Just in time for the tenth anniversary, Threema introduces “Ibex,” a new cryptographic communication protocol that further solidifies Threema’s time-tested security and future-proofs the overall system. On top of that, the overhauled protocol suite receives additional key components that lay the groundwork for forthcoming features.
In a conversation, you nod or shake your head to let others know what you think. In a messenger chat, the thumbs-up or thumbs-down icons are used instead. Threema was the first messenger to introduce the agree/disagree functionality, which allows users to react to incoming messages with approval (thumbs up) or disapproval (thumbs down) without triggering a push notification on the chat partner’s end.
This unobtrusive form of interaction is very popular among many users, and in certain situations, it is the most appropriate form of communication. It also allows those who have deactivated read receipts to acknowledge the receipt of individual messages.
As of now, the popular feature is also available in group chats, where it unfolds its full potential. If every member of a large group were to state their (dis)approval of some message by replying to it, things would get out of hand quickly. Using the agree/disagree feature, however, the group chat stays tidy, and it’s evident at a glance how the group members feel about the message. To see who (dis)agrees with a message, simply tap and hold it, and press “(i)” (on Android) or “Details” (on iOS).
The agree/disagree feature is available starting with Threema 5.0 for Android and Threema 4.8.5 for iOS.
When Threema was first released almost ten years ago, it was a chat-only app. These days, however, many users have come to rely on it for secure and privacy-compliant phone calls, which don’t require to disclose a phone number. Expanding Threema’s feature set further, the 5.0 update allows Android users to conduct audio/video group calls of up to 16 participants.
Just like 1:1 calls, group calls are end-to-end encrypted and meet the regular Threema call’s high level of security. Also in terms of quality, users don’t have to give up what they’re used to: group calls offer the same crystal-clear voice quality and brilliant video quality regular calls are known for.
To initiate a group call, simply tap on the camera icon in the top right corner of the desired group chat. All group members (who use the Android app) will receive a push notification that informs them about the call, and they can join by opening the notification, via the group chat, or from the chat overview.
Besides other changes and additions, the 5.0 update also provides the option to activate “Perfect Forward Secrecy” for messages. More information can be found in this FAQ entry.
A breath of fresh air in Threema’s iOS app: With a host of new features and numerous improvements, the extensive 4.8 update offers even more privacy options and provides better handling of the chat overview. You can now mark chats as private to protect them from prying eyes, set read receipts per contact, and tidy up your chat overview with the new archive feature.
If you use the web client or the desktop app on a regular basis, please read the notice at the end of this post.
As demonstrated by our recent candid-camera experiment, people still have a strong desire for privacy. In general, we’re not comfortable disclosing personal information about ourselves and our friends if third parties request it without having a compelling reason.
On the Internet, however, we are often unaware of the extent to which our personal data is collected and the exact purposes it is used for.
Companies that offer their online services free of charge and are funded by selling targeted ads go to great lengths to obscure the fact that user data is systematically collected, compiled into comprehensive user profiles, and, in some cases, shared with third parties. On the websites of such companies, these practices go unmentioned, and in their privacy policies, the relevant clauses are deliberately scattered across several paragraphs and written in incomprehensible language full of cryptic jargon. What’s more, some companies even have the audacity to advertise their services as particularly privacy-friendly.
There Is Another Way
To take a stand against this widespread surveillance capitalism, which is already accepted as a necessary evil by some, we’ve joined forces with Proton, Brave, the Tor Project, and a couple of other Internet services to launch the Privacy Pledge initiative.
For one thing, the Privacy Pledge aims to show that there are indeed ways to provide online services without undermining the users’ privacy. For another thing, it proposes a set of standards every online service should adhere to in order to give users control over their data and properly protect their privacy. To learn more, please visit the Privacy Pledge website:
After the recent introduction of Threema Push, which allows Threema to be used without Google’s push service, we now go a step further by introducing Threema Libre. By design, this Threema version for Android is completely free of proprietary dependencies, and it is available exclusively via the alternative app store F-Droid.
