WhatsApp and the Commodity of the 21st Century

Last year, WhatsApp stirred up quite the controversy with its infamous privacy policy update that arguably weakened users’ data protection. Now, a few months later, the messaging service owned by Meta (formerly known as “Facebook”) has launched a large-scale marketing campaign to present itself as a guardian of privacy. Let’s set some things straight.

SMS: A Low Reference Point

In the video ads WhatsApp has been publishing this week, viewers join a cheeky postman as he delivers mail to recipients who are baffled by the fact that their letters and parcels have already been opened. The message is plain and simple: Those who send text messages via SMS disclose their privacy, whereas the privacy of those who use WhatsApp is well protected thanks to end-to-end encryption.

At first glance, this line of thought may seem plausible, but it is based on an oversimplified notion of data protection that only takes into account the message content, while completely disregarding both metadata and the possible motives for undermining users’ privacy. Of course, end-to-end encryption is preferable to unencrypted message transmission. However, end-to-end encryption alone does not ensure comprehensive privacy protection. Not by a long shot.

The Commodity of the 21st Century

Like Facebook and Instagram, WhatsApp requires users to disclose personally identifiable information, such as their phone number. For this reason, Meta is able to identify users across different services and combine their data from various platforms into comprehensive user profiles. On top of that, there are tools that are capable of gathering data outside of Meta’s services, e.g., the Facebook plugin, which, when integrated into third-party websites, can track Internet users’ browsing behavior beyond Meta’s domain.

By systematically collecting user data from different sources, it is possible to draw a picture of an individual user that’s far more detailed and much more accurate than one that’s merely based on message content. The chat metadata (i.e., information about who communicates with whom, when, where, etc.) that accumulates when using WhatsApp equates to a comprehensive “social graph,” which is quite revealing in and of itself. “Likes” on Facebook and Instagram not only reflect users’ interests and their preferences, further information – such as age and income class, marital status, or sexual orientation – can also be inferred from collections of such data points. By combining the obtained information, matching it against the social graph, and supplementing it with attributes of close contacts, the whole data set becomes much more than the sum of its parts and arguably speaks volumes about the user it’s associated with.

What’s more, metadata is a lot easier to process and more reliable than the actual content it corresponds to. Edward Snowden once put it like this:

Metadata is extraordinarily intrusive. As an analyst, I would prefer to be looking at metadata than looking at content because it’s quicker and easier, and it doesn’t lie.

A Matter of the Business Model

The reason Meta relentlessly collects user data is inextricably tied to the tech corporation’s business model. In typical Silicon Valley fashion, Meta provides its services free of charge and generates revenue by selling targeted advertisements. The more Meta knows about its users, the better the ads can be targeted to the users. The better the ads are targeted to the users, the higher the price advertisers are willing to pay and the greater Meta’s profit.

Due to this business model, Meta/WhatsApp has a vital interest in collecting as much and as telling user data as possible. This practice is, of course, not compatible with privacy protection by any stretch of the imagination. The fact that WhatsApp messages are end-to-end encrypted (as Meta claims) is an advantage over SMS, but in the grand scheme of things, this is only a small comfort.

SMS and WhatsApp have in common that neither was designed with a particular focus on security and data privacy. To find out how WhatsApp stacks up against a messenger like Threema, which was built from the ground up with security and data privacy in mind, please refer to this side-by-side comparison.

Data Privacy Week: Raise Awareness with Your Profile Picture

Today is the first day of the Data Privacy Week, which culminates in the Data Privacy Day on Friday, January 28. The aim of this initiative is to raise the public’s awareness for online privacy and to encourage Internet users to exercise their right to privacy.

Join the movement!

Support the cause, and stand up for privacy: Add the #RegainPrivacy banner to your profile picture in chat apps and on social media to show your contacts and followers that you care about privacy and disapprove of mass surveillance by authorities and exploitation of user data by Big Tech.

Create your #RegainPrivacy profile picture here →


The Data Privacy Day is an international awareness day that was initiated by the Council of Europe (not to be confused with the European Council) back in 2008 and is held annually on January 28.

This date was chosen because on January 28, 1981, the Council of Europe proposed its “Convention 108,” which is the first internationally binding agreement to protect personal data and could be considered to be a precursor to, or inspiration for, the GDPR.

Since 2008, various organizations, both governmental and non-governmental, educational institutions, and companies use this opportunity to make a case for privacy and point out the inherent dangers of systematic data collection by tech corporations and government agencies.

For one thing, privacy is a basic human right that’s valuable and worthy of protection in and of itself. For another, it is an important corner stone of democratic societies. And last but not least, there’s simply no way of knowing what kind of inferences can be drawn about individuals in the future by means of the tremendous amount of collected user data in conjunction with new technologies such as artificial intelligence.

