Privacy
Since Threema's servers are in Switzerland, they are subject to the Swiss federal law on data protection. The data center is ISO/IEC 27001-certified.[47]
Linking a phone number and/or email address to a Threema ID is optional; when doing so, only checksum values (SHA-256 HMAC with a static key) of the email address and/or phone number are sent to the server.[48]
Due to the small number of possible digit combinations of a telephone number, the phone number associated with a checksum could be determined by brute force. The transmitted data is TLS-secured. The address book data is kept only in the volatile memory of the server and is deleted immediately after synchronizing contacts.[49]
If a user chooses to link a phone number or email address with their Threema ID, they can remove the phone number or email address at any time.[50] Should a user ever lose their device (and their private key), they can revoke their Threema ID if a revocation password for that ID has been set.[51]
Groups are solely managed on users’ devices and group messages are sent to each recipient as an individual message, encrypted with the respective public key. Thus, group compositions are not directly exposed to the server.[52]
Data (including media files) stored on the users’ devices is encrypted with AES 256. On Android, it can be additionally protected by a passphrase.[53]
Since 2016, Threema GmbH publishes a transparency report where public authority inquiries are disclosed.[54]
On March 9, 2017, Threema was listed in the "Register of organizers of information dissemination in the Internet" operated by the Federal Service for Supervision of Communications, Information Technology and Mass Media of the Russian Federation.[55]
In a response, a Threema spokesperson publicly stated:[56] "'We operate under Swiss law and are neither allowed nor willing to provide any information about our users to foreign authorities.'"On April 29, 2021, Threema won a significant case at the Federal Supreme Court of Switzerland against the Swiss Federal Department of Police and Justice, who wished to classify the company as a telecommunications provider. Had they lost the case, Threema would have had a legal requirement to identify users and send information about their users to law enforcement.[57]
Starting January 2022, Swiss Armed Forces suggested that the troops should use Threema instead of WhatsApp, Telegram and Signal, citing Threema being Swiss-based without servers in the United States and thus not subject to the CLOUD Act, also promising that soldiers would be reimbursed for the cost.[58]