Incident Response: CIP Activated in Response to Mass Violence Event in Perry, Iowa

Incident Response: CIP Activated in Response to Mass Violence Event in Perry, Iowa
4 January 2024 GIFCT
In News

Updated: January 9, 2024 at 14:30 EST

At 15:23 EST on January 5, 2024, the Global Internet Forum to Counter Terrorism (GIFCT) concluded its Content Incident Protocol (CIP) in response to the mass violence event in Perry (Iowa), United States.

Following the conclusion of the Content Incident Protocol, GIFCT is issuing the following summary of actions related to this event, in line with GIFCT’s Incident Response Framework:

  • At 15:50 EST on January 4, 2024, GIFCT activated the Content Incident Protocol (CIP) within its Incident Response Framework in response to a mass violence event in Perry, Iowa, US. (Please see original post below for more information on the criteria that activated the CIP).
  • GIFCT alerted all GIFCT member companies that the CIP had been activated. By this time, in line with our Incident Response Framework, communications were already underway between GIFCT and its members to share situational awareness about the offline violence in order to prepare for the potential that the event met the criteria to activate the CIP.
  • GIFCT also alerted the US government, key stakeholders, and partners, including GIFCT’s Independent Advisory Committee, that the CIP had been activated in response to the mass violence event.
  • GIFCT enabled GIFCT members to share hashes of the perpetrator-produced content depicting the attack, in video and image form.
  • Individual GIFCT members engaged in their own platform-specific enforcement operations, identifying and reviewing content in line with their respective terms of service, including instances of the content shared in a range of contexts.
  • At 15:23 EST on January 5, 2024, GIFCT concluded the CIP based on the time passed since the conclusion of the offline violent event and feedback from members on the level of attempts to upload new versions of the violating content on member platforms. New hashes of the perpetrator-produced content may be added to GIFCT’s hash-sharing database should member companies identify further versions of the content on their platforms.

At this time, we can provide the following information about hashes related to this event:

  • Between when GIFCT activated the CIP at 15:50 EST on January 4, 2024 and its conclusion at 15:23 EST on January 5, 2024, members added approximately seven hashes related to one distinct video and one distinct image to the GIFCT hash-sharing database.
    • What does this mean? GIFCT Members identified images and videos produced by the perpetrator relating to the attack, creating “digital fingerprints” of this content that were shared amongst members, allowing all member companies to quickly identify the same or similar content on their platforms. These included the original live-stream video, as well as images from the live-stream.
    • The number of hashes is not necessarily related to the virality or spread of content. For example, a single image or video can be shared an indefinite number of times, but may still result in only one hash being uploaded to the hash-sharing database. However, a small number of hashes created during a CIP is normally correlated with limited adversarial attempts to alter videos and images, which is what occurred for this event.
  • During the period of GIFCT’s activation of the CIP, copies of the live-streamed video were quickly identified and did not circulate widely on GIFCT member platforms.

Ongoing Work

After the conclusion of each CIP, GIFCT convenes multi-stakeholder debriefs with our members and global community to review the collective response and identify lessons and possible areas of improvement. This is an essential, final step in our operations when the Content Incident Protocol is activated.

For GIFCT and its members to further refine and strengthen our efforts, we continue to test our protocols and mature our Incident Response Framework through tabletop exercises, workshops, training sessions, and ongoing dialogue with our stakeholders in industry, government, and civil society.

The development of our Incidence Response Framework and the process of updating the hash-sharing database inclusion criteria have been informed by longstanding consultation with our critical multistakeholder community, including our Independent Advisory Committee. GIFCT is committed to transparency in this work and produces an annual Transparency Report to share the latest metrics and insights on the composition of the hash-sharing database.


 

First Published January 4, 2024  16:40 EST

At 15:50 p.m. Eastern Standard Time on Thursday, January 4, 2024, the Global Internet Forum to Counter Terrorism (GIFCT) activated the Content Incident Protocol (CIP) within its Incident Response Framework in response to a mass violence event in Perry, Iowa, United States.

The CIP was activated due to:

  • The existence of a live-streamed video of the mass violence event, apparently produced and distributed by the perpetrator,
  • The content depicting murder or attempted murder, and
  • The content appearing on multiple GIFCT member platforms.

As a result, hashes corresponding to the perpetrator-produced content depicting the attack, in video and image form, qualify to be added to the GIFCT hash-sharing database. This enables other GIFCT members to identify whether the same content has been shared on their platforms and address it in accordance with their respective platform policies.

As per our protocol, our key stakeholders have been notified. We will update this post to provide further updates as needed.