Update to GIFCT Statement on Halle Shooting

Oct. 17, 2019 by GIFCT


Update to GIFCT Statement on Halle Shooting:


Following the tragic shooting in Halle, Germany, on Wednesday October 9, the Global Internet Forum to Counter Terrorism (GIFCT) activated its new Content Incident Protocol (CIP) for the first time. With the aim of improving operations of the Protocol and providing more transparency into GIFCT activities generally, GIFCT is providing a timeline of its actions related to the attack in Halle.


The earliest communication among GIFCT founding members occurred at approximately 5:00AM PT on October 9 and individual GIFCT companies began platform-specific monitoring and enforcement operations. Early reports by eyewitnesses indicated the attacker wore a video camera which suggested the possibility of a recording or livestream of the attack, which could activate a CIP. This was confirmed at approximately 9:15AM PT when GIFCT became aware of the perpetrator’s video and that copies of the original livestream were circulating on non-GIFCT member platforms. By this time, the archived video on Twitch had been removed and the GIFCT Operational Board formally declared a CIP at 10:09AM PT. 


Declaring a CIP initiated several protocol-driven processes: 


1. Alerting all members of the GIFCT that an active CIP was underway

2. Uploading hashes of the attacker’s video, its derivatives, and other related content into the shared GIFCT hash database with a dedicated label to enable quick identification and ingestion by GIFCT member companies

3. Alerting the German government and Europol that an active CIP was underway 

4. Continuing communications among GIFCT founding members to identify and address risks and needs during the active CIP

5. Establishing the timing of a Situational Awareness Interval when GIFCT would be able to share some detail of the CIP with impacted governments


GIFCT formally concluded the Halle CIP at 8:17AM PT on October 10, following significant reductions of attempts to upload the content to member platforms. 


Overall, the content related to the attack in Halle was significantly less impactful online than content related to the attack in Christchurch, New Zealand on March 15, 2019. During the Halle CIP, we shared hashes, or digital fingerprints, related to 36 visually-distinct videos related to the attack via our collective database, far fewer variations than we saw during a similar period after the Christchurch attack. 


GIFCT deems this first live activation of the CIP to have been productive, but we have also identified areas for improvement. GIFCT is currently in a transitional phase, as it establishes itself as an independent NGO, and this incident will form a critical learning opportunity to improve the CIP process. We intend to streamline decision-making, step-up communications to various stakeholders, and ensure that our joint systems continue to improve. We will also include details of any CIPs activated over the course of a year within the GIFCT Annual Transparency Report, the first of which was released this past July. The GIFCT is committed to enacting concrete improvements through continued collaboration with government and civil society stakeholders in order to further our mission to prevent terrorists and violent extremists from exploiting our platforms and services.



First GIFCT statement on the shooting in Halle, Germany on October 9, 2019:

“Following the tragic shooting in Halle, Germany today, the Global Internet Forum to Counter Terrorism (GIFCT) has activated a Content Incident Protocol (CIP). We are actively removing perpetrator-created content related to the attack, hashing it and placing the hashes into a shared database for Hash Sharing Consortium members, to prevent its viral spread across our services. We are in close contact with each other and remain committed to disrupting the online spread of violent and extremist content.”