When data protection was still a foreign word for many, Christopher Bick and Felix Ferchland founded stashcat GmbH, the maker of a high-security messenger that advertises itself as being data-protection compliant and, above all, extremely secure.
10 years after the company was founded, it is part of the secunet Security Networks AG group with more than 1,000 employees, and the topic of data protection and secure communication is on everyone’s lips. In this interview, CEO Christopher Bick tells us about the company’s beginnings, dealing with hackers and stashcat’s plans in the Middle East.
Mr. Bick, at 34 years old, you are part of the Facebook generation. Do you remember the first time you used a messenger service?
I grew up in Schmarrie, a village in Lower Saxony – there are more cows here than inhabitants. In 2002, our village got fast Internet, which meant that I was suddenly incredibly well connected compared to my classmates. That was great. Back then, I Googled homework for school.
The messenger service I used most regularly was ICQ. We even had a client called “Trillian” back then that not only supported ICQ, but combined multiple messenger accounts. In principle, what we are trying to do again today was already possible then: An app that unites several messengers and connects e.g. Threema and stashcat.
What motivated you and co-founder Felix Ferchland to develop a messenger service?
Felix and I met in high school in 2004 and were inseparable. In the 11th grade we founded a band and our classmates were already betting that we would later found a company together.
Felix then studied IT in Lüneburg and developed a messenger that was interesting for the school market. With my studies in digital media, I then brought Felix’s idea to the market and we founded stashcat GmbH in 2012.
When did you realize: we have created something that could become useful, especially for society?
Often founders think they are changing the world with their idea. We thought: All students and teachers must love this messenger service. But that wasn’t the case at first. The long bureaucratic channels made it difficult for us to become known at schools. Thanks to the support of the Madsack Media Group, we had the necessary tailwind to conquer the school market. After a short time, we had already equipped 1,200 schools with our school cloud. Due to pandemic homeschooling, we now supply over 6,000 schools with the school cloud.
Then in 2016 you got a call from the Office for the Protection of the Constitution, what was your first thought?
We thought: They want to monitor us and have an interface to read along. (laughs)
But that was nonsense. In fact, they came by our office and revealed that they were looking for a high-security messenger service for the Lower Saxony police. Back then, the police sometimes communicated via their private cell phones during operations, which was clearly too insecure. If a police force uses a US provider messenger in a large-scale operation and creates groups for it, I can’t control from top down who is an administrator and who can add others to the group. So the press can succeed in getting into such groups. This is a super-GAU that happened in Belgium. Naturally, the constitutional protection agency here in Germany wanted to forestall this.
We took part in the tender and developed a messenger for the Lower Saxony police that specifically addresses the needs of officers.
In the meantime, other state police forces are also using stashcat, e.g. the police forces of Hesse and Mecklenburg-Western Pomerania.
In 2020, the German Federal Cartel Office conducted a sector inquiry into messenger and video services. It found that “end-to-end encryption is far from being standard among all messenger providers.”
stashcat is a pioneer in end-to-end encryption and has been offering this service for some time.
Back in 2015/16, a market need for end-to-end encryption crystallized. We then built it into our product and were the first on the commercial side in Europe – along with Threema – to implement this. Threema is a technological role model for us – but our focus is really on commercial use.
The mandatory interoperability required by the EU’s Digital Markets Act, which comes into force on May 2, 2023, also poses difficulties. Some services suspect a threat to end-to-end encryption here. Secure messengers like Threema or Signal don’t want interoperability at all because they see the security of their messenger’s communication in danger. stashcat 2.0 is already interoperable, how does that work despite the highest security standards?
Yes, we are ahead of that and already interoperable with stashcat 2.0. In early 2022, we made the fundamental decision whether to go the Threema route or not. Threema’s argument is “interoperability hurts security.” And that’s true: if different products are to communicate with each other, there has to be a common denominator. That’s where security is usually tiered, and where end-to-end encryption is removed at one point and re-linked.
We made the decision that the Matrix protocol was the perfect solution for us. That means we are making stashcat interoperable, using a protocol that doesn’t have to be broken up to communicate with others. So: yes, we are interoperable, but only with other messengers that also use the Matrix protocol.
A “right to encryption” is promised by the designated federal government in its coalition agreement. In 2021, the interior ministers of the German states called on the federal government to amend the Network Enforcement Act to allow illegal content in messenger services to be reported. This means that end-to-end encryption would have to be bypassed. What do you think about chat control?
Basically, we have not built a messenger for consumers. We at stashcat GmbH see ourselves as a service provider for public authorities. If customers want real end-to-end encryption, they get it. However, this is not desired in all areas. Especially in the service relationship (with the police) there is an auditing obligation. Therefore, in the case of the police, it can also be ensured with advance notice that a third person is present in the chat who can potentially monitor whether a policeman or policewoman is violating his or her duty of supervision.
How do you define the success of stashcat?
For us, success means when many police officers in a federal state use the messenger. In Lower Saxony, we have 25,000 police officers and 19,000 of them use stashcat. That is already enormous!
Nevertheless, we know that there won’t be one messenger that makes all police forces and all states equally happy.
Because countries all have different requirements. And the principle of an egg-laying wool-milk-sow has already not worked in the area we also know very well: the school market. Our attempt was to invent the one big learning platform that would make all types of schools and providers happy. We then had to admit to ourselves that there will be no such thing as an egg-laying wool-milk-sow. In the end, the lean tools prevail: WhatsApp, Dropbox or the like. That’s why we won’t be able to map all the requirements that the police have.
Now we are focusing on interoperability, so that different police forces can exchange their data and use their “own” services in conjunction with our product.
According to the Bundeskartellamt’s sector inquiry, however, with many messenger providers “it is not apparent at first glance in which country the servers are located, and in some cases the providers use multiple locations.” The location of the servers is essential in order to obtain information about which data protection laws the communication data are subject to.
Where are the stashcat servers located?
All our servers are located in the south of Germany.
Do high-profile customers like politics, police, and government agencies make stashcat more vulnerable to cyberattacks?
Our biggest hack attacks come from the school market. It’s often ambitious students who try to cripple the school platform. We get that out and sprinkle countermeasures.
Do you then target the hackers specifically?
We actually use these attacks to make acquisitions: If we find out there’s been an attack, then we approach the students. We’re always looking for new developers.
So there are no punishments?
No, you can’t do that from my point of view. Whoever finds a vulnerability will be rewarded.
Mr. Bick, what options does stashcat offer to ensure that the storage of sensitive data and message histories cannot be viewed?
With our exclusive end-to-end encryption, we can completely rule out man-in-the-middle attacks, because the metadata is stored exclusively in encrypted form.
Nevertheless: There are always possibilities to multiply data in the form of screenshots etc. That’s why we also issue documents in simple language with the program, which teach users about data security and train them to pay attention to security.
What is your biggest vision for the coming years?
We want to go international. We have initial projects in the Middle East and European security authorities have already expressed interest in stashcat. Currently, our core market is in Germany, but there is a high demand for secure communications that stand out from U.S. vendors.
We also want to further expand interoperability – it should practically be like “back then” when I used the Trillian client in Schmarrie. We want to develop a large marketplace at stashcat. So that I can get what I need on a daily basis, whether I’m a police officer or a doctor, in a one-stop shop. Whether it’s access to a patient record, or a search tool: it should all be in one place. The vision is that we will be the pioneer in the niche markets we are in.
This interview was conducted in German and translated into English.