Threema Push is the new answer to the old question of how to use Threema for Android without Google’s proprietary push service. Even though the vast majority of users might not be too concerned with this question, Threema Push is a major breakthrough for users of de-googled Android variants such as /e/OS, and it allows anyone to steer clear of Google’s push service while maintaining Threema’s full functionality and usability.
By default, Google’s pre-installed (and privileged) push service is used to notify Threema for Android about incoming messages while the app is in the background. Although the notification payload is empty and no contact or message details are transferred over this channel, the so-called “push token” (a unique identifier that points to the destination app on the appropriate device) could hypothetically be used to establish a link between a given Threema user and their Google account. Therefore, it has always been possible to resort to Threema’s Polling feature instead of using Google’s push service.
With Polling enabled, Threema for Android would periodically connect to the Threema server while the app was in the background. This way, users could still receive new messages without having to open Threema. Most of the time, however, the messages would arrive with several minutes of delay, and answering calls was basically not possible unless the app was in the foreground.
Thanks to Threema Push, these inconveniences are now a thing of the past. With Threema Push, which replaces Polling, a connection to the Threema server remains open in the background, allowing new messages to arrive instantly on the phone and enabling users to answer calls no matter whether the app is open or closed. In short, privacy-conscious users no longer have to skip the “instant” part in “instant messaging.”
Find out how to activate Threema Push and learn what to consider when using it in the FAQs. More information about Threema 4.7 for Android can be found in the changelog.
SMS: A Low Reference Point
In the video ads WhatsApp has been publishing this week, viewers join a cheeky postman as he delivers mail to recipients who are baffled by the fact that their letters and parcels have already been opened. The message is plain and simple: Those who send text messages via SMS disclose their privacy, whereas the privacy of those who use WhatsApp is well protected thanks to end-to-end encryption.
At first glance, this line of thought may seem plausible, but it is based on an oversimplified notion of data protection that only takes into account the message content, while completely disregarding both metadata and the possible motives for undermining users’ privacy. Of course, end-to-end encryption is preferable to unencrypted message transmission. However, end-to-end encryption alone does not ensure comprehensive privacy protection. Not by a long shot.
The Commodity of the 21st Century
Like Facebook and Instagram, WhatsApp requires users to disclose personally identifiable information, such as their phone number. For this reason, Meta is able to identify users across different services and combine their data from various platforms into comprehensive user profiles. On top of that, there are tools that are capable of gathering data outside of Meta’s services, e.g., the Facebook plugin, which, when integrated into third-party websites, can track Internet users’ browsing behavior beyond Meta’s domain.
By systematically collecting user data from different sources, it is possible to draw a picture of an individual user that’s far more detailed and much more accurate than one that’s merely based on message content. The chat metadata (i.e., information about who communicates with whom, when, where, etc.) that accumulates when using WhatsApp equates to a comprehensive “social graph,” which is quite revealing in and of itself. “Likes” on Facebook and Instagram not only reflect users’ interests and their preferences, further information – such as age and income class, marital status, or sexual orientation – can also be inferred from collections of such data points. By combining the obtained information, matching it against the social graph, and supplementing it with attributes of close contacts, the whole data set becomes much more than the sum of its parts and arguably speaks volumes about the user it’s associated with.
What’s more, metadata is a lot easier to process and more reliable than the actual content it corresponds to. Edward Snowden once put it like this:
Metadata is extraordinarily intrusive. As an analyst, I would prefer to be looking at metadata than looking at content because it’s quicker and easier, and it doesn’t lie.
A Matter of the Business Model
The reason Meta relentlessly collects user data is inextricably tied to the tech corporation’s business model. In typical Silicon Valley fashion, Meta provides its services free of charge and generates revenue by selling targeted advertisements. The more Meta knows about its users, the better the ads can be targeted to the users. The better the ads are targeted to the users, the higher the price advertisers are willing to pay and the greater Meta’s profit.
Due to this business model, Meta/WhatsApp has a vital interest in collecting as much and as telling user data as possible. This practice is, of course, not compatible with privacy protection by any stretch of the imagination. The fact that WhatsApp messages are end-to-end encrypted (as Meta claims) is an advantage over SMS, but in the grand scheme of things, this is only a small comfort.
