From LeakDirectory



General Notes

Corruption Watch is a South African civil society not-for-profit organisation. We gather and analyse information from the public; build alliances; and help people take a stand against corruption.

The organisation was initiated by the office bearers of the Congress of South African Trade Unions (Cosatu), who had been seeing a significant increase in complaints from members and from the public about corruption in South Africa.

Given that their corrupt political opponents have access to the local police and intelligence agencies and have gangs of armed supporters, the lack of anonymity and security techniques displayed by this website could literally put supporters' and informants' lives at risk.

Update 15th February 2012

Perhaps our advice to them via email may be slowly starting to take effect.

There is now a good Digital Certificate for, but this currently only displays:

Temporary holding page for secure site at

The webserver is configured to accept weak 40-bit and 56-bit cryptographic keys and has other weaknesses, so it only merits a C rating of 61 from SSL Labs.

Contact Details


Press Enquiries


General Enquiries

  • email:
  • Corruption Watch Office phone: 011 447 1472
  • mobile phone / SMS text message: short-code SMS, which costs R1 per message. Contact us on 45142
  • fax:

Postal Address:

Social Media / Networks

Mainstream media print and broadcast journalists, politicians and other influential people at whom whistleblower leaks are targeted are busy people, but can sometimes be enticed to read about whistleblower issues through Twitter, Facebook or blog RSS feeds etc.





Financial Donation methods

Funded by various charitable foundations and companies' "social responsibility fund" sponsorships and by the Congress of South African Trade Unions (Cosatu).

Currently accepting submissions of whistleblower leaks ?


Explicit promises about Anonymity, Privacy or Security

Yes !

While the information that you provide concerning the act of corruption that you experience will be available for all to see, your identity will be restricted to a confidential part of the form. You do not even have to fill in the confidential part of the form. In other words, you have the option to remain anonymous, or to give us your details. In the same way, you can name individuals you suspect of corrupt behaviour on the confidential part of the form, but you do not have to do so. Information on the confidential part of the form will only be accessible to a select number of Corruption Watch staff members. However, if you want to take your matter further with Corruption Watch, you will need to provide some form of contact details, a cell number or email address. These details will remain confidential.

These bold promises about confidentiality are not backed up by any use of anonymity or encryption techniques at all, except for the misleading "Leave this field empty, if you want to stay anonymous." on their unencrypted web form.

Restrictive legal Terms & Conditions


Practical Advice on preserving Whistleblower Anonymity


Leak Submission Encryption

Digital Certificate fingerprints published on their website:

No, but here are the details anyway:

Certificate Authority: StartCom Class 2 Primary Intermediate Server CA

Certificate Serial Number: 00 aa e9

SHA1 fingerprint: de 62 90 77 67 4a 91 6c ee 2d bf 0b 19 25 69 57 78 c0 50 ca

Valid until: 01 February 2014 13:35:35

Qualys SSL Labs SSL Server Test rating:

They now have a good Digital Certificate from StartCom Certification Authority, but it is not yet protecting any of the actual web forms or other content of the website.

Overall rating: C 61

Certificate: 100

Protocol Support: 85

Key Exchange: 40

Cipher Strength: 60

PGP Public Encryption Key


TOR Hidden Service


I2P eepsite



Hushmail Secure Form


Leak Submission Anonymity

Some of these techniques are appropriate for a normal website like this wiki, but not for whistleblower or tipoff websites, where potential whistleblower source anonymity protection should be paramount:

TOR users blocked from access


3rd Party or persistent tracking cookies or graphics


Google Analytics web bug even on the web form

Account: UA-28636268-1

CAPTCHA graphics generated from another website e.g. Google reCAPTCHA


Mixed mode non-SSL graphics or style sheets

No (uses no SSL)

Embedded video clips or deep linked graphics etc. from another website e.g. YouTube

The web form forces you to pick a location from a Google Map (just filling in, say, Cape Town is not permitted) before you can send it "anonymously", so all visitor web details are betrayed to Google.

Flash file uploader class


Communications / Acknowledgement back to the whistleblower via the website

Acknowledgement of receipt of information

e.g. file upload success indicator - has the leak message or upload actually been received successfully ?


Leak analysis work flow status reporting

e.g. Has anyone actually looked at what the whistleblower has submitted ?


Private message box

e.g. for two-way communications back to the anonymous whistleblower, asking for clarification, offering advice etc.


Domain Name Resilience

The threats of legal court proceedings against Domain Name Registrars and Domain Name Service providers are lessons which emulators should take note of:

Domain Name Registrar

South Africa

Multiple Internet Service Providers, in different legal jurisdictions ?

No

Domain Name Server(s) & jurisdiction(s)

South Africa

Alternate Domain Name aliases


Actual Physical Mirrors of the website:


Content available via BitTorrent or other P2P networks etc.


Hosting of Mirrors of other whistleblowing websites


Open Source software published

