Royal Canadian Mounted Police / Gendarmerie royale du Canada

Language selection

FR

Search

Royal Canadian Mounted Police

National Cybercrime Coordination Centre (NC3) and the Canadian Anti-Fraud Centre (CAFC)

On this page

Description

As National Police Services, and pursuant to RCMP Regulations, the National Cybercrime Coordination Centre (NC3) and the Canadian Anti-Fraud Centre (CAFC) contribute to safety and security in the digital age by combatting and reducing the threat, impact and victimization of cybercrime and fraud in Canada. The NC3 provides national leadership, operational coordination, intelligence analysis, advanced technical capabilities and other measures to enable and advance cybercrime investigations and other policing activities to combat or otherwise reduce the impact of cybercrime. The CAFC provides key operational services to combat traditional and cyber-enabled fraud in Canada, such as victim reporting at a national level, and works closely with partners to disrupt fraud and online scams, and recover financial losses for victims of fraud where possible. A PIA on NC3 activities was conducted in 2020 and a PIA on CAFC activities was conducted in 2016 and updated in 2017.

The National Cybercrime Solution (NCS)

The need for the NC3 and the CAFC to share an information technology solution to intake, triage and analyze cybercrime and fraud data, and coordinate cybercrime intelligence efforts across Canada's law enforcement community, was met by the establishment of a centralized system. The National Cybercrime Solution (NCS) was launched with limited functionality in the spring of 2023 and full implementation is expected in 2025. The NCS is housed within the RCMP, managed by the NC3 and enables the RCMP to coordinate and deconflict complex cybercrime and fraud cases, and produce comprehensive cybercrime and fraud intelligence packages for law enforcement and security partner organizations in Canada and abroad.

The NCS is comprised of three main sub-systems: a public reporting portal (referred to as the National Cybercrime and Fraud Reporting System or NCFRS); an external partner portal (referred to as the Police and Partner Portal or P3); and an internal case management and advanced data analytic system (referred to as the Internal Solution).

The National Cybercrime and Fraud Reporting System (NCFRS)

The National Cybercrime and Fraud Reporting System (NCFRS) is replacing certain CAFC mechanisms and was developed and implemented by the NC3 in close collaboration with the CAFC. The system data is obtained via online reports of victims and witnesses of cybercrime and fraud and is ingested by the NCS. The data and incident reports are shared with appropriate police services Footnote 1 based on the geolocation of the reporting and suspect devices and systems. The RCMP undertakes a number of measures to ensure that personal information and sensitive non-personal commercial information is collected, disclosed, retained and disposed of appropriately.

The Police and Partner Portal (P3)

The Police and Partner Portal (P3) is a secure portal for authorized access to data held within the NCS, and will be safeguarded by role-based access control and other security measures. The P3 will be accessed by authorized law enforcement (for example, Canadian provincial and municipal police organizations) and security partners (for example, Canadian Centre for Cyber Security) based on stringent terms and conditions, and usage will be audited by the NC3 and CAFC. The portal will be used by authorized partners to query, view and select public reports received via the NCFRS. Authorized partners may also import public reports into their distinct Records Management System to facilitate law enforcement action only when these can be associated to their authorized jurisdiction (for example, creation of a criminal occurrence at the local level). The P3 also allows authorized users to input data into the NCS as part of a service request (for example, request for guidance or assistance with an investigation, request for intelligence analysis) or to provide information for distribution and awareness. The NC3 and CAFC will have supporting policies and procedures (for example, Memoranda of Understanding, security markings, handling protocols, training) to cover roles and responsibilities for authorized partners to securely access the P3.

The Internal Solution

The Internal Solution system data is obtained through online reports of victims and witnesses of cybercrime and fraud (NCFRS) and via authorized law enforcement and security partners (P3). The Internal Solution is a centralized data repository offering automated analytical components to authorized users that triage, enrich and prioritize data and information according to established RCMP business rules. The Internal Solution securely stores lawfully collected data and information, such as identifiers/monikers, indicators of compromise, malware cross-reference reports, malware signatures, and computer and network logs in structured, unstructured and semi-structured formats. The system also captures data preservation requests from authorized users, and enables the NC3 and CAFC to manage the complete life cycle of these requests.

The NC3 and CAFC hold governance structures, policy instruments (for example, standard operating procedures, Memoranda of Understanding) and security protocols (for example, role-based access control) to administer secure access to the Internal Solution and its centralized data repository.

