Frag einen Datenschutzbeauftragten!

Threema: The most secure messenger for your privacy!

21 June 2021

0:00 – Teaser
0:23 – Intro
0:29 – Introduction
1:20 – Result on Threema
1:40 – Evaluation criteria
2:49 – The technology
6:39 – The law
7:37 – The economy
8:42 – The conclusion

Threema is the current superhero of messenger services and has the hearts of data protectionists racing. But is all that glitters really gold? After all, Threema was only programmed by a single developer. Is that trustworthy? Who knows. We take a look under the hood of the top messenger and put the “privacy-by-design” credo through its paces. Let’s go!

Welcome to “Ask a Data Protection Officer.” This time with the exciting analysis of the messenger “Threema”, and this will be completely new territory for some of you. Starting with the name: “Threema” sounds like “theme” with too many typos. Yes, but it’s actually the most secure messenger currently available. Even my favorite, Signal, can’t quite keep up. But first things first.

We want to check the current top messengers for their security, taking technology, law and business into account. That’s why I’ve come up with points to make this check possible and to help you classify the results correctly. After all, the point is that you can make an informed and voluntary decision.

Because I know that most of us can’t do much with long prefaces, here are the final results for Threema.

Threema offers the highest possible privacy by completely anonymizing its users, is based on best-in-class open-source encryption and is run by an ISO 27001 certified Swiss company exclusively on its own servers.

So let’s take a look at the criteria that led to the super rating in Threema’s case:

On the technical side, we have the questions:

  1. Is there end-to-end encryption and, if so, is it secure?
  2. Is metadata collected and if so, how is it anonymized or pseudonymized?
  3. Is the source code independently verifiable and independently validated?

On the legal side, we have:

  1. Are the terms of use in compliance with the GDPR?
  2. Is the privacy policy easily understandable, transparent and precise?
  3. Can users fully exercise their rights and is the process easily accessible?
  4. Where is the provider located and which national laws are in effect?

and on the business side, we conclude with:

  1. What is the provider’s business model?
  2. What is the asset value and ownership?
  3. What aspirations for the future are known?

Once again, a whole lot of sweet talk to work through. So I would say get comfortable and look forward to this Messenger check.

The Technology

When it comes to technology, Threema is the very clear frontrunner among messengers. Threema offers all the common and well-known functions, from private and group chats to audio and video calls, address books and so on and so forth. With Threema Work, the app even expands into a mobile device management solution for businesses and teams.

Threema is based on the open-source asymmetric encryption library NaCl. This was developed by Daniel Bernstein and Tanja Lange and enjoys an excellent reputation among cryptographers. Asymmetric means that every message between sender and recipient can only be encrypted and decrypted using a matched pair of private and public keys. Only the public key is ever handed to the other party; the private key never leaves the device. This makes it virtually impossible for third parties to alter or circumvent the encryption.
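To make the “matched pair of private and public keys” concrete, here is an added example (not Threema’s or NaCl’s own code) of the X25519 key agreement on Curve25519 that NaCl’s crypto_box is built on, written out in pure Python from RFC 7748: each side combines its own private key with the other side’s public key and both arrive at the same shared secret, from which NaCl derives the message key. The key values in the usage note are the published RFC 7748 test vectors; the implementation is for study only, since its branches are not constant-time.

```python
# Added example, not Threema's or NaCl's own code: X25519 key agreement
# (Curve25519 Diffie-Hellman, the step NaCl's crypto_box builds on), transcribed
# from RFC 7748. Study code only: the branches are not constant-time.

P = 2**255 - 19      # field prime of Curve25519
A24 = 121665         # (A - 2) / 4 for the Montgomery curve constant A = 486662
BASEPOINT = (9).to_bytes(32, "little")   # standard generator u = 9

def _clamp(scalar: bytes) -> int:
    """Clamp a 32-byte private key exactly as RFC 7748 prescribes."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def x25519(private_key: bytes, peer_u: bytes) -> bytes:
    """Montgomery ladder: multiply the point with u-coordinate peer_u by the scalar."""
    k = _clamp(private_key)
    x1 = int.from_bytes(peer_u, "little") & ((1 << 255) - 1)  # drop the top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:                      # conditional swap (not constant-time here)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")   # x2 / z2

def public_key(private_key: bytes) -> bytes:
    """The only key material a client ever hands to the other party."""
    return x25519(private_key, BASEPOINT)

def shared_secret(my_private: bytes, their_public: bytes) -> bytes:
    """Both parties obtain the same value; NaCl derives the box key from it."""
    return x25519(my_private, their_public)
```

With the RFC 7748 section 6.1 keys (Alice 77076d0a…2c2a, Bob 5dab087e…e0eb), public_key(alice) yields 8520f009…4e6a and both shared_secret() calls agree on 4a5d9d5b…1742.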

Threema is operated with an ID instead of an email address or phone number. There is also a three-stage verification process to confirm the trustworthiness of a contact. Here, a distinction is made between “external messages without a contact in the address book”, “external messages with a contact in the address book” and “QR code verified” communications. This leads to another feature, namely the verification of a contact by scanning a QR code. Of course, this requires both people to be in the same place to show and scan each other’s QR codes.

Threema also offers multi-device support and explains how end-to-end encryption is guaranteed. You can find the link in the source of the video description.

Metadata

With Threema, really everything is encrypted. “Are the golden days over, when the NSA, BND and KGB could tap private communications via leased lines?” Yes. Not only does Threema store no data in unencrypted form, right down to device groups during synchronization. Even the contents of messages are deleted from the server immediately after delivery to the recipient.

Furthermore, Threema is the only messenger that can currently be used without providing any personal data. An email address or phone number is only collected when using the contact search. Here, too, the handling is excellent: the data on your device is converted into checksums (so-called hash values). These are then encrypted and transmitted to the server, which decrypts the data and compares the hash values with the known hash values of the users. After the comparison, the data is removed from the server again.

Even the participants of group chats are never known to the Threema server. Instead, all messages are delivered to the users individually as private messages; Threema only displays them as groups, for convenience.

But that’s not all: Threema does not collect any data about the app’s usage time and cycles. Not even the access times or the sending and receiving times of messages are stored centrally. Here, almost everything that can be kept secret is really kept secret.

Small fun fact on the side: even the Threema website uses neither cookies nor tracking or analytics software.

Source code

As mentioned earlier, Threema’s source code is freely available and of course linked in the sources of this video. The last independent external audit was conducted in 2020 and found no objections to the information officially disclosed by Threema. Moreover, the use of NaCl reduces the complexity of the cryptographic code and thus makes it easier to handle correctly.

So, all in all, nothing to complain about!

The Law

Threema is operated by Threema GmbH in Switzerland. Thus, Threema is subject to both the national federal law on data protection and the EU General Data Protection Regulation. A privacy policy is available on the website. However, this is incomplete in one point, as it contains no explanation of cookies. Logically, it is impossible to call up a website without sending the server the information that the website is to be displayed, so the IP address must be transmitted to the server. This should be visible in the privacy policy, and a cookie banner that issues this notice is also part of the GDPR obligations. So Threema does show a small weak point here.

Otherwise, there is nothing to complain about, as the developers’ excellent “Privacy by Design” policy means no personal data is collected, and so none can be used for any further purpose.

The Economy

Threema was developed in 2013 by Manuel Kasper as a “small side project” within his company Kasper Systems GmbH. After initial teething problems, resulting from the high demand for security, the app has been operated and sold by Threema GmbH since 2018. In addition to the private version, Threema also offers professional solutions for teams and companies, which are divided into different categories. With its mobile device management, Threema Work is aimed specifically at companies and thus once again clearly differentiates itself from its competitors.

The company is certified according to ISO 27001 and thus bears an internationally recognized seal of quality for the security of data processing in its own data center, which is another unique selling point.

The app can be purchased with a one-time payment of about 4 € in the app stores, or in the Work variants with monthly subscriptions at similarly low prices.

The Bottom Line

In conclusion, we can say, “Threema is truly the most secure messenger you can use right now.” If you really care about your privacy, then the price shouldn’t be a hurdle and for convincing your friends, share this video with them.

How do you feel after this analysis? Did you learn anything new, or is it all old news? Drop me your thoughts in the comments and let me know which messenger you use and why.

Thanks for your attention and see you next time, when we take a closer look at Edward Snowden’s messenger of choice. Bye!

Sources

Articles:
https://threema.ch/press-files/2_documentation/cryptography_whitepaper.pdf
https://threema.ch/de/blog/posts/md-architectural-overview-de
https://www.zeit.de/digital/mobil/2013-07/threema-app-manuel-kasper

Definitions:
https://de.wikipedia.org/wiki/Threema
https://de.wikipedia.org/wiki/NaCl_(Software)

Source Code:
https://threema.ch/de/open-source
https://nacl.cr.yp.to/
