INCIDENT RESPONSE POLICY

This page contains a brief overview of Tech Against Terrorism's incident response processes and introduces a tiered response framework. These processes are subject to regular review and modification to best ensure maximum impact.

Aim

The aim of introducing our new criteria and framework is to ensure efficient and easily understood processes that can be clearly integrated and communicated with partners' own processes.

Defining an incident

Tech Against Terrorism considers an "incident" within scope of assessment as a terrorist or violent extremist attack with a significant online component.

Content within scope

Content within scope of an incident response includes, but is not limited to:

  • Livestreams depicting the attack
  • Manifestos relating to and justifying the attack 
  • Attacker-produced videos that justify or depict the attack. This includes pledges of allegiances to terrorist organisations or causes, and the reposting of this content by terrorist organisations and their online supporters.
  • Attacker-produced photos that depict victims and or incite further violence
  • Diaries that include planning or motivations for conducting the attack
  • Instructional material specific to the attack
  • Posts by the perpetrator online encouraging others to commit acts of violence

We will assess content against the scope listed above when material is detected via manual or automated methods, or alerted to the attack by other protocols or third-party sources such as alerting services and news organisations.

Bystander-produced content

Bystander-produced content will be assessed on a case-by-case basis, with a particular focus on the graphic or violent nature of the material, and the likelihood of this content being shared by supporters of the attack.

Criteria

Tech Against Terrorism will assess terrorist and violent extremist (TVE) produced content based on four criteria, which will guide our triage of potential incidents as they develop.

Virality: Virality refers to the rapid sharing of multimedia across multiple tech platforms. We will consider the range and size of platforms the content appears on, and the engagement it receives.

Extremity: Extremity refers to the nature of the content, such as extremely graphic depictions of violence. This is considered within the context of content that is likely to be shared based on "shock value".

Volume: Volume refers to the number of distinct pieces of attacker-produced content.

Contextual significance: Contextual significance informs our posture around a potential crisis. For example, attacker or bystander-produced content depicting an attack in a location or setting that is likely to contribute to greater levels of engagement and dissemination.

Response Tiers

We have developed a tiered response process to best ensure our response reflects the severity of an incident based on the criteria listed above. These three distinct tiers, in addition to routine monitoring, contain different actions.

The response tiers provide a framework that focuses on two key principles: providing a clear escalatory process and defining operational outputs. A clear process ensures that key partners and stakeholders understand where and how TAT is positioning itself in response to an incident at any point in time. Clear and well-defined operational outputs ensures that Tech Against Terrorism is postured to scale its response in proportion to the severity of incidents.

Slide1.jpg