In Threema Libre, there’s no single line of code that would require a proprietary software library from Google or any other third party. Push notifications, for example, will only be delivered using Threema Push, and a fallback to Google’s push service is ruled out from the outset. Since Threema Libre also supports reproducible builds, it’s comparatively easy to verify that the installed app cannot leak any data to Google. And because the whole code including all components is open source, the app can be audited in its entirety.
Users of de-googled Android variants are now able to install Threema without worries via F-Droid and keep the app up to date with the store’s update management.
In order to download Threema Libre via F-Droid, it’s required to add Threema’s F-Droid repository. For details, please refer to this FAQ article.
What year were you born? What’s your phone number? And what’s your best friend’s name? – Would you answer personal questions like these in exchange for a free ice cream on a hot summer day? On Zurich’s largest square, we have put to the test how much personal information passersby are ready to disclose to get a free ice cream. The result is as funny as it is insightful:
The vast majority of the protagonists was clearly confused by the personal questions, and almost no one answered them straight off. At the same time, however, countless Internet users readily disclose the same personal information to tech companies in order to use their online services.
Yet, as the famous saying goes, if you’re not paying for a product, you are the product. This is to say that tech companies use the collected data to create detailed user profiles and generate revenue by selling targeted ads – a lucrative business because user data is much more valuable than it seems to the casual eye. Therefore, data protection and privacy comes at a price that’s worth paying for.
Threema Push is the new answer to the old question of how to use Threema for Android without Google’s proprietary push service. Even though the vast majority of users might not be too concerned with this question, Threema Push is a major breakthrough for users of de-googled Android variants such as /e/OS, and it allows anyone to steer clear of Google’s push service while maintaining Threema’s full functionality and usability.
By default, Google’s pre-installed (and privileged) push service is used to notify Threema for Android about incoming messages while the app is in the background. Although the notification payload is empty and no contact or message details are transferred over this channel, the so-called “push token” (a unique identifier that points to the destination app on the appropriate device) could hypothetically be used to establish a link between a given Threema user and their Google account. Therefore, it has always been possible to resort to Threema’s Polling feature instead of using Google’s push service.
With Polling enabled, Threema for Android would periodically connect to the Threema server while the app was in the background. This way, users could still receive new messages without having to open Threema. Most of the time, however, the messages would arrive with several minutes of delay, and answering calls was basically not possible unless the app was in the foreground.
Thanks to Threema Push, these inconveniences are now a thing of the past. With Threema Push, which replaces Polling, a connection to the Threema server remains open in the background, allowing new messages to arrive instantly on the phone and enabling users to answer calls no matter whether the app is open or closed. In short, privacy-conscious users no longer have to skip the “instant” part in “instant messaging.”
Find out how to activate Threema Push and learn what to consider when using it in the FAQs. More information about Threema 4.7 for Android can be found in the changelog.
SMS: A Low Reference Point
In the video ads WhatsApp has been publishing this week, viewers join a cheeky postman as he delivers mail to recipients who are baffled by the fact that their letters and parcels have already been opened. The message is plain and simple: Those who send text messages via SMS disclose their privacy, whereas the privacy of those who use WhatsApp is well protected thanks to end-to-end encryption.
At first glance, this line of thought may seem plausible, but it is based on an oversimplified notion of data protection that only takes into account the message content, while completely disregarding both metadata and the possible motives for undermining users’ privacy. Of course, end-to-end encryption is preferable to unencrypted message transmission. However, end-to-end encryption alone does not ensure comprehensive privacy protection. Not by a long shot.
The Commodity of the 21st Century
Like Facebook and Instagram, WhatsApp requires users to disclose personally identifiable information, such as their phone number. For this reason, Meta is able to identify users across different services and combine their data from various platforms into comprehensive user profiles. On top of that, there are tools that are capable of gathering data outside of Meta’s services, e.g., the Facebook plugin, which, when integrated into third-party websites, can track Internet users’ browsing behavior beyond Meta’s domain.
