Everything You Want to Know About ThreadThat.com (TT)


SECURITY
Why should I be concerned about encryption?
How strong is the encryption used by TT?
Are all Threads on TT encrypted?
Are attachments encrypted?
How do I know TT is really encrypting my messages?
I forgot my account name and/or password. Can TT help me?
What is a Password Recovery File and why do I need one?
What is multi-factor authentication and does TT offer it?
Does TT have an automatic logout feature?
How many login attempts am I allowed?
Can I reset my password if I forget it?
What security risks should I be aware of?

PRIVACY and Threads
What is a Secure Thread?
What is the TT Console?
Are all Threads on TT encrypted?
What is the difference between "Unprotected" and "Protected" Threads?
What is the difference between "Untrusted" and "Trusted" Threads?
How does someone know I invited them to a Thread?
Why do my "New Thread" notifications sometimes bounce?
Can I create a draft Thread?
Does each person I share with need to create a TT account?
Who can read my Threads?
Does TT provide "sent" confirmations?
Does TT provide "read" confirmations?
Can I edit a post after it has been submitted?
How can I easily find the Thread I am looking for?
Where are my Threads stored?
How long will my Threads be available?
Can I delete a Thread?
What type of files can I attach to a Thread?
How many files can be attached to a Thread?
Will this service always be "free"?
Does the KeyBox compromise data security?
Can I delete a message from a Thread?
Who can invite others to a Thread after it has been created?
Can I create a "read-only" Thread?
Can I remove someone from a Thread?
How do I let others know what passkey I used to encrypt a Protected Thread?
What activity does TT log?
How can I turn on/off email and/or cell phone text notifications?
Can I delete my account?

EMAIL ADDRESSES
What does TT use my email address for?
Why do my "New Thread" notifications sometimes bounce?
What if I don't have an email account or have one, but don't want to reveal it?
Why would I register more than one of my email addresses?
Why is my address book empty?
What are contact lists and why do I want to use them?

PASSKEYS and KEYBOX
What is a passkey?
How many different passkeys do I need?
What is a KeyBox?
Does the KeyBox compromise data security?
How do I let others know what passkey I used to encrypt a Protected Thread?
What happens if I change one my passkeys?

ATTACHMENTS
What type of files can I attach to a Thread?
How many files can be attached to a Thread?
Are attachments encrypted?
Can attachments be modified?
Can I create a photo slideshow with TT?

MORE IMPORTANT INFORMATION
What languages does ThreadThat support?
How is using TT different from using secure email?
What makes TT unique?
What is the best resolution and browser to use for TT?
Is TT HIPAA-compliant?
Can I use TT for my business?
Can I purchase the TT application code, customize it and run it on my own servers?
Does using TT make my business HIPAA compliant?
What is TT's backup policy?
Besides the general public, who else can benefit from TT?
What happens to my Threads if TT stops offering this service?

SECURITY

Why should I be concerned about encryption? [Top]

Sending sensitive messages, documents and files over the Internet via email is like sending a postcard via U.S. Mail. Anyone that handles your email on route to its destination can read it. It doesn't matter whether you send your emails via public or private networks. Your message can be intercepted by anyone along the way. Even using a secure (SSL) connection to send your emails only insures that your emails can't be read while transmitting between your computer and your email server. When your email reaches your email server, it can be seen by your email service provider. Then your service provider typically forwards your email unencrypted to its destination.

Although most email traffic is not of a Unprotected nature, at times everyone has Unprotected or secret information they want to communicate to others. They want to protect that information from falling into the wrong hands. The only guaranteed way to prevent unwanted access to your private information is encryption. The easiest, most user-friendly way to get this encryption is ThreadThat.com

How strong is the encryption used by TT? [Top]

TT uses AES 256 encryption for SSL and for storing messages and files. AES provides strong encryption and was selected by The National Institute of Standards and Technology as a Federal Information Processing Standard in November 2001 (FIPS-197). Currently, there are no computers that could break the encryption key in a reasonable amount of time (it would take years). A password, or more precisely its hash (SHA 256), is used to protect the encryption key. For Protected Threads, neither the password nor its hash is stored anywhere. If the passkey provided by the reader is not correct, it will be impossible to get the encryption key and consequently impossible to decrypt the Threads.

Are all Threads on TT encrypted? [Top]

Yes. Every Unprotected Thread is encrypted by a unique key. Every Protected Thread is encrypted by a key which is itself encrypted by a passkey that only those accessing the Thread have knowledge of. Unprotected Threads can be opened by the initiator and any user that was invited to the Thread. No additional passkey or password is required to view or add to a Unprotected Thread. This makes Unprotected Threads easier to use, but they are inherently less secure than Protected Threads (See the FAQ regarding the difference between "Unprotected" and "Protected" Threads). You can also view a video I have created in an attempt to assure you that I am protecting the data you entrust with TT. As with anything on the Internet, there is always skepticism. I hope this rare look behind the scenes will elevate your trust in us. Please feel free to contact TT directly if you seek additional proof that I am serious about protecting your information.

Are attachments encrypted? [Top]

Yes. Attachments are encrypted using AES 256-bit encryption. The process used to encrypt and decrypt the files is very fast regardless of whether you are using Unprotected or Protected Threads. When using Protected Threads, the files you upload are encrypted and decrypted using the same passkey that is used for the Thread text. This makes your uploaded files as secure and private as the Thread itself. The files are stored on the server using an unrecognizable name. The actual file name is stored encrypted in the TT database. This insures that a hacker, if they somehow got access to the server, cannot view any file you upload. When using Protected Threads, your files cannot be decrypted unless you provide the passkey that was used to encrypt the Thread.

How do I know TT is really encrypting my messages? [Top]

Most website owners expect you to trust what you read on their site. I prefer that you can prove it to yourself. You can view a video I have created in an attempt to assure you that I am protecting the data you entrust with TT. If you are need more proof, have a friend create a TT account and send you a "Protected" Thread. From your account, attempt to read the Thread without supplying the passkey your friend used to encrypt the message. TT will display the encrypted version of the message. I want you to trust us, but I understand that you want to be sure.

I forgot my account name and/or password. Can TT help me? [Top]

Yes. Just click the "Forgot your Username or Password?" link on the login page. You will be taken to another page where you can request your username or request a password reset or recovery. You must enter an email address or mobile number that you own and have registered with TT. For username requests, TT will send the username associated with that registered email account or mobile number to that email address or mobile device. TT does not store account passwords in a format that is readable by either TT personnel or TT software. This is for your protection. To insure that you never have to reset your password, I recommend that you download a password recovery file from the Preferences page. As long as you have a current recovery file, you can retrieve your current password by clicking the "Recover My Password" button. If you do not have a recovery file, then your only other option is to click the "Reset My Password" button. In either case, an email or text message will be sent to you with a unique link or confirmation code that you can then use to return to the TT website and reset or recover your password. This is in lieu of providing answers to secret questions. TT does not ask you to provide such personal information when creating an account. Since your mobile device number (if entered in preferences), Keybox (if using Protected messaging) and notification template (if entered in preferences) are all ecrypted by your account password, resetting your password results in the loss of that data. This protects your privacy in the event that the email account associated to your TT account is compromised and the thief resets your TT password. Access to Protected Threads will require that the passkeys used to encrypt those Threads be re-entered. Unprotected Threads, however, will be accessible. For this reason, it is very important that you remember your account password or download a password recovery file and store it in a safe location.

