Following the "revelation" of #WhatsApp chats of Bollywood actors, a short #thread on the #tech, #encryption, #surveillance and #law. How did the police access the chats, and what does it mean for privacy? 1/n
Messaging apps like #WhatsApp and @signalapp offer end-to-end #encryption. Incidentally, the protocol for both was designed by one of my favourite engineers and genius @moxie and his group.
Two key things to remember about accessing data -- is the data at rest (on your device) or in transit (when you hit the send message). If it's in transit, then e-to-e encryption makes it difficult to intercept. Only 10 agencies in India are notified to do this interception.
When data is at rest in your device, it is a lot easier for police/intelligence to access. In India, in most cases, the police put enormous pressure on suspects and the accused to share passwords of the device or cloud where the data is stored.
In the current case where WhatsApp data is being accessed, this is a case of data at rest that was accessed by the police. Probably, by asking suspects/accused to share their pass keys. Is it legal? Probably not. Article 20(3) of the Constitution actually prohibits it.
You can't be forced to share data that can lead to self incrimination. But my lawyer friends will be able to share more - @MenakaGuruswamy @arundhatikatju @kazimriz -- can share more on these legal aspects of accessing data at rest by forcing the password out if you
Remember the Apple Vs @FBI case? In that case Apple didn't share the passkey to the device, but FBI found a jailbreak to the device. Apple later patched the vulnerability that FBI used to access the data. But coming back to India -- if you have WhatsApp --
It all depends on what your device data storage policy is. If the device policy allows even deleted data to be stored, then even if you delete the message, it is likely to be retrievable using forensic tools. That seems to have happened in the Bollywood case.
Can this be used as evidence in a court of law? Much depends on how the court will view the chain of custody of digital data as defined under the Indian Evidence Act, including issues like the hash value, MAC address of the device etc.
If you use an e-to-e service that also allows messages to "disappear" after a while, your data is a lot safer. WhatsApp doesn't have that feature right now. The big question is how the media is getting these chats, since it is a serious privacy violation even before the trial starts.
Remember, the govt argued in the Supreme Court that #privacy is *NOT* a fundamental right. But in the #Puttuswamy judgement the nine-judge bench SC unanimously ruled that privacy is a fundamental right. But with the PDP Bill still pending, there's little protection right now.
Finally, are your #WhatsApp chats safe when they are in transit? Yes, they are. Even if the company hands over the chats under an MLAT request -- they will be encrypted and not plain text.
Some will say that #privacy isn't important while investigating crime. That's as good as saying that law and procedures aren't important while investigating crimes. If you weaken laws, you weaken your rights. It will come back to bite you. So be careful what you wish for.
You can follow @saikatd.