Those who find a weak spot are rewarded
When data protection was still a foreign concept for many, Christopher Bick and Felix Ferchland founded stashcat GmbH, a highly secure messenger that advertised itself as being data protection-compliant and, above all, particularly secure.
Ten years after the company was founded, it is part of the secunet Security Networks AG Group with more than 1,000 employees, and the topic of data protection and secure communication is on everyone's lips. In this interview, CEO Christopher Bick tells us about the company's beginnings, dealing with hackers and stashcat's plans in the Middle East.
Mr. Bick, at 34, you belong to the Facebook generation. Do you remember the first time you used a messenger service?
I grew up in Schmarrie, a village in Lower Saxony, where there are more cows than inhabitants. In 2002, our village got fast Internet, which meant I was suddenly incredibly well connected compared to my classmates. That was great. Back then, I googled homework for school.
I used the messenger service ICQ most regularly. Back then, we even had a client called "Trillian", which not only supported ICQ but also combined several messenger accounts. In principle, what we are trying to do today was already possible back then: an app that combines several messengers and connects Threema and stashcat, for example.
When did you realize that you had created something that could be useful for society in particular?
Founders often think that they are changing the world with their idea. We thought: All students and teachers must love this messenger service. But that wasn't the case at first. The long bureaucratic processes made it difficult for us to become known in schools. Thanks to the support of the Madsack Media Group, we had the necessary tailwind to conquer the school market. After a short time, we had already equipped 1,200 schools with our schul.cloud. Due to the pandemic-related homeschooling, we now supply over 6,000 schools with schul.cloud.
In 2016, you received a call from the Office for the Protection of the Constitution. What was your first thought?
We thought: They want to monitor us and have an interface to read along. (laughs)
But that was nonsense. They actually came to us and told us that they were looking for a high-security messenger service for the Lower Saxony police. At the time, some of the police communicated via their private cell phones during operations, which was clearly too insecure. If a police force uses a US provider's messenger in a large-scale operation and creates groups for this purpose, I cannot control from the top down who is the administrator and who can add others to the group. This is how the press can manage to get into such groups. This is what happened in Belgium. Naturally, the Office for the Protection of the Constitution wanted to get ahead of this here in Germany.
We took part in the tender and developed a messenger for the Lower Saxony police that specifically addresses the needs of officers.
Other state police forces are now also using stashcat, e.g. the police in Hesse and Mecklenburg-Western Pomerania.
In 2020, the Federal Cartel Office conducted a sector inquiry into messenger and video services. It found that "end-to-end encryption is still far from being standard for all messenger providers".
stashcat is a pioneer in end-to-end encryption and has been offering this service for some time.
At that time, in 2015/16, a market need for end-to-end encryption crystallized. We then built it into our product and were the first to implement it on the commercial side in Europe - alongside Threema. Threema is a technological role model for us, but our focus is actually on commercial use.
The mandatory interoperability required by the EU's Digital Markets Act, which comes into force on May 2, 2023, also poses difficulties. Some services suspect that this poses a threat to end-to-end encryption. Secure messengers such as Threema or Signal do not want interoperability at all because they see the security of their messengers' communication at risk. stashcat 2.0 is already interoperable. How does that work despite the highest security standards?
Yes, we beat them to it and are already interoperable with stashcat 2.0. At the beginning of 2022, we made the fundamental decision as to whether or not to go down the Threema route. Threema's argument is "interoperability harms security". And that's true: if different products are to communicate with each other, there has to be a common denominator. Security is usually graded and end-to-end encryption is removed at one point and re-linked.
We have decided that the Matrix protocol is the perfect solution for us. This means that we make stashcat interoperable and use a protocol that does not need to be broken in order to communicate with others. So yes, we are interoperable, but only with other messengers that also use the Matrix protocol.
The incoming federal government promises a "right to encryption" in its coalition agreement. In 2021, the state interior ministers called on the federal government to amend the Network Enforcement Act in order to be able to report illegal content in messenger services. This means that end-to-end encryption would have to be bypassed. What do you think of chat control?
Basically, we have not built a messenger for consumers. We at stashcat GmbH see ourselves as a service provider for public authorities. If customers want real end-to-end encryption, they get it. However, this is not desired in all areas. Especially in the employer-employee relationship (with the police) there is an obligation to audit. For this reason, the police can also ensure that a third person is present in the chat with advance notice, who can potentially monitor whether a police officer is violating their duty of supervision.
How do you define the success of stashcat?
For us, success means when many police officers in a federal state use the messenger. In Lower Saxony, we have 25,000 police officers and 19,000 of them use stashcat. That's already enormous!
Nevertheless, we know that there won't be one messenger that makes all police forces and all federal states equally happy.
Why is that?
Because the federal states all have different requirements. And the "one size fits all" approach hasn't worked in an area that we know very well: the school market. Our attempt was to invent a large learning platform that would make all types of schools and providers happy. We then had to admit to ourselves that there is no such thing as a one-size-fits-all solution. In the end, the lean tools will prevail: WhatsApp, Dropbox or similar. That's why we won't be able to map all the requirements that the police have.
We are now focusing on interoperability so that different police forces can exchange their data and use their "own" services in conjunction with our product.
According to the Bundeskartellamt's sector inquiry, many messenger providers "do not make it clear at first glance in which country the servers are located, and in some cases the providers use several locations." The location of the servers is essential in order to obtain information about which data protection law the communication data is subject to.
Where are the stashcat servers located?
All our servers are located in the south of Germany.
Do high-profile customers such as politicians, police and authorities make stashcat more vulnerable to cyber attacks?
The biggest attacks on us come from the school market. It's often ambitious students who try to paralyze the school platform. We find out and implement countermeasures.
Do you then target the hackers specifically?
We actually use these attacks for recruiting: if we find out that there has been an attack, then we approach the students. We are always on the lookout for new developers.
So there are no punishments?
No, from my point of view you can't do that. Anyone who finds a vulnerability is rewarded.
(Source: Sector inquiry by the Federal Cartel Office)
The storage of long-term secrets and other sensitive data is another security-relevant issue
Mr. Bick, what options does stashcat offer to ensure that the storage of sensitive data and message histories cannot be viewed?
With our exclusive end-to-end encryption, we can completely rule out man-in-the-middle attacks, because the metadata is stored exclusively in encrypted form.
Nevertheless, there are always opportunities to multiply data in the form of screenshots etc. That's why we also provide documents in simple language with the program that teach users about data security and train them to pay attention to security.
What is your biggest vision for the coming years?
We want to go international. We have our first projects in the Middle East and the European security authorities have already expressed interest in stashcat. Our core market is currently in Germany, but the demand for secure means of communication that stand out from US providers is high.
We also want to further expand interoperability. It should practically be like "back then" when I used the Trillian client in Schmarrie. We want to develop a large marketplace at stashcat, so that I can get what I need every day, whether I'm a police officer or a doctor, in a one-stop shop. Whether it's access to a patient file or a search tool, everything should be in one place. Our vision is to become a pioneer in the niche markets in which we operate.
We are happy to help.