Office of the Privacy Commissioner of Canada

From LeakDirectory


General Notes

Canada has some of the best laws for protecting individual privacy. The Office of the Privacy Commissioner of Canada is relatively powerful compared with the deliberately weakened schemes in other countries, e.g. the United Kingdom, or the vast majority of countries, which have no such protection at all.

They now have a reasonably well encrypted Privacy Complaint web form with a registration / feedback mechanism:

https://complaint-plainte.priv.gc.ca/en/

Using this Privacy Complaint web form, we pointed out to them that they were allowing the deprecated SSL 2.0 protocol on their https:// secure website (vulnerable to cipher strength downgrade attacks). This has now been rectified.

Contact Details

website: http://www.priv.gc.ca/cu-cn/index_e.asp

Press Enquiries

Media Relations

Contact: Anne-Marie Hayden

Tel: (613) 995-0103

General Enquiries

Non-journalists are invited to contact our Information Centre. Please call 1-800-282-1376 (toll free) or (613) 947-1698 and ask to speak with an Information Officer.


Postal Address:

Address: 112 Kent Street, Ottawa, ON K1A 1H3

Fax: (613) 995-1139

Social Media / Networks

Mainstream media print and broadcast journalists, politicians, etc., i.e. the influential people at whom whistleblower leaks are targeted, are busy people, but can sometimes be enticed to read about whistleblower issues through Twitter, Facebook or blog RSS feeds.

Twitter

No

Facebook

No

Blog

http://blog.privcom.gc.ca/

E-mail Newsletter

http://www.priv.gc.ca/newsletter-bulletin/index_e.asp

Financial Donation methods

No - Canadian taxpayer funded

Currently accepting submissions of whistleblower leaks ?

Yes

Explicit promises about Anonymity, Privacy or Security

Yes - the OPCC is a pioneer in advocating the use of Privacy and Security audits and policies etc.

Restrictive legal Terms & Conditions

No

Practical Advice on preserving Whistleblower Anonymity

Some words of warning to delete the (.pdf) version of your Complaint if you are using a public internet cafe etc.

Leak Submission Encryption

Digital Certificate fingerprints published on their website:

No

Qualys SSL Labs SSL Server Test rating:

https://www.ssllabs.com/ssltest/analyze.html?d=complaint-plainte.priv.gc.ca

Overall rating: **B [79]**

Overall rating: A [88]

Certificate: 100

Protocol Support: 85

Key Exchange: 90

Cipher Strength: 90

Still allows the obsolete, deprecated SSL 2.0 protocol (which is vulnerable to cipher strength downgrade attacks) and is vulnerable to the BEAST man-in-the-middle attack.

The SSL 2.0 and BEAST vulnerabilities have now been rectified.

PGP Public Encryption Key

No

TOR Hidden Service

No

I2P eepsite

No

PrivacyBox.de

No

Hushmail Secure Form

No

Content Delivery Network

Content Delivery Networks can provide scalable multimedia bandwidth and resistance to Denial of Service attacks, but sometimes this comes at the price of extra tracking and reduced anonymity for whistleblower sources.

Akamai

No

CloudFlare

No

Leak Submission Anonymity

Some of these techniques are appropriate for a normal website like this wiki, but not for whistleblower or tipoff websites, where potential whistleblower source anonymity protection should be paramount:

TOR users blocked from access

No

3rd Party or persistent tracking cookies or graphics

No

CAPTCHA graphics generated from another website, e.g. Google reCAPTCHA

No

Mixed mode non-SSL graphics or style sheets

No

Embedded video clips or deep linked graphics etc. from another website e.g. YouTube

No

Flash file uploader class

No

Communications / Acknowledgement back to the whistleblower via the website

Acknowledgement of receipt of information

e.g. file upload success indicator - has the leak message or upload actually been received successfully ?

Yes


Leak analysis work flow status reporting

e.g. Has anyone actually looked at what the whistleblower has submitted ?

No

Private message box

e.g. for two-way communications back to the anonymous whistleblower, asking for clarification, offering advice etc.

You need to provide an email address in order to register to fill out the form.

A "unique" Complaint identifier reference is generated after the form and any attachments have been submitted.

Domain Name Resilience

The threats of legal court proceedings against Domain Name Registrars and Domain Name Service providers are lessons which WikiLeaks.org emulators should take note of:

Domain Name Registrar

IP address: 216.254.205.60

Host name: complaint-plainte.priv.gc.ca

Registrar: Internic.ca Inc.

Canadian Government website - unlikely to ever have legalistic problems with Domain Name etc.

Multiple Internet Service Providers, in different legal jurisdictions ?

No

Domain Name Server(s) & jurisdiction(s)

Canada

mag2.magmacom.com [206.191.0.140]

mag1.magma.ca [206.191.0.210]

ns1.drenet.dnd.ca

gocns-kedc.gc.ca [192.197.83.1]

gocns-pdp.gc.ca [205.193.146.250]

dns1.nrc.ca [132.246.161.100]

dns2.nrc.ca [132.246.161.200]

Alternate Domain Name aliases

No

Actual Physical Mirrors of the website:

No

Content available via BitTorrent etc P2P etc.

No

Hosting of Mirrors of other whistleblowing websites

No

Open Source software published

No
