Many Bollywood A-listers have been in the eye of the storm ever since the Narcotics Control Bureau acquired some of the WhatsApp chats about banned drugs. While this could have helped the authorities in probing the drug angle in Sushant Singh Rajput’s death case, the chat leaks have raised several questions about the security and privacy policies of WhatsApp.

Ever since actress Deepika Padukone’s chats have been leaked online, the netizens are in two minds about WhatsApp’s policies. It is no secret that all WhatsApp chats are end-to-end encrypted. This means that the chats can only be accessed or read by the sender and receiver and nobody in between. Not even WhatsApp can access the chats of its users. The end-to-end encryption is activated automatically and no one has the option of turning it off.

“Your messages are secured with locks, and only the recipient and you have the special keys needed to unlock and read your messages. For added protection, every message you send has a unique lock and key. All of this happens automatically: No need to turn on settings or set up special secret chats to secure your messages,” WhatsApp’s FAQ page says about the encryption feature. However, despite such policies, Deepika’s chat was leaked online. So what could have really happened?

However, WhatsApp has a different set of rules concerning the law enforcement authorities. The company states in its blog that there are various guidelines that the law enforcement officials seeking records from WhatsApp have to follow while filing a request. “We disclose account records solely in accordance with our terms of service and applicable law. Additionally, we will assess whether requests are consistent with internationally recognized standards including human rights, due process, and the rule of law. A Mutual Legal Assistance Treaty request or letter rogatory may be required to compel the disclosure of the contents of an account,” the WhatsApp blog says. The Facebook-owned messaging app takes various measures to preserve account records in connection with official criminal investigations for 90 days. However, requests submitted by non-law enforcement officials are not reviewed. This means that no news channel can write to WhatsApp and access the chats of users.

In Deepika and her manager Karisma’s case, this could not be the case. It was being speculated that Jaya Saha, through whom the drug chats between Deepika and Karisma dating back to 2017 were accessed, had backed up her chats history on the Google Drive or Apple’s iCloud. In such cases, WhatsApp notes that messages that are backed up on either Google Drive, iCloud, or any such platforms are not covered by WhatsApp’s end-to-end protection. So to access the unprotected chats, a law enforcement official only needs the suspect’s phone and can create a clone of it on another device using the phone cloning process. Through this process, the agencies and forensic experts can retrieve messages even if they are deleted from the device.

However, the easiest and most predictable way of leaking a chat can be screenshotting the chat and sharing it with others. But you can only take a screenshot if you know the password to someone’s phone and can access the chats. In any case, breaking the encryption is a lot harder than accessing the chats physically.