Incident Response: Debrief on Buffalo, New York CIP Activation

Incident Response: Debrief on Buffalo, New York CIP Activation
23 June 2022 GIFCT
In News

Following the attacks in Christchurch, New Zealand in March 2019, GIFCT members developed the Content Incident Protocol (CIP), a centralized communications mechanism to share information about ongoing violent events that might result in the online spread of content produced by the perpetrators or accomplices. Today, this work is guided by our Incident Response Framework, which makes an official debrief process a final and essential step in our efforts.

Since establishing our Incident Response Framework, GIFCT and our member companies have initiated communications in response to more than 270 offline terrorist or mass violence events in 41 countries across six continents, sharing situational awareness and information as quickly as possible to identify any online dimension to the offline violence. As part of this work, the CIP has been activated three times – in October 2019 in response to the attack in Halle, Germany, in May 2020 in response to the attack in Glendale, Arizona, and, most recently, in response to the attack in Buffalo, New York, in May 2022.

This blog post provides our full stakeholder community with information from the debrief that followed GIFCT activating the CIP in response to the tragedy in Buffalo and the online content produced and disseminated by the perpetrator.

GIFCT Incident Response Framework and the Content Incident Protocol

In 2021, GIFCT enhanced our Incident Response Framework, establishing three levels of response to offline terrorist events with an online aspect based on different sets of criteria:

  1. Content Incident Protocol (CIP):
    1. An ongoing terrorist or mass violence event;
    2. Live-streamed or recorded video by perpetrator or accomplice;
    3. Depicting murder or attempted murder;
    4. On a member platform (or so broadly available online its spread is inevitable).
  2. Content Incident (CI):
    1. An ongoing terrorist or mass violence event;
    2. Other content (ex. photo, audio, or text) by perpetrator or accomplice;
    3. Depicting murder, attempted murder, or violence from the attack;
    4. On a member platform (or so broadly available online it is inevitable)
  3. Incident (I):
    1. An ongoing terrorist or mass violence event, threat, or attempt; and
    2. Content related to the terrorist attack but unclear whether depicting murder, attempted murder, violence, or bystander footage from a terrorist attack, OR
    3. Gaining international media attention or appearing to have a significant online element.

These levels reflect an assessment of the severity of the threat of exploitation of digital platforms, and that GIFCT’s critical focus remains on stemming the spread of terrorist and violent extremist content online. In cases where either the Content Incident (CI) or Content Incident Protocol (CIP) levels are activated, GIFCT enables its members to contribute hashes of associated content so that each member can assess instances of the content shared on their platforms as efficiently as possible in line with their respective terms of service.

The Content Incident Protocol (CIP) is the highest level of our Incident Response Framework. This reflects the heightened threat this situation poses for GIFCT member companies, including potential exploitation of their digital platforms and to support them in stemming the spread of content associated with the incident, which may be manipulated for maximized dissemination online.

Content Incident Protocol Activated in Response to Shooting in Buffalo

GIFCT activated the CIP at 4:52 p.m. Eastern Daylight Time on Saturday, May 14, and took the following steps in line with the processes established in our Incident Response Framework:

  • Alerted all GIFCT members that the CIP had been activated. By this time, communications were already underway between GIFCT and member companies to share situational awareness about the offline violence in order to prepare for the identification of online content and potential that the event met the CIP criteria.
  • Once the CIP was activated, GIFCT enabled members to share hashes of the perpetrator-produced content depicting the attack, in video and image form, along with content featuring the attacker’s manifesto.
  • Alerted the U.S. government, as the impacted government in this incident, and GIFCT’s Independent Advisory Committee that the CIP had been activated in response to the shooting.

At 6:31 p.m. Eastern Daylight Time on Sunday, May 15, GIFCT concluded the activated CIP based on the time passed since the conclusion of the offline violent event and feedback from members on the level of attempts to upload new versions of the violating content on member platforms. Conclusion of the CIP still allows new hashes of the perpetrator-produced content to be added to the GIFCT hash-sharing database as members identify and share them.

Hash Sharing

Between when GIFCT activated the CIP and its conclusion, members added approximately 870 visually distinct items to the GIFCT hash-sharing database. These related to:

  • approximately 740 visually distinct images
  • approximately 130 visually distinct videos

An image or video found by a member company is “hashed” in its raw form, ensuring there is no link to any source original platform or user data. Hashes appear as a numerical representation of the original content, which means they cannot be easily reverse-engineered to recreate the image and/or video. The term “visually distinct items” means clusters of hashed content that are visually identical or near-identical to the human eye. 870 visually distinct items relate to 870 of these clusters of hashes; 870 different signals that GIFCT member companies can use to identify images or videos that relate to the perpetrator-produced content from the attack in Buffalo. While this does not show how far the content reached, how many times it was viewed, or how many times the content was uploaded and shared, this metric does show that there were significant adversarial attempts to produce many variants of the original content.

Testing Our Preparedness

Throughout the year, we work to test and finetune our protocols, our readiness, and our systems so that when we are responding to an attack, we and our member companies are positioned to respond quickly and effectively. Since 2019, we have convened and participated in exercises to test our protocols in order to identify where gaps may exist, as well as to establish understandings and expectations for how GIFCT’s Incident Response Framework works in relationship to other international crisis response protocols, including the EU Crisis Protocol and the Christchurch Call Crisis Response Protocol. Already in 2022, we’ve conducted two tabletop exercises to test different aspects of our framework. In the first, we worked to understand how an attack and our response can impact the human rights of online users, victims, and others. In the second, we convened our member companies to evaluate the current state of our centralized communications mechanism.

