Get in Touch

    Follow us

    Content Incident Protocol

    The Content Incident Protocol (CIP) is a process by which GIFCT member companies quickly become aware of, assess, and address potential content circulating online resulting from a offline terrorist or violent extremist event.

    The GIFCT Content Incident Protocol (CIP) is activated when all four of the following conditions are met:

    1.

    A real-world terrorist, violent extremist, or mass violence event;

    2.

    Has been recorded or broadcast via livestream;

    3.

    Depicting murder or attempted murder;

    4.

    Is being distributed on GIFCT member platforms or so broadly online that such distribution appears inevitable.

    How does it work?

    No one individual or organization can activate the Content Incident Protocol. Rather, the protocol is based on the existence of content online relating to the terrorist or violent extremism event, and distribution of that content, including a live stream of murder or attempted murder produced by the attack’s perpetrator or an accomplice.

    Once the GIFCT Operating Board declares a CIP, all hashes of an attacker’s video and other related content is shared in the GIFCT hash database for all other GIFCT member platforms to detect if the content is being shared on their respective platforms. Furthermore, communications and situational awareness updates are established among all GIFCT members to identify and address risks and needs during an active CIP.

    A CIP is only activated after following a multi-step process that includes the formal decision to activate the CIP. Following that decision, GIFCT works to communicate the decision, review content assets, and inform GIFCT member companies and relevant governments that content from the offline violent incident is manifesting online. A CIP formally concludes when GIFCT members can confirm that the volume of content, and the potential impact of such content, has noticeably decreased.

    Following a CIP activation, a formal debriefing process is launched to review GIFCT and member company responses and to identify any areas for improvement.

    How did it evolve?

    During the CIP development process, drafts of this protocol were shared and discussed with a range of stakeholders. The CIP was tested in a “controlled” environment in September 2019 during the first multi-stakeholder tabletop exercise at Europol HQ in The Hague, where tech industry representatives, European law enforcement authorities and third-party governments walked through a six-part, real-world scenario to determine applicability of both the CIP and the EU’s Crisis Response Protocol. The CIP was tested a second time in a similarly controlled environment at a workshop in Wellington, New Zealand, in December 2019. The CIP is a dynamic, “living” process that the GIFCT continues to refine and evolve over time.

    CIP Declarations

    The attacks in Christchurch, New Zealand in March 2019 initiated the creation and eventual launch of the CIP process. GIFCT has since activated the CIP twice in response to two, separate offline attacks where perpetrator content was shared on GIFCT member platforms.

    Halle, Germany

    The first CIP was activated on 9 October 2019 following the shooting in Halle, Germany when the perpetrator filmed the attack and the livestream was circulated on GIFCT member platforms. Ultimately, GIFCT shared hashes from 36 visually-distinct videos from the attack so member platforms could detect and remove the content on their respective platforms.

    Glendale, Arizona

    The second CIP was activated on 20 May 2020 following the shooting in Glendale, Arizona. The attack met the criteria for CIP activation, which led to enhanced situational awareness updates among stakeholders and hash-sharing among GIFCT members.