Updated: May 21, 2025 at 14:33 EST
Following the conclusion of the Content Incident Protocol, GIFCT is issuing the following summary of actions related to this event.
At 10:13 Eastern Daylight Time on May 20, 2025, the Global Internet Forum to Counter Terrorism (GIFCT) activated the Content Incident Protocol (CIP) within its Incident Response Framework in response to a stabbing attack in Pirkkala, Finland, and took the following steps:
- Identified early reports of offline-violence and perpetrator-produced online content present on member platforms. GIFCT contacted relevant member platforms on which the perpetrator-produced content was discovered, and began to assess the situation against our Incident Response Framework criteria.
- Alerted all GIFCT member companies that the CIP had been activated. By this time, in line with our Incident Response Framework, communications were already underway between GIFCT and its member companies to share situational awareness about the offline violence in order to prepare for the potential that the event met the criteria to activate the CIP.
- Enabled GIFCT members to share hashes of the perpetrator-produced content depicting the attack and the perpetrator’s published manifesto.
- GIFCT members engaged in platform-specific enforcement operations, identifying and reviewing content in line with their respective terms of service, including instances of the content shared in a range of contexts.
- GIFCT notified the affected government (Finland), notified the Independent Advisory Committee, and alerted key partners, including the European Union Internet Forum and Europol, about the activation of the CIP.
At 12:39 EDT on May 21, 2025, GIFCT concluded the activated CIP based on the assessed conclusion of the offline violent event and feedback from members on the level of attempts to upload new versions of the violating content on member platforms. New hashes of the perpetrator-produced content may be added to GIFCT’s hash-sharing database as members identify and share them.
We can currently provide the following information from this event:
- Between when GIFCT activated the CIP at 10:13 EDT on May 20, 2025 and its conclusion at 12:39 EDT on May 21, 2025, members added 53 signals, all of which were hashes of video content, to the GIFCT hash-sharing database.
After concluding the CIP, GIFCT will convene multi-stakeholder debriefs with our members and community to review the steps taken as part of the response and identify lessons and improvements to be made. Our thoughts remain with the victims and affected communities.
Ongoing Work:
In order for GIFCT and its members to further refine and strengthen our efforts, we continue to test our protocols and mature our Incident Response Framework, including the CIP.
The Global Network on Extremism and Technology (GNET), the academic research network funded by GIFCT, will contribute insights in response to this attack and will continue to provide research from experts on issues and questions related to violent extremist behaviors and technologies.
Individual member companies will still continue their own operational efforts in alignment with their terms of service despite the deactivation of this CIP. GIFCT is continuing collaborative efforts with member companies, and may consider seeking reactivation of this CIP if member companies report a substantial rise in the spread of the corresponding perpetrator-produced content.
First Published May 20, 2025 11:26 EST
At 10:13 EDT on May 20th, 2025, the Global Internet Forum to Counter Terrorism (GIFCT) activated its Content Incident Protocol (CIP) in response to the stabbing attack in Pirkkala, Finland.
The CIP was activated based on information available at the time, which met the criteria for activation of our Incident Response Framework, including the following:
- The existence of a video of the violent event, produced by the perpetrator, and related materials,
- The content depicted attempted murder, and
- The content appeared on multiple GIFCT member platforms, and was broadly available online so that wider distribution appeared inevitable.
GIFCT member platforms have been alerted to the incident and can take action following their terms of service and platform policies. As a result of the CIP activation, hashes corresponding to the perpetrator-produced livestream content depicting the violent extremist event, in video and image form, qualify to be added to the GIFCT hash-sharing database. Versions of the perpetrator’s manifesto also qualify to be added to the database. This enables other GIFCT members to identify whether the same content has been shared on their platforms and address it in accordance with their respective platform policies.
As per our protocol, our key stakeholders have already been notified. We are working with our members and partners to monitor developments, and we will update this post to provide further information as needed. Our thoughts are with the victims and affected communities at this time.
