Countless WhatsApp users have taken the opportunity to leave Facebook’s controversial chat service and prevent the exploitation of their user data.
The notion that privacy is an invaluable asset and the realization that free services can come at a high price are becoming increasingly popular. More Internet users than ever prefer to pay a small one-time fee instead of giving up their privacy for a “free” service.
Instant messaging has become an important part of business communications. Excellent availability, unmatched ease of use, and short response times are just a few of its numerous benefits. There is, however, one major challenge for companies: choosing the right service.
Chat apps for private users are not suitable for business purposes because they lack the means for administration and user management, don’t offer any business features, and, more often than not, fall short in terms of security and data protection. There are, of course, services specifically designed for companies, which roughly fall into three categories:
Secure instant messengers: Stashcat, Teamwire, Threema Work, Wickr, and Wire
Collaboration tools: Google Chat and MS Teams
Engagement apps: Beekeeper and Staffbase
To illustrate how the different services stack up against one another, we have compiled a comprehensive comparison that reveals the key differences and shows which requirements are met by which services.
The comparison confirms: Even if a company already uses a collaboration tool or an engagement app, a secure instant messenger is still a must. Services like MS Teams or Staffbase do not provide the security level required for the exchange of sensitive company data. They also don’t fulfill the staff’s need for an intuitive app that’s similar to Threema or WhatsApp in terms of usability and features.
That said, even among the business messengers that are supposed to be secure, significant differences emerge in the area of security and data privacy. It’s safe to say that not all apps are cut from the same cloth. See for yourself:
Threema’s Android app gets a substantial update, bursting with new features and general refinements. Among the highlights are the global search functionality, the integrated media gallery, and the optional image-search feature, which is based on local, and thus privacy-compliant, image recognition.
Today is Data Privacy Day. This annual observance was established by the Council of Europe to raise awareness for data protection and to draw attention to the dangers of a decrease in online privacy.
Since the Data Privacy Day’s inception back in 2007, a myriad of startling privacy incidents has demonstrated over and over how vulnerable our privacy is and how easily it can be invaded on the Internet.
In a joint statement, we, together with ProtonMail, Tresorit, and Tutanota, outline why this proposal is not only misguided but also counterproductive and dangerous, and we ask the EU Council to adhere to the spirit of the Data Privacy Day and acknowledge the importance of privacy for democracy:
The latest Threema version for iOS includes several minor improvements. For example, you can now create groups containing up to 256 members, and it’s possible to quote any type of message, including images, voice messages, and locations.
When using a messaging service, the question who else is on that platform inevitably arises. In conventional chat apps, the contact list answers this question conclusively. In Threema, where privacy is a top priority and users are not forced to disclose their phone number, the contact list might not reveal every contact who uses the service.
Messengers like WhatsApp or Signal use the phone number as unique identifier. Since the phone number is personal data that points to the identity of its owner, Threema uses a random string of characters (the “Threema ID”) instead, and providing a phone number is optional.
Only contacts who have linked a phone number to their Threema ID appear automatically in Threema’s contact list.
Send your individual Share Link to friends who don’t appear in your contact list, and add this link to your email signature, for example. Those who don’t use Threema yet can download it using this link and contact you as soon as they have done so.
If you still use other chat services you intend to leave due to privacy concerns, consider setting this image as profile picture to let others know where to contact you in the future:
Besides Threema, Telegram and Signal are often considered to be secure alternatives to WhatsApp. But are theses solutions really equal in terms of security and privacy protection? Is their approach even comparable? And how does their range of features differ?
In order to answer these questions, we have compiled a comprehensive comparison that shows how the mentioned services stack up against one another in different respects.
The comparison shows that Telegram hasn’t got what it takes to be a secure WhatsApp alternative: By default, end-to-end encryption is disabled and messages are permanently stored on a server, where they could, in theory, be read by the service provider at any time.
Signal enjoys an outstanding reputation among experts, and it’s certainly a good alternative to WhatsApp. However, just like WhatsApp, it requires users to disclose personally identifiable information: Providing a phone number is mandatory. As a US-based IT service provider, Signal is also subject to the CLOUD Act, which entitles US authorities to access the service provider’s data.
When Threema was launched back in 2012, the main goal was to provide a WhatsApp alternative that’s as secure and privacy-friendly as possible. Given this goal, it’s no surprise that the Swiss messenger stacks up well against the competition in terms of security and data protection. It is the only one of the four services that adheres to the “Privacy by Design” principle: Only data that’s absolutely necessary for the service’s operation is generated, and Threema can be used without providing any personal data whatsoever.
As of today, the Threema apps are open source! To celebrate this occasion, the apps are available at half price until December 28. That’s 100% transparency at 50% of the price. Those who don’t use Threema yet have more compelling reasons than ever to regain privacy now.
Now, we go a step further. To ensure full transparency and to dispel even the slightest shadow of a doubt, the Threema apps’ source code is publicly accessible starting today. It is subject to the AGPLv3 license, and thanks to reproducible builds, there’s a way to verify that the published code (of the Android app, for the time being) actually corresponds to the apps available for download.
Therefore, it’s no longer necessary to believe our claims or to trust someone else’s assessment. Anyone knowledgeable enough is now able to confirm Threema’s security on their own.
