Office of the Privacy Commissioner of Canada

From LeakDirectory

Revision as of 20:26, 25 September 2012 by Anonymous (Talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search


General Notes

Canada has some of the best laws for protecting individual Privacy. The Office of the Privacy Commissioner of Canada is relatively powerful, compared with the deliberately weakened schemes in other countries e.g. United Kingdom or, the vast majority of countries which have no such protection at all.

They now have a reasonably well encrypted Privacy Complaint web form with a registration / feedback mechanism

Using this Privacy Complaint web form, we pointed out to them that they were allowing deprecated SSL 2.0 protocol on their https:// secure website (vulnerable to cipher strength down grade attacks). This has now been rectified.

Contact Details


Press Enquiries

Media Relations

Contact: Anne-Marie Hayden Tel: (613) 995-0103

General Enquiries

Non-journalists are invited to contact our Information Centre. Please call 1-800-282-1376 (toll free) or (613) 947-1698 and ask to speak with an Information Officer.

Postal Address:

Address: 112 Kent Street Ottawa, ON K1A 1H3 Fax: (613) 995-1139

Social Media / Networks

Mainstream media print and broadcast journalists and politicians etc. i.e. influential people at which whistleblower leaks are targeted, are busy people, but can sometimes be enticed to read about whistleblower issues through Twitter or FaceBook or Blog RSS feeds etc.






E-mail Newletter

Financial Donation methods

No - Canadian taxpayer funded

Currently accepting submissions of whistleblower leaks ?


Explicit promises about Anonymity, Privacy or Security

Yes - the OPCC is a pioneer in advocating the use of Privacy and Security audits and policies etc.

Restrictive legal Terms & Conditions


Practical Advice on preserving Whistleblower Anonymity

Some words of warning to delete the (.pdf) version of your Complaint if you are using a public internet cafe etc.

Leak Submission Encryption

Digital Certificate fingerprints published on their website:


Qualsys SSLLabs SSL Server Test rating:

Overall rating: **B [79]**

Overall rating: A [88]

Certificate: 100

Protocol Support: 85

Key Exchange 90

Cipher Strength: 90

Still allows the obsolete, deprecated SSL 2.0 protocol (which is vulnerable to cipher strength downgrade attacks) and is vulnerable to the BEAST man-in-in-the-middle attack.

The SSL ver 2.0 and BEAST vulnerabilities have now been rectified

PGP Public Encryption Key


TOR Hidden Service


I2P eepsite



Hushmail Secure Form


Content Delivery Network

Content Delivery Networks can provide scalable multimedia bandwidth and resistance to Denial of Service attacks, but sometimes this comes at the price of extra tracking and reduced anonymity for whisteblower sources.





Leak Submission Anonymity

Some of these techniques are appropriate for a normal website like this wiki, but not for whistleblower or tipoff websites, where potential whistleblower source anonymity protection should be paramount:

TOR users blocked from access


3rd Party or persistent tracking cookies or graphics


CAPTCHA graphics generated from another website e.g. GoogleRe-Captcha


Mixed mode non-SSL graphics or style sheets


Embedded video clips or deep linked graphics etc. from another website e.g. YouTube


Flash file uploader class


Communications / Acknowledgement back to the whistleblower via the website

Acknowledgement of receipt of information

e.g. file upload success indicator - has the leak message or upload actually been received successfully ?


Leak analysis work flow status reporting

e.g. Has anyone actually looked at what the whistleblower has submitted ?


Private message box

e.g for 2 way communications back to the anonymous whistleblower, asking for clarification, offering advice etc.

You need to provide an email address in order to register to fill out the form.

A "unique" Complaint identifier is reference is generated after the forma and any attachments have been submitted

Domain Name Resilience

The threats of legal court proceedings against Domain Name Registrars and Domain Name Service providers are lessons which emulators should take note of:

Domain Name Registrar

IP address: Host name:

Registrar: Inc.

Canadian Government website - unlikely to ever have legalistic problems with Domain Name etc.

Multiple Internet Service Providers, in different legal jurisdictions ?


Domain Name Server(s) & jurisdiction(s)

Canada [] []

Alternate Domain Name aliases


Actual Physical Mirrors of the website:


Content available via BitTorrent etc P2P etc.


Hosting of Mirrors of other whistleblowing websites


Open Source software published


Personal tools