Tier 1: Threat to Life

We present here Tier 1 of the TCAP Tiered Alert System: Threat to Life (TTL). This policy governs how the TCAP alerts tech platforms and law enforcement to online content indicating a high threat to life.

Data collection for the Terrorist Content Analytics Platform (TCAP) requires a wide-range of open-source intelligence (OSINT) across a variety of tech platforms. This data collection is targeted towards locations where terrorists and violent extremists spread propaganda, communicate, and recruit. Throughout our investigations, there is a possibility of finding data which gives information about a potential threat to life.

This Threat to Life Policy guides our actions when an emergency incident occurs, by ensuring we have provisions in place to alert the appropriate authorities through the TCAP and mitigate the threat posed by online violent extremist content.

Our Threat to Life Policy is based on similar policies created by the UK Police and Home Office. The TCAP’s original function is to alert tech companies to terrorist content when we find it on their platforms. We aim to enhance the function of the TCAP as part of our crisis response workflow, to alert tech companies and law enforcement to incidences of threat to life and to crisis events.

How do we define a threat to life?

A threat to life can be considered as:

  • Real and immediate threat to a loss of life
  • Threat to cause serious harm
  • Threat of injury to another
  • Threat of serious sexual assault
  • Threat of rape

Levels of threat

LOW: Capability to do serious harm (e.g., access to weapons) assessed to be present, but no intent to cause serious harm (or any other TTL defined above).

MEDIUM: Intent assessed to be present, but no capability.

HIGH UNSPECIFIC: Both capability and intent to do serious harm assessed to be present. However, no specific information identified on the location, victim, or timeframe.

HIGH SPECIFIC: Both capability and intent to do serious harm assessed to be present. Specific information on one or more of the location, victim, or timeframe identified.

DOXXING: Doxxing is the publishing of private or identifying information about an individual on the internet, with malicious intent. If doxxing is identified, it should be carefully assessed for intent as well as capability to cause serious harm to the doxxed individual. If both are present, and the threat can be verified as original and recent, it will be alerted.

Assessing threat to life

TTL POLICY
Figure 1: Threat to life assessment workflow

Our assessment is based on considering the intent and capability of a potential attacker and collating intelligence to share with the appropriate law enforcement agencies based on the suspected location of the intended attack. Each threat to life will be considered as low, medium, or high, and is monitored for status change. We consider our ethical responsibility of reporting a threat to life as overriding the TCAP Inclusion Policy. While the Inclusion Policy may be used to support our report of a threat to life, association with a listed entity is not necessary for us to report a credible threat to life to authorities.

In the event of a potential, credible threat to life, we will inform UK law enforcement, any relevant law enforcement and intelligence agencies based on the suspected location of the intended attack, and continue to monitor the event. We will also ensure we keep an accurate archive of all relevant data, should it be needed.

In the event of the doxxing of a public figure alongside the intent and capability to cause that person harm, we will inform the relevant authorities, intelligence agencies, tech platform, and target. We will also continue to monitor the situation and escalate when necessary. Other instances of doxxing not meeting this threshold shall be reported to the relevant tech platform.

You can see our full Threat to Life Protocol above, showing the workflow progression and key decision-making involved in our assessments.

Alerting threat to life

TTL TCAP
Figure 2: Threat to life TCAP alerting workflow

LOW threat to life

  • No action necessary
  • Monitor for change

MEDIUM threat to life

  • Alert Tech Against Terrorism (TAT) management
  • Ensure accurate archiving of relevant data
  • Establish PoC (Point of Contact) with law enforcement agency (LEA)
  • Monitor for change
  • If change in capability escalate to HIGH threat

HIGH UNSPECIFIC threat to life

  • Alert TAT management
  • Ensure accurate archiving of relevant data
  • Establish PoC with LEA
  • Collate all information
  • Alert UK Police with email detailing relevant information and context (MANUAL)
  • Submit relevant URL(s) through TCAP, selecting Tier 1.1 (High unspecific TTL). This will allow user to select relevant tech platform and relevant jurisdiction for corresponding Law Enforcement Agency, reason for reporting, as well as additional screenshot(s). For unspecific threats where no location can be identified, UK Police should always be alerted.
  • TCAP will immediately hash, archive, and send alert
  • Continue to monitor for escalation to SPECIFIC TTL or CRISIS.

HIGH SPECIFIC threat to life

  • Alert TAT management
  • Ensure accurate archiving of relevant data
  • Establish PoC with LEA
  • Collate all information
  • Alert UK Police with email detailing relevant information and context (MANUAL)
  • Submit relevant URL(s) through TCAP, selecting Tier 1.2 (High specific TTL). This will allow user to select relevant tech platform and relevant jurisdiction for corresponding Law Enforcement Agency, reason for reporting, as well as additional screenshot(s). For specific threats where a location can be identified, select relevant jurisdiction on TCAP which will automatically send an email alert to the relevant LEA.
  • TCAP will immediately hash, archive, and send alert
  • Continue to monitor for escalation to CRISIS.

DOXXING

  • Doxxing is the publishing of private or identifying information about an individual on the internet, with malicious intent. If doxxing is identified, it should be carefully assessed for intent as well as capability to cause harm to the doxxed individual. If both are present, and the threat can be verified as original and recent:
  • Alert TAT management
  • Ensure accurate archiving of relevant data
  • Collate all information
  • Alert UK Police with email detailing relevant information and context (MANUAL)
  • Separately, alert the targeted individual by email with evidence, context, and advice (MANUAL)
  • Submit relevant URL to the TCAP, selecting Tier 1.3 (doxxing). This will allow user to select relevant tech platform and relevant jurisdiction for corresponding Law Enforcement Agency, reason for reporting, as well as additional screenshot(s). This will send a template email to the tech platform alerting them to the incident as well as tracking doxxing incidents in the TCAP.
  • TCAP will immediately hash, archive, and send alert
  • Continue to monitor for escalation to CRISIS

CRISIS

  • A crisis incident is a terrorist attack with a significant online dimension, such as the dissemination of a manifesto or a livestream by the attack perpetrator
  • When a TTL escalates to a crisis incident (where a TTL becomes an imminent/ongoing attack), relevant URLs (e.g. to manifesto/livestream) shall be alerted to platforms on TCAP through 2.1 (live crisis)

Additional alerting considerations:

A risk assessment should be made prior to alerting tech platforms to TTL content. This should consider:

  • Whether the relevant platform is hostile or likely operated by terrorists or violent extremists. These platforms should not be alerted.
  • Whether the removal of a user/channel by the relevant platform (due to alerting) will disrupt the monitoring of a potential escalation of the threat. We will consider advice of LEA POC.
  • The details and context of the post, for example whether it is an individual signalling intent to target an individual versus inciting others to carry out an attack. In the latter case, always alert.