What is a Password Recovery File and why do I need one? [Top]

TT does not store your password. I cannot tell you what your password is if you forget it unless you download a Password Recovery File. You can do this from the Preferences page at any time you are logged in. You must store this file somewhere safe so that if you forget your password, you can provide the encrypted version of your password from the recovery file. TT will decrypt that string and create an MD5 hash of it. If that MD5 hash matches the MD5 hash of your current password, then TT knows that recovery file has your current password and will provide it to you. You must first prove you own the account by requesting a challenge email and then clicking the link in that email or providing your registered mobile number in which case you will receive a confirmation code via SMS text messaging. That will allow you to recover your password. Storing the recovery file on your computer is safe because it contains an encrypted version of your password. If someone were to get that file, it would not allow them to discover your password unless they also compromised the email account you use for TT. Being able to recover your password instead of resetting it is especially important if you use Protected messaging. This is because your passkeys are stored in your KeyBox and your Keybox is encrypted by your account password. Resetting your password causes your KeyBox to be deleted and you would then have to rebuild it - assuming you remember what passkeys you used. This protects you in the event that the email account associated to your TT account is compromised and the thief resets your TT password. If you are using Protected Threads, the thief would also need the passkeys used to encrypt those Threads. The thief would, however, have access to any Unprotected Threads. Resetting the password also results in the loss of your mobile device number and notification template (if entered in preferences) as they are also encrypted by your account password.

What is multi-factor authentication and does TT offer it? [Top]

Multi-factor authentication is a system wherein two different factors are used in conjunction to authenticate. Typically, this involves something you know (e.g. password) and something you have (e.g. mobile device, email account). TT uses multi-factor authentication when it detects that you are logging in from a location you have never logged in from before. This is similar to how other sites use this technology (some examples are banks, Twitter, Gmail and Facebook). You can enable this feature via Preferences. If you decide to use it, you will be required to verify your identity when attempting to log in from an untrusted location. In the event that TT detects someone is attempting to access your account from a new "untrusted" location, a link will be emailed to your default TT email account or a confirmation code will be texted to your registered mobile device. You verify your identity by logging into your email account and clicking the unique link provided or entering the confirmation code sent to your mobile device. This single-use code can be entered on the login page. Successful login using either method results in the new location being trusted. Activating this option is your best defense against hacking because the hacker would need to have access to either your default TT email account or your mobile device to successfully hack into your account. You can delete all previously trusted locations from the Preferences page. You can further protect your account by selecting the "Disable Password Resets" option. This will prevent anyone (including yourself) from resetting the password on your account. If someone compromises the email account you use for TT, this option prevents them from using that email account to reset your TT password.

Does TT have an automatic logout feature? [Top]

By default, TT will log you out after 60 minutes of inactivity. You can change this setting in your preferences. It can range anywhere from 1 minute to 999 minutes.

How many login attempts am I allowed? [Top]

You are allowed 10 tries to log in. On the 10th failed attempt, your account will be locked. You must then reset your account password to gain access to your account.

Can I reset my password if I forget it? [Top]

Yes, assuming you have not disabled that feature. If you forget your password, just click the "Forgot your Username or Password?" link from the login page. You will be taken to the "Username and Password Assistance" page where you must provide an email address or mobile number that is associated to your TT account. An email will be sent to that account with a link that you must click or a confirmation code will be sent to your mobile device. That link will take you to the password reset page where you can then enter a new password. If you enter a registered mobile number, you will be taken directly to the password reset page where you can enter the confirmation code sent to that device. Although this is a convenient feature, allowing it exposes you to the possible takeover of your account by anyone that compromises that email account. If you are concerned about this possibility, you can disable the password reset feature for your account by visiting the Preferences page and checking the "Disable Password Reset" option. Beware that this will prevent anyone from resetting your TT password - including you! As insurance against the loss of your TT password, I encourage you to download a password recovery file and store it in a safe place. Otherwise, if you lose your password and you have disabled password resets, you will lose everything on your account because the only option is to have TT Customer Support delete your account so you can create a new one.

What security risks should I be aware of? [Top]

No web application is 100% secure. My goal is to make available a web application that balances risk mitigation and ease of use. TT's risk mitigation only protects you up to the point where information is delivered to your desktop. After that, it is up to you to protect that information by not saving it on your local computer or disseminating it to others using unsecure methods. Given that, the following is the Security Risk Assessment for TT:

