Threema Sold: Identifying the Risks

An analysis of the Threema acquisition, the value of metadata, and why Matrix might be the answer.


Have you ever wondered what happens when a bastion of privacy is sold to an investment firm known for tofu and pet food? It was recently announced that Threema, the Swiss standard for secure messaging, has been acquired by Comitis Capital. This raises a fundamental question for security enthusiasts and IT professionals alike: Is this the beginning of the end for the messenger's integrity, or a strategic move to secure its future in the B2B sector?


Investment vs. Identity

The recent acquisition of Threema by Comitis Capital, a German Private Equity firm, has caused a stir in the security community. Comitis replaces the previous investor, Affinum. For the technically inclined, this is a Ship of Theseus question, and it can be framed in two ways: like a human body whose cells are replaced over time yet is treated as the same person because of biological and psychological continuity; or like a software system that is refactored line by line and remains "the same program" as long as its behavior and history persist, even though none of the original code remains.

Threema was founded on a core principle: data minimisation and verifiable security, partly as a reaction to the Snowden revelations. Comitis Capital, however, has a diverse portfolio ranging from "The Tofu Company" to premium dog food. At first glance, this seems incongruous with high-security cryptography. However, a deeper look reveals that the previous investor, Affinum, successfully pushed the development of Threema Work—the enterprise version now used by the Swiss military and the state of Baden-Württemberg.

The fear is that a Private Equity firm, typically seeking a >10% annual return, might force the "monetization" of user data. However, the business logic here suggests otherwise. Threema's unique selling point (USP) is the absence of data collection. If this "plank" were removed, the ship would sink immediately, taking the lucrative B2B contracts with it.

Metadata: The Real Goldmine

To understand why the user base is worried, one must distinguish between content and metadata. Most modern messengers (WhatsApp, Signal, Telegram via Secret Chats) use End-to-End Encryption (E2EE). This means the content (the payload) is mathematically inaccessible to the provider.

However, the metadata—the "who, when, and how often"—is often not encrypted.

  • Social Graphs: By analyzing metadata, providers can construct high-fidelity social graphs. A 2013 Facebook study demonstrated that romantic partners could be identified solely through interaction frequency and timing, without reading a single message.
  • Threema's Approach: Unlike Signal or WhatsApp, Threema does not require a phone number or email for the hashing process during registration. Instead, a randomly generated 8-digit Threema ID is created. This ID serves as the public key fingerprint, decoupling the user's identity from their physical device or SIM card.

From a forensic perspective, this renders the construction of a social graph significantly harder, as the nodes in the graph are pseudonymous and not automatically linked to the user's real-world identity (unless the user voluntarily links them).
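To make the metadata point concrete, here is an added example (not code from the post or from Threema) that takes a constructed relay log containing only sender, recipient and timestamp, with no payload, and shows how a provider that retains it can rank each user's ties by frequency, reciprocity and time of day. The IDs and the scoring weights are assumptions for illustration; the takeaway for a data-minimising design is that the graph exists whether or not nodes map to real identities, so the defence is not to retain the log at all.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed metadata log: what a relay server sees even under E2EE.
# Fields: sender_id, recipient_id, ISO-8601 timestamp. IDs are made-up
# pseudonymous identifiers, not real Threema IDs.
METADATA_LOG = """\
A1B2C3D4,E5F6G7H8,2024-03-01T23:10:00
E5F6G7H8,A1B2C3D4,2024-03-01T23:12:00
A1B2C3D4,E5F6G7H8,2024-03-02T07:30:00
A1B2C3D4,J9K0L1M2,2024-03-02T12:00:00
J9K0L1M2,A1B2C3D4,2024-03-02T12:05:00
A1B2C3D4,E5F6G7H8,2024-03-02T22:45:00
E5F6G7H8,A1B2C3D4,2024-03-02T23:01:00
N3O4P5Q6,A1B2C3D4,2024-03-03T10:00:00
A1B2C3D4,E5F6G7H8,2024-03-03T23:30:00
"""

def parse_log(text):
    """Parse CSV lines into (sender, recipient, datetime) tuples."""
    records = []
    for line in text.strip().splitlines():
        sender, recipient, ts = line.split(",")
        records.append((sender, recipient, datetime.fromisoformat(ts)))
    return records

def pair_stats(records):
    """Per unordered pair: message count, reciprocity, share sent 22:00-06:00."""
    count, late, directions = Counter(), Counter(), defaultdict(set)
    for sender, recipient, t in records:
        key = tuple(sorted((sender, recipient)))
        count[key] += 1
        directions[key].add(sender)          # who has sent in this pair
        if t.hour >= 22 or t.hour < 6:       # assumed "late night" window
            late[key] += 1
    return {k: {"messages": c,
                "reciprocal": len(directions[k]) == 2,
                "late_night_share": late[k] / c} for k, c in count.items()}

def strongest_tie(stats, node):
    """Partner with the highest score: frequent, reciprocal, late-night traffic."""
    best, best_score = None, -1.0
    for (a, b), st in stats.items():
        if node not in (a, b):
            continue
        score = st["messages"] * (2 if st["reciprocal"] else 1) * (1 + st["late_night_share"])
        if score > best_score:
            best, best_score = (b if a == node else a), score
    return best

if __name__ == "__main__":
    stats = pair_stats(parse_log(METADATA_LOG))
    print("closest contact of A1B2C3D4:", strongest_tie(stats, "A1B2C3D4"))
```

With a phone-number-keyed service the node labels are real identities; with random IDs the same ranking still emerges, but linking a node to a person requires the user to have volunteered that link.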

The Economic Paradox: One-Time Pay vs. SaaS

The analysis highlights a critical economic challenge: "Enshittification," a term coined by Cory Doctorow. Platforms often follow a cycle: surplus to users -> surplus to business customers -> surplus to shareholders -> death.

Threema charges a one-time fee (~€5-7). In the software world, a one-time payment for a service requiring ongoing server maintenance (push notifications, relaying messages) is a liability. A user acquired in 2014 is now a cost center, not a revenue source.

The B2B Firewall:
This is where Threema Work and Threema OnPrem come into play. The growth strategy under Comitis is likely focused entirely on the enterprise sector.

  • Threema Work: SaaS model with recurring revenue.
  • Threema OnPrem: Allows companies to host the message server within their own DMZ or intranet, offering complete sovereignty over data traffic.

For the private user, this is good news. The private app acts as a marketing tool and a proof-of-concept for the enterprise solution. Compromising the privacy of the consumer app would destroy the trust required to sell the enterprise solution to clients like the Swiss Army or German authorities.

Trust, Code, and the Cloud Act

A significant advantage of Threema is the jurisdiction. Being a Swiss company, it is not subject to the US CLOUD Act, which forces US companies (like Signal or Meta) to disclose data to US authorities regardless of where the server is physically located.

However, a limitation remains: Threema is "partially" Open Source.

  1. The Client: The apps are open source. The reproducible builds can be verified by anyone to ensure the installed binary matches the published source code.
  2. The Server: The backend code is proprietary (unless one licenses the OnPrem version).

Users must trust the external audits that Threema commissions. While the risk is mitigated by the E2EE architecture (the server shouldn't know the private keys), a theoretical "evil update" could be pushed to specific targets.

The Ultimate Alternative: Self-Hosted Matrix

For those who find the "trust me, I'm Swiss" argument insufficient, or who are uncomfortable with private equity ownership, there is a superior technical solution: Matrix.

Matrix is an open standard for decentralized communication. Unlike Threema, where one relies on a central server (even if it is Swiss), Matrix allows the operation of a personal homeserver. This ensures that no metadata leaves the user's own infrastructure.

For a technically savvy user, setting up a Synapse server (the reference implementation of a Matrix homeserver) is the gold standard of sovereignty.

Related guide: Beyond Signal: Regaining Control with a Self-Hosted Matrix Server. Recent messenger outages highlight a key weakness; that guide demonstrates how to build a self-hosted, resilient chat service.

By using Matrix, the reliance on an investment firm's ethical compass is replaced by reliance on one's own Linux administration skills.

Conclusion

The sale of Threema to Comitis Capital is not necessarily the death knell for the messenger. The economic incentive clearly points towards the B2B market, where security and Swiss jurisdiction are the primary assets. Paradoxically, the need to satisfy high-security enterprise customers likely protects the privacy of consumer users. However, for those who view any centralized ownership as a risk, the path leads away from app stores and towards a self-hosted Matrix infrastructure.