Cyber Tools

Cyber tools are procured or otherwise acquired (for example, open source) and developed (for example, custom built) by the NC3, and offered to authorized partners to enable and advance cybercrime and fraud investigations. These tools may include cryptocurrency analysis tools, digital forensics access tools, and internet attribution management infrastructure tools. When testing and deploying operational technologies, the RCMP ensures the tools have an operational need, provide a clear benefit to the public and meet privacy, legal, policy, and ethical standards.

Cryptocurrency tools

Blockchain analysis
In cases involving cryptocurrencies, blockchain analysis tools can trace transactions and uncover wallet addresses linked to threat actors.
Blockchain explorer
A blockchain explorer is a web-based tool that allows users to search and visualize transactions and data recorded on a blockchain. It provides a user-friendly interface to view transaction histories, wallet addresses, and related metadata for different cryptocurrencies. Users can trace the flow of funds and identify connections between addresses.
Transaction tracking
Cryptocurrency analysis tools enable tracking and monitoring of individual transactions across the blockchain. They can display details like the sender and receiver addresses, amount transferred, transaction fees, and timestamps. This information helps investigators follow the money trail.
Address clustering
These tools can group multiple addresses that are controlled by the same entity, such as an individual or a service. Address clustering helps uncover patterns of behavior and transactions associated with specific users or entities.
Wallet analysis
Cryptocurrency wallets hold digital assets and can be associated with different transactions. Analysis tools can identify wallet addresses and link them to specific users or organizations, shedding light on transaction histories.
Risk assessment
Many tools assign risk scores to addresses or transactions based on known patterns of suspicious or fraudulent behavior. High-risk addresses might be associated with darknet marketplaces, ransomware payments, or other illicit activities.
Exchange tracking
Cryptocurrency exchanges facilitate trading between cryptocurrencies and fiat currencies. Analysis tools can track transactions to and from exchanges, helping to identify points of entry and exit for fiat currency conversions.
Transaction graphs and data visualization
Visualization tools generate transaction graphs that show the relationships between addresses and transactions. These graphs help investigators understand complex transaction networks.
Anonymity de-anonymization
Some tools attempt to de-anonymize cryptocurrency transactions to reveal the real-world identities behind wallet addresses. This process involves analyzing transaction patterns, exchange interactions, and other data points.
Pattern recognition
Cryptocurrency analysis tools use algorithms to detect unusual patterns or behaviors, which could indicate fraudulent activities or money laundering attempts.

Digital Forensic Access Tools

Data extraction
These tools allow NC3 employees or other forensic experts to extract data from a wide range of digital devices, including smartphones, laptops, servers, USB drives, and more. They can recover deleted files, hidden data, and artifacts left behind by various applications.
Password recovery
Digital forensic access tools can help recover passwords, passcodes, and encryption keys from encrypted files, databases, and locked devices. This capability is essential for accessing protected data.
Evidence preservation
These tools facilitate the preservation of digital evidence by creating forensically sound copies of data without altering the original content. This ensures that evidence remains admissible in court and maintains its integrity.
Data analysis
Forensic access tools provide features to organize, search, and analyze large volumes of data efficiently. This helps investigators identify relevant information and patterns of behavior.
Metadata extraction
Metadata, which includes information about a file's creation, modification dates, and authorship, can be crucial for investigations. These tools extract and analyze metadata to reconstruct timelines and actions.
File carving
File carving tools can recover files that have been deleted or partially overwritten by searching for specific file signatures and reconstructing fragmented data.
Internet history Analysis
NC3 specialists can analyze web browsing histories, cached files, and cookies to reconstruct online activities, visits to specific websites, and user interactions.
Email and messaging analysis
These tools parse email messages, attachments, and chat logs to reconstruct communication patterns and retrieve potentially relevant content.
Image and multimedia analysis
Digital images, videos, and audio files are often sources of evidence. These tools can analyze these files for hidden information, metadata, and alterations.
Registry analysis
For Windows-based systems, forensic access tools can examine the Windows Registry to identify system configurations, software installations, and user activity.
Mobile device analysis
These tools are designed for mobile forensics can extract data from smartphones and tablets, including text messages, call logs, GPS data, and app usage.
Network traffic analysis
In cases involving cyber incidents, digital forensic access tools can analyze network traffic logs to identify intrusion attempts, malicious activities, and communication patterns.
Reporting and documentation
These tools provide capabilities to generate comprehensive reports that document the findings of the investigation. These reports are often used as evidence in legal proceedings.
Forensic imaging
These tools create forensic images of storage devices, preserving the exact state of the data for examination and analysis without altering the original data.
Encryption and decryption
These tools offer encryption and decryption capabilities to access encrypted files, containers, or partitions during investigations.

Internet Attribution Management Infrastructure Tools

IP Address verification
IAMI tools often rely on the IP address to identify the origin of cyber activities. IP addresses serve as unique identifiers for devices connected to the internet, allowing analysts to narrow down geographical locations or network providers associated with suspicious activities.
Geolocation analysis
These tools employ geolocation data to map IP addresses to physical locations. While not always precise, geolocation analysis can provide valuable insights into the general region or country from which cyberattacks originated.
Digital footprint analysis
IAMI tools analyze an attacker's digital footprint, including online profiles, social media interactions, and other online activities, to piece together information that could lead to attribution.
Malware analysis
In cases involving malware or cyberattacks, these tools examine the code, behavior, and techniques used by the malicious software to identify similarities with previously known campaigns or threat actor tactics.
Honeypots and decoys
IAMI tools can set up honeypots or decoy systems to attract and observe potential attackers. By analyzing the tactics, techniques, and procedures (TTPs) used in these interactions, analysts can gain insights into the attackers' methods and intentions.
Infrastructure analysis
Cybercriminals often reuse infrastructure, such as command and control servers or domain names, across multiple attacks. IAMI tools can identify patterns in infrastructure usage to link different attacks to the same threat actor.
Threat intelligence feeds
These tools can integrate with threat intelligence feeds that provide information about known threat actors, their capabilities, and their preferred attack vectors. This information helps analysts connect new incidents to existing threat actors.
Collaboration and data sharing
IAMI tools enable information sharing and collaboration among cybersecurity professionals, law enforcement agencies, and other stakeholders. This collective effort enhances the ability to attribute cyber activities accurately.
Artifact analysis
IAMI tools often work in tandem with digital forensic tools to analyze artifacts left behind by attackers. This includes examining log files, file metadata, and other traces of activity.
Behavioral analysis
By studying the behavioral patterns and tactics of threat actors, IAMI tools can identify similarities and link different incidents to the same group or individual.

Media aggregation services

Source diversity
Media aggregation services gather content from a wide range of sources, including social media platforms (such as X, Facebook, and Instagram), news websites, blogs, forums, video-sharing platforms, and more. This diversity ensures comprehensive coverage of digital media landscape.
Data feeds
These tools employ methods like saving data from the web, application programming interfaces (APIs), and other data feeds to collect content from various sources in real time or near-real time.
Content organization
Media aggregation services organize collected content into categories, topics, keywords, and other relevant metadata, making it easier for NC3 and RCMP officials to navigate and search for specific information.
Investigative insights
By analyzing aggregated media content, NC3 officials can gain insights into criminal activities, trends, patterns, and potential leads related to ongoing investigations.
Open source intelligence (OSINT)
OSINT, such as OSINT third party tools and services, provide NC3 and CAFC analysts with publicly available information from digital sources (for example, cybercrime marketplaces, forums, public online messaging services) aiding in developing intelligence, identifying suspects, and gathering context.
Emergency response
In crisis situations, the NC3 and CAFC can use media aggregation services to gather real-time information about incidents, locations, and potential threats to inform their response strategies.

Why a privacy impact assessment was completed

In keeping with RCMP and TBS requirements, the RCMP initiated a PIA in relation to the NC3 at the time of its establishment. That process continued throughout 2023, in keeping with principles of privacy-by-design, to influence and inform the development and implementation of the NCS and NCFRS. This PIA includes a review and assessment of the NC3's core programming and activities, an evaluation of the NCS (including the NCFRS and P3 portal), and a summary assessment of the NC3's core cyber toolkit.

Additional information

Summary of Risk Assessment

Following a risk assessment of the core program activities of the NC3 and CAFC, the implementation of the National Cybercrime Solution (NCS) and the use of cyber tools for law enforcement purposes are likely to present a moderate risk to the privacy of individuals, such as victims of cybercrime and fraud. Many potential risks are inherent to law enforcement operational activities and the lawful collection and use of personal information, and some risks may involve the use of cyber tools to capture personal information about subjects of interest (suspects) associated with cybercrime and fraud.

Summary of Program Controls

The RCMP has adopted key measures and controls to mitigate the privacy impacts associated with the collection, use, disclosure, retention and disposal of personal information in core program activities of the NC3 and CAFC. The RCMP has been open and transparent about the establishment of the NC3, its implementation plans for the NCS and has made specific information about its policies and practices relating to the management of personal information publicly available on the Internet. For example, the submission of a report via the NCFRS includes a formal privacy notice for the public. External NC3 and CAFC webpages with frequently asked questions and answers (FAQ) will also be maintained, and a personal information bank (PIB) will be registered with Treasury Board of Canada Secretariat for activities of the NC3 and CAFC. In addition, the NC3 and CAFC will complete an Algorithmic Impact Assessment on the artificial intelligence (AI) capabilities of the NCS and NCFRS, such as machine learning and natural language processing capabilities for data extraction, text classification and data pattern recognition.

In addition, the RCMP holds internal protocols, policies and controls to ensure the protection and proper handling of personal information. For example, the RCMP has established and documented the authorities under which its programs and partners operate NCS and cyber tools, and ensures that the collection, usage and disclosure of personal information occurs within its mandate and authorities. Personal information collected or used by the NC3 and CAFC will not be accessed by unauthorized users and the RCMP has established limits on the disclosure of personal information to authorized partners via formal information sharing arrangements. All NCS data will be encrypted at rest and during transit, and secured in a manner commensurate with its sensitivity. Aggregated and de-identified data may be used for purposes such as policy development, program evaluation and reporting, research and statistics.

The NC3 and CAFC will retain all personal information collected for administrative purposes for a minimum of 10 years (including two years from last administrative use) and will securely destroy data that has no further business value in accordance with RCMP IM and operational policy and retention standards. The NC3 and CAFC will establish data review protocols to determine the longer-term business value of retained personal information. Based on RCMP research on cybercrime and fraud trend analysis, it has been determined that a maximum 20-year retention from date of entry should be applied to NCS content. The NC3 and CAFC may also retain anonymized data and non-identifiable information indefinitely for historical reporting purposes.

Table 1:
Issue Risk rating Risk mitigation Compliance issue action plan
Openness (PIB and AIA) Moderate It is recommended that the RCMP uncouple the activities of the NC3 with those of its police service groups in InfoSource and develop and publish a new, standalone PIB, specific to the program activities of the NC3 and CAFC.

In Progres

As part of the present PIA, the NC3 and CAFC developed a new personal information bank describing the use and disclosure of personal data in relation to its work. As per subsection 11(1) of the Privacy Act, the PIB will include a statement of the purposes for which personal information in the bank is to be collected or compiled, and a description of the purposes for which the information may be used or disclosed. The PIB will also include a statement of the NC3 and CAFC retention and disposal standards, as applied to personal information within the bank. The NC3 and CAFC will work with RCMP ATIP Branch and TBS to publish the new PIB.

In addition, the NC3 and CAFC plan to complete an Algorithmic Impact Assessment on the NCS and NCFRS. The NC3 and CAFC aim to complete the Algorithmic Impact Assessment in 2025, including transparency measures for publishing the assessment online.
GBA+ Analysis Moderate (Policy Requirement) It is recommended that the NC3 record and monitor operational data pertaining to key operating activities, and that it periodically assesses the impact of those activities on equity and equity seeking groups.

In Progres

GBA plus considerations including sex and gender, age groups, and region of residence, continue to be assessed as the NC3 moves into full operating capability. The implementation of the NCS and NCFRS include specific elements of GBA plus which look to support the NC3 and CAFC in ensuring its services meet the needs of Canadians. The NC3 and CAFC have also included measures to have a positive impact on key demographics and groups, such as victims of cybercrime (for example, senior citizens) and women in the cyber security workforce.

The NC3 and CAFC continue to collect data from reporting Canadians on their gender and identity, Indigenous identity, age, languages spoken, ethnicity and potential heightened risk factors for victimization - such as newcomers to Canada, or those from lower income groups - to help inform policies and operational approaches. Note, in alignment with best practices for privacy, the collection of this information is optional/voluntary and based on the informed consent of the reporting entity.

Related personal information banks

National Cybercrime Coordination Centre (NC3) and the Canadian Anti-Fraud Centre (CAFC) Personal Information Bank (PIB) - RCMP PPU 202 - Pending TBS Approval

For more information about this privacy impact assessment

RCMP Access to Information and Privacy (ATIP) - Privacy Management Division at atippolicy_politiqueaiprp@rcmp-grc.gc.ca

Date modified: