From LeakDirectory



General Notes

The Child Exploitation and Online Protection (CEOP) Centre is dedicated to eradicating the sexual abuse of children. That means we are part of UK policing and very much about tracking and bringing offenders to account either directly or in partnership with local and international forces.

N.B. it is actually illegal in some European Union countries like the United Kingdom, under their admittedly fairly toothless Data Protection laws, for anyone, including the Police, not to take proper precautions with Sensitive Personal Data, e.g. to fail to properly encrypt online web forms.

In this case, cf. the United Kingdom's Data Protection Act 1998, section 2, "Sensitive personal data".

Action taken over security flaw in online reporting form

News release: 15 September 2011

The Child Exploitation and Online Protection Centre (CEOP) and the Serious Organised Crime Agency (SOCA) - its parent organisation - have taken action after the discovery of a security flaw on CEOP’s website, the Information Commissioner’s Office (ICO) said today.

On 6 April, the ICO received a complaint from an individual who noticed that the information submitted using the online form on the CEOP website was not encrypted. The security problem meant that the details – some of which were sensitive – would have been vulnerable while they were being transmitted to CEOP’s servers.

The ICO’s investigation found that the form had been insecure for several months following the launch of the new CEOP website, although there was no evidence to suggest that any attempts had been made to access the information. Both organisations have now taken action to improve the security of the CEOP website in order to keep the personal information they handle secure.

Acting Head of Enforcement, Sally Anne Poole said: “Organisations must make sure that any personal data transmitted electronically is adequately protected. While there is no evidence to suggest that attempts have been made to access any of the information, it is highly likely that it would have been sensitive in nature and should not have been compromised by insufficient IT security measures.

“We are pleased that CEOP and SOCA have taken action to make sure that all of the information sent in by members of the public remains secure.”

Peter Davies, Chief Executive Officer of CEOP, and Trevor Pearce QPM, Director General of SOCA, have jointly signed an undertaking to ensure that CEOP’s website is regularly tested so that the personal data they process remains secure and potential weaknesses are immediately identified. CEOP will also introduce recommendations included in a recent Information Security Review and continue to make sure that they are followed.

Contact Details


Press Enquiries

press officer telephone +44 (0)870 000 3434


General Enquiries

Postal Address:

Child Exploitation and Online Protection Centre

33 Vauxhall Bridge Road

London SW1V 2WG

Social Media / Networks

Mainstream media print and broadcast journalists, politicians etc., i.e. the influential people at whom whistleblower leaks are targeted, are busy people, but can sometimes be enticed to read about whistleblower issues through Twitter, Facebook, blog RSS feeds etc.






Financial Donation methods

No - UK taxpayer funded

Currently accepting submissions of whistleblower leaks or tip offs?


Explicit promises about Anonymity, Privacy or Security

No, but they do link to their own training material and websites which give advice about "online security", aimed at vulnerable children etc.

Restrictive legal Terms & Conditions


Practical Advice on preserving Whistleblower Anonymity


Leak Submission Encryption

Digital Certificate fingerprints published on their website:


Qualys SSL Labs SSL Server Test rating:

Overall rating: A [88]

Certificate: 100

Protocol Support: 85

Key Exchange: 90

Cipher Strength: 90

PGP Public Encryption Key


TOR Hidden Service


I2P eepsite



Hushmail Secure Form


Leak Submission Anonymity

Some of these techniques are appropriate for a normal website like this wiki, but not for whistleblower or tipoff websites, where potential whistleblower source anonymity protection should be paramount:

TOR users blocked from access


3rd Party or persistent tracking cookies or graphics


CAPTCHA graphics generated from another website e.g. Google reCAPTCHA


Mixed mode non-SSL graphics or style sheets


Embedded video clips or deep linked graphics etc. from another website e.g. YouTube


Flash file uploader class


Communications / Acknowledgement back to the whistleblower via the website

The Public Contribution Form does ask for optional details such as: Home Address, Telephone Number, Mobile Phone Number, Email Address and Preferred Contact Details/Arrangements

Acknowledgement of receipt of information

e.g. file upload success indicator - has the leak message or upload actually been received successfully?


Leak analysis work flow status reporting

e.g. Has anyone actually looked at what the whistleblower has submitted?


Private message box

e.g. for 2-way communications back to the anonymous whistleblower, asking for clarification, offering advice etc.


Domain Name Resilience

The threats of legal court proceedings against Domain Name Registrars and Domain Name Service providers are lessons which emulators should take note of:

Domain Name Registrar

Cable and Wireless in the UK on behalf of the National Policing Improvement Authority (NPIA). is a Second Level Delegated domain:

Multiple Internet Service Providers, in different legal jurisdictions ? [] is hosted by in Staines, in the United Kingdom (UK)

Domain Name Server(s) & jurisdiction(s) [] [] [] is part of based in Milton Keynes under the jurisdiction of the United Kingdom

Alternate Domain Name aliases


Actual Physical Mirrors of the website:


Content available via BitTorrent etc P2P etc.