Chat on the Computer Without a Browser

Threema Web, which has been around for some time, allows you to conveniently use Threema from the desktop without compromising security. Now, chatting on the computer gets even more user-friendly.

Thanks to the new desktop app, you no longer need to search for Threema in the browser and switch back and forth between tabs all the time. Instead, your favorite messenger is always at hand in the dock or via the app switcher. Anyone who regularly exchanges text messages on a computer will greatly appreciate this streamlined chatting experience.

The desktop solution is available for macOS, Windows, and Linux starting today. Just like the web client, on which it is based, the desktop app establishes an end-to-end encrypted connection to your mobile device. Of course, Threema for desktop covers the complete range of Threema Web’s features.

In terms of security, the desktop client even surpasses the high standard of the tried-and-tested web solution in certain respects. For one thing, there’s no way for browser plugins to introduce vulnerabilities. For another, it would be even more difficult for attackers to manipulate the app code since it isn’t loaded from a server each session but permanently stored on the user’s end.

Get the desktop app for your operating system now:

Open download page →

Outlook: Threema 2.0 for Desktop

The next major update of the desktop app will not only introduce a completely redesigned user interface, it will also be based on a totally new architecture. Thanks to multi-device functionality, version 2.0 no longer requires an active connection to your mobile device. This is to say that you’ll be able to use the desktop app even if your smartphone happens to be turned off.

The development of the multi-device technology is in full swing, but it turns out to be more time-consuming than anticipated. Several technical challenges have already been met, but there is still work ahead. More often than not, the path to security is neither easy nor fast. And when it comes to security and privacy protection, we are under no circumstances willing to cut corners. Unfortunately, the multi-device solution’s release therefore gets delayed. Thank you for your patience and understanding!

We’ll keep you posted and provide another update about the development of Threema 2.0 for desktop at the end of the year. Stay tuned!

Update 2022-12-07: There’s a tech preview of Threema 2.0 for desktop available, which allows iOS users to test the upcoming multi-device functionality ahead of time.

Threema for Android Introduces Contact-Specific Privacy Settings

With its option to adjust privacy settings on a per-contact basis, the latest Threema update for Android introduces a useful new feature.

There are some scenarios where one-size-fits-all solutions just won’t cut it, and one such scenario concerns read receipts: While you may want to send read receipts to some contacts, you probably don’t want to send them to all contacts.

That’s why Threema now allows you to fine-tune privacy settings. Instead of sending read receipts to either every contact or no contact at all, you can override the default setting for specific contacts. The same goes for the typing indicator.

Supposing you have disabled read receipts in the global privacy settings (⋮ > Settings > Privacy > Receipts) but wish to send read receipts to a contact close to your heart, just open the contact details, and set “Send read receipts” to “Send.” This will override the global setting, and nobody except your special contact will receive read receipts.

To learn more about Threema 4.57 for Android, please refer to the changelog.

Threema OnPrem: Maximum Security Thanks to Self-Hosting

Threema Work is the gold standard of secure messaging apps for organizations. Renowned companies around the globe use the time-tested Swiss chat solution to protect their corporate data and to ensure full data-privacy compliance. With Threema Work, employees enjoy the productivity-boosting benefits of instant messaging without having to resort to questionable chat services that aren’t qualified for corporate use or don’t comply with the GDPR.

Now, Threema OnPrem turns the security and confidentiality of enterprise messaging up to eleven. The new on-premises solution allows organizations that require exceptional security to run Threema on their own server. This translates to complete data ownership along with total and exclusive control over every aspect of the communication tool. Not only the message exchange is carried out internally by the company server, the administration console is also self-hosted, with Threema OnPrem covering the full feature range of Threema Work.

The combination of Threema’s well-established security architecture and absolute data ownership results in a self-contained chat environment that’s second to none in terms of confidentiality. Threema OnPrem instances are completely independent and in no way, shape, or form connected to Threema’s infrastructure. Thus, Threema OnPrem is perfectly suited for professional use in industrial companies, public authorities, law enforcement, and wherever sensitive data is involved or maximum security and utmost confidentiality are required.

Learn more about Threema OnPrem

Why Threema Instead of WhatsApp?

On May 15, WhatsApp will enforce its new privacy policy. The changes have been met with significant pushback, and in addition to a wave of public outrage, the matter has sparked a general debate about data privacy in messaging services.

Countless WhatsApp users have taken the opportunity to leave Facebook’s controversial chat service and prevent the exploitation of their user data.

The notion that privacy is an invaluable asset and the realization that free services can come at a high price are becoming increasingly popular. More Internet users than ever prefer to pay a small one-time fee instead of giving up their privacy for a “free” service.

