Source code of the Swiss crypto messenger Threema has been published
[Figure: Threema web client architecture]
The secure messenger Threema has opened its source code and published instructions for reproducible builds of its applications. Twelve repositories have been published, covering the Android and iOS clients, the web version, notification relays and other components. This is the most important event in the history of Threema GmbH, which reaches a new level of development with the publication of the source code.
Against the background of the massive exodus of WhatsApp users, the paid messenger Threema has become one of the most downloaded applications in the world, along with Telegram, Signal and Element (the decentralized Matrix network). See also the article “Which encryption is better: Signal or Telegram?”
Threema is the least known of this group. But it has one advantage over its competitors: Swiss jurisdiction…
Threema is a messaging service that implements end-to-end communications encryption (E2EE). It supports audio and video calls, file exchange and other features of modern instant messengers.
There are versions for Android, iOS and the web. A separate desktop application, including for Linux, has not yet been developed.
Interestingly, the sources on GitHub are only updated with client updates, i.e. one commit = one release. Pull requests and bug reports are not accepted in the GitHub repositories, only by email.
Jurisdiction is important
Threema is developed by the Swiss company Threema GmbH. The project servers are also in Switzerland. Swiss jurisdiction is Threema's main advantage over Signal (USA) and Telegram (USA, UK; development is moving to offices in different countries and is now located in the UAE; the founders and programmers are mainly from Russia, the investors from Russia and other countries except the USA).
The jurisdiction of the management company is not at all a secondary issue when the authorities have claims against individual users, customers of the service. For example, in the United States, there are laws under which a company must secretly implement backdoors in its products and services and implement surveillance of users if a secret court decides to do so.
This also applies to any cryptographic service, even one that is open source and as secure as possible at the architectural level. It is very important that the company has no right to warn users about such actions. In fact, in this situation, it has only one option for protecting users: to close down and stop providing services.
Many people remember the story of the mail service Tutanota, which was forced by a German court to install a backdoor to decrypt a particular user’s mail. The owners of the Hanover-based company then regretted that they had not chosen another jurisdiction. In an interview, they said they were considering moving to Switzerland, although the legal situation in Germany is not so dire: “The legal situation and the German constitution are generally very good and protect people’s privacy. Community activism also helps us prevent or weaken problematic laws (surveillance).”
In the US, the legal situation is much worse, especially after 9/11. In August 2013, the Lavabit mail service was forced to close. The founder and owner of the service, Ladar Levison, said that he made this decision after much deliberation:
“I would like to have a legal opportunity to tell you about all the events that led to my decision, but I cannot. I feel like you deserve to know what’s going on. The first amendment should guarantee me freedom of speech in situations like this. Unfortunately, Congress has passed laws that say otherwise. At this stage, I cannot share the events of the last six weeks, although I have sent the corresponding requests twice [to be allowed to do so],” wrote the founder of Lavabit, Ladar Levison. He does not go into the details of his case, but appeals to all users: “The past events taught me one very important lesson: before the decision of Congress or a clear judicial precedent, I _very_ recommend that anyone trust the personal data of a company that is physically tied to the United States.”
Not to mention the legal situation in countries with a less developed judicial system. In states like the Russian Federation, there are practically no legal guarantees of confidentiality as such. That is, entrusting private data to a Russian company is the greatest risk you can imagine.
In such a situation, the issue of jurisdiction of a particular web service becomes key. There are not many places in the world where human rights are valued higher than the rights of the state.
Threema GmbH is a Swiss startup that received funding from the German-Swiss investment company Afinum Management AG. The founders of the company are three programmers: Manuel Kasper, Silvan Engeler and Martin Blatter.
The startup's founding programmers believe that releasing the source code is a key, and the most important, stage in the company's development.
The developers promise to release a full-fledged desktop client, including for Linux, which can be used without a smartphone: “Security and privacy protection are deeply rooted in Threema’s DNA, so our code was regularly audited by external auditors (audit results for November 2020). Thanks to open source, anyone can check the security of Threema themselves and make sure that the published source matches the downloaded application. In the future, thanks to the innovative multi-device solution, it will be possible to use multiple devices in parallel. Unlike other approaches, no traces of personal data will be left on the server. Thanks to this technology, Threema can be used on a PC without a smartphone. As a result, Threema will become an even more reliable and more user-friendly application.”
Unlike Telegram, Threema’s servers do not store user messages and files, so infrastructure costs are minimal here.
Apart from Telegram and Signal, which everyone has chosen, there are also other good messengers, like https://utopia-ecosystem.com/. Even though it’s not too popular, from my point of view it has the highest level of encryption for now. Threema and Wickr can also be chosen. Something that doesn’t require your phone number is the best choice.