By systematically collecting user data from different sources, it is possible to draw a picture of an individual user that’s far more detailed and much more accurate than one that’s merely based on message content. The chat metadata (i.e., information about who communicates with whom, when, where, etc.) that accumulates when using WhatsApp equates to a comprehensive “social graph,” which is quite revealing in and of itself. “Likes” on Facebook and Instagram not only reflect users’ interests and their preferences, further information – such as age and income class, marital status, or sexual orientation – can also be inferred from collections of such data points. By combining the obtained information, matching it against the social graph, and supplementing it with attributes of close contacts, the whole data set becomes much more than the sum of its parts and arguably speaks volumes about the user it’s associated with.
What’s more, metadata is a lot easier to process and more reliable than the actual content it corresponds to. Edward Snowden once put it like this:
Metadata is extraordinarily intrusive. As an analyst, I would prefer to be looking at metadata than looking at content because it’s quicker and easier, and it doesn’t lie.
A Matter of the Business Model
The reason Meta relentlessly collects user data is inextricably tied to the tech corporation’s business model. In typical Silicon Valley fashion, Meta provides its services free of charge and generates revenue by selling targeted advertisements. The more Meta knows about its users, the better the ads can be targeted to the users. The better the ads are targeted to the users, the higher the price advertisers are willing to pay and the greater Meta’s profit.
Due to this business model, Meta/WhatsApp has a vital interest in collecting as much and as telling user data as possible. This practice is, of course, not compatible with privacy protection by any stretch of the imagination. The fact that WhatsApp messages are end-to-end encrypted (as Meta claims) is an advantage over SMS, but in the grand scheme of things, this is only a small comfort.
SMS and WhatsApp have in common that neither was designed with a particular focus on security and data privacy. To find out how WhatsApp stacks up against a messenger like Threema, which was built from the ground up with security and data privacy in mind, please refer to this side-by-side comparison.
Today is the first day of the Data Privacy Week, which culminates in the Data Privacy Day on Friday, January 28. The aim of this initiative is to raise the public’s awareness for online privacy and to encourage Internet users to exercise their right to privacy.
Join the movement!
Support the cause, and stand up for privacy: Add the #RegainPrivacy banner to your profile picture in chat apps and on social media to show your contacts and followers that you care about privacy and disapprove of mass surveillance by authorities and exploitation of user data by Big Tech.
The Data Privacy Day is an international awareness day that was initiated by the Council of Europe (not to be confused with the European Council) back in 2008 and is held annually on January 28.
This date was chosen because on January 28, 1981, the Council of Europe proposed its “Convention 108,” which is the first internationally binding agreement to protect personal data and could be considered to be a precursor to, or inspiration for, the GDPR.
Since 2008, various organizations, both governmental and non-governmental, educational institutions, and companies use this opportunity to make a case for privacy and point out the inherent dangers of systematic data collection by tech corporations and government agencies.
For one thing, privacy is a basic human right that’s valuable and worthy of protection in and of itself. For another, it is an important corner stone of democratic societies. And last but not least, there’s simply no way of knowing what kind of inferences can be drawn about individuals in the future by means of the tremendous amount of collected user data in conjunction with new technologies such as artificial intelligence.
Threema Web, which has been around for some time, allows you to conveniently use Threema from the desktop without compromising security. Now, chatting on the computer gets even more user-friendly.
Thanks to the new desktop app, you no longer need to search for Threema in the browser and switch back and forth between tabs all the time. Instead, your favorite messenger is always at hand in the dock or via the app switcher. Anyone who regularly exchanges text messages on a computer will greatly appreciate this streamlined chatting experience.
The desktop solution is available for macOS, Windows, and Linux starting today. Just like the web client, on which it is based, the desktop app establishes an end-to-end encrypted connection to your mobile device. Of course, Threema for desktop covers the complete range of Threema Web’s features.
In terms of security, the desktop client even surpasses the high standard of the tried-and-tested web solution in certain respects. For one thing, there’s no way for browser plugins to introduce vulnerabilities. For another, it would be even more difficult for attackers to manipulate the app code since it isn’t loaded from a server each session but permanently stored on the user’s end.
Get the desktop app for your operating system now:
The next major update of the desktop app will not only introduce a completely redesigned user interface, it will also be based on a totally new architecture. Thanks to multi-device functionality, version 2.0 no longer requires an active connection to your mobile device. This is to say that you’ll be able to use the desktop app even if your smartphone happens to be turned off.