SMS and WhatsApp have in common that neither was designed with a particular focus on security and data privacy. To find out how WhatsApp stacks up against a messenger like Threema, which was built from the ground up with security and data privacy in mind, please refer to this side-by-side comparison.
Today is the first day of the Data Privacy Week, which culminates in the Data Privacy Day on Friday, January 28. The aim of this initiative is to raise the public’s awareness for online privacy and to encourage Internet users to exercise their right to privacy.
Join the movement!
Support the cause, and stand up for privacy: Add the #RegainPrivacy banner to your profile picture in chat apps and on social media to show your contacts and followers that you care about privacy and disapprove of mass surveillance by authorities and exploitation of user data by Big Tech.
The Data Privacy Day is an international awareness day that was initiated by the Council of Europe (not to be confused with the European Council) back in 2008 and is held annually on January 28.
This date was chosen because on January 28, 1981, the Council of Europe proposed its “Convention 108,” which is the first internationally binding agreement to protect personal data and could be considered to be a precursor to, or inspiration for, the GDPR.
Since 2008, various organizations, both governmental and non-governmental, educational institutions, and companies use this opportunity to make a case for privacy and point out the inherent dangers of systematic data collection by tech corporations and government agencies.
For one thing, privacy is a basic human right that’s valuable and worthy of protection in and of itself. For another, it is an important corner stone of democratic societies. And last but not least, there’s simply no way of knowing what kind of inferences can be drawn about individuals in the future by means of the tremendous amount of collected user data in conjunction with new technologies such as artificial intelligence.
Threema Web, which has been around for some time, allows you to conveniently use Threema from the desktop without compromising security. Now, chatting on the computer gets even more user-friendly.
Thanks to the new desktop app, you no longer need to search for Threema in the browser and switch back and forth between tabs all the time. Instead, your favorite messenger is always at hand in the dock or via the app switcher. Anyone who regularly exchanges text messages on a computer will greatly appreciate this streamlined chatting experience.
The desktop solution is available for macOS, Windows, and Linux starting today. Just like the web client, on which it is based, the desktop app establishes an end-to-end encrypted connection to your mobile device. Of course, Threema for desktop covers the complete range of Threema Web’s features.
In terms of security, the desktop client even surpasses the high standard of the tried-and-tested web solution in certain respects. For one thing, there’s no way for browser plugins to introduce vulnerabilities. For another, it would be even more difficult for attackers to manipulate the app code since it isn’t loaded from a server each session but permanently stored on the user’s end.
Get the desktop app for your operating system now:
The next major update of the desktop app will not only introduce a completely redesigned user interface, it will also be based on a totally new architecture. Thanks to multi-device functionality, version 2.0 no longer requires an active connection to your mobile device. This is to say that you’ll be able to use the desktop app even if your smartphone happens to be turned off.
The development of the multi-device technology is in full swing, but it turns out to be more time-consuming than anticipated. Several technical challenges have already been met, but there is still work ahead. More often than not, the path to security is neither easy nor fast. And when it comes to security and privacy protection, we are under no circumstances willing to cut corners. Unfortunately, the multi-device solution’s release therefore gets delayed. Thank you for your patience and understanding!
We’ll keep you posted and provide another update about the development of Threema 2.0 for desktop at the end of the year. Stay tuned!
Update 30.12.2021: The development of Threema 2.0 for desktop is coming along great, but there’s still a lot to do. We’re currently busy combining frontend and backend. A sneak peek of the new UI can be found on Twitter.
With its option to adjust privacy settings on a per-contact basis, the latest Threema update for Android introduces a useful new feature.
There are some scenarios where one-size-fits-all solutions just won’t cut it, and one such scenario concerns read receipts: While you may want to send read receipts to some contacts, you probably don’t want to send them to all contacts.
That’s why Threema now allows you to fine-tune privacy settings. Instead of sending read receipts to either every contact or no contact at all, you can override the default setting for specific contacts. The same goes for the typing indicator.
