US surveillance company’s involvement with NHS is ‘crossing a red line’, warns civil liberties group

Jim Killock of the Open Rights Group (ORG) civil liberties organisation has warned The Canary that surveillance and analytics firm Palantir is “not a company you want handling sensitive personal data”. He says that Palantir is already “crossing a red line” by analysing NHS data as part of efforts to combat the coronavirus (Covid-19) pandemic.

Palantir is not permitted to use NHS data unless…

The British government has said in a statement that:

Palantir is a data processor, not a data controller, and cannot pass on or use the data for any wider purpose without the permission of NHS England

Palantir itself responded (sort of) to a list of 10 questions sent to it by Privacy International, Big Brother Watch, Foxglove, medConfidential, and ORG on 6 May 2020. In its response, the company said that “the NHS retains full ownership of NHS data and any analysis derived from this data”. It adds that “any access to customer data under any circumstances would be strictly at the direction of customers”. In this case, that would be the NHS.

A reply from NHSX (an NHS division specialising in digital innovation) confirmed that NHS England, NHS Digital, and NHSX will retain all intellectual property of the data.

But it’s unclear who within the NHS would need to give Palantir permission to access patient or other data, to what extent any such permission would be properly reported to the public, or whether the “permission” required is even technologically necessary for Palantir to gain access to or pass on NHS data.

Killock says that the “NHS should assume the temptation may exist” for Palantir to use its access to the NHS, now or in the future, in order to facilitate spying or blackmail of individuals and should “plan to make it impossible”.

Palantir’s long and sordid history

Killock also confirmed that Palantir’s history of targeting labour unions, journalists, and political organisations, as well as its links to the CIA, has strongly influenced ORG’s position on the company’s involvement with the NHS.

In 2013, investigative journalist Lee Fang explained that:

Palantir’s rise to prominence, now reportedly valued at $8 billion, came from initial investment from In-Q-Tel, the venture capital arm of the CIA, and close consultation with officials from the intelligence-gathering community, including disgraced retired admiral John Poindexter and Bryan Cunningham, a former adviser to Condoleezza Rice.

In 2010, Palantir, along with firms HBGary Federal and Berico, was solicited by the US Chamber of Commerce to target its critics. The group began “plotting a campaign of snooping on activists’ families and even using sophisticated hacking tools to break into computers”.

As Fang notes:

The tactics described in the proposals are illegal. However, there were no discussions in the leaked e-mails about the legality of using such tactics. Rather, the Chamber’s attorneys and the three contractors quibbled for weeks about how much to charge the Chamber for these hacking services. At one point, they demanded $2 million a month.

The risk of “vendor lock in” is very real

Killock says ORG’s current concerns include the “potential for vendor lock in – leading to simple profiteering”. This is “extremely easy to take place when people are rushing and failing to do due diligence on contracts”, as is currently happening during the coronavirus pandemic.

Killock warns The Canary that, as a result:

Palantir may become impossible to remove [from public service contracts], and increasingly [become] involved with personal data. They have already been granted access to ‘anonymised’ personal data – this is usually data that can be relinked to people in practice, so already promises that they wouldn’t handle personal data have been broken

Palantir’s involvement in government comes amid wider concern that for-profit organisations with links to the national security state are getting contracts with the NHS and Department of Health and Social Care (DHSC). Former Labour leader Jeremy Corbyn recently argued that for-profit multinationals like Serco and G4S (both with notable histories of poor performance and associations with human rights violations) should not be getting government contracts like the coronavirus track and trace programme.

NHSX responds to concerns

The Canary contacted NHSX and asked about the nature of its relationship with Palantir and the appropriateness of such a company – which has been implicated in human rights abuses – handling NHS data.

A spokesperson for NHSX told The Canary:

To help us confront the unprecedented challenge from Coronavirus, ministers and health leaders need access to real-time information about health services, showing where demand is rising and where critical equipment needs to be deployed.

Strict data protection rules apply to everyone involved in helping in this critical task. The companies involved do not control the data and are not permitted to use or share it for their own purposes.

At the end of the Coronavirus public health emergency their work will either be deleted or returned to the NHS.

‘Surveillance firms have no place in handling sensitive data’

Killock’s position is clear:

when personal data is handled, [Palantir] should be excluded while they have a surveillance business, in much the same way as companies like Lockheed Martin which sell surveillance tech as well as business tech must be treated with caution.

“Even if the companies could be trusted,” Killock said, “there is a huge issue of public perception.”

Palantir failed to respond to repeated requests for comment.

Feature image via EFF/Wikimedia Commons

Comments

1. Nothing’s off the table with Big Brother. Not even a Global Pandemic.
   I for one won’t be uploading that app. It’s pointless anyway. Unscrupulous employers will pressure their staff into lying about any symptoms, or ignore warnings, so as not to affect their profits.

2. A couple of years ago NHS Patients were asked if they wanted an ‘OPTOUT’ for Digitalisation of Patients’ Health Records. The Records were going on a NHS Computer system enabling GPs and NHS Hospitals all over the UK to access records in case of Car Accidents etc. The NHS National Patients’ Records Database was given to an American Company, who completely screwed it up and the Database was shelved. The DVLA Vehicle Licensing body at Swansea have been selling UK Motorists’ Data to Crooked Car-Parking Companies for years, in direct breach of Data Protection Laws.
