BritiLeaks false start

From LeakDirectory

Jump to: navigation, search

The original website made so many potentially critical anonymity and security mistakes that it has now, thankfully, been replaced by what should be a much better infrastructure when it officially re-launches:

Current BritiLeaks website notes and analysis

Our notes and comments on the original website will be preserved here below, to educate potential whistleblowers and whistleblower site operators about some mistakes to avoid


General Notes

Our Mission Statement: strives to be the most recognised media body in the UK that deals specifically with leaked information that alleges corruption, wrong-doing, lies, deceit etc.

Our number one aim is to get sensitive information to the public whilst respecting and maintaining the privacy of our source. We do this by purposely not knowing the source of our disclosure from the very beginning and taking measures to make sure the traceability of our source is almost impossible.

We believe that the British public, and humanity at large, deserve nothing more than the truth itself. We will stop at nothing to accomplish this.

Could this be a Honeypot to spy on potential whistleblowers ?

It is utterly irresponsible to be already soliciting both whistleblower leaks and volunteers, without providing any anonymity or security whatsoever on the / website.

The web pages are also currently "web bugged" through Quantserve

The use of the email address means that the UK authorities can obtain the Communications Traffic Data of any correspondents, without any warrant or court order.

They have now changed to, which is no more "secure" from a whistleblower's point of view.

This interview gives a few more details and vague promises, but no compelling reason for whistleblowers or volunteers to trust them rather than their rivals

Update 17th July 2011

"Briti McLeaky" now say that they are not yet soliciting any leaks until they have some anonymity and security systems in place.

Update 23rd July 2011

1) They have now added Google Analytics tracking of every visitor to their free webspace

They are now betraying the details of every potential volunteer and whistleblower to at least two US commercial web tracking organisations and therefore also the US Government.

This is totally unacceptable for a website which claims to protect the anonymity of its sources and volunteers.

2) It is hard to think of an example of a more incompetent "publication" of a public PGP Encryption Key - it does not actually belong to them and they do not have access to the Private Key at all!

Perhaps they think that if you simply attach the Public Key block to an email, it will somehow magically encrypt it ?

Update 2nd August 2011 have now removed the link to the PGP Key (PGP ID = 1A3F797B ) which they have never controlled, after 10 days of passing it off as their own. have now made several Twitter promises of a new website, with a "Secure Submission" system - it does not need to be very secure to be a vast improvement over the current one.

You would need to have been following their twitter feed to know that they are planning to launch a new "secure" website. This is not obvious to search engine directed visitors to the current website.

Contact Details

Press Enquiries
email: was now
General Enquiries
telephone: none
fax: none
email address: was now


Postal Address:

Social Networking publicity



Blog / RSS

Financial Donation methods


Currently accepting submissions of whistleblower leaks ?

Yes ! even though they have not bothered to secure their website or email etc. at all.

As of 17 July 2011, they are no longer soliciting Leaks, just Volunteer and Media contacts, for now.

Planned Submission system launch date ?

Restrictive legal Terms & Conditions

Practical Advice on preserving Whistleblower Anonymity


Leak Submission Encryption


Digital Certificate fingerprints published on their website:


Qualsys SSLLabs SSL Server Test rating:

Not applicable

PGP Public Encryption Key

No !

They really have no clue about PGP at all.

On 21st July 2011 they published

The display of this PGP Key block is mangled by the content management system

They should have used the <PRE> and </PRE> HTML tags to display the block correctly and, ideally, should also have published it as a link to a simple .txt or .asc text file on their own website / webspace.

This problem also affected, say, the Filtradas whistleblower website, but they have now fixed this.

As a backup to provide resilience against denial of service attacks or legal or illegal censorship of the main website, it is a good idea to publish the public PGP Key to a PGP Key Server e.g. like this

pub 2048R/1A3F797B 2011-07-17 Fingerprint=7844 9D79 1A3F 6071 A481 279B B790 7961 1A3F 797B

uid BritiLeaks contact ( <>

Version: SKS 1.1.1


N.B. Anybody can publish a PGP Key to any public PGP Keyserver, so they are useful as backups, but they cannot be the only method of establishing trust in the validity of a particular PGP key.

This is the same PGP public Key block which have published on their website and it mentions the etc. details, but this is not their PGP key at all ! do not have access to the corresponding Private Key so anybody who does succeed in unpicking the misplaced carriage Returns / Linefeeds etc. from their web page, will not be able to send them anything that they can de-crypt.

Whistleblower websites should publish the PGP ID and / or PGP Fingerprints and the Expiry Date details on the website itself, in addition to publishing it to PGP Keyservers and elsewhere.

TOR Hidden Service


I2P eepsite



Hushmail Secure Form


Leak Submission Anonymity

TOR users blocked from access


3rd Party or persistent tracking cookies or graphics

Yes !

Quantserve Javascript and "web bug" graphics betray most visitors' web browser and IP address details to this commercial web tracking company in the USA

With their new graphics logo, launched on 21st July 2011, they seem to have enabled Google Analytics on their free website.

Google Analytics account: UA-7870337-1

They are now betraying the details of every potential volunteer and whistleblower to at least two US commercial web tracking organisations and therefore also the US Government.

This is totally unacceptable for a website which claims to protect the anonymity of its sources and volunteers.

CAPTCHA graphics generated from another website e.g. Google Re-Captcha


Mixed mode non-SSL graphics or style sheets


Embedded video clips etc. from another website e.g. YouTube


Flash file uploader class


Communications / Acknowledgement back to the whistleblower via the website

Acknowledgement of receipt of information

e.g. file upload success indicator - has the leak message or upload actually been received successfully ?


Leak analysis work flow status reporting

e.g. Has anyone actually looked at what the whistleblower has submitted ?


Private message box

e.g for 2 way communications back to the anonymous whistleblower, asking for clarification, offering advice etc.


Domain Name Resilience

Domain Name Registrar [] is in the United States of America (USA) [] is in the United States of America (USA)

USA based registrar Enom Inc.

Multiple Internet Service Providers, in different legal jurisdictions ?


Domain Name Server(s) & jurisdiction(s)

All in the USA legal jurisdiction

Web Server hosting jurisdiction(s) [] is in the United States of America(USA)

Alternate Domain Name aliases

Actual Physical Mirrors of the website:


Content officially available via BitTorrent etc P2P etc.


Personal tools