Risk           Mitigation
An attacker eavesdroppping on your Internet connection. Your session is protected by 256 bit SSL encryption provided by AlphaSSL. The attacker will only see encrypted information. TT also uses Perfect Forward Secrecy (PFS) where supported by the browser in use at the time. PFS guards against the recording of SSL traffic for the purpose of later decryption. Each SSL exchange is encrypted by a different key making possession of TT's private SSL key useless to attackers. All pages in TT that require SSL to protect your content first check to insure the connection is an HTTPS connection and, if not, redirects the session to an HTTPS connection. This prevents SSL-stripping man-in-the-middle attacks that attempt to force your session to an unencrypted protocol for the purpose of capturing your content in a usable format.
An attacker gaining access to the TT key server but not the data server. Data encryption keys for Protected threads are encrypted by passkeys known only by you. No Thread data is stored on the keys server. If the attacker does not get access to the data server, then possession of the keys is of no value to the attacker.
An attacker gaining access to the TT data server but not the key server. All Thread data is encrypted using AES 256 symmetric key encryption. The keys are not stored on the data server. If the attacker does not get access to the key server, then possession of the encrypted data is of no value to the attacker. The only information that is not encrypted on the data server is your email address and account name.
An attacker gaining access to both the TT data server and the key server. Access to both the key and data server may allow the attacker to decrypt Unprotected messages and attachments, but not sercret messages and attachments. This is because the data encryption keys used to encrypt Protected Threads are encrypted by passkeys known only by you and those you share your passkeys with. So, Unprotected Threads are at risk if an attacker can gain access to both servers, but Protected Threads are safe. To get access to your encrypted Thread attachments, an attacker must also gain access to TT's secure web server. Note that all TT database connection information (i.e. login credentials) are encrypted in such a way that they can only be decrypted while executing code on TT's application server.
An attacker taking control of TT's web server after you have accessed your Threads. Although very remote, there is a chance that your decrypted messages could exist in memory on the server even after you log off. In this case, an attacker might gain access to the Thread you were viewing when the attack took place. TT's web server is scanned daily for security vulnerabilities to reduce the potential of such an attack.
An attacker controlling TT's web server while you are accessing your Threads. In the unlikely event that this occurs, you are not protected. However, as mentioned above, TT's web server is scanned daily for security vulnerabilities to reduce the potential of such an attack.
An attacker gaining control of your local computer after you have accessed your Threads. An attacker will likely have access to your account if you have not logged out of TT. Be sure to either click the Logout link in the upper right corner of any page or close all browser windows when you are done with TT. That is the only sure way to prevent unauthorized use of your account on your computer.
Your computer getting infected with a virus that records your keystrokes without your knowledge. There is nothing that TT can do to prevent this from happening. If it does, then an attacker may gain access to your account after you have entered your account password and it is recorded and sent to the attacker. You can prevent a stolen password from allowing access to your TT account if you activate multi-factor authentication for your account (described above).
You allow "Untrusted" access to a Thread by users without a TT account. If you choose this option when creating a Thread, you acknowledge that that Thread can be accessed by anyone in possession of the unique link provided in the notification emails and is, therefore, inherently untrusted. Not only will they be able access the Thread associated with the link they possess, but successful access to any unprotected Thread will result in access to all other unprotected Threads accessible by that email account. Therefore, I strongly recommend the use of Protected messaging when allowing "Untrusted" access and further recommend using something other than email to communicate the passkey to the recipients of the Thread. This makes unintended access less likely, but does not prevent it. The most secure way to use TT is using "Protected/Trusted" Threads.
The email account you use for TT is compromised. Email accounts get hacked every day. Once in control of your email account, the perpetrator can use that account to reset the password on other accounts associated with it (e.g. Twitter, Facebook, bank accounts, etc). By default, TT allows password resets via any email account you associate with TT. If you are concerned that someone might get control of your TT account, you can prevent password resets. This option is available in your Preferences. Beware that activating this option prevents anyone from resetting your password including you. As such, I encourage you to download a password recovery file (also available from the Preferences page) just in case you lose your TT password. Also, never use the same password for both TT and the email accounts you associate to it.
[Added 11/9/13] The SSL certificate used to encrypt in-flight content is compromised. It has been widely publicized that SSL may not be as secure as once believed. TT could be targeted by the U.S. government and required to provide its SSL certificate to facilitate decryption of captured in-flight content without notifying its user community. Thanks to the NSA and in the spirit of transparency, this risk must be listed here. [Updated 12/28/2013] The TT server has been reconfigured to use Perfect Forward Secrecy (PFS) where possible. Most modern browsers support PFS. PFS has slightly more overhead when negotiating SSL communications and that is why most sites do not use it. The advantage of PFS is that every exchange of information between your browser and the server uses a different key. This makes it impossible for any organization in possession of TT's SSL private key to decode previous or current SSL traffic. PFS is being adopted by more companies in light of the revelation that the NSA has been recording SSL traffic of well known sites with the intent of decoding it later using the SSL key that encrypted it. Google uses PFS for Gmail, Twitter uses it for all traffic. The difference is that these organizations store user content in plain text once it is received. TT does not.

[Added 11/9/13] The passkey used to protect your Threads is compromised. If you are sharing your passkeys via email, then you risk making those passkeys available to hackers, law enforcement and government agencies. It has been widely publicized that Internet Service Providers and email providers like Yahoo, Google and Microsoft are compelled to provide email metadata and content to law enforcement and government agencies upon request - sometimes without a court order. While email is an easy way to share your passkeys, it is important to realize the risk. If the NSA, for example, were to present Safe T Services with a secret order and supplied the passkey(s) protecting Threads accessed by a targeted individual, Safe T Services would be compelled to cooperate and provide whatever content could be decrypted with those passkeys. To mitigate this risk, you should never use the option that causes your passkeys to be sent to recipients via email. Instead, use an ecrypted text messaging application, snail mail or a phone call.

[Updated 5/14/16] Your account password is compromised by TT. The TT software has access to your plain text password in encrypted session state while you are logged in. The software uses your password when it needs to decipher your passkeys and mobile device number. If you are going to use TT, you must trust that the software is doing exactly what the site says. I realize this requires a leap of faith. But then, you must take that leap with just about any site that you entrust your private information to - like financial institutions for example. I don't care how big or how well known the organization is, there's always the possibilty that one could introduce code (or be compelled to introduce code) that captures your plain text password for nefarious or legal purposes. Again, it has been well publicized recently that the U.S. government could compell software providers to modify their code to get the information they are after. If I was able to, without being arrested or fined, I would shut down the site rather than complying. It is very likely, however, that I would not be given that option. So, user beware. If you are using TT to avoid the eyes of those 3-letter agencies, I suggest looking elsewhere. End-to-End encryption is the closest you will get to absolute protection. However, as we saw in the Apple vs. FBI case in 2016, the FBI often gets what it wants - even if it takes millions in taxpayer money to do so.
[Added 11/9/13] TT will not be allowed to divulge that the entire site is compromised as the result of implementing a secret court order. If not prevented from doing so by a secret order, I will remove the "secret order" warning from the site. However, if I am specifically ordered not to under penalty of law, then it is possible the site could be compromised without warning to any users. So, again, user beware. If you are using TT to avoid the eyes of those 3-letter agencies, I suggest looking elsewhere.


PRIVACY and Threads

What is a Secure Thread? [Top]

A secure thread is a series of exchanges between two or more individuals arranged in one convenient continuous conversation. All messages and files are encrypted while in-transit and while at-rest and can only be accessed by other authorized ThreadThat users. Threads only exist on ThreadThat servers, never on an end-user computing device.

What is the TT Console? [Top]

The TT Console is the where you will create and view Threads. There are 4 windows in the console as follows:

  • Thread list - this window displays all Threads you have initiated and all Threads others have invited you to. This window refreshes every 10 seconds if you turn Auto Refresh on. Threads are selected by clicking anywhere on the row.  By default, your new TT account is set up to display only Threads that have had activity in the last 7 days plus all Threads you have not read or that have had updates since you last read them regardless of when they were updated.  You can change this behavior by updating your preferences.
  • Message list - when a Thread is selected, the messages for that Thread are displayed in order, starting with the most recent. This is a display only window and it refreshes every 10 seconds if you turn Auto Refresh on.
  • User list - this window displays the username of each person that was invited to the Thread. There is an icon that indicates whether that person is logged into the TT Console and whether they are viewing that Thread. This list is refreshed every 10 seconds if you turn Auto Refresh on. If you are viewing a Thread that you initiated, there will also be a red X next to each user that can be clicked to remove that person from the Thread.
  • Attachment list - this window displays a list of files that have been uploaded to the Thread. Three icons appear next to the file name. Clicking these icons allow you to download, view or delete the files. If you initiate a Thread, you will be allowed to delete any file that is uploaded regardless of who uploaded it.