As a result, over a million new users have already joined Threema this year. For the remaining WhatsApp users, we have compiled the most important reasons to switch to Threema instead of accepting WhatsApp’s new privacy policy:

Why Threema Instead of WhatsApp?

Communication Tools for Companies: The Definitive Comparison

Instant messaging has become an important part of business communications. Excellent availability, unmatched ease of use, and short response times are just a few of its numerous benefits. There is, however, one major challenge for companies: choosing the right service.

Chat apps for private users are not suitable for business purposes because they lack the means for administration and user management, don’t offer any business features, and, more often than not, fall short in terms of security and data protection. There are, of course, services specifically designed for companies, which roughly fall into three categories:

  • Secure instant messengers: Stashcat, Threema Work, Wickr, and Wire
  • Collaboration tools: Google Chat and MS Teams
  • Engagement apps: Beekeeper and Staffbase

To illustrate how the different services stack up against one another, we have compiled a comprehensive comparison that reveals the key differences and shows which requirements are met by which services.

The comparison confirms: Even if a company already uses a collaboration tool or an engagement app, a secure instant messenger is still a must. Services like MS Teams or Staffbase do not provide the security level required for the exchange of sensitive company data. They also don’t fulfill the staff’s need for an intuitive app that’s similar to Threema or WhatsApp in terms of usability and features.

That said, even among the business messengers that are supposed to be secure, significant differences emerge in the area of security and data privacy. It’s safe to say that not all apps are cut from the same cloth. See for yourself:

Comparison of Communication Tools for Companies

Threema 4.5 for Android: New Features Galore

Threema 4.5 for Android: New Features Galore

Threema’s Android app gets a substantial update, bursting with new features and general refinements. Among the highlights are the global search functionality, the integrated media gallery, and the optional image-search feature, which is based on local, and thus privacy-compliant, image recognition.

Read on…

Data Privacy Day 2021: A Reminder for the EU Council

Today is Data Privacy Day. This annual observance was established by the Council of Europe to raise awareness for data protection and to draw attention to the dangers of a decrease in online privacy.

Since the Data Privacy Day’s inception back in 2007, a myriad of startling privacy incidents has demonstrated over and over how vulnerable our privacy is and how easily it can be invaded on the Internet.

As a welcome consequence of these incidents, the notion that privacy is also worth protecting if one has “nothing to hide” gradually gains ground. The massive influx of users Threema currently experiences due to the controversy surrounding WhatsApp’s privacy policy is a testament to the mindset shift many Internet users make.

Now that more and more Internet users exercise their right to privacy by using encrypted services like Threema, the EU Council suddenly questions this fundamental right by proposing to deliberately weaken the encryption of secure Internet services.

In a joint statement, we, together with ProtonMail, Tresorit, and Tutanota, outline why this proposal is not only misguided but also counterproductive and dangerous, and we ask the EU Council to adhere to the spirit of the Data Privacy Day and acknowledge the importance of privacy for democracy:

Reminder for the EU Council (PDF)

Threema for iOS: Larger Groups and More

The latest Threema version for iOS includes several minor improvements. For example, you can now create groups containing up to 256 members, and it’s possible to quote any type of message, including images, voice messages, and locations.

For more details about the 4.6.4 update, please refer to the changelog.

Threema for Android will allow you to create groups of up to 256 members with the upcoming update.

More Contacts Than You Might Think Already Use Threema – and You Can Get Even More on Board

When using a messaging service, the question who else is on that platform inevitably arises. In conventional chat apps, the contact list answers this question conclusively. In Threema, where privacy is a top priority and users are not forced to disclose their phone number, the contact list might not reveal every contact who uses the service.

Messengers like WhatsApp or Signal use the phone number as unique identifier. Since the phone number is personal data that points to the identity of its owner, Threema uses a random string of characters (the “Threema ID”) instead, and providing a phone number is optional.

Only contacts who have linked a phone number to their Threema ID appear automatically in Threema’s contact list.

There are different reasons to not disclose one’s phone number and use Threema anonymously. Out of all users, about 30% use Threema this way. Therefore, it’s likely that also some of your contacts don’t show up in your contact list.

How to Get Even More Contacts on Board

Send your individual Share Link to friends who don’t appear in your contact list, and add this link to your email signature, for example. Those who don’t use Threema yet can download it using this link and contact you as soon as they have done so.

If you still use other chat services you intend to leave due to privacy concerns, consider setting this image as profile picture to let others know where to contact you in the future:

Profile Picture

Signal, Telegram, Threema: Which is the best WhatsApp alternative?

