CorruptionWatch.org.za

From LeakDirectory


General Notes

Corruption Watch is a South African civil society not-for-profit organisation. We gather and analyse information from the public; build alliances; and help people take a stand against corruption.

The organisation was initiated by the office bearers of the Congress of South African Trade Unions (Cosatu), who had been seeing a significant increase in complaints from members and from the public about corruption in South Africa.

Given that their corrupt political opponents have access to the local police and intelligence agencies and have gangs of armed supporters, the lack of anonymity and security techniques displayed by this website could literally put the lives of CorruptionWatch.org.za supporters and informants at risk.

Update 15th February 2012

Perhaps our advice to them via email may be slowly starting to take effect.

There is now a good Digital Certificate for https://corruptionwatch.org.za, but this currently only displays:

Temporary holding page for secure site at https://www.corruptionwatch.org.za

The web server is configured to accept weak 40-bit and 56-bit cryptographic keys and has other weaknesses, so it only merits a C rating of 61 from SSL Labs:

https://www.ssllabs.com/ssldb/analyze.html?d=corruptionwatch.org.za

Contact Details

website: http://CorruptionWatch.org.za

Press Enquiries

Yes

General Enquiries

http://www.corruptionwatch.org.za/content/how-contact-us

  • email: info@corruptionwatch.org.za
  • Corruption Watch Office phone: 011 447 1472
  • mobile phone / SMS text message: short-code SMS, which costs R1 per message. Contact us on 45142
  • fax:

Postal Address:

Social Media / Networks

Mainstream media print and broadcast journalists, politicians and other influential people at whom whistleblower leaks are targeted are busy people, but they can sometimes be enticed to read about whistleblower issues through Twitter, Facebook or blog RSS feeds.

Twitter

https://twitter.com/corruption_sa

Facebook

https://www.facebook.com/CorruptionWatch

Blog

No

Financial Donation methods

Funded by various charitable foundations and company's "social responsibility fund" sponsorships and by the Congress of South African Trade Unions (Cosatu).

http://www.corruptionwatch.org.za/content/funders-and-supporters

Currently accepting submissions of whistleblower leaks ?

Yes

http://www.corruptionwatch.org.za/content/make-your-complaint

Explicit promises about Anonymity, Privacy or Security

Yes !

While the information that you provide concerning the act of corruption that you experience will be available for all to see, your identity will be restricted to a confidential part of the form. You do not even have to fill in the confidential part of the form. In other words, you have the option to remain anonymous, or to give us your details. In the same way, you can name individuals you suspect of corrupt behaviour on the confidential part of the form, but you do not have to do so. Information on the confidential part of the form will only be accessible to a select number of Corruption Watch staff members. However, if you want to take your matter further with Corruption Watch, you will need to provide some form of contact details, a cell number or email address. These details will remain confidential.

These bold promises about confidentiality are not backed up by any use of anonymity or encryption techniques at all except for the misleading "Leave this field empty, if you want to stay anonymous." on their unencrypted web form.


Restrictive legal Terms & Conditions

No

Practical Advice on preserving Whistleblower Anonymity

No

Leak Submission Encryption

Digital Certificate fingerprints published on their website:

No, but here are the details anyway:

Certificate Authority: StartCom Class 2 Primary Intermediate Server CA

Certificate Serial Number: 00 aa e9

SHA1 fingerprint: de 62 90 77 67 4a 91 6c ee 2d bf 0b 19 25 69 57 78 c0 50 ca

Valid until: 01 February 2014 13:35:35

Qualys SSL Labs SSL Server Test rating:

They now have a good Digital Certificate from StartCom Certification Authority, but it is not yet protecting any of the actual web forms or other content of the website.

https://www.ssllabs.com/ssldb/analyze.html?d=corruptionwatch.org.za

Overall rating: C 61

Certificate: 100

Protocol Support: 85

Key Exchange: 40

Cipher Strength: 60


PGP Public Encryption Key

No

TOR Hidden Service

No

I2P eepsite

No

PrivacyBox.de

No

Hushmail Secure Form

No

Leak Submission Anonymity

Some of these techniques are appropriate for a normal website like this wiki, but not for whistleblower or tipoff websites, where potential whistleblower source anonymity protection should be paramount:

TOR users blocked from access

No

3rd Party or persistent tracking cookies or graphics

Yes

Google Analytics web bug even on the web form

Account: UA-28636268-1

CAPTCHA graphics generated from another website e.g. Google reCAPTCHA

No

Mixed mode non-SSL graphics or style sheets

No (uses no SSL)

Embedded video clips or deep linked graphics etc. from another website e.g. YouTube

The web form forces you to pick a location from a Google Map (just filling in, say, Cape Town is not permitted) before you can send it "anonymously", so all visitor web details are betrayed to Google.

Flash file uploader class

No

Communications / Acknowledgement back to the whistleblower via the website

Acknowledgement of receipt of information

e.g. file upload success indicator - has the leak message or upload actually been received successfully ?

No


Leak analysis work flow status reporting

e.g. Has anyone actually looked at what the whistleblower has submitted ?

No

Private message box

e.g. for two-way communications back to the anonymous whistleblower, asking for clarification, offering advice etc.

No

Domain Name Resilience

The threats of legal court proceedings against Domain Name Registrars and Domain Name Service providers are lessons which WikiLeaks.org emulators should take note of:

Domain Name Registrar

http://www.heztner.co.za

South Africa


Multiple Internet Service Providers, in different legal jurisdictions ?

No

corruptionwatch.org.za [197.221.14.16]

Domain Name Server(s) & jurisdiction(s)

  • ns1.host-h.net [196.40.99.254]
  • ns2.host-h.net
  • ns1.dns-h.com [41.204.201.2]

http://www.heztner.co.za

South Africa


Alternate Domain Name aliases

No

Actual Physical Mirrors of the website:

No

Content available via BitTorrent or other P2P networks

No

Hosting of Mirrors of other whistleblowing websites

No

Open Source software published

No
