New Zealand Security Intelligence Service (NZSIS)
Who are we?
The NZSIS is a government agency, responsible for giving the Government advice about matters relating to New Zealand’s security. The Service has approximately 200 staff, comprising:
- intelligence officers
- support staff, and
- specialists (including linguists, technicians, legal and accounting staff and information professionals).
Our offices
The Head Office is in Wellington and there are regional offices in Auckland, Wellington and Christchurch.
Our role
The NZSIS is a civilian intelligence and security organisation. Its threefold roles are:
- to investigate threats to security and to work with other agencies within Government, so that the intelligence it collects is actioned and threats which have been identified are disrupted
- to collect foreign intelligence, and
- to provide a range of protective security advice and services to Government.
The Public Contribution Form is SSL / TLS encrypted.
Unfortunately, this web form also logs the IP address and other browser details.
The rest of the NZ SIS website, for no good reason, tracks visitors using the US-based commercial Google Analytics system, so these visitor statistics and web browser and IP address details are also available to at least the US Government as well as the New Zealand one.
The Public Contribution Form does generate a unique reference number on completion.
Update 28th August 2011
Matthijs Koot updated his blog post to point out that
UPDATE 2011-08-25: it appears that NZSIS removed the PGP key from the source of https://providinginformation.nzsis.govt.nz/vwi/
They are still, however, tracking the remote_addr and http_user_agent web browser environment variables within this form and they are still using Google Analytics on the rest of the website.
- telephone: Free phone 0800 SIS 224 (0800 747 224)
Wellington Head Office
Defence House, 2-12 Aitken Street, Wellington
PO Box 900, Wellington
Phone: (04) 472 6170 Fax: (04) 472 8209
Social Networking publicity
Mainstream print and broadcast journalists, politicians etc., i.e. the influential people at whom whistleblower leaks are targeted, are busy people, but can sometimes be enticed to read about whistleblower issues through Twitter, Facebook or blog RSS feeds etc.
Financial Donation methods
Not Applicable - New Zealand taxpayers
Currently accepting submissions of whistleblower leaks ?
Explicit promises about Anonymity, Privacy or Security
Any information you choose to supply through this website (including personal details) will be kept confidential. This is subject to the NZSIS’ statutory mandate to communicate information to any persons in the interests of security. The NZSIS is also permitted to provide information to the New Zealand Police or any other persons for the purpose of preventing or detecting serious crime.
Under no circumstances will the NZSIS provide your name or contact details to any private or commercial organisation.
Restrictive legal Terms & Conditions
Practical Advice on preserving Whistleblower Anonymity
Leak Submission Encryption
Digital Certificate fingerprints published on their website:
Qualys SSL Labs SSL Server Test rating:
Overall rating: **A**
Protocol Support: 85
Key Exchange: 80
Cipher Strength: 90
Strong RSA / 4096 bit private key, but only a SHA-1 digital signature.
No major cipher suite protocol weaknesses.
Appears to be running on a DSL internet connection ? 203-97-204-25.dsl.clear.net.nz
PGP Public Encryption Key
email address: Virtual Walk-In [Public Submissions] <email@example.com>
PGP ID: 0xADE83D5F
Type: RSA 4096/4096
Cipher: AES 256 bit
PGP Fingerprint: DF53 D60E 492D 969E 8132 7D77 6076 35D9 ADE8 3D5F
Whether NZ SIS will ever reply to any emails sent to this address, with or without PGP encryption, remains to be seen.
TOR Hidden Service
Hushmail Secure Form
Leak Submission Anonymity
TOR users blocked from access
3rd Party or persistent tracking cookies or graphics
CAPTCHA graphics generated from another website e.g. Google reCAPTCHA
The web form does use a CAPTCHA, but this is pulled safely from the same SSL / TLS encrypted web server.
Mixed mode non-SSL graphics or style sheets
Embedded video clips etc. from another website e.g. YouTube
Flash file uploader class
Communications / Acknowledgement back to the whistleblower via the website
The Public Contribution Form does ask for optional details such as: Home Address, Telephone Number, Mobile Phone Number, Email Address and Preferred Contact Details/Arrangements
If you choose to submit information to us, we may take steps to contact you if follow up is required.
Acknowledgement of receipt of information
e.g. file upload success indicator - has the leak message or upload actually been received successfully ?
Thank you. We appreciate your assistance towards supporting New Zealand's security.
Please record the reference number nnnnnn. This number is unique to your contribution and should be referenced in circumstances where further communication is required. The nature of the information you have provided will determine whether we seek further contact.
For security reasons we recommend closing this webpage browser.
Leak analysis work flow status reporting
e.g. Has anyone actually looked at what the whistleblower has submitted ?
Private message box
e.g. for 2 way communications back to the anonymous whistleblower, asking for clarification, offering advice etc.
Domain Name Resilience
The threats of legal court proceedings against Domain Name Registrars and Domain Name Service providers are lessons which WikiLeaks.org emulators should take note of:
Domain Name Registrar
New Zealand Domain Name Registry Limited
Government Registrar, Department of Internal Affairs
It is extremely unlikely that there will be any legal injunctions etc. which affect this New Zealand government website.
Multiple Internet Service Providers, in different legal jurisdictions ?
Domain Name Server(s) & jurisdiction(s)
Alternate Domain Name aliases
Actual Physical Mirrors of the website:
Content available via BitTorrent or other P2P networks etc.