Threema is designed from the ground up to generate as little data as technically possible. The less data is generated in the first place, the lower the potential for misuse and theft.
With Threema, the user applies the encryption, not the service provider. The decryption of a message is only possible with the recipient’s private key. This private key was generated by the recipient, and we don’t have access to it. It is therefore technically impossible for us to decrypt users’ messages.
Threema GmbH is not required to store communication metadata (“data retention”), as it does not exceed the revenue limits set by the Federal Act on the Surveillance of Post and Telecommunications (BÜPF) (version in effect since 01.03.2018) and the accompanying decree VÜPF.
However, as before, Threema GmbH must provide information that it already has upon judicial order. Therefore, we make a point of processing and storing as little information about our users as possible.
Here is how we handle requests for information about our users from authorities:
- According to article 26 paragraph 2 of the VÜPF, we only deal with inquiries placed through the PTSS according to the procedure mandated by the VÜPF, and that fully meet the formal requirements according to legal examination.
- Foreign authorities have to make an official request for legal assistance in accordance with the Federal Act on International Mutual Assistance in Criminal Matters; we don’t deal with direct inquiries by foreign authorities.
- If the legal requirements are fully met, we can provide the following information associated with a given Threema ID:
  - Phone number, if provided by the user
  - Email address (hashed), if provided by the user
  - Push token, if a push service is used
  - Public key
  - Date (without time) of Threema ID creation
  - Date (without time) of last login
Here are the statistics on all requests by authorities that we have received since 2014:
|Year|Requests by Swiss authorities|Requests by foreign authorities with Swiss legal assistance|Requests that have met the formal requirements|Requests that didn’t meet the formal requirements|Handing over of data (# cases)|Handing over of data (# IDs)|
Last update: 23.05.2018