Tools I Use – Threema Pt. 1

Short-form communication (text and instant messaging apps) that I have tried/use.

In our fast moving, constantly changing world of today, communication is a vital part of how we interact with everyone around us. There is a never-ending list of types of communication not limited to long-form (email), short-form (SMS, Instant Messaging), and social (Facebook, Twitter). I have a desire to talk about all the tools I use and what their purposes are for me and hopefully this helps anyone who reads this with selecting services for their own needs. I am hitting the highlights of the Instant Messaging service I use and why I chose it. I’ll write a 2nd post later on the “how-to”.

The way we communicate has changed drastically over my lifetime. We don’t always communicate face to face, and electronic communications have all but taken over all other interactions. As I call it, short-form communication plays a vital role; the genesis of this was SMS or standard text messaging which then evolved into the many services we have available as instant messengers today. I have experimented with many different implementations of instant messaging, and ended up settling on an app called Threema.

I chose Threema for a few different reasons:

Privacy and Data Protection

I began to be concerned with the privacy of my communications as I learned about the business model of most large tech companies that offer services online for free. These companies (Google, Facebook, etc.) earn money, to the tune of billions of dollars, by building and selling data profiles of their users (or by selling advertising profiles of users) by watching each and every move they make online. This involves, but is not limited to, analyzing communications passing across services as well as who is talking to who. I have come across many statements of how they anonymize the data they collect, but I’m not sure that I am ready to trust that assertion. I heard it said once that if you are not paying for the product, then you are the product. In addition to the technology companies that track us and invade privacy, governments (NOT just mine) track and analyze communications too. There have been big scandals about the government collecting communications as well as scandals involving the targeting of dissent for nefarious purposes. It’s not just conspiracy stuff, this is all verifiable and not at all partisan. I don’t like the precedent this sets and so desired a solution that mitigated this particular problem. This made me seek out a solution with strong encryption.

The Competition

In looking for an encrypted messaging program, I immediately eliminated SMS as it by its nature cannot be encrypted. After a lot of research, I narrowed my list to the Signal, WhatsApp, Threema, and Telegram. Google Allo and Hangouts as well as Facebook Messenger were also eliminated because of point number 1. I never considered iMessage because I don’t use an iPhone.

Methodology of the Company

Open source software is a nice option because (for those with the “know-how”) can look at the code that makes up the app in order to verify what is claimed by the authors. Signal is the only one of these that is open source [UPDATE: As of September 2020, Threema is open source too!]. Without getting too technical, I ruled out Telegram because it is not open source, but they also do not use standard encryption solutions for their app. They have come up with their own proprietary solution; since it cannot be verified that it is truly doing what they say, I didn’t feel that I could trust it. Signal is open source, and WhatsApp is actually built on a base of Signal. The way encryption is implemented is where I had a problem with it. Two-way encrypted communication works by arranging a swap of encryption keys between two parties. Signal, and by result, WhatsApp handle all of the handshaking in the background without the user needing to do anything special in order to make it work seamlessly. Threema leaves it to the user to handle the exchange of encryption keys. I opted for Threema because the result gave me control over and ultimately the responsibility of my own encryption keys. The security model used by Signal/WhatsApp (this is also Apple’s iMessage security model) inherently means they have access to the encryption keys and ultimately means they can circumvent their own security model technologically speaking.

I Am in Control

Threema uses an encryption model that leaves me in control and ensures my communications are secure. It also performs encryption on the device in use, not on a server, so encryption passing through the interweb ether is encrypted along all points where it could possibly be picked up and eavesdropped on, mitigating point 1. It also has a robust set of features that keep it competitive with all of the other messaging apps. While Threema is not open source, they have been audited more than once by outside security firms in order to verify their claims of security. The caveat is it is a paid app, costing a few dollars for the app from your favorite app store. It seems like a small price to pay to mitigate my earlier statement about “being the product”.

I will follow up with a “how-to” of setting up Threema and just how their app works. I will link below to a comparison that someone put together of a bunch of IM programs as well as the latest security audit Threema took part in. I’d love to hear if you chose something else and why you did so.

Secure Messaging Apps

Threema’s Latest Security Audit