Are all Threads on TT encrypted? [Top]

Yes. Every Unprotected Thread is encrypted by a unique key. Every Protected Thread is encrypted by a key which is itself encrypted by a passkey that only those accessing the Thread have knowledge of. Unprotected Threads can be opened by the initiator and any user that was invited to the Thread. No additional passkey or password is required to view or add to a Unprotected Thread. This makes Unprotected Threads easier to use, but they are inherently less secure than Protected Threads (See the FAQ regarding the difference between "Unprotected" and "Protected" Threads). You can also view a video I have created in an attempt to assure you that I am protecting the data you entrust with TT. As with anything on the Internet, there is always skepticism. I hope this rare look behind the scenes will elevate your trust in TT. Please feel free to contact TT directly if you seek additional proof that I am serious about protecting your information.

What is the difference between "Unprotected" and "Protected" Threads? [Top]

The primary difference is that TT has access to the keys used to encrypt and decrypt Unprotected Threads. I make every effort to protect these keys. The data and keys are stored on different database servers, there is physical security at each server location, and the database servers are password protected with different passwords. This makes it impossible for an information thief to get both the encrypted data and the keys to decrypt that data unless they have insider assistance.

However, I have access to both database servers. Although I would never intentionally compromise your Unprotected data, TT as a company could be compelled to provide your Unprotected Threads to law enforcement agencies given they serve the proper warrants. Since TT doesn't store your name or any other identifying information, any law enforcement agency would be required to provide TT with your account name or email address. Given that they produced a valid account name or email address, TT could provide that law enforcement agency with all decrypted Unprotected Threads in the database for that account at that time.

Protected Threads provide a higher degree of protection from any attempt to breach your privacy. To create a Protected Thread, you must create a passkey which is then known only to you and those you communicate with on TT. Before anyone you invite to your Protected Thread can view it, they must provide the passkey that was used to encrypt it. Your passkeys are automatically stored in your TT Keybox and your Keybox is encrypted by your plain text account password. So, without your plain text account password, which is not stored on TT's servers, your passkeys cannot be decrypted, which means your data encryption keys cannot be decrypted, which means your data and attachments cannot be decrypted. That said, TT is to be used for legal purposes only. You must abide by the Terms of Service for ThreadThat.com. You can be certain that if you use TT for illegal purposes and you are investigated by law enforcement and TT is served with authentic court orders to cooperate, I will cooperate to the extent required by the law. If you are only using TT for legal purposes, then you can be assured that your privacy will be protected. Beware: TT is not providing a safe harbor to conduct criminal activity!

You can change your default privacy level from Preferences. If you want "Protected" to be your default privacy level, visit Preferences and check the box labeled "Make passkey protection my default".

What is the difference between "Untrusted" and "Trusted" Threads? [Top]

If you want Thread invitees to be able to view and respond to the Thread without creating an account or logging in, you can check the "Make this Thread accessible to users without an account" option. A unique link to the Thread will be sent to each invitee which they can simply click to access the Thread. Since they are not required to log in, you cannot trust that they are actually the owner of the account to which the link was sent. This option may make it easier to get others to participate in your use of TT, but it assumes a level of trust on your part. You are trusting that those you invite will not share their link with someone that was not invited. Possession of a link to an "untrusted" Thread may allow access to other "untrusted" Threads addressed to that email address. Untrusted passkey-protected Threads require the associated passkey regardless. If you want to be certain that the Thread is only accessed by a trusted party, then you should NOT use the "Make this Thread accessible to users without an account" option. Recipients then must log in to TT to access the Thread. For "Untrusted" Threads (Threads that do not require the user to log into a TT account), the "Added By" and "Read By" information will include a designation of "(T)" or "(U)" to denote whether the user logged into a TT account (T)rusted or used a link to access the Thread (U)ntrusted.

The following table describes the 4 possible combinations of Thread protection and Thread access:

      Unprotected Protected
UnTrusted
  • Each new Thread is encrypted in the database using a unique key that is always available to TT in plain text.
  • Invited participants are NOT required to log in to view or post content even if they have a TT account.
  • Lowest privacy and security option. Anyone with a valid access link to the Thread can read and reply to it. Encrypted content can be deciphered without the entry of a password or passkey. Safe T Services can be compelled by a court or government order to provide Unprotected content to legal and government authorities.
  • Each new Thread is encrypted in the database using a unique key that is only accessible to TT when provided the exact passkey that the Thread originator used to protect the Thread.
  • Invited participants are NOT required to log in to view or post content even if they have a TT account.
  • This option offers slightly better privacy and security because possession of the access link alone does not allow a user to gain access. Both the link and the passkey specified by the Thread originator are required to decipher the Thread content. Without the passkey(s), Safe T Services could not decipher Protected Thread content stored in TT's database even if served with an order to do so. See the Security Risk Analysis for additional info.
Trusted
  • Each new Thread is encrypted in the database using a unique key that is always available to TT in plain text.
  • Invited participants MUST have a TT account and MUST log in to view or post content.
  • Better privacy and security than either Untrusted option. Users must be logged into TT and be invited to Thread before they can read and reply to it. However, encrypted content can be deciphered without the entry of a passkey. Therefore, Safe T Services can be compelled by a court or government order to provide Unprotected content to legal and government authorities.
  • Each new Thread is encrypted in the database using a unique key that is only accessible to TT when provided the exact passkey that the Thread originator used to protect the Thread.
  • Invited participants MUST have a TT account and MUST log in to view or post content even if they have a TT account.
  • This is the best option for privacy and security because users must be invited, logged into TT and provide the passkey used to protect the Thread. Without the passkey(s), Safe T Services could not decipher Protected Thread content stored in TT's database even if served with an order to do so. See the Security Risk Analysis for additional info.

How does someone know I invited them to a Thread? [Top]

By default, each recipient of a Thread is notified at the email address you specified when you created the Thread. Each individual gets a copy of the notification addressed only to them. The actual "From" address is always noreply@threadthat.com. The display "From" address on that email depends on your Preference setting for revealing your email address.

  • If you are allowing TT to share your email address and/or mobile number, then the notification will appear to come from your email address or mobile device. The exception to this is if either party has checked the "Anonymize All Inbound and Outbound Email Notifications" option in preferences. In this case, nothing will be used in creating the notification that could link the two parties (no email address, mobile number or user name).
  • If you have elected not to share your email address and/or mobile number, then the notification will come from noreply@threadthat.com with a display name of "Identity Protected". In addition, when that user logs into TT to read the Thread, your email address will display as "Identity: Restricted". Note that while this provides you anonymity, it also increases the likelihood that the notification email will be ignored by the recipient unless they have been forewarned that it is coming.

You have an opportunity to customize the notification before it is sent. You also have the option of bypassing the notification step if you so desire. When an existing Thread is updated, notifications are automatically sent to all parties of that Thread who subscribe to Thread update notifications. Users also have the option of receiving all notifications via SMS text messaging. Notification preferences can be updated by logging into your TT account and clicking the Preferences tab. Other than "New Threads" all notifications are addressed from customer.support@threadthat.com.