All information on how to download the source code, build it, and reproduce the app can be found here:
As previously announced, the Threema apps’ source code will be published soon. This step ensures full transparency, and anyone knowledgeable enough will be able to independently verify Threema’s security.
However, going open source doesn’t mean it’s no longer necessary to commission external experts to audit the code. The mere fact that a software’s source is open doesn’t guarantee that qualified specialists go to the trouble of systematically reviewing the code. After all, reviewing software of Threema’s scale not only requires profound technical expertise, it’s also quite time-consuming.
Whereas the most recent audit to date was conducted by the University of Münster’s Lab for IT Security in 2019, we hired Cure53 this time. In a total of 16 person days, experts of the renowned security firm subjected the Threema apps to a thorough inspection.
Even though the audit was carried out with great rigor and attention to detail, it did not reveal any serious vulnerabilities. On the contrary, the experts were impressed with Threema’s code quality and its general structure:
“Cure53 needs to underline that the overall impression of the code quality and general structure of the project can only be described as unusually solid. The design and implementation were clearly accomplished by a rare team of experienced and securityaffine engineers. In Cure53’s opinion, there should be no doubt about the focus of these processes being on providing a highly secure messaging application without encumbering the overall user-experience.” (p. 17)
Of the few minor improvements Cure53 suggested, some are already implemented in the current app versions, and the others will be incorporated into upcoming updates. Read the full audit report here:
There’s a minor Threema update for iOS available, which, among other things, includes some improvements in regard to photo handling.
On iOS 14, you can now grant the Threema app access to individual photos on the fly (instead of either granting access to the entire photo library or not granting access at all):
Navigate to “iOS > Settings > Threema > Photos”
If you tap the plus sign in a chat and select “Choose Existing,” you’ll be presented with iOS’s photo picker instead of Threema’s. This way, the Threema app only gets access to the photos you actually send, not to your entire photo library.
While captions could only be added when sending photos via the Share button prior to this update, it’s now possible to add captions right in the app. And if you select multiple photos at once, simply drag and drop them to define the order in which they are sent.
To learn about other changes and additions the 4.6.3 update contains, please refer to the changelog.
These days, many chat services allow users to use multiple devices in parallel. Therefore, one might assume that such a multi-device functionality must be easy enough to implement. Provided that security and privacy protection are not a major priority, this notion isn’t far off. If, however, the multi-device protocol is required to meet Threema standards, things get complicated.
In order to fulfill Threema’s requirements, a multi-device solution must, of course, provide full end-to-end encryption. That’s a given. But on top of that, it also has to rule out any possibility for the server to alter key material, and the amount of transferred metadata must be kept to the absolute minimum.
Even though these requirements pose a true technological challenge, we believe to have found a capable and elegant solution, which is currently in development and will become available in the course of 2021.
Using Threema Gateway, you can send, receive, and process Threema messages by means of your own software. Whappodo has used this technique to create a useful service for retrieving regional Corona stats.
Simply send a location (as location, not as text message) to the Threema ID *COVIDEN, and, in return, you’ll receive the current Corona stats for that region: Give it a try!
The Corona Radar showcases how Threema Gateway can be used in clever ways.
Chat apps have become an indispensable communication tool in many areas, also at school. Classroom chats form an integral part of everyday school life, and homework is often assigned via text message. Since conventional chat services systematically collect personal data, their use for school purposes is highly questionable and may violate applicable law.
With Threema Education, schools and other educational institutions benefit from all advantages modern instant messaging offers without compromising the privacy of students and teachers.
Thanks to a framework contract with educa.ch, it’s now easier than ever for public Swiss educational institutions to use Threema Education. As a Specialist Agency of the Swiss Confederation and the cantons, educa.ch negotiates framework contracts with commercial service providers in order to promote digitalization in the education sector.
The framework contract ensures legal certainty and reduces the acquisition effort. And since Threema Education doesn’t generate recurring costs, educational institutions benefit from planning security in any case.
A new chapter is added to Threema’s success story.
Strengthened Through Partnership
After an intense startup phase, Threema lays the foundation for continuity, further growth, and an acceleration of the product development thanks to the entry of the German-Swiss investment company Afinum Management AG.
Afinum fully shares our values regarding security and privacy protection. The additional resources gained through this partnership enable Threema to grow beyond the German-speaking part of Europe, and we can use our energy for visionary new ideas and projects. That said, Threema’s founders – Manuel Kasper, Silvan Engeler, and Martin Blatter, all software developers – will continue to lead the company and still retain a significant ownership interest.
Open Source and Multi Device
Security and privacy protection are deeply ingrained in Threema’s DNA, which is why our code gets reviewed externally on a regular basis. Within the next months, the Threema apps will become fully open source, supporting reproducible builds. This is to say that anyone will be able to independently review Threema’s security and verify that the published source code corresponds to the downloaded app.
In the future, it will be possible to use multiple devices in parallel thanks to an innovative multi-device solution. In contrast to other approaches, no trace of personal data will be left behind on a server. Thanks to this technology, Threema can be used on a PC without a smartphone.
In conclusion, Threema will become even more trustworthy and even more convenient to use.