Supposing you have disabled read receipts in the global privacy settings (⋮ > Settings > Privacy > Receipts) but wish to send read receipts to a contact close to your heart, just open the contact details, and set “Send read receipts” to “Send.” This will override the global setting, and nobody except your special contact will receive read receipts.
To learn more about Threema 4.57 for Android, please refer to the changelog.
In Threema for iOS, contact-specific privacy settings will become available with an upcoming update. Stay tuned!
Threema Work is the gold standard of secure messaging apps for organizations. Renowned companies around the globe use the time-tested Swiss chat solution to protect their corporate data and to ensure full data-privacy compliance. With Threema Work, employees enjoy the productivity-boosting benefits of instant messaging without having to resort to questionable chat services that aren’t qualified for corporate use or don’t comply with the GDPR.
Now, Threema OnPrem turns the security and confidentiality of enterprise messaging up to eleven. The new on-premises solution allows organizations that require exceptional security to run Threema on their own server. This translates to complete data ownership along with total and exclusive control over every aspect of the communication tool. Not only the message exchange is carried out internally by the company server, the administration console is also self-hosted, with Threema OnPrem covering the full feature range of Threema Work.
The combination of Threema’s well-established security architecture and absolute data ownership results in a self-contained chat environment that’s second to none in terms of confidentiality. Threema OnPrem instances are completely independent and in no way, shape, or form connected to Threema’s infrastructure. Thus, Threema OnPrem is perfectly suited for professional use in industrial companies, public authorities, law enforcement, and wherever sensitive data is involved or maximum security and utmost confidentiality are required.
Countless WhatsApp users have taken the opportunity to leave Facebook’s controversial chat service and prevent the exploitation of their user data.
The notion that privacy is an invaluable asset and the realization that free services can come at a high price are becoming increasingly popular. More Internet users than ever prefer to pay a small one-time fee instead of giving up their privacy for a “free” service.
Instant messaging has become an important part of business communications. Excellent availability, unmatched ease of use, and short response times are just a few of its numerous benefits. There is, however, one major challenge for companies: choosing the right service.
Chat apps for private users are not suitable for business purposes because they lack the means for administration and user management, don’t offer any business features, and, more often than not, fall short in terms of security and data protection. There are, of course, services specifically designed for companies, which roughly fall into three categories:
Secure instant messengers: Stashcat, Teamwire, Threema Work, Wickr, and Wire
Collaboration tools: Google Chat and MS Teams
Engagement apps: Beekeeper and Staffbase
To illustrate how the different services stack up against one another, we have compiled a comprehensive comparison that reveals the key differences and shows which requirements are met by which services.
The comparison confirms: Even if a company already uses a collaboration tool or an engagement app, a secure instant messenger is still a must. Services like MS Teams or Staffbase do not provide the security level required for the exchange of sensitive company data. They also don’t fulfill the staff’s need for an intuitive app that’s similar to Threema or WhatsApp in terms of usability and features.
That said, even among the business messengers that are supposed to be secure, significant differences emerge in the area of security and data privacy. It’s safe to say that not all apps are cut from the same cloth. See for yourself:
Threema’s Android app gets a substantial update, bursting with new features and general refinements. Among the highlights are the global search functionality, the integrated media gallery, and the optional image-search feature, which is based on local, and thus privacy-compliant, image recognition.
Today is Data Privacy Day. This annual observance was established by the Council of Europe to raise awareness for data protection and to draw attention to the dangers of a decrease in online privacy.
Since the Data Privacy Day’s inception back in 2007, a myriad of startling privacy incidents has demonstrated over and over how vulnerable our privacy is and how easily it can be invaded on the Internet.
In a joint statement, we, together with ProtonMail, Tresorit, and Tutanota, outline why this proposal is not only misguided but also counterproductive and dangerous, and we ask the EU Council to adhere to the spirit of the Data Privacy Day and acknowledge the importance of privacy for democracy:
The latest Threema version for iOS includes several minor improvements. For example, you can now create groups containing up to 256 members, and it’s possible to quote any type of message, including images, voice messages, and locations.
