The Content Incident Protocol (CIP) is a process by which GIFCT member companies quickly become aware of, assess, and address potential content circulating online resulting from a offline terrorist or violent extremist event.
The GIFCT Content Incident Protocol (CIP) is activated when all four of the following conditions are met:
How does it work?
No one individual or organization can activate the Content Incident Protocol. Rather, the Protocol is based on the existence of content online relating to the terrorist or violent extremism event, and distribution of that content, including a live stream of murder or attempted murder produced by the attack’s perpetrator or an accomplice.
Once the GIFCT Operating Board declares a CIP, all hashes of an attacker’s video and other related content is shared in the GIFCT hash database for all other GIFCT member platforms to detect if the content is being shared on their respective platforms. Furthermore, communications and situational awareness updates are established among all GIFCT members to identify and address risks and needs during an active CIP.
A CIP is only activated after following a multi-step process that includes the formal decision to activate the Protocol. Following that decision, GIFCT works to communicate the decision, review content assets, and inform GIFCT member companies and relevant governments that content from the offline violent incident is manifesting online. A CIP formally concludes when GIFCT members can confirm that the volume of content, and the potential impact of such content, has noticeably decreased.
Following a CIP activation, a formal debriefing process is launched to review GIFCT and member company responses and to identify any areas for improvement.
How did it evolve?
During the CIP development process, drafts of the Protocol were shared and discussed with a range of stakeholders. The CIP was tested in a “controlled” environment in September 2019 during the first multi-stakeholder tabletop exercise at Europol HQ in The Hague, where tech industry representatives, European law enforcement authorities and third-party governments walked through a six-part, real-world scenario to determine applicability of both the CIP and the EU’s Crisis Response Protocol. The CIP was tested a second time in a similarly controlled environment at a workshop in Wellington, New Zealand, in December 2019. The CIP is a dynamic, “living” process that GIFCT continues to refine and evolve over time.
The attacks in Christchurch, New Zealand in March 2019 initiated the creation and eventual launch of the CIP process. GIFCT has since activated the CIP in response to five separate offline attacks where perpetrator content was shared on GIFCT member platforms.
The CIP was activated at 1:09pm EST on October 9, 2019 in response to a shooting in Halle, Germany. Read more
Glendale, Arizona, USA
The CIP was activated at 12:00pm EDT on May 20, 2020 in response to a shooting in Glendale, Arizona. Read more
Buffalo, New York, USA
The CIP was activated at 4:52pm EDT on May 14, 2022 in response to a shooting in Buffalo, New York. Read more
Memphis, Tennessee, USA
The CIP was activated at 9:06pm EDT on September 7, 2022 in response to a shooting in Memphis, Tennessee. Read more
Louisville, Kentucky, USA
The CIP was activated at 12:02 p.m. EDT on April 10, 2023 in response to a shooting in Louisville, Kentucky. Read more