Threema – private, secure messaging

Alastair Aitken, 18 May 2014

Privacy is the new black and Snapchat looks like it’s wearing last season’s colours. What was supposed to be a secure, private service for sending time-expiring mobile messages was, according to the US Federal Trade Commission (FTC), based upon a lie. Well, actually, as it turned out, many lies: Snapchat had to settle FTC charges that promises of disappearing messages were false. Security breaches allowed hackers to retrieve over four million user names and phone numbers. The messages that those users were assured were private were actually stored on devices in unencrypted form. Geolocation data was collected without user consent. The notification that was supposed to alert the sender if a recipient took a screenshot of their message didn’t actually work. Wow! That’s quite a rap sheet. Snapchat is obviously very sorry that it got caught and claims to take user privacy seriously, that it’s learned from its mistakes and that it will never do it again.

If only the FTC would act with the same decisiveness against the NSA.

Whilst my email, contacts and calendars no longer rely upon Google and Apple, messaging was always the weak link in my communications. What’s the problem with Apple iMessage? Whilst there is end-to-end encryption of messages, because Apple holds the keys (for both parties) it also has the capability to read those messages if it wants to, or if it is ordered to do so by a government agency. Apple also has knowledge of the message metadata: who it was sent to, who it was sent from, where it was sent from, and when it was sent.

So the challenge was to find a messaging service where the encryption keys aren’t under the control of the service itself or of a third party.

WhatsApp was always a non-starter due to its desire to upload the entire address book from the mobile device on which it’s running to WhatsApp’s servers. Such practice didn’t go down too well with the Privacy Commissioner of Canada, amongst others. WhatsApp is now part of Facebook, a company whose attitude to users’ privacy is a bit like Dirty Harry’s attitude to suspects’ rights.

Skype? Well Microsoft appears to have undermined the security of almost all of its own products in order to satisfy the US security services.

Of the other contenders on my messaging applications short-list – Line, Telegram, Threema – Threema stood out. Initially this was because both the company and its servers are based in Switzerland, a country whose laws appear to protect users’ privacy more than most (for the record, Line is based in Japan and Telegram in Germany).

On the technical side, Threema cannot decrypt messages because the keys are kept on the communicating mobile devices, not on Threema’s servers. Keys are generated by the Threema application and the private keys are never transmitted over the internet. There appear to be a number of independent tests that have determined that Threema works as described.

Whilst Threema necessarily sees message metadata in order to route messages, it claims not to log this information.
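The distinction the last few paragraphs draw, between a service that holds the keys and one that merely relays ciphertext while still seeing metadata, is easier to reason about with a small model. The Go program below is an added example written for this post; it is not Threema’s code and makes no claim about Threema’s actual protocol. It assumes a generic construction (X25519 key agreement, SHA-256 of the shared secret as the symmetric key, AES-GCM for the message body) using only Go’s standard library, and the device names and message text are constructed for the demonstration. Each device generates its key pair locally and only ever publishes the public half; the relay stores what an operator could log, and a key pair the relay generates for itself cannot open anything.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Device models one phone. The key pair is generated here and the private
// half never leaves the struct; only PublicKey() is ever shared.
type Device struct {
	ID   string
	priv *ecdh.PrivateKey
}

// NewDevice generates an X25519 key pair on the "device" (constructed ID).
func NewDevice(id string) (*Device, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

// PublicKey is the only key material a device publishes.
func (d *Device) PublicKey() *ecdh.PublicKey { return d.priv.PublicKey() }

// Envelope is everything the relay sees: routing metadata in the clear and
// the message body as ciphertext.
type Envelope struct {
	From, To   string
	SentAt     time.Time
	Nonce      []byte
	Ciphertext []byte
}

// aeadFor derives a symmetric key from the X25519 shared secret. Hashing the
// raw secret with SHA-256 is a simplification chosen for this example (an
// assumption, not any messenger's real key schedule).
func (d *Device) aeadFor(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := d.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg for the holder of toPub. Sender and recipient IDs are
// bound in as associated data so a recipient rejects an envelope whose
// routing fields were altered or reflected back.
func (d *Device) Seal(toID string, toPub *ecdh.PublicKey, msg string) (Envelope, error) {
	aead, err := d.aeadFor(toPub)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(msg), []byte(d.ID+"->"+toID))
	return Envelope{From: d.ID, To: toID, SentAt: time.Now(), Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts with the sender's public key and this device's private key.
// Any other private key (including one the service generates for itself)
// yields a different shared secret, so the GCM tag check fails.
func (d *Device) Open(env Envelope, fromPub *ecdh.PublicKey) (string, error) {
	aead, err := d.aeadFor(fromPub)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.From+"->"+d.ID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Relay models the messaging service: no private keys, so message bodies are
// opaque to it, but it necessarily learns who talked to whom and when.
type Relay struct{ Log []Envelope }

// Deliver records what the service observes and passes the envelope on.
func (r *Relay) Deliver(env Envelope) Envelope {
	r.Log = append(r.Log, env)
	return env
}

// MetadataSeen is the record an operator could keep, or be compelled to hand
// over, without being able to read a single message body.
func (r *Relay) MetadataSeen() []string {
	var out []string
	for _, e := range r.Log {
		out = append(out, fmt.Sprintf("%s -> %s at %s (%d bytes)",
			e.From, e.To, e.SentAt.UTC().Format(time.RFC3339), len(e.Ciphertext)))
	}
	return out
}

func main() {
	alice, _ := NewDevice("alice")
	bob, _ := NewDevice("bob")
	relay := &Relay{}
	env, _ := alice.Seal(bob.ID, bob.PublicKey(), "meet at 9")
	msg, err := bob.Open(relay.Deliver(env), alice.PublicKey())
	fmt.Println(msg, err)
	fmt.Println(relay.MetadataSeen())
}
```

Run it and the relay prints a line like `alice -> bob at <time> (25 bytes)` while Bob recovers the plaintext; that one line is exactly the metadata a service must see to route the message, which is why a “we don’t log it” claim matters even when the key design is sound.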

Having used Threema for a while now I can say that the application itself is very slick. It feels like using iMessage, which, as Apple fans will know, is high praise indeed.

Perhaps the one fly in the ointment is that the code isn’t open source, but that’s probably something that we’ll have to live with for the moment.
