Content Incident Protocol

The Content Incident Protocol (CIP) is a process by which GIFCT member companies quickly become aware of, assess, and address potential content circulating online resulting from a offline terrorist or violent extremist event.

The GIFCT Content Incident Protocol (CIP) is activated when all four of the following conditions are met:


A real-world terrorist, violent extremist, or mass violence event;


Live-streamed or recorded video by perpetrator or accomplice;


Depicting murder or attempted murder;


Is being distributed on GIFCT member platforms or so broadly online that such distribution appears inevitable.

How does it work?

No one individual or organization can activate the Content Incident Protocol. Rather, the Protocol is based on the existence of content online relating to the terrorist or violent extremism event, and distribution of that content, including a live stream of murder or attempted murder produced by the attack’s perpetrator or an accomplice.

Once the GIFCT Operating Board declares a CIP, all hashes of an attacker’s video and other related content is shared in the GIFCT hash database for all other GIFCT member platforms to detect if the content is being shared on their respective platforms. Furthermore, communications and situational awareness updates are established among all GIFCT members to identify and address risks and needs during an active CIP.

A CIP is only activated after following a multi-step process that includes the formal decision to activate the Protocol. Following that decision, GIFCT works to communicate the decision, review content assets, and inform GIFCT member companies and relevant governments that content from the offline violent incident is manifesting online. A CIP formally concludes when GIFCT members can confirm that the volume of content, and the potential impact of such content, has noticeably decreased.

Following a CIP activation, a formal debriefing process is launched to review GIFCT and member company responses and to identify any areas for improvement.

How did it evolve?

During the CIP development process, drafts of the Protocol were shared and discussed with a range of stakeholders. The CIP was tested in a “controlled” environment in September 2019 during the first multi-stakeholder tabletop exercise at Europol HQ in The Hague, where tech industry representatives, European law enforcement authorities and third-party governments walked through a six-part, real-world scenario to determine applicability of both the CIP and the EU’s Crisis Response Protocol. The CIP was tested a second time in a similarly controlled environment at a workshop in Wellington, New Zealand, in December 2019. The CIP is a dynamic, “living” process that GIFCT continues to refine and evolve over time.

CIP Activations

The attacks in Christchurch, New Zealand in March 2019 initiated the creation and eventual launch of the CIP process. GIFCT has since activated the CIP  in response to six separate offline attacks where perpetrator content was shared on GIFCT member platforms.

Halle, Germany

The CIP was activated at 1:09pm EST on October 9, 2019 in response to a shooting in Halle, Germany. Read more

Glendale, Arizona, USA

The CIP was activated at 12:00pm EDT on May 20, 2020 in response to a shooting in Glendale, Arizona. Read more

Buffalo, New York, USA

The CIP was activated at 4:52pm EDT on May 14, 2022 in response to a shooting in Buffalo, New York. Read more

Memphis, Tennessee, USA

The CIP was activated at 9:06pm EDT on September 7, 2022 in response to a shooting in Memphis, Tennessee. Read more

Louisville, Kentucky, USA

The CIP was activated at 12:02 p.m. EDT on April 10, 2023 in response to a shooting in Louisville, Kentucky. Read more

Perry, Iowa, USA

The CIP was activated at 3:50 p.m. EST on January 4, 2024 in response to a mass violent event in Perry, Iowa. Read more

Levittown, Pennsylvania, USA

The CIP was activated at 00:41 EST on January 31, 2024 in response to a violent extremist event in Levittown, Pennsylvania. Read more