Threema was developed from the ground up with data minimization and security in mind (Privacy by Design). For example, it is not required to provide personally identifiable information of any kind in order to use the service, and all types of communication (single and group chats, audio and video calls, etc.) are fully end-to-end encrypted.
The only way to decrypt a Threema message is by means of the intended recipient’s private key. Since nobody except the intended recipient has access to their private key, no one besides the intended recipient is able to decrypt their messages. In other words, not even Threema GmbH as the service provider can decrypt, let alone read, user messages.
Only as little data as possible is stored on Threema servers, and it is always stored for the shortest amount of time possible. Contact lists and group chats, for example, are managed directly on the users’ mobile devices, not on a central server.
Since Threema GmbH does not exceed the revenue limits set by the Federal Act on the Surveillance of Post and Telecommunications (BÜPF) and the accompanying decree VÜPF, the company is not required to store communication metadata (“data retention”).
Upon judicial order, however, Threema GmbH has to provide the “information that is available” (Article 22 paragraph 3 BÜPF). According to Article 27 BÜPF, it could be obliged to store data for the purpose of disclosure in certain cases. By sending “info” to *MY3DATA, users can always retrieve their Threema ID’s inventory data that’s stored on the server side.
Requests for available user information are handled as follows:
- Based on Article 26 paragraph 2 VÜPF, inquiries will only be processed if they have been submitted via the PTSS in accordance with the procedure mandated by the VÜPF and if they fully meet the formal requirements upon legal review.
- Foreign authorities have to make an official request for legal assistance in accordance with the Federal Act on International Mutual Assistance in Criminal Matters. Threema does not handle inquiries by foreign authorities.
- If and only if the legal requirements are fully met, the following information associated with a given Threema ID will be provided:
  - Date (without time) of the Threema ID’s creation
  - Date (without time) of the Threema ID’s most recent login
  - The following information is only available if the user has chosen to use the respective optional functionality:
    - Only in case the user in question has chosen to link a phone number and/or email address with their Threema ID: Hash of the user’s phone number and/or email address
    - Only in case the user in question has chosen to use a third-party push service: Push token
Here is a breakdown of the user data that has been shared with authorities since 2014:
|Year|Requests by Swiss authorities|Requests by foreign authorities with Swiss legal assistance|Requests that have met the formal requirements|Requests that didn’t meet the formal requirements|Provided data (# cases)|Provided data (# IDs)|
|---|---|---|---|---|---|---|
* Since the new BÜPF act came into force on March 1, 2018, Threema can no longer distinguish between requests by Swiss authorities and requests by foreign authorities with Swiss legal assistance.
Last update: 2022-01-04