GIFCT’s Crisis Response Working Group helps us continue this work to conduct tabletop exercises and analyze our protocols, and we continue to incorporate feedback and recommendations based on their input. Expanding our Incident Response Framework to incorporate protocols for responding to perpetrator-produced still images in addition to livestreams – established with the Content Incident (CI) level of our framework – and building a debrief process into our efforts when we activate the CIP, are both thanks to the important work of the participants in our Crisis Response Working Group.

Situational Awareness

GIFCT’s mission is to prevent terrorists and violent extremists from exploiting digital platforms and in the work to develop and deploy our Incident Response Framework, GIFCT and its members are strengthening our collective ability to respond to a threat that is both significantly rare and high risk. The two most recent activations of the CIP took place two years apart, but the attacks and their ensuant perpetrator-produced content were horrific and required a robust and collective response.

With a clear-eyed understanding of this dynamic, GIFCT focuses on the continual work to expand our situational awareness capacity, practice our protocols with our members, and identify where we can progress our work in ways that strengthen the collective response we can have for the online ecosystem.

We use and develop systems that will help us, in as close to real-time as possible, identify the instances of when an offline violent event is taking place in which the perpetrators or accomplices of the attack are attempting to exploit digital platforms as part of their violence. Knowing when and where terrorist and mass violent attacks are happening, and the impacts and online aspects of those attacks, is a critical component of what GIFCT and our members do.

A robust situational awareness system that helps us to quickly identify and share this information is crucial to this work. While GIFCT grows and develops as a non-profit organization with its own team of technology and counterterrorism experts, we are a small organization with limited capacity, making it all the more important to establish a robust system that allows us to gain situational awareness through online tools, strong working relationships with our members, and communications channels with stakeholders, including government and law enforcement. Over the last year, we’ve trialed several technology services to aid our efforts to surface information and alerts about emerging offline terrorist and mass violent attacks that may have an online dimension. We look to mature the element of situational awareness of our capabilities in the coming months.

Combating the Spread of Terrorist and Violent Extremist Content Online

Stemming the spread of terrorist and violent extremist content online is GIFCT’s northstar and, as our Incident Response Framework illustrates, is critical in our efforts to respond to a terrorist or mass violent attack. To date, we’ve seen meaningful impacts from the ability for member companies to hash videos and images of the perpetrator-produced content when we activate the CIP but we know our impact can be greater.

Last year we announced that we would expand the taxonomy of our hash-sharing database to include three new categories of hashes, prioritized based on feedback from global experts, our Independent Advisory Committee, and our member companies about how the threat manifests online. These three categories are:

  1. Manifestos from terrorist and violent extremist attackers in PDF form;
  2. Terrorist publications that use specific branding and logos for the organization;
  3. URLs identified by our partner Tech Against Terrorism where specific terrorist content exists and that are often shared and amplified on other platforms.

While we have been working diligently to implement these expansions, they were not in place when we activated the CIP in response to the attack in Buffalo last month. These are important expansions to our database for our day-to-day work but can be particularly impactful when the CI or the CIP is activated to address how attempts to exploit the online ecosystem continue to be developed by bad actors in this adversarial environment. Hashed URLs will provide GIFCT and member companies with greater ability to address attempts to share the perpetrator-produced livestream when shared on a member platform as a URL where the video is being hosted on a non-GIFCT member platform. PDF hashes on the perpetrator’s manifesto are equally critical as these attacks continue to demonstrate the powerful and influential role manifestos play in not only giving the perpetrator the ability to narrate and justify their violence, but to be used to inspire and motivate others to conduct future violence. We are aiming to have these expansions implemented later this summer and will share an update accordingly.

Our Work Continues

In addition to implementing these additional categories of hashes to our hash-sharing database and increasing our technical capacity for situational awareness that alerts us to developing attacks, we are committed to carrying out a range of efforts that will strengthen our response when we activate the CIP.

Engaging with our stakeholders from government, civil society, and tech is both a responsibility and an opportunity to learn and improve. We will continue to meet with stakeholders to understand how they are impacted by violent attacks that prompt GIFCT and its members to activate the CIP in order to gain greater knowledge on how we can share pertinent information that does not limit GIFCT’s capabilities to maintain our priority of supporting members to respond to online dimensions of the attack. We will continue to convene our stakeholders and our members to test our protocols through exercises, and evaluate our systems in our Crisis Response Working Group.

Along with our stakeholders, our partner organizations – Tech Against Terrorism and the Global Network on Extremism and Technology (GNET) – are vital contributors to this work. GNET has already produced three insights from its global network of experts and researchers on pertinent aspects of the Buffalo attack:

In partnership with Tech Against Terrorism, we work to support tech companies interested in becoming members of GIFCT as they seek to meet our criteria to join. We will continue to explore and develop ways to understand and address the full online threat landscape but crucial to our ability is to have companies, committed to our mission and doing their part, join our shared work.

We are grateful to our member companies for their commitment and determination in their response to the tragedy in Buffalo and to our stakeholders for providing information, feedback and participating in this debrief process. In just over three years, we have made important progress in our collective efforts, and are eager to continue making progress.