Incident Response: CIP Activated in Response to Shooting in Louisville, Kentucky

10 April 2023 GIFCT

Updated: April 24, 2023 at 4:30pm EDT

Following the conclusion of the Content Incident Protocol, GIFCT is issuing a summary of actions related to this incident. 

At 12:02 p.m. Eastern Daylight Time on Monday, April 10, 2023, the Global Internet Forum to Counter Terrorism (GIFCT) activated the Content Incident Protocol (CIP) within its Incident Response Framework in response to a shooting in Louisville, Kentucky, United States, and took the following steps:

  • Alerted all GIFCT members that the CIP had been activated. By this time, in line with our Incident Response Framework, communications were already underway between GIFCT and its member companies to share situational awareness about the offline violence in order to prepare for the potential that the event met the criteria to activate the CIP.
  • Enabled GIFCT members to share hashes of the perpetrator-produced content depicting the attack.
  • Alerted the U.S. government, as the impacted government in this incident, GIFCT’s Independent Advisory Committee, and representatives of the European Union and Christchurch Call Crisis Response Protocols that the CIP had been activated in response to the shooting.

Simultaneously, individual GIFCT members engaged in platform-specific enforcement operations, identifying and reviewing content in line with their respective terms of service, including instances of the content shared in a range of contexts.

At 4:00 a.m. EDT on Tuesday, April 11, 2023, GIFCT concluded the activated CIP based on the time passed since the conclusion of the offline violent event and feedback from members on the level of attempts to upload new versions of the violating content on member platforms. New hashes of the perpetrator-produced content may continue to be added to GIFCT’s hash-sharing database as members identify and share them.

At this time, we can provide the following information from this event:

  • Between when GIFCT activated the CIP at 12:02 p.m. EDT on Monday, April 10 and its conclusion at 4:00 a.m. EDT on Tuesday, April 11, members added approximately 3 hashes related to one visually distinct video.

Next Steps:
GIFCT will convene a debrief in the coming weeks to review the steps taken as part of the response and identify lessons and improvements to be made. This debrief is an essential, final step in our operations when the Content Incident Protocol is activated in order to continue improving and strengthening our response work.

Research and insights from experts will be provided through the Global Network on Extremism and Technology (GNET), the academic network funded by GIFCT to research issues related to violent extremist behaviors and technologies.

First Update: April 10, 2023 at 1:21pm EDT

At 12:02 p.m. Eastern Daylight Time on Monday, April 10, 2023, the Global Internet Forum to Counter Terrorism (GIFCT) activated the Content Incident Protocol (CIP) within its Incident Response Framework in response to a shooting in Louisville, Kentucky, United States.

The CIP was activated due to the following criteria being met:

  • The existence of live streamed video of the shooting, apparently produced and distributed by the perpetrator
  • The video depicting attempted violence towards people, and
  • The video was shared on a GIFCT member platform.

As a result, hashes corresponding to the perpetrator-produced content depicting the attack, in video and image form, qualify to be added to the GIFCT hash-sharing database. This enables other GIFCT members to identify whether the same content has been shared on their platforms and address it in accordance with their respective platform policies.

For more information about GIFCT’s:

We will provide further updates on this post.