The Child Exploitation and Online Protection (CEOP) Centre is dedicated to eradicating the sexual abuse of children. That means we are part of UK policing and very much about tracking and bringing offenders to account either directly or in partnership with local and international forces.
N.B. it is actually illegal in some European Union countries like the United Kingdom, under their admittedly fairly toothless Data Protection laws, for anyone, including the Police, not to take proper precautions with Sensitive Personal Data e.g. to fail to properly encrypt online web forms
In this case c.f. the United Kingdom's Data Protection Act 1998 section 2 Sensitive personal data
Action taken over security flaw in online reporting form
News release: 15 September 2011
The Child Exploitation and Online Protection Centre (CEOP) and the Serious Organised Crime Agency (SOCA) - its parent organisation - have taken action after the discovery of a security flaw on CEOP’S website, the Information Commissioner’s Office (ICO) said today.
On 6 April, the ICO received a complaint from an individual who noticed that the information submitted using the online form on the CEOP website was not encrypted. The security problem meant that the details – some of which were sensitive – would have been vulnerable while they were being transmitted to CEOP’s servers.
The ICO’s investigation found that the form had been insecure for several months following the launch of the new CEOP website, although there was no evidence to suggest that any attempts had been made to access the information. Both organisations have now taken action to improve the security of the CEOP website in order to keep the personal information they handle secure.
Acting Head of Enforcement, Sally Anne Poole said: “Organisations must make sure that any personal data transmitted electronically is adequately protected. While there is no evidence to suggest that attempts have been made to access any of the information, it is highly likely that it would have been sensitive in nature and should not have been compromised by insufficient IT security measures.
“We are pleased that CEOP and SOCA have taken action to make sure that all of the information sent in by members of the public remains secure.”
Peter Davies, Chief Executive Officer of CEOP, and Trevor Pearce QPM, Director General of SOCA, have jointly signed an undertaking] to ensure that CEOP’s website is regularly tested so that the personal data they process remains secure and potential weaknesses are immediately identified. CEOP will also introduce recommendations included in a recent Information Security Review and continue to make sure that they are followed.
press officer telephone +44 (0)870 000 3434
- telephone: +44 (0)870 000 3344
- mobile phone / SMS text message:
- Contact web form: https://www.ceop.police.uk/Contact-Us/Contact-form/
Child Exploitation and Online Protection Centre
33 Vauxhall Bridge Road
London SW1V 2WG
Social Media / Networks
Mainstream media print and broadcast journalists and politicians etc. i.e. influential people at which whistleblower leaks are targeted, are busy people, but can sometimes be enticed to read about whistleblower issues through Twitter or FaceBook or Blog RSS feeds etc.
Financial Donation methods
No - UK taxpayer funded
Currently accepting submissions of whistleblower leaks or tip offs?
Explicit promises about Anonymity, Privacy or Security
No, but they do link to their own training material and websites which give advice about "online security", aimed at vulnerable children etc.
Restrictive legal Terms & Conditions
Practical Advice on preserving Whistleblower Anonymity
Leak Submission Encryption
Digital Certificate fingerprints published on their website:
Qualsys SSLLabs SSL Server Test rating:
Overall rating: A 
Protocol Support: 85
Key Exchange 90
Cipher Strength: 90
PGP Public Encryption Key
TOR Hidden Service
Hushmail Secure Form
Leak Submission Anonymity
Some of these techniques are appropriate for a normal website like this wiki, but not for whistleblower or tipoff websites, where potential whistleblower source anonymity protection should be paramount:
TOR users blocked from access
3rd Party or persistent tracking cookies or graphics
CAPTCHA graphics generated from another website e.g. GoogleRe-Captcha
Mixed mode non-SSL graphics or style sheets
Embedded video clips or deep linked graphics etc. from another website e.g. YouTube
Flash file uploader class
Communications / Acknowledgement back to the whistleblower via the website
The Public Contribution Form does ask for optional details such as: Home Address, Telephone Number, Mobile Phone Number, Email Address and Preferred Contact Details/Arrangements
Acknowledgement of receipt of information
e.g. file upload success indicator - has the leak message or upload actually been received successfully ?
Leak analysis work flow status reporting
e.g. Has anyone actually looked at what the whistleblower has submitted ?
Private message box
e.g for 2 way communications back to the anonymous whistleblower, asking for clarification, offering advice etc.
Domain Name Resilience
The threats of legal court proceedings against Domain Name Registrars and Domain Name Service providers are lessons which WikiLeaks.org emulators should take note of:
Domain Name Registrar
Cable and Wireless in the UK on behalf of the National Policing Improvement Authority (NPIA).
.police.uk is a Second Level Delegated domain:
Multiple Internet Service Providers, in different legal jurisdictions ?
Domain Name Server(s) & jurisdiction(s)
Alternate Domain Name aliases
Actual Physical Mirrors of the website:
Content available via BitTorrent etc P2P etc.