Why do my "New Thread" notifications sometimes bounce? [Top]

"New Thread" notifications are created from noreply@threadthat.com with your email address (e.g. you@gmail.com) displaying in the "From:" field. SPAM detection is fierce these days. Anything that even "smells" of SPAM will either be rejected or redirected to the recipients JUNK or SPAM folder. TT follows several best practices required by the email industry to help receiving email systems trust that emails claiming to be sent from TT are in fact sent from TT's mail server. Never-the-less, there are reasons why emails sent from TT will be returned undeliverable. The most common reason is that you, the user, mistyped an email address. In any case where a notification email is returned, it will come to the noreply@threadthat.com mailbox. TT systematically scans that mailbox every 5 minutes for bounced emails. If any are found, a thread is created for the thread owner listing the email address that bounced. If the thread owner has notifications set on in preferences, they will be notified that an email bounced within 5 minutes of sending the thread. In the unlikely event that notifications are bounced for a correctly spelled email address, work-arounds include:

  • Ask the recipient to add noreply@threadthat.com to their address book. This is often all that is required for an email system to trust that emails from TT are not SPAM.
  • Ask the recipient if they have an alternate email account you could use which might not have the same level of SPAM detection.
  • Ask the recipient to create a TT accpount and register their mobile device with TT and have them check the Preference that allows Threads to be addressed to that mobile device. Then you can address Threads to their mobile device number and they will receive "New Thread" notifications as SMS text messages. Note that not all mobile providers support SMS text via email. So, this is remediation is not available to everyone.

Can I create a draft Thread? [Top]

Yes. There are two ways a draft thread can be created. On the New Thread page, one of the buttons at the bottom of the page is "Save as Draft". The only data required to create a draft thread is the thread subject. Another way a draft thread can be created is if your session times out while you are on the New Thread page. After they are saved, draft threads can be edited by opening the thread and clicking the pencil icon. Draft threads are always displayed in the thread list in bold type. When opened, the word "Draft" is displayed to the left of the thread subject.

Does each person I share with need to create a TT account? [Top]

No. You have the option to allow access to Threads by invitees without a TT account. When allowing users without an account to access a Thread, the email notification sent to users without an account will contain a unique link back to that Thread. This method of sharing is not as secure as requiring users to have an account because anyone with that link can access the associated Thread. Since no authentication is required, TT cannot verify who is accessing the Thread. Users anonymously accessing Threads will have the ability to reply to the Thread and upload files. To create new Threads, they must create an account. A link will be provided in the notification email that they can click to quickly create their account (unless you create a custom notification, in which case, no new account link is provided).

Who can read my Threads? [Top]

When you create a Thread, you invite others to read the Thread by adding their email addresses to the recipient list. The message you enter on the Thread is never sent to anyone via email. Only a notification is sent to each email address or mobile number with a short message (that you can customize) and a link that, when clicked, directs that user to the TT site. Unless you choose to allow access to recipients without a TT account, all recipients must log in to TT to read the Thread. If you created a Protected Thread, then they must also provide the passkey that you used to create the Thread. If you allow access to Threads by invitees that do not have a TT account, they will each receive a unique link in their notification email or text message that, when clicked, will result in direct access to the Thread without logging into TT. If the Thread is a "PassKey Protected" Thread, the user will be prompted for the passkey used to encrypt the Thread. This can automatically be sent in a separate email or text message via TT or you can provide it via some other means.

Does TT provide "sent" confirmations? [Top]

Yes. You must first check the option "When I post a new Thread" in the Email Notification Preferences section of Preferences page. Then anytime a new Thread is sent, you will receive an email with a copy of the notification that was sent and a list of the email addresses to which it was sent.

Does TT provide "read" confirmations? [Top]

Yes. When you create a new Thread or post a new message to any Thread, you can check the box indicating that you want to be notified when anyone new reads your post for the first time. You can be notified by email, SMS text messaging or both. Visit the Preferences page to choose you preferred delivery method.

Can I edit a post after it has been submitted? [Top]

Yes. So long as no one has read the posted message, you will see a pencil icon next to the "Added By" information. Click this icon to open the edit window. You can make changes to the message and save them. If while you are changing the message, someone reads it, you will get an error message when you try to save it. You will then be required to click the Discard button to continue. You will then see who has read your message.

How can I easily find the Thread I am looking for? [Top]

On the TT Console, the default Thread order starts with the most recently updated Thread first. You can also filter the Thread list by entering a word or phrase in the filter box below the Username or Subject column heading and clicking the filter icon. If you want to search the body of all of your Threads, click the "Print All" button. This will display every Thread in its entirety in a new browser window. Then you can use the browser's search function to find what you are looking for.

Where are my Threads stored? [Top]

Thread data is stored on database servers that are physically located in Texas. For more information on the Arvixe datacenter, click here

How long will my Threads be available? [Top]

There is no automatic purge process for Threads. They will remain on your account until you delete them individually or delete your account. The exception to this is the self destruct option. When creating a new Thread, you can specify that the Thread must self-destruct upon a specified event and/or elapsed time.

If you delete your account, all Threads initiated, posts on any Thread and any files uploaded by your account will be permanently deleted.

Deleted messages and files cannot be recovered or restored!

Can I delete a Thread? [Top]

Yes. You can delete any Thread by clicking the red "X" next to the Thread. If you created the Thread, then deleting it removes the Thread text, all replies and any Thread attachments from TT's web server. If you did not create the Thread, then deleting it only removes the Thread from your Thread list, but does not remove it from the server. All replies or attachments you posted to the Thread remain visible to anyone else that has access to the Thread. If you want to remove all TT activity from the server including all posts and attachments added to Threads you do not own, you must delete your TT account. This will remove all traces of your account from TT. You can then recreate your account if you wish to continue using TT. I regret that there is no mass delete option on TT other than deleting your account. You can, however, use the self-destruct option when creating your Threads. You have the option for TT to automatically delete Threads a specified amount of time after the Threads are either sent, read by all recipients or inactive. When a Thread self-destructs, no notifications are sent and the delete is irreversible.

What type of files can I attach to a Thread? [Top]

All file extensions are supported. File uploading works best on Windows-based computing devices although mobile and tablet devices are also supported. To open a file, the device to which the file is downloaded must have an application that can display the file content.

How many files can be attached to a Thread? [Top]

There is currently no limit to the number of files that can be attached to a Thread.

Will this service always be "free"? [Top]

Yes!

Does the KeyBox compromise data security? [Top]

No. TT cannot access your KeyBox without your login password. TT does NOT store your login password. TT stores only a "salted" MD5 hash of your password. That allows TT to determine if you have entered the correct value, but makes it impossible for TT (or any hacker for that matter) to determine what the password is. If you forget your account password the only option is to RESET or RECOVER it. RECOVERING your password requires a password recovery file which you can request from the Preferences page. If you are using Protected messaging, I strongly recommend that you download and save a password recovery file in a safe place. RESETTING your password also deletes your Keybox as it can only be opened using the password you forgot. This protects you in the event that the email account associated to your TT account is compromised and the thief uses that email account to reset your TT account password. After a password RESET, you must add your passkeys back to your Keybox. Having a password RECOVERY file will help you avoid such a situation. Note that TT support will never ask you for your password!

