4 hours ago
5
London, United Kingdom – Trust, once lost, is hard to claw back. For Palantir Technologies, a leading defence and intelligence software firm in the United States, the trust that the company established in the United Kingdom on a one-British-pound ($1.37) National Health Service (NHS) contract during the COVID-19 pandemic in March 2020 – which translated into a six-year relationship worth nearly 400 million pounds ($546m) – has recently eroded.
This has been accelerated in part by Palantir’s own conduct.
Recommended Stories
list of 4 items- list 1 of 4Blood tech: The UK ambassador, the sex offender, Palantir, and Gaza
- list 2 of 4‘Technofascism’: Critics accuse Palantir of pushing AI war doctrine
- list 3 of 4Technofacism? Why Palantir’s pro-West ‘manifesto’ has critics alarmed
- list 4 of 4Varoufakis on Palantir, AI warfare, and the rise of tech lordism
The company’s X account posted a 22-point manifesto recently that alarmed critics and prompted renewed questions about whether a company with such openly militaristic values is an appropriate steward of a health patient’s most sensitive data.
Among the points were calls for universal national military service and the advancement of “AI weapons”.
“Palantir is perceived as a defence contractor,” said Duncan McCann, the technology and data lead at legal campaign group the Good Law Project. “If they had just stayed in that lane, I think people might accept that. But a defence company has inherently different values than [a healthcare organisation like] the NHS, and that’s where I think this [concern] was created.”
What seemed like a long shot four or five months ago now feels within reach to McCann.
Opposition to Palantir’s 330-million-pound ($450m) flagship data programme named Federated Data Platform (FDP), which is used by the NHS, has shifted from a fringe activist concern to a serious governance dilemma for NHS England and the UK government more broadly.
Officials are now openly considering a 2027 break point for the contract.
On Monday, Palantir came under further scrutiny. The Financial Times reported that NHS England had allowed Palantir employees “unlimited” access to patient data, citing an internal briefing note.
Palantir’s origins are rooted in defence.
Its Gotham platform is used by intelligence, military, and policing communities around the world. Foundry, the company’s civilian solution, is what underpins the NHS’s FDP. Although they sound like different products, a 2020 review by Privacy International and No Tech For Tyrants found the two systems share the same Palantir DNA.
That shared architecture sits at the heart of a governance problem that critics argue has never been adequately addressed.
According to NHS England, Palantir “will only operate under the instruction of the NHS when processing data on the platform” and they “will not control the data in the platform, nor will they be permitted to access, use or share it for their own purposes”.
Palantir responded, stating that the company “in no way uses patient data, or any NHS data, for its own purposes. Palantir acts exclusively as a data processor under the instruction of the NHS”.
Palantir UK’s Charles Carlson told Al Jazeera. “On verification, auditors review our controls and our compliance with them, and we undergo multiple audits.”
He noted that “the customers themselves, aided by the NCSC [National Cyber Security Centre], do their own validation”.
While audits may show that Palantir follows industry standards for protecting data against unauthorised access and breach, observers have doubted the extent to which tech companies comply with the rules.
“We really wouldn’t know if Palantir was doing something nefarious [with NHS data],” said Eerke Boiten, a professor in cybersecurity and head of the School of Computer Science and Informatics at De Montfort University in Leicester. “But that’s the same with Microsoft, Google and other American tech companies involved in providing the NHS or anyone else with IT solutions.”
Boiten preaches “technical realism” and says these companies are so big, their products so complex and proprietary, that their customers must trust that they are not going to exploit the situation.
As a safeguard, a data protection impact assessment (DPIA) is required before processing sensitive personal data at this scale.
“You have to look into the DPIA and see that they are serious,” Boiten said. “Government should publish them to gain public confidence.”
‘A potential security risk’
Following legal pressure from the Good Law Project, NHS England released a less heavily redacted version of the FDP contract – but roughly 100 pages remain withheld, according to McCann.
Those pages relate specifically to the methodology by which patient data is pseudonymised before it enters the platform. This is the one element of the contract’s data protection framework that the public, parliament, and independent experts cannot scrutinise.
Everyone interviewed for this article agreed the FDP is broadly a good thing – and that alternatives exist.
Leaders at the NHS Greater Manchester integrated care board, which manages the commissioning and funding of healthcare services across that region, have spent six years building their own analytics platform without Palantir.
Analysts say the question is not whether the NHS can manage its data effectively, but whether it needs Palantir to do so.
“Palantir’s political leanings, expressed in their rhetoric, make them a potential security risk,” Boiten said.
One less-talked-about risk is the possible aggregation of data.
Palantir’s Foundry platform underpins contracts across at least 10 UK government departments, but the company rejects any assertion that it can aggregate these data sets.
“Each customer engagement with Palantir is contractually, operationally and technically distinct and walled off,” said Carlson from Palantir. He added that the company “does not transfer data among our customers for our own purposes”.
“Moreover,” he said, “it would be illegal for the government to share data in this way unless there are specific data-sharing agreements in place between the different government departments in question.”
Two senior Ministry of Defence systems engineers warned The Nerve in March that by aggregating data across different government datasets, Palantir could generate top-secret information from entirely unclassified sources.
For Sarah Simms, senior policy officer at Privacy International, such a risk and precedent have already been established by the company’s actions abroad.
“Trust is essential to delivering healthcare and the NHS,” she said. “People should be able to trust that their data is being handled securely and ethically. And if it isn’t, well, that could have a devastating impact on healthcare for everyone.”
