For the most part, Threema and WhatsApp offer the same features, and there is hardly any difference in terms of usability. When it comes to security and data privacy, however, the two services differ on almost every level. Threema was designed from the ground up with high security and data reduction in mind, while WhatsApp’s business model is based on the use of personal data for marketing purposes.
In order to use conventional chat services, it’s necessary to disclose personally identifiable information. WhatsApp, for example, requires users to provide their phone number. Threema, on the other hand, doesn’t force users to disclose any personal information whatsoever. Instead of a phone number, the Threema ID (i.e., a random string of characters) serves as unique identifier. Linking a phone number or email address to one’s Threema ID is possible but optional. Hence, Threema can be used completely anonymously, which is a crucial feature in terms of privacy protection: Where there is no personal data in the first place, no personal data can ever be misused.
WhatsApp requires access to the user’s address book. Contact details are transmitted to a server where the data is permanently stored. Without access to the address book, the service cannot be used (without serious limitations). Threema, on the other hand, lets users decide whether to grant access to the address book or not. The app is fully functional without address-book access. If a user decides to synchronize the address book for the purpose of finding contacts on Threema, the contact details are hashed, sent to the server, and immediately deleted from the server once the synchronization is complete.
To ensure full transparency, the Threema apps are open source. Thanks to reproducible builds, there’s also a means to verify that the published code (of the Android app, for the time being) actually corresponds to the apps available for download. Furthermore, Threema regularly commissions external experts to conduct comprehensive security audits. WhatsApp, on the other hand, is not open source, and no independent security audits have been published. This is to say that there is no way to verify the company’s claims regarding security and privacy protection.
Metadata is all data that’s involved in communication other than the actual content, e.g., any available information about sender and recipient, message properties, plus date and time and other circumstances of the transmission. Facebook, the owner and operator of WhatsApp, is financed by selling targeted ads and therefore has an economical interest in metadata that’s as telling as possible. By systematically collecting metadata and combining it with data from other services (e.g., Instagram), detailed user profiles can be created. Thanks to these user profiles, ads can be sold at high prices because they can be targeted to specific demographics.
Threema is based on a transparent business model that’s compatible with the “Privacy by Design” credo. The service is financed by the sale of the app, i.e., the users pay for the service. The system was designed from the ground up with security and metadata reduction in mind. Only data that’s necessary for the service operation is generated and never stored longer than technically required.
WhatsApp and the Commodity of the 21st CenturyThe most important differences between Threema and WhatsApp in terms of security and data privacy at a glance
Threema
The service can be used anonymously.
Other than the intended recipient, no one (not even the service operator) can read regular chat messages.
It’s not possible to circumvent the end-to-end encryption by means of unencrypted message copies on the device, there is no fingerprinting and no status feature on the server side, and received URLs are not opened automatically.
The service provider operates and runs all servers, and there are no cloud or hosting services (such as Amazon AWS or Google Cloud) involved.
Messages are immediately and irrevocably deleted from the server once they are delivered to the recipient.
User data is not used for targeted advertising or for other marketing purposes.
It’s not necessary to grant access to the address book in order to use the service (without workaround/limitation).
Contact lists, groups, and user profiles are managed directly on the user devices, not on a central server.
The identity of contacts can be verified out of band, e.g., by scanning a QR code, and the verification is persistent.
The service complies with the European General Data Protection Regulation (GDPR).
The app’s source code is publicly accessible, and reproducible builds can be used to verify that it actually corresponds to the app available for download.
There is no such thing as a free lunch. If you don’t pay money for a service, you pay with your data instead.