When using a messaging service, the question who else is on that platform inevitably arises. In conventional chat apps, the contact list answers this question conclusively. In Threema, where privacy is a top priority and users are not forced to disclose their phone number, the contact list might not reveal every contact who uses the service.
Messengers like WhatsApp or Signal use the phone number as unique identifier. Since the phone number is personal data that points to the identity of its owner, Threema uses a random string of characters (the “Threema ID”) instead, and providing a phone number is optional.
Only contacts who have linked a phone number to their Threema ID appear automatically in Threema’s contact list.
Send your individual Share Link to friends who don’t appear in your contact list, and add this link to your email signature, for example. Those who don’t use Threema yet can download it using this link and contact you as soon as they have done so.
If you still use other chat services you intend to leave due to privacy concerns, consider setting this image as profile picture to let others know where to contact you in the future:
Besides Threema, Telegram and Signal are often considered to be secure alternatives to WhatsApp. But are theses solutions really equal in terms of security and privacy protection? Is their approach even comparable? And how does their range of features differ?
In order to answer these questions, we have compiled a comprehensive comparison that shows how the mentioned services stack up against one another in different respects.
The comparison shows that Telegram hasn’t got what it takes to be a secure WhatsApp alternative: By default, end-to-end encryption is disabled and messages are permanently stored on a server, where they could, in theory, be read by the service provider at any time.
Signal enjoys an outstanding reputation among experts, and it’s certainly a good alternative to WhatsApp. However, just like WhatsApp, it requires users to disclose personally identifiable information: Providing a phone number is mandatory. As a US-based IT service provider, Signal is also subject to the CLOUD Act, which entitles US authorities to access the service provider’s data.
When Threema was launched back in 2012, the main goal was to provide a WhatsApp alternative that’s as secure and privacy-friendly as possible. Given this goal, it’s no surprise that the Swiss messenger stacks up well against the competition in terms of security and data protection. It is the only one of the four services that adheres to the “Privacy by Design” principle: Only data that’s absolutely necessary for the service’s operation is generated, and Threema can be used without providing any personal data whatsoever.
As of today, the Threema apps are open source! To celebrate this occasion, the apps are available at half price until December 28. That’s 100% transparency at 50% of the price. Those who don’t use Threema yet have more compelling reasons than ever to regain privacy now.
Now, we go a step further. To ensure full transparency and to dispel even the slightest shadow of a doubt, the Threema apps’ source code is publicly accessible starting today. It is subject to the AGPLv3 license, and thanks to reproducible builds, there’s a way to verify that the published code (of the Android app, for the time being) actually corresponds to the apps available for download.
Therefore, it’s no longer necessary to believe our claims or to trust someone else’s assessment. Anyone knowledgeable enough is now able to confirm Threema’s security on their own.
All information on how to download the source code, build it, and reproduce the app can be found here:
As previously announced, the Threema apps’ source code will be published soon. This step ensures full transparency, and anyone knowledgeable enough will be able to independently verify Threema’s security.
However, going open source doesn’t mean it’s no longer necessary to commission external experts to audit the code. The mere fact that a software’s source is open doesn’t guarantee that qualified specialists go to the trouble of systematically reviewing the code. After all, reviewing software of Threema’s scale not only requires profound technical expertise, it’s also quite time-consuming.
Whereas the most recent audit to date was conducted by the University of Münster’s Lab for IT Security in 2019, we hired Cure53 this time. In a total of 16 person days, experts of the renowned security firm subjected the Threema apps to a thorough inspection.
Even though the audit was carried out with great rigor and attention to detail, it did not reveal any serious vulnerabilities. On the contrary, the experts were impressed with Threema’s code quality and its general structure:
“Cure53 needs to underline that the overall impression of the code quality and general structure of the project can only be described as unusually solid. The design and implementation were clearly accomplished by a rare team of experienced and securityaffine engineers. In Cure53’s opinion, there should be no doubt about the focus of these processes being on providing a highly secure messaging application without encumbering the overall user-experience.” (p. 17)
Of the few minor improvements Cure53 suggested, some are already implemented in the current app versions, and the others will be incorporated into upcoming updates. Read the full audit report here: