National Cybercrime Coordination Unit

Executive summary

This report examines the privacy impacts associated with the collection, use, disclosure and retention of personal information by the Royal Canadian Mounted Police (RCMP) in the operation and administration of the National Cybercrime Coordination Unit (NC3). This assessment fulfills the requirements to conduct a Privacy Impact Assessment (PIA) under the Treasury Board Secretariat (TBS) Policy on Privacy Protection and complies with the standards for performing a PIA as set out in the TBS Directive on Privacy Impact Practices.

Overview

The NC3 is a National Police Service stewarded within the RCMP. The NC3 will coordinate and deconflict intelligence for cybercrime investigations across all levels of policing and enable efficient law enforcement activities of national and international police partners as they relate to cybercrime, including apprehending and disrupting cybercriminals. Ultimately, the NC3 is intended to reduce the threat, impact and victimization of cybercrime in Canada and contribute to achieving the Government of Canada's long-term vision of safety and security in the digital age.

Budget 2018 earmarked $137.5 million over five years, and $23 million ongoing for the creation of the NC3. The larger part of the NC3 initiative and the majority of the funding is to build/acquire a new robust IM/IT system to allow the NC3 to carry out the various parts of its mandate. This system is referred to as the National Cybercrime Solution (NCS). The NCS will include a Public Reporting Website, a NC3 Internal Solution, and a Police and Partner Portal (P3).

Public Reporting Website

The Public Reporting Website will provide an easy-to-use website for victimized individuals and businesses to report a wide spectrum of cybercrimes, including pure cybercrime (e.g., malware, hacking) and financially-motivated cybercrime (e.g., cyber fraud, identity theft, forgery, extortion). The reports will be ingested by the NC3 Internal Solution where various analytics, coordination and de-confliction components will add value through data enrichment. The reports will be shared with appropriate police services for the incident based on geolocation of the reporting and suspect devices and systems. The RCMP will undertake a number of measures to ensure that personal information and sensitive non-personal commercial information is collected, disclosed, retained and disposed of appropriately.

The RCMP has partnered with Canadian Digital Services (CDS) to develop the Public Reporting Website using an agile and user-centered approach to design. This includes ongoing assessments of the Website. The agile software development methodology includes four key stages:

  • 1 - Discovery (research)
  • 2 - Alpha (testing and prototyping)
  • 3 - Beta (build and iterate with users)
  • 4 - Live (full operational use)

The Discovery and Alpha stages were completed in FY 2019-20. These stages included testing and development of prototypes for the new reporting website. The next stage, Beta, will further test and iterate the prototype in a production setting to monitor and assess user reporting from individual and business victims of cybercrime and fraud. Beta testing is scheduled to commence in early 2020, and will involve the collection, administration and use of victim complaints (including personal information) in a controlled setting to iterate and develop the Public Reporting Website prototype. The Beta stage will involve information sharing, pursuant to informed consent by the user. Personal information may be shared with domestic law enforcement partners to inform law enforcement operations and potential cybercrime investigations. Non-personal information (e.g., aggregate data for statistical purposes stripped from any personal identifiers or high severity cyber threat intelligence such as indices excluding any personal identifiers) may be shared with other security partners, such as the Canadian Centre for Cyber Security, to inform Government of Canada cyber security response measures. Non-personal and aggregate information (i.e., summary analysis on the results of reported information) may be shared with the Canadian Digital Service to inform the ongoing development of the Public Reporting Website prototype.

The collection and use of personal information through Beta testing will be consistent with personal information that is currently collected and used through the Canadian Anti-Fraud Centre (CAFC).

NC3 Internal Solution

The NC3 Internal Solution will contain a centralized data repository containing cybercrime investigative data, incidents and intelligence, data preservation requests, and mutual legal assistance requests to facilitate coordination of multi-jurisdictional law enforcement activities. Canadian cybercrime investigators from all jurisdictions will be able to discover if they are investigating the same suspects, and to link information from domestic and international law enforcement partners.

The NC3 Internal Solution will securely store, search and analyze cybercrime data and information such as monikers/identifiers, malware signatures, lists of malicious IP addresses, malware cross-reference reports, indicators of compromise, as well as computer and network logs in structured, unstructured and semi-structured formats. The NC3 will have governance structures, supporting policy instruments (e.g., standing operational policies, information sharing arrangements) and technical / security protocols (e.g., role-based access controls, deployment of two-factor security authentication where required) to administer access to the NC3 Internal Solution and its centralized data repository.

Police and Partner Portal

The Police and Partner Portal (P3) will be provided to authorized law enforcement (Canadian provincial and municipal police agencies) and security partners (i.e. Canadian Centre for Cyber Security (CCCS), Canadian Radio-television and Telecommunications (CRTC), and the Competition Bureau Canada) to access the NC3 Internal Solution and its centralized data repository based on defined role-based access controls, query, search, and information exchange capabilities. This will be based on stringent terms and conditions of access stipulated in information sharing agreements and will require training by the end user. In addition, there will be a capacity to audit who has accessed the centralized data repository, to verify that all access has been authorized. The functionality provided via the P3 will be based on the role of the user, i.e., Role-Based Access Control (RBAC).

Through the P3, authorized law enforcement and security partners will have the ability to query, view and select public reports (complaints received via the Public Reporting Website) as well as import victim reported incidents into their local Records Management System to facilitate law enforcement action (i.e., creation of a criminal occurrence at the local level). Law enforcement agencies will only be capable of importing victim complaint reports that link to the police service's authorized jurisdiction.

Law enforcement and authorized partners will be responsible for the accuracy of information provided to the NC3, and the NC3 will be responsible for defining and administering user access, terms and conditions in either Memoranda of Understanding (MOUs) or Information Sharing Agreements (ISAs) or both.

Summary of privacy issues identified

Based on the present assessment, privacy risks arising from the activities of the NC3 are considered to be moderate. However, if recommendations from this PIA were fully adopted, the risks would be reduced to an acceptable or low level.

Privacy issues identified through the PIA process include:

  • Risk of a technical attack against NC3's National Cybercrime Solution
  • Risk of unauthorized access to the databases
  • Risk of compromised database
  • Risk of further data dissemination by third parties
  • Risk of inadvertently identifying individuals
  • Risks inherent to long-term retention of personal information

The NC3 will develop and implement a management action plan to address those risks. The action plan will indicate a specific timeframe for remedying or mitigating each risk and, where possible, name a specific person or staff position to be responsible for taking action.

The protection of privacy is a pillar of NC3's operations. Every effort will be made within NC3's operating procedures and policies to ensure that operational benefits are proportionate to privacy impacts and to help achieve a balance between an individual's right to privacy and the need for collecting personal information to inform law enforcement operations, activities and priorities. Information collected by the NC3 will be used for authorized purposes only and secured in a manner commensurate with its sensitivity.

The RCMP will implement policies, protocols and controls to ensure the protection and proper handling of personal information collected by the NC3. A comprehensive analysis of the RCMP's obligations under the Privacy Act with respect to the operation and administration of NC3's core activities was completed as part of this PIA.
