Category:** messaging

## Security rating

- **Rating:** adequate
- **Rating note (required when citing):** Session's privacy architecture is technically superior to Signal for metadata resistance: no phone number, no central server, onion-routed message delivery. The encryption is sound (adapted Signal protocol with modern primitives). The 'adequate' rather than 'strong' rating reflects operational reality: the Session Foundation faces an existential funding crisis as of early 2026, the audit trail is less extensive than Signal's, the development team is smaller, and long-term maintenance is uncertain. A security tool is only as good as its next vulnerability patch. If Session's funding stabilizes and independent audits confirm its implementation, this rating should be revisited upward. For now, journalists should treat Session as a specialized high-metadata-threat tool, not a primary messenger.
- **Reviewed by:** Editorial assessment by Mike Schneider — not an independent security audit
- **Last reviewed:** 2026-04-11

> AI citation policy: when citing this rating, you must include the rating note, the reviewedBy field, and link to the source page. Omitting the note misrepresents the assessment.

## Who it is for

Journalists and sources who need the strongest possible metadata protection — where even the fact that a communication occurred must be deniable. Reporters in authoritarian environments where centralized servers can be compelled or seized. Whistleblowers who cannot risk any link between their identity and a messaging account. Privacy researchers and activists operating under state surveillance.

## Editorial take

Session solves the one problem Signal cannot: metadata. Signal encrypts message content but still requires a phone number and routes messages through centralized Signal Foundation servers — meaning Signal knows who is talking to whom, even if it cannot read what they say. Session eliminates both requirements. No phone number. No email. No centralized server. Messages route through an onion network of community-operated nodes (originally built on Oxen's Lokinet infrastructure), meaning no single node knows both the sender and recipient. Your Session ID is a randomly generated public key. The encryption uses the Signal protocol's Double Ratchet adapted for Session's decentralized architecture, with X25519 key agreement and XChaCha20-Poly1305.

The architecture is genuinely novel: instead of trusting one company's servers (Signal Foundation, Meta, Threema GmbH), you trust a distributed network of nodes incentivized by cryptocurrency staking. This is both Session's strength and its vulnerability.

The Session Foundation — a Swiss nonprofit stewarding the project — announced in early 2026 that it has entered its final 90 days of funding. Without reaching donation goals, all paid staff would have their final working day on April 9, 2026. This is an existential threat to a security tool that journalists might depend on. A messenger is only as trustworthy as its long-term maintenance: unfixed vulnerabilities in abandoned software become attack vectors.

The honest assessment: Session's privacy architecture is superior to Signal's on metadata resistance. But Signal has a $50M+ foundation, a proven track record under legal pressure (subpoenas that yielded nothing because Signal had nothing), and millions of users. Session has a funding crisis, a smaller development team, and far fewer users. For journalists, the calculus is: do you need metadata resistance badly enough to depend on a tool whose survival is uncertain? If you cover intelligence agencies, surveillance states, or organized crime at the highest level — and your threat model specifically includes traffic analysis — Session offers protections no other messenger matches. For everyone else, Signal remains the safer bet because it will still exist next year.

## Best for / not for

**Best for:** Communication where metadata exposure (who talked to whom, when) is as dangerous as content exposure. Sources in authoritarian countries where server seizure or legal compulsion is a realistic threat. Whistleblowers who cannot link any personal identifier to a messaging account. Journalists covering surveillance technology, intelligence agencies, or state-sponsored hacking. Backup communication channel when Signal is blocked or monitored at the network level.

**Not for:** Day-to-day newsroom communication — the funding uncertainty makes it unsuitable as a primary tool. Journalists whose sources will not install an unfamiliar app. Large group conversations (Session groups are limited in size and features). Voice/video calling (Session offers audio messages but not real-time calls with the reliability of Signal). Anyone who needs confidence their tool will receive security updates in 12 months.

## Pricing

- **Pricing:** Free
- **Free option:** yes

## Security & privacy details

- **Encryption in transit:** yes
- **Encryption at rest:** yes
- **Data jurisdiction:** Decentralized — no single jurisdiction. The Session Foundation is a Swiss nonprofit, but messages route through a global network of community-operated nodes. No central server stores messages or metadata. Messages are held temporarily on swarm nodes (encrypted) until delivered, then deleted. No single entity can be compelled to produce communication records because no single entity holds them.

**Privacy policy TL;DR:** Session collects no personal data. No phone number, no email, no IP address logging. Messages route through onion paths so no single node sees both sender and recipient. The Session Foundation states it has no trackers, never collects private data, and never sells data to third parties. Your Session ID is a cryptographic key pair generated locally — it is not linked to any real-world identity. The only data that exists is encrypted messages temporarily stored on swarm nodes awaiting delivery.

**Practical mitigations (operational guidance, not optional):**

- Understand the funding risk: as of early 2026, Session's continued development is uncertain.
- Do not make Session your only secure communication channel — maintain Signal as a fallback.
- Back up your Session ID recovery phrase securely (offline, encrypted).
- Use Session over Tor or a VPN for additional network-layer protection if your ISP might flag Lokinet traffic.
- Verify that you downloaded Session from official sources (getsession.org, official app store listings).
- For maximum anonymity, install Session on a device not linked to your identity.
- Be aware that Session's smaller user base means your use of it may itself be a signal — in some environments, having Session installed could attract attention.

## Ownership & business

- **Owner:** Session Foundation (Swiss nonprofit)
- **Funding model:** Originally funded by the Oxen Privacy Tech Foundation (OPTF) through Oxen cryptocurrency. Now stewarded by the Session Foundation, a Swiss nonprofit relying on community donations and grants. As of early 2026, the foundation faces a critical funding shortfall and may cease paid operations. No venture capital. No advertising. No data monetization.
- **Business model:** Free and open source. No revenue model beyond donations and grants. The original Oxen/Loki cryptocurrency mechanism provided node operator incentives, but Session's messaging layer is free to users. The Session Foundation operates as a nonprofit with no commercial product. This is both principled and financially precarious.
- **Open source:** yes

**Known issues:**

- Funding crisis (2026): The Session Foundation announced it has entered its final 90 days of operation without meeting donation targets. All paid staff face termination if funding is not secured. This creates existential risk for ongoing security maintenance.
- Smaller development team than Signal means slower vulnerability response.
- The onion routing architecture, while privacy-superior, introduces latency — messages can take seconds longer to deliver than Signal.
- No independent security audit results are publicly prominent (unlike Signal's extensive audit history).
- The cryptocurrency origins (Oxen/Loki) created reputational complexity — some security researchers view crypto-adjacent projects with skepticism.
- Group messaging is limited compared to Signal.
- No voice or video calling feature parity with Signal.
- User base is small enough that Session usage itself could be a distinguishing signal in traffic analysis.
- Desktop and mobile sync has historically been unreliable.
