News: How We Implement Our Mission and Our Incident Response Framework

News: How We Implement Our Mission and Our Incident Response Framework
1 November 2023 GIFCT
In News

GIFCT’s mission is to prevent terrorist and violent extremist exploitation of digital platforms. We work with our tech company members to identify and help prevent the spread of known terrorist and violent extremist content online, respond to terrorist and violent extremist incidents, and adapt to adversarial shifts.

Following the March 2019 attacks in Christchurch, New Zealand, we established GIFCT’s Incident Response Framework (IRF) to respond quickly, effectively, and in a coordinated manner to terrorist and mass violence events and activate the highest level, the Content Incident Protocol, when the perpetrators livestream violence as part of their attack. Developed to address scenarios like the Christchurch attack, the IRF is not intended to address every instance of violence but focuses on mitigating deliberate efforts to misuse technology as a part of, or to further amplify, a terrorist or violent extremist attack. The IRF has been carefully crafted to enable GIFCT and its members to respond in fast-moving and potentially uncertain situations, while respecting freedom of expression and access to information, and engage with other international crisis response protocols, including the European Union and Christchurch Call.

The IRF directs how GIFCT supports our members to identify online content produced by the perpetrators and accomplices of an offline violent attack, which might activate the Content Incident (CI) or Content Incident Protocol (CIP) levels of the IRF. When these levels are activated, the IRF enables our members to swiftly add hashes of the content — understood as a digital fingerprint for a piece of content in the form of alpha-numeric codes — to GIFCT’s hash-sharing database. These hashes can then be used by other tech company members to detect the same perpetrator-produced content on their platform and action it in line with their policies. In line with our commitment to transparency and agreed-upon protocols with member companies, GIFCT issues a public notification when either the CI or CIP level of the IRF is activated, and publishes the composition of the hash-sharing database in our annual transparency report.

Originally limited to images and videos produced by entities on the United Nations Security Council’s 1267 Consolidated Sanctions List, GIFCT has expanded the taxonomy, or inclusion criteria, for the hash-sharing database several times since its launch in 2017.  Expanding the taxonomy for the hash-sharing database does not affect member companies’ terms of use or policies but enables members to share a wider range of hashed content. In 2019, with the development of the Incident Response Framework, the taxonomy was expanded to include hashes of content produced by the perpetrators or accomplices of an offline attack live-streaming or recording their violence (i.e., to share hashes of content resulting from a CIP). Most recently, in response to GIFCT’s multi-stakeholder 2021 Taxonomy Report, comprising recommendations from global experts including members of GIFCT’s Independent Advisory Committee, and our tech company members, the taxonomy expanded further to include hashes of terrorist and violent extremist attacker manifestos, publications, and URLs that direct people to where the content addressed in GIFCT’s taxonomy is hosted.

To date, the hash-sharing database contains approximately 400,000 unique and distinct items, with approximately ⅔ of those being images and ⅓ video, with few instances of texts. Overall there are currently approximately 2.3 million hashes.  This is the result of the ongoing work of our members continuing to add hashes related to new versions of terrorist and violent extremist content as they enforce their respective platform policies. Hashes are added routinely by members, including but not limited to when GIFCT activates the highest levels of the IRF. The vast majority of hashes in GIFCT’s database have been added outside the times when the CIP or CI are activated, enabling ongoing industry cooperation. 

To deliver on its mission, GIFCT diligently follows international security dynamics, to keep our members abreast of emerging risks of terrorist and violent extremist activity that may appear on their platforms through regular cross-platform information sharing. This work is essential to our broader work developing resources and identifying new challenges to solve at the nexus between technology and terrorism. It allows GIFCT to deliver expert analysis to support our members to address and quickly adapt to adversarial shifts in the terrorist and violent extremist threat landscape. To that end, our academic network, the Global Network on Extremism and Technology (GNET), has published 12 research insights since October 7 on a range of pressing topics across the globe.

Since the October 7 attacks perpetrated by Hamas and the ongoing violence against Israeli and Palestinian civilians, GIFCT has worked with members and stakeholders to monitor the evolving conflict, and provide members with in-depth situational analysis, research, and bespoke knowledge products to support their teams.  In addition to continued work to respond to the conflict in Israel and Palestine, GIFCT and our members have also shared situational awareness about attacks or unrest in ten other countries across Europe, North America, Asia and North Africa, including attacks claimed by ISIS or racially and ethnically motivated groups and networks. Alongside this day-to-day work, we remain prepared for the ever-present possibility of the need to activate the CI or CIP level of our Incident Response Framework when content meets the agreed criteria.

As the terrorism and violent extremism threat landscape and collective international efforts to address them evolve, GIFCT will continue to work with our members, Independent Advisory Committee, partners, and stakeholders to deliver on our mission amidst the rapidly-evolving dynamics of the conflict and their broader impacts on terrorism and violent extremism online.