The development of the multi-device technology is in full swing, but it turns out to be more time-consuming than anticipated. Several technical challenges have already been met, but there is still work ahead. More often than not, the path to security is neither easy nor fast. And when it comes to security and privacy protection, we are under no circumstances willing to cut corners. Unfortunately, the multi-device solution’s release therefore gets delayed. Thank you for your patience and understanding!
We’ll keep you posted and provide another update about the development of Threema 2.0 for desktop at the end of the year. Stay tuned!
With its option to adjust privacy settings on a per-contact basis, the latest Threema update for Android introduces a useful new feature.
There are some scenarios where one-size-fits-all solutions just won’t cut it, and one such scenario concerns read receipts: While you may want to send read receipts to some contacts, you probably don’t want to send them to all contacts.
That’s why Threema now allows you to fine-tune privacy settings. Instead of sending read receipts to either every contact or no contact at all, you can override the default setting for specific contacts. The same goes for the typing indicator.
Supposing you have disabled read receipts in the global privacy settings (⋮ > Settings > Privacy > Receipts) but wish to send read receipts to a contact close to your heart, just open the contact details, and set “Send read receipts” to “Send.” This will override the global setting, and nobody except your special contact will receive read receipts.
To learn more about Threema 4.57 for Android, please refer to the changelog.
Threema Work is the gold standard of secure messaging apps for organizations. Renowned companies around the globe use the time-tested Swiss chat solution to protect their corporate data and to ensure full data-privacy compliance. With Threema Work, employees enjoy the productivity-boosting benefits of instant messaging without having to resort to questionable chat services that aren’t qualified for corporate use or don’t comply with the GDPR.
Now, Threema OnPrem turns the security and confidentiality of enterprise messaging up to eleven. The new on-premises solution allows organizations that require exceptional security to run Threema on their own server. This translates to complete data ownership along with total and exclusive control over every aspect of the communication tool. Not only the message exchange is carried out internally by the company server, the administration console is also self-hosted, with Threema OnPrem covering the full feature range of Threema Work.
The combination of Threema’s well-established security architecture and absolute data ownership results in a self-contained chat environment that’s second to none in terms of confidentiality. Threema OnPrem instances are completely independent and in no way, shape, or form connected to Threema’s infrastructure. Thus, Threema OnPrem is perfectly suited for professional use in industrial companies, public authorities, law enforcement, and wherever sensitive data is involved or maximum security and utmost confidentiality are required.
Countless WhatsApp users have taken the opportunity to leave Facebook’s controversial chat service and prevent the exploitation of their user data.
The notion that privacy is an invaluable asset and the realization that free services can come at a high price are becoming increasingly popular. More Internet users than ever prefer to pay a small one-time fee instead of giving up their privacy for a “free” service.
Instant messaging has become an important part of business communications. Excellent availability, unmatched ease of use, and short response times are just a few of its numerous benefits. There is, however, one major challenge for companies: choosing the right service.
Chat apps for private users are not suitable for business purposes because they lack the means for administration and user management, don’t offer any business features, and, more often than not, fall short in terms of security and data protection. There are, of course, services specifically designed for companies, which roughly fall into three categories:
Secure instant messengers: Stashcat, Threema Work, Wickr, and Wire
Collaboration tools: Google Chat and MS Teams
Engagement apps: Beekeeper and Staffbase
To illustrate how the different services stack up against one another, we have compiled a comprehensive comparison that reveals the key differences and shows which requirements are met by which services.
The comparison confirms: Even if a company already uses a collaboration tool or an engagement app, a secure instant messenger is still a must. Services like MS Teams or Staffbase do not provide the security level required for the exchange of sensitive company data. They also don’t fulfill the staff’s need for an intuitive app that’s similar to Threema or WhatsApp in terms of usability and features.
That said, even among the business messengers that are supposed to be secure, significant differences emerge in the area of security and data privacy. It’s safe to say that not all apps are cut from the same cloth. See for yourself: