Incident Response: CIP Activated in Response to Shooting in Buffalo, New York

Incident Response: CIP Activated in Response to Shooting in Buffalo, New York
14 May 2022 GIFCT
In News

Updated 17 May 2022 7:08pm EDT

Following the conclusion of the Content Incident Protocol, GIFCT is issuing the following summary of actions related to this incident.

At 4:52pm Eastern Daylight Time on Saturday, May 14, 2022, the Global Internet Forum to Counter Terrorism (GIFCT) activated the Content Incident Protocol (CIP) within its Incident Response Framework in response to a shooting in Buffalo, New York, United States, and took the following steps:

  • Alerted all GIFCT members that the CIP had been activated. By this time, in line with our Incident Response Framework, communications were already underway between GIFCT and its member companies to share situational awareness about the offline violence in order to prepare for the potential that the event met the criteria to activate the CIP.
  • Enabled GIFCT members to share hashes of the perpetrator-produced content depicting the attack, in video and image form, along with content featuring the manifesto.
  • Alerted the U.S. government, as the impacted government in this incident, and GIFCT’s Independent Advisory Committee that the CIP had been activated in response to the shooting.

Simultaneously, individual GIFCT members engaged in platform-specific enforcement operations, identifying and reviewing content in line with their respective terms of service, including instances of the content shared in a range of contexts.

At 6:31pm Eastern Daylight Time on Sunday, May 15, 2022, GIFCT concluded the activated CIP based on the time passed since the conclusion of the offline violent event and feedback from members on the level of attempts to upload new versions of the violating content on member platforms. New hashes of the perpetrator-produced content will continue to be added to the GIFCT hash-sharing database as members identify and share them.

While members continue to add new hashes to the database, we can currently provide the following information from this event:

    • Between when GIFCT activated the CIP at 4:52pm EDT on Saturday, May 14 and its conclusion at 6:31pm EDT on Sunday, May 15, members added approximately 870 visually distinct items to the GIFCT hash-sharing database. These related to:
      • approximately 740 visually distinct images
      • approximately 130 visually distinct videos

Ongoing Work:
In order for GIFCT and its members to be as prepared as possible for violent extremist and terrorist related incidents with a significant online dimension, we continue to test our protocols and mature our Incident Response Framework, including the CIP. As recently as last Tuesday, May 10, GIFCT ran a tabletop exercise with its members and participants from its multistakeholder Crisis Response Working Group and Independent Advisory Committee to test our processes and operations in a scenario where the CIP was activated. We will provide further insights from the tabletop exercises we’ve carried out so far this year in July when we publish the outputs from Year 2 of GIFCT Working Groups.

Next Steps:
GIFCT will convene a debrief in the coming weeks to review the steps taken as part of the response and identify lessons and improvements to be made. This debrief is an essential, final step in our operations when the Content Incident Protocol is activated.

Research and insights from experts will be provided through the Global Network on Extremism and Technology (GNET), the academic network funded by GIFCT to research issues related to violent extremist behaviors and technologies.


First Published 14 May 2022 6:04pm EDT

Content Incident Protocol Activated in Response to Shooting in Buffalo, New York United States

At 4:52pm Eastern Daylight Time on Saturday, May 14, 2022, the Global Internet Forum to Counter Terrorism (GIFCT) activated the Content Incident Protocol (CIP) within its Incident Response Framework in response to a shooting in Buffalo, New York, United States.

The CIP was activated due to:

  • The existence of live streamed video of the shooting, apparently produced and distributed by the perpetrator
  • The video depicting attempted violence towards people, and
  • The video appeared on GIFCT member platforms.

As a result, hashes corresponding to the perpetrator-produced content depicting the attack, in video and image form, along with the identified manifesto qualify to be added to the GIFCT hash-sharing database. This enables other GIFCT members to identify whether the same content has been shared on their platforms and address it in accordance with their respective platform policies.

For more information about GIFCT’s:

We will update this post to provide further updates.