Due to the current controversy surrounding WhatsApp’s privacy policy, Internet users around the globe wonder which chat apps are trustworthy.

Besides Threema, Telegram and Signal are often considered to be secure alternatives to WhatsApp. But are theses solutions really equal in terms of security and privacy protection? Is their approach even comparable? And how does their range of features differ?

In order to answer these questions, we have compiled a comprehensive comparison that shows how the mentioned services stack up against one another in different respects.


The comparison shows that Telegram hasn’t got what it takes to be a secure WhatsApp alternative: By default, end-to-end encryption is disabled and messages are permanently stored on a server, where they could, in theory, be read by the service provider at any time.


Signal enjoys an outstanding reputation among experts, and it’s certainly a good alternative to WhatsApp. However, just like WhatsApp, it requires users to disclose personally identifiable information: Providing a phone number is mandatory. As a US-based IT service provider, Signal is also subject to the CLOUD Act, which entitles US authorities to access the service provider’s data.


When Threema was launched back in 2012, the main goal was to provide a WhatsApp alternative that’s as secure and privacy-friendly as possible. Given this goal, it’s no surprise that the Swiss messenger stacks up well against the competition in terms of security and data protection. It is the only one of the four services that adheres to the “Privacy by Design” principle: Only data that’s absolutely necessary for the service’s operation is generated, and Threema can be used without providing any personal data whatsoever.

Find out which is the right messenger for you:

Go to the Messenger Comparison

In Celebration of Becoming Open Source, Threema Is 50% Off

As of today, the Threema apps are open source! To celebrate this occasion, the apps are available at half price until December 28. That’s 100% transparency at 50% of the price. Those who don’t use Threema yet have more compelling reasons than ever to regain privacy now.

Download Threema   Spread the word via email


Threema’s cryptographic procedures have been thoroughly documented from the outset, the proper application of the encryption library could always be verified independently, and external audits have repeatedly confirmed the apps’ security.

Now, we go a step further. To ensure full transparency and to dispel even the slightest shadow of a doubt, the Threema apps’ source code is publicly accessible starting today. It is subject to the AGPLv3 license, and thanks to reproducible builds, there’s a way to verify that the published code (of the Android app, for the time being) actually corresponds to the apps available for download.

Therefore, it’s no longer necessary to believe our claims or to trust someone else’s assessment. Anyone knowledgeable enough is now able to confirm Threema’s security on their own.

All information on how to download the source code, build it, and reproduce the app can be found here:


New Audit Confirms Threema’s Security Once Again

As previously announced, the Threema apps’ source code will be published soon. This step ensures full transparency, and anyone knowledgeable enough will be able to independently verify Threema’s security.

However, going open source doesn’t mean it’s no longer necessary to commission external experts to audit the code. The mere fact that a software’s source is open doesn’t guarantee that qualified specialists go to the trouble of systematically reviewing the code. After all, reviewing software of Threema’s scale not only requires profound technical expertise, it’s also quite time-consuming.

Whereas the most recent audit to date was conducted by the University of Münster’s Lab for IT Security in 2019, we hired Cure53 this time. In a total of 16 person days, experts of the renowned security firm subjected the Threema apps to a thorough inspection.

Even though the audit was carried out with great rigor and attention to detail, it did not reveal any serious vulnerabilities. On the contrary, the experts were impressed with Threema’s code quality and its general structure:

“Cure53 needs to underline that the overall impression of the code quality and general structure of the project can only be described as unusually solid. The design and implementation were clearly accomplished by a rare team of experienced and securityaffine engineers. In Cure53’s opinion, there should be no doubt about the focus of these processes being on providing a highly secure messaging application without encumbering the overall user-experience.” (p. 17)

Of the few minor improvements Cure53 suggested, some are already implemented in the current app versions, and the others will be incorporated into upcoming updates. Read the full audit report here:

Audit Report 2020

Improved Photo Handling in Threema for iOS

There’s a minor Threema update for iOS available, which, among other things, includes some improvements in regard to photo handling.

On iOS 14, you can now grant the Threema app access to individual photos on the fly (instead of either granting access to the entire photo library or not granting access at all):

  1. Navigate to “iOS > Settings > Threema > Photos”
  2. Select “None”

If you tap the plus sign in a chat and select “Choose Existing,” you’ll be presented with iOS’s photo picker instead of Threema’s. This way, the Threema app only gets access to the photos you actually send, not to your entire photo library.

While captions could only be added when sending photos via the Share button prior to this update, it’s now possible to add captions right in the app. And if you select multiple photos at once, simply drag and drop them to define the order in which they are sent.

To learn about other changes and additions the 4.6.3 update contains, please refer to the changelog.

Update/download Threema for iOS