Incident Response: CIP Activated in Response to Violent Extremist Event in Eskişehir, Türkiye

13 August 2024 GIFCT

Updated: August 14, 2024 at 14:47 EST

Following the conclusion of the Content Incident Protocol, GIFCT is issuing the following summary of actions related to this event.

At 18:22 Eastern Daylight Time on August 12, 2024, the Global Internet Forum to Counter Terrorism (GIFCT) activated the Content Incident Protocol (CIP) within its Incident Response Framework in response to a stabbing in Eskişehir, Türkiye, and took the following steps:

  • Identified early reports of offline violence and perpetrator-produced online content present on member platforms. GIFCT contacted relevant member platforms on which the perpetrator-produced content was discovered, and began to assess the situation against our Incident Response Framework criteria.
  • Alerted all GIFCT member companies that the CIP had been activated. By this time, in line with our Incident Response Framework, communications were already underway between GIFCT and its member companies to share situational awareness about the offline violence in order to prepare for the potential that the event met the criteria to activate the CIP.
  • Enabled GIFCT members to share hashes of the perpetrator-produced content depicting the attack, in video and image form.
  • GIFCT members engaged in platform-specific enforcement operations, identifying and reviewing content in line with their respective terms of service, including instances of the content shared in a range of contexts.
  • GIFCT requested the support of the UN in relaying the information to the affected government (Türkiye), notified the Independent Advisory Committee, and alerted key partners, including The Christchurch Call, about the activation of the CIP.

At 13:43 EDT on August 13, 2024, GIFCT concluded the activated CIP based on the assessed conclusion of the offline violent event and feedback from members on the level of attempts to upload new versions of the violating content on member platforms. New hashes of the perpetrator-produced content may be added to GIFCT’s hash-sharing database as members identify and share them.

We can currently provide the following information from this event:

  • Between the activation of the CIP at 18:22 EDT on August 12, 2024 and its conclusion at 13:43 EDT on August 13, 2024, members added approximately 910 signals to the GIFCT hash-sharing database. These related to:
    • approximately 12 hashed images
    • approximately 897 hashed videos
    • approximately 1 hashed PDF

After concluding the CIP, GIFCT will convene multi-stakeholder debriefs with our members and community to review the steps taken as part of the response and identify lessons and improvements to be made.

Ongoing Work:

In order for GIFCT and its members to further refine and strengthen our efforts, we continue to test our protocols and mature our Incident Response Framework, including the CIP.

The Global Network on Extremism and Technology (GNET), the academic research network funded by GIFCT, has contributed insights in response to this attack and will continue to provide research from experts on issues and questions related to violent extremist behaviors and technologies.

Individual member companies will continue their own operational efforts in alignment with their terms of service despite the deactivation of this CIP. GIFCT is continuing collaborative efforts with member companies, and may consider seeking reactivation of this CIP if member companies report a substantial rise in the spread of the corresponding perpetrator-produced content.


First Published August 13, 2024 16:16 EST

At 18:22 ET on August 12, 2024, the Global Internet Forum to Counter Terrorism (GIFCT) activated its Content Incident Protocol (CIP) in response to the livestreamed stabbing attack in Eskişehir, Türkiye.

The CIP was activated based on information available at the time which met the criteria for activation of our Incident Response Framework, including the following:

  • The existence of a live-streamed video of the violent event, produced by the perpetrator, and related materials,
  • The content depicted violence during and from the attack, and
  • The content appeared on multiple GIFCT member platforms, and was broadly available online so that wider distribution appeared inevitable.

GIFCT member platforms have been alerted to the incident and can take action following their terms of service and platform policies. As a result of the CIP activation, hashes corresponding to the perpetrator-produced livestream content depicting the violent extremist event, in video and image form, qualify to be added to the GIFCT hash-sharing database. Versions of the perpetrator’s manifesto also qualify to be added to the database. This enables other GIFCT members to identify whether the same content has been shared on their platforms and address it in accordance with their respective platform policies.

As per our protocol, our key stakeholders have already been notified. We will update this post to provide further information as needed.