Can I delete a message from a Thread? [Top]

Yes. If you created the Thread, you can delete any posted message by clicking the red "X" next to the "Added By". If you didn't start the Thread, you can only delete your own posts. If you started the Thread, you can also do this by deleting the user that posted the reply by clicking the red "X" next to their username. You will be given the option of deleting all replies they posted and attachments they uploaded to the Thread. You can also use the Clear function to do mass removal of messages and attachments from a Thread without deleting the Thread itself. If you did not start the Thread, you can only remove the content you posted. This is an easy way to clear a Thread so you can re-use it.

Who can invite others to a Thread after it has been created? [Top]

When a Thread is created, the initiator has the option of allowing anyone they invite to that Thread to also extend an invitation to others to join the Thread. That option then extends to those others who are invited. You cannot change this setting once the Thread has been created. If you invite someone that does not have a TT account, a link will be provided in their notification email that they can click to quickly create an account.

Can I create a "read-only" Thread? [Top]

Yes, when you create a new Thread there is an option to allow replies to the Thread. This is checked by default. If you do not want recipients to be able to reply to the Thread, then uncheck this box before clicking the OK button. You cannot change this setting once the Thread has been created.

Can I remove someone from a Thread? [Top]

Yes. If you initiated the Thread, then you can remove a participant by clicking the red X next to that user in the User list window. This removes only that one user. Other users that joined the Thread using an invitation from the user that was removed are not affected. You will have the option of removing all replies that user posted and any attachments they uploaded to that Thread.

How do I let others know what passkey I used to encrypt a Protected Thread? [Top]

The answer to this depends on whether the Protected Thread is "Trusted" or "Untrusted". For "Protected/Trusted" Threads, the simplest way would be to include the passkey with the notification email or text message that is sent to each specified recipient. Including the passkey in that email or text message does not compromise the security of your Threads even though it is sent in plain text. Possession of the passkey alone does not grant the holder access to your Threads. You must have also granted the passkey holder access to the Thread. They must have a TT account and you must have included their email address or mobile number in the access list. If a user already has that passkey in their KeyBox, then TT will automatically decrypt your Thread and they will not need to know which passkey you used. You also have the option of sending the passkey in a separate email or text message or not sending it at all. Choose whichever option seems best for your situation.

For "Untrusted" Threads (those Threads accessible via a link), you have all the same options available. However, be aware that those you invite to a "Protected/Untrusted" Thread do not need to prove their identity to view and respond to the Thread. As such, sending the passkey via email or text message gives an attacker everything they need to access the Thread. If you are comfortable with that risk, then include the passkey via one of the email options. If you are not comfortable with that risk, choose some other means to communicate the passkey.

What activity does TT log? [Top]

While using TT, some events are logged (login, logout, pages accessed, etc). This information is only kept for 2 days. It is used for problem solving purposes only.

How can I turn on/off email and/or mobile device text notifications? [Top]

After logging into the TT Console, click the Preferences link on the navigation bar. There you will find instructions on changing your email and SMS options.

Can I delete my account? [Top]

Yes. Deleting your account will cause everything you have done in TT to be erased including your threads, posts you made on other's threads and files you uploaded. Your registered email address(es) and mobile number will be removed from all TT address books. That's right! TT deletes you from every TT user's address book. TT does not retain any record of your account! If you decide after deleting your account that you still want to use TT, just create a new account. You can reuse the same username you deleted if it is still available. Since there is no "lookup" or "search" feature in TT, the only way someone will know that you are a TT user is if you notify them. This protects your privacy. Note that database backups are done twice a day. So, even though you delete your account, your information will be in the most recent backup file for up to 12 hours. Only one backup file is retained.


EMAIL ADDRESSES

What does TT use my email address for? [Top]

Your email address is used for sending and receiving notifications. When you create a Thread, those you allow access to the Thread are notified via email that you've included them on a Thread. The notification will have your email address in the "From:". When someone posts to one of your Threads, you will be notified via email that your Thread was updated. You can disable this feature from Preferences. When another ThreadThat user creates a Thread and gives you access, you will receive a notification with their email address in the "From:". You can also disable this feature from Preferences. Your email address is only used for notifications. No Thread content is ever included in these emails.

Why do my "New Thread" notifications sometimes bounce? [Top]

"New Thread" notifications are created with your email address (e.g. you@gmail.com) in the "From:" field, but are sent from TT's email server domain of "@threadthat.com". This discrepancy between the "From:" domain and the server domain breaks the rules in some SPAM detection software. Depending on the recipient's email client, "New Thread" notifications may be rejected or directed to the recipient's email SPAM or JUNK folder. Bounced emails will be returned to your email account. Work-arounds include:

  • Forward the bounced email to the recipient from your account.
  • Ask the recipient if they have an alternate email account you could use which might not have the same level of SPAM detection.
  • Ask the recipient to register their mobile device with TT and have them check the Preference that allows Threads to be addressed to that mobile device. Then you can address Threads to their mobile device number and they will receive "New Thread" notifications as SMS text messages. Note that not all mobile providers support SMS text via email. So, this is remediation is not available to everyone.
  • In your preferences, check the "Anonymize All Inbound and Outbound Email Notifications" which will cause all notifications to and from your TT account to be sent from noreply@threadthat.com. Since the "From:" email domain then matches the TT email server domain, the emails should not bounce. This option, however, affects all inbound and outbound notifications.

What if I don't have an email account or have one, but don't want to reveal it? [Top]

Email accounts are not required to use TT. You can also use a mobile device or no external communication services. Every TT user is assigned a virtual account (yourusername@threadthat.com) which can be used by other users to address Threads to you. Choosing this option provides maximum anonymity, but disables many of the convenient features in TT unless you also register an email address for notifications. TT will have no way to notify you when you are added to a Thread or when someone reads one of your Threads or replies to your Threads. You also won't be able to reset your password if you forget it. So, this option should be used cautiously. If you change your mind after creating your account, you can add email addresses and your mobile number at any time. Just because you register an email address does not mean you need to share it. You can use your @threadthat.com address for sending and receiving Threads and still get notifications. TT will automatically search for a real email address to use for notifications. That option provides both anonymity and the convenience of notifications.

Why would I register more than one of my email addresses? [Top]

As mentioned above, notifications for new Threads you create will have your email address or mobile number in the "From:". If you have multiple addresses, you can register them by clicking the "My Addresses" button on the Thread console after you log in. You can specify which of your email addresses is your "Default". When creating new Threads, all of your registered email addresses will be displayed in a dropdown list. The "Default" will always display first. You can choose which email address is to be used in the notifications for each Thread you create. You might have, for example, a personal email and a work email. It would make sense that you would select your work email for work related Threads and your personal email when creating Threads for family and friends. Or select your @threadthat.com address if you want to keep your email address private.

