Corruption Watch is a South African civil society not-for-profit organisation. We gather and analyse information from the public; build alliances; and help people take a stand against corruption.
The organisation was initiated by the office bearers of the Congress of South African Trade Unions (Cosatu), who had been seeing a significant increase in complaints from members and from the public about corruption in South Africa.
Given that their corrupt political opponents have access to the local police and intelligence agencies and have gangs of armed supporters, the lack of anonymity and security techniques displayed by this website could literally put CorruptionWatch.org.za supporters and informants lives at risk.
Update 15th February 2012
Perhaps our advice to them via email may be slowly starting to take effect.
There is now a good Digital Certificate for https://corruptionwatch.org.za, but this currently only displays:
Temporary holding page for secure site at https://www.corruptionwatch.org.za
The webserver is configured to accept weak 40bit and 56bit cryptographic keys and other weaknesses, so it only merits a C rating of 61 by SSL Labs
- email: email@example.com
- Corruption Watch Office phone: 011 447 1472
- mobile phone / SMS text message: short-code SMS, which costs R1 per message. Contact us on 45142
Social Media / Networks
Mainstream media print and broadcast journalists and politicians etc. i.e. influential people at which whistleblower leaks are targeted, are busy people, but can sometimes be enticed to read about whistleblower issues through Twitter or FaceBook or Blog RSS feeds etc.
Financial Donation methods
Funded by various charitable foundations and company s"social responsibility fund" sponsorships and by the Congress of South African Trade Unions (Cosatu)
Currently accepting submissions of whistleblower leaks ?
Explicit promises about Anonymity, Privacy or Security
While the information that you provide concerning the act of corruption that you experience will be available for all to see, your identity will be restricted to a confidential part of the form. You do not even have to fill in the confidential part of the form. In other words, you have the option to remain anonymous, or to give us your details. In the same way, you can name individuals you suspect of corrupt behaviour on the confidential part of the form, but you do not have to do so. Information on the confidential part of the form will only be accessible to a select number of Corruption Watch staff members. However, if you want to take your matter further with Corruption Watch, you will need to provide some form of contact details, a cell number or email address. These details will remain confidential.
These bold promises about confidentiality are not backed up by any use of anonymity or encryption techniques at all except for the misleading "Leave this field empty, if you want to stay anonymous." on their unencrypted web form.
Restrictive legal Terms & Conditions
Practical Advice on preserving Whistleblower Anonymity
Leak Submission Encryption
Digital Certificate fingerprints published on their website:
No, but here are the details anyway:
Certificate Authority: StartCom Class 2 Primary Intermediate Server CA
Certificate Serial Number: 00 aa e9
SHA1 fingerprint: de 62 90 77 67 4a 91 6c ee 2d bf 0b 19 25 69 57 78 c0 50 ca
Valid until: 01 February 2014 13:35:35
Qualsys SSLLabs SSL Server Test rating:
They now have a good Digital Certificate from StartCom Certification Authority, but it is not yet protecting any of the actual web forms or other content of the website.
Overall rating: C 61
Protocol Support: 85
Key Exchange 40
Cipher Strength: 60
PGP Public Encryption Key
TOR Hidden Service
Hushmail Secure Form
Leak Submission Anonymity
Some of these techniques are appropriate for a normal website like this wiki, but not for whistleblower or tipoff websites, where potential whistleblower source anonymity protection should be paramount:
TOR users blocked from access
3rd Party or persistent tracking cookies or graphics
Google Analytics web bug even on the web form
CAPTCHA graphics generated from another website e.g. GoogleRe-Captcha
Mixed mode non-SSL graphics or style sheets
No (uses no SSL)
Embedded video clips or deep linked graphics etc. from another website e.g. YouTube
The web form forces you to pick a location from a Google Map (just filling in , say Cape Town is not permitted), before you can send it "anonymously", so all visitor web details are betrayed to Google.
Flash file uploader class
Communications / Acknowledgement back to the whistleblower via the website
Acknowledgement of receipt of information
e.g. file upload success indicator - has the leak message or upload actually been received successfully ?
Leak analysis work flow status reporting
e.g. Has anyone actually looked at what the whistleblower has submitted ?
Private message box
e.g for 2 way communications back to the anonymous whistleblower, asking for clarification, offering advice etc.
Domain Name Resilience
The threats of legal court proceedings against Domain Name Registrars and Domain Name Service providers are lessons which WikiLeaks.org emulators should take note of:
Domain Name Registrar
Multiple Internet Service Providers, in different legal jurisdictions ?
Domain Name Server(s) & jurisdiction(s)
ns1.host-h.net [18.104.22.168] ns2.host-h.net ns1.dns-h.com [22.214.171.124]
Alternate Domain Name aliases
Actual Physical Mirrors of the website:
Content available via BitTorrent etc P2P etc.
Hosting of Mirrors of other whistleblowing websites
Open Source software published