Why is my address book empty? [Top]

Your address book will start out empty. As you create new Threads, all email addresses and mobile numbers to which your Threads are addressed will automatically be added to your address book. When you address new Threads, matching email address book entries will be suggested as you type. The more characters you type the shorter the suggestion list will get. You can select one email address or mobile number at a time from the automatic suggestion list or you can open your address book and select multiple addresses using the standard Windows file selection technique (CNTL or SHIFT keys).

What are contact lists and why do I want to use them? [Top]

A contact list is a group of email addresses and mobile numbers from your address book. You can address a new Thread to a list instead of to each individual. You can combine contact lists and individuals when addressing a Thread or inviting users to an existing Thread. To create a contact list, click on "My Addresses", then click the "Contact Lists" button. The first time you go to this page, the dropdown list of contact list names will be empty. Just enter a name in the "New Contact List" field and then select the members you want in that list. Contact List names cannot contain blanks, "@" or "(". Any blanks in the name will automatically be changed to the underscore "_" character. Once you have checked the members you want in the list, scroll to the end of the address book and click the "Add/Update" button. Once you have created a list it will appear in the dropdown at the top of the page. You can update or delete a list by first selecting it from the dropdown, selecting or unselecting members and then clicking the appropriate button at the bottom of the page. ThreadThat.com has a an Automatic Address Book. If any ThreadThat user in your address book changes their email address or mobile number, your address book is automatically updated with their new address or mobile number. You never have to manually update your address book! If you change your email address or mobile number, you don't need to notify other ThreadThat users. When a user changes their email address or mobile number, all Threads to which that user has access will immediately display their new email address or mobile number (except where the user has requested that their email address or mobile number be kept private).


PASSKEYS and KEYBOX

What is a passkey? [Top]

To create a Protected Thread, you must supply a passkey. This is a string of 8 to 400 characters that will be used to encrypt the Thread's encryption key. It could be a combination of random characters or a phrase that is simple to remember or something like a patient identifier or account number. Optionally, you can request TT to generate a 383 character (3,064 bit) passkey on your behalf. The passkey is generated using Microsoft's RSACryptoServiceProvider. There is no known technology that can crack a passkey this size. passkeys are automatically stored in your KeyBox, so you will not be required to type the passkey each time you create a new Protected Thread or open a Protected Thread. Optionally, TT will provide this passkey in a separate email or text message from the notification email or text message to reduce the liklihood of someone intercepting both the passkey and a link to TT. This is especially important when using the "Make this Thread accessible to users without an account" option because because then both emails or text messages are required to gain access to the Thread. You can use some other means if you do not want to use email (e.g. text message or phone call).

How many different passkeys do I need? [Top]

Technically, you only "need" one passkey. The main purpose of a passkey is to prevent access to your Protected Threads by TT without express user permission. Providing someone with your passkey does not give them access to all of your Protected Threads. Users only have access to those Threads they are invited to participate in.

You may prefer, however, to have different passkeys for different audiences. This is perfectly acceptable and you can use your KeyBox to manage all of your passkeys.

What is a KeyBox? [Top]

Protected Threads require the use of passkeys. There is no limit to the number of passkeys you can create. You might have different passkeys for work, family, friends, clients, etc. They also will have passkeys that you will need to use to open Protected Threads that they invite you to participate in. That's potentially a lot of keys to manage. The KeyBox is a repository for all of your passkeys. When you create a new passkey, it will automatically be added to your KeyBox. Your KeyBox is protected by your account password. Your KeyBox can only be opened by the TT software if you supply the correct password at login.

When you log into the TT Console, the TT software will utilize all of the passkeys in your KeyBox to decrypt the Threads in the Thread List window. Protected Threads have encrypted subjects. Without the appropriate passkey, TT cannot display the subject or messages in a Protected Thread. If a suitable passkey cannot be found to decrypt a Thread, the message "passkey required. Click lock to open." will appear in the subject. When you click on the lock icon, you will be required to supply the passkey for that Thread. Either you will receive the passkey in an email or text message or the Thread initiator will supply the passkey to you some other way. Once you have it, you can add it to your KeyBox and forget it. If the owner changes their passkey, you will need to update that passkey in your KeyBox with the new passkey value. Otherwise, you will not be able to open any Thread in your Thread List window that was encrypted with the old passkey.

Does the KeyBox compromise data security? [Top]

No. TT cannot access your KeyBox without your login password. TT does NOT store your login password. TT stores only a "salted" MD5 hash of your password. That allows TT to determine if you have entered the correct value, but makes it impossible for TT (or any hacker for that matter) to determine what the password is. If you forget your account password the only option is to reset it or recover it. Recovering you password requires a password recovery file which you can request from the Preferences page. If you are using Protected messaging, I strongly recommend that you download and save a password recovery file in a safe place. Resetting your password also deletes your Keybox as it can only be opened using the password you forgot. This protects you in the event that the email account associated to your TT account is compromised and the thief uses that email account to reset your TT account password. After a password reset, you must add your passkeys back to your Keybox. Having a password recovery file will help you avoid such a situation. Note that TT support will never ask you for your password!

How do I let others know what passkey I used to encrypt a Protected Thread? [Top]

The simplest way is to use the option that sends your passkey to each recipient in an email or text message separate from the notification email or text message that is sent whenever you create a new Thread. The level of risk when sending the passkey in an email or text message varies depending on whether you chose the "Make this Thread accessible to users without an account" option when creating the Thread. If not, possession of the passkey alone does not grant the holder access to your Threads. You must have also granted the passkey holder access to the Thread. They must have a TT account and you must have included their email address or mobile number in the access list. If a user already has that passkey in their KeyBox, then TT will automatically decrypt your Thread and they will not need to know which passkey you used. If the "Make this Thread accessible to users without an account" option was selected, then possession of the unique link to a Thread along with the passkey that protects that Thread is all that is required to get access. It is NOT recommended that such "Untrusted" access be used for highly sensitive Threads.

What happens if I change one my passkeys? [Top]

You do have the option of changing a passkey at any time. If you do, all Protected Threads created using that passkey become inaccessible to anyone but you. You will need to communicate your new passkey to anyone that you want to have access to those Threads.


ATTACHMENTS

What type of files can I attach to a Thread? [Top]

All file extensions are supported.

How many files can be attached to a Thread? [Top]

There is currently no limit to the number of files that can be attached to a Thread, however, the maximum individual file size TT supports is 100MB.

Are attachments encrypted? [Top]

Yes. Attachments are encrypted using AES 256-bit encryption. The process used to encrypt and decrypt the files is very fast regardless of whether you are using Unprotected or Protected Threads. When using Protected Threads, the files you upload are encrypted and decrypted using the same passkey that is used for the Thread text. This makes your uploaded files as secure and private as the Thread itself. The files are stored on the server using an unrecognizable name. The actual file name is stored encrypted in the TT database. This insures that a hacker, if they somehow got access to the server, cannot view any file you upload. When using Protected Threads, your files cannot be decrypted unless you provide the passkey that was used to encrypt the Thread.

Can attachments be modified? [Top]

Anyone with access to the Thread has access to all attachments on the Thread. Users can download or view an attachment. If changes are made to an attachment, the updated file can be uploaded to the Thread using the same or a different name. If you use the same name, the original file will be replaced unless the "Allow Duplicate File Names" box is checked.

Can I create a photo slideshow with TT? [Top]

Yes. All image files (bmp, gif, jpg and png) are automatically displayed as a slideshow in TT's picture player when you click on the play Play symbol. Your images are decrypted one at a time, resized if necessary and streamed to the browser. Images display quickly regardless of their original size. Your images are never stored unencrypted on TT's web server. Sites like Shutterfly, Picasa, Flickr, Pinterest and Instagram store your images and descriptions unencrypted on their servers using your original file name. Anyone with access (server admins, intruders, etc.) can view your images and descriptions on these sites. TT prevents your images from being viewed by anyone not authorized by you. If you started the Thread or you uploaded the image file, you can add a description for the image by clicking on the Add Text Add Text symbol. There is a limit of 1,000 characters per image. In keeping with TT's promise of privacy protection, all image descriptions are encrypted using the same key that was used to encrypt the Thread. Pictures are played in the order they are listed in the Attachments window. You can change the order in which the pictures play from the "Upload and Encrypt Files" page.


MORE IMPORTANT INFORMATION

What languages does ThreadThat support? [Top]

Although the only language currently displayed on the site is English (prompts, tooltips, etc), you can write your Threads in any language.

How is using TT different from using secure email? [Top]

There are many commercially available packages and service providers for secure email. These solutions may be too costly or require that your company have skilled personnel to install and support such packages or services. That aside, TT distinguishes itself from the competition by offering a richer communication experience. For example:

  • Unlike email, whose delivery times are unpredictable, updated Threads are available the instant you or another party to the Thread adds a new message. If the parties to your Thread are logged into the TT Console and are viewing that Thread, they can see your new message instantly.
  • Unlike email, which does not allow you to determine who is reading it, the TT Console shows you, in real time, which parties are logged in and viewing any Thread you select from your Thread list.
  • Unlike email, in which one can alter previous conversations, TT does not allow messages on a Thread to be altered. TT maintains message order on a Thread regardless of the number of participants or their location.
  • Unlike email, which typically can be forwarded to anyone, the initiator of a Thread controls who can view that Thread. Optionally, the initiator can allow those individuals to invite others.
  • Unlike email, whose dissemination cannot be controlled once it is sent, the initiator of a Thread can revoke access to that Thread by any party at any time. The initiator always has control over who can access a conversation.
  • Unlike email, which is often used to distribute attachments such as pictures and video (usually not encrypted and often very large), TT Threads provide a single point of control for attachments. There is only one copy attached to a Thread that all Thread participants share.

The only use of email by TT is to notify users of Thread activity or to verify email addresses and access locations.

What makes TT unique? [Top]

To describe what makes TT unique, I find it best to describe it relative to other web technologies that you are probably familiar with.

  • TT is not an email application, although your existing email accounts are used to provide notifications regarding Thread activity, email account verification, location verifications and password resets.
  • TT is not a message board, although the concept is very similar in that a discussion takes place in the form of a string of posted messages. It is different, however, in that participants must be invited to the Thread and, for Protected Threads, must provide the appropriate passkey to access it.
  • TT is not a chat application, although messages and attachments added to a Thread are instantly available to anyone viewing that Thread. The TT Console automatically refreshes the content in the Message window if you turn Auto Refresh on, so added messages display within 10 seconds of being added.
  • TT is not a collaboration tool, although files can be attached to a Thread. Files can be viewed in the browser or downloaded. Any Thread participant can download a file, modify it and replace the original version unless the "Allow Duplicate File Names" box is checked.
  • What makes TT unique is that it combines all of the above technologies into one application that gives you the ability to conduct online, bi-directional, Protected, encrypted, anonymous communication.

What is the best resolution and browser to use for TT? [Top]

TT has been tested and is supported on most of the major browsers (IE, Firefox, Google Chrome, Opera and MAC Safari) and operating systems (Windows XP, Windows Vista, Windows 7, Windows 8 and Mac OS X). The site was designed to be used with a minimum resolution of 1024x768. Lower resolutions will require significant scrolling to view TT pages. The site is also smart phone friendly (e.g. iPhone, Droid, any device using Opera Mini). All functionality on the site is available with the exception of file uploads. Some pages may appear slightly different when accessing them via a mobile device.

Is TT HIPAA-compliant? [Top]

Yes. However, only when using Protected Threads. TT complies with all security requirements specified in the HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information. The key to achieving the required level of data security is to implement a data store that uses the most robust encryption technologies available and in use by institutions that require high levels of security. The security features that are built into TT meet and often exceed those required for HIPAA compliance.

Can I use TT at work? [Top]

Unless your company or organization blocks all internet access through their firewall, ThreadThat.com should be available to you. ThreadThat.com is a perfect companion to email for conducting business communications that require absolute secrecy. All parties taking part in the communication must have ThreadThat.com accounts. It take less than a minute to create an account and you can use any email address you own.

Can I purchase the TT application code, customize it and run it on my own servers? [Top]

Yes. ThreadThat.com was developed to be easily portable to any Windows server environment. Contact TT by email and I will provide you with the hardware and software requirements and pricing. The application was designed for multi-language support and I can provide customization, enhancement and maintenance services. The advantage of running your own instance of ThreadThat.com (under whatever name you choose) is that you can customize the application and you own the databases.

Does using TT make my business HIPAA compliant? [Top]

TT warrants that this service will meet or exceed the requirements for encryption of authentications and identifications as set forth within the following Department of Health & Human Services HIPAA Security Standards documents (specifically sections 164.310, 164.312):

Using TT to protect sensitive business communications will help you be HIPAA compliant but does not, in itself, make your business HIPAA compliant. TT is meant to be used a part of your compliance program with regards to communicating Electronic Personal Health Information (ePHI).

What is TT's backup policy? [Top]

TT database is backed up daily at 6:00 am and 6:00 pm EST. Should a catastrophic failure occur, you would lose at most 1/2 day of Thread activity. Only the latest backup is retained. If you delete your account, TT still has a record of you in the backup file. This will disappear when the next backup runs.

Besides the general public, who else can benefit from TT? [Top]

TT can be used by anyone, but is especially suited to situations where the user is obligated by organizational policy or by law to protect the privacy of those with whom they communicate. In particular, the following will find TT particularily useful:

Whistle Blowers and Journalists
Therapists and Social Workers
Attorneys and Paralegals
Accountants and CPAs
Entrepreneurs and Inventors
Medical Researchers
Realtors and Rental Agents
Anyone Seeking Privacy Protection

What happens to my Threads if TT stops offering this service? [Top]

In the event that I decide to discontinue this service, I will notify all users and allow 60 days for you to copy all of your Threads and attachments to your desktop for archiving.