Headline could use some help, dang, it's really not representative of the full story:
"The contract, known as a data-sharing agreement, was published Friday by politics website OpenDemocracy and law firm Foxglove alongside similar contracts with Google, Microsoft, and U.K. AI start-up Faculty."
"The contracts show Palantir charged only £1 ($1.27) for use of its Foundry data management software while Google offered “technical, advisory and other support” for free."
This is about a lot more than just Palantir. And the NHS has been in hot water for handing out sensitive patient data to tech firms before. :/
They teach you in Project Management in UK universities that one of the biggest IT failures was this project by NHS. Nobody tells you that they've replaced these failures with a £1 data-dumping contract to a dodgy company.
No matter how usable and helpful the software is for the front line workers, the fact remains that Palantir has extensive access to the medical and according to the article also criminal history of everyone in the UK.
Who can promise that there are no side channels to the USA or no covert exfiltration using "backups" or "integration systems"?
Because the NHS is about to be sold off as part of Brexit, and they can profit hugely from a slice of that action, while pretending they followed the rules until Brexit was completed.
The removal of EU legislation from British law and the UK-US trade deal. With the US demanding it's healthcare and pharma unfettered access to the NHS on terms equivalent to current US not UK standards. The UK is not, technically, slapping a FOR SALE sign on the NHS they've just put themselves in a position where pretty much anyone and everyone can demand a slice. Of course this assumes that the current gonverment doesn't view the NHS as an asset to be strip mined which I'm damn sure they do.
> With the US demanding it's healthcare and pharma unfettered access to the NHS on terms equivalent to current US not UK standards.
They already have that. Read the Lansley reforms. They mostly don't take it up because they can't afford to run healthcare for the pittance paid by UK government, but there are large bits of the NHS run by non-NHS providers. See for example Priory Group or Cygnet Health Care.
It seems that data-related crimes and oversights ("oops we've been hacked") are generally not being punished adequately. It's just data, right? No one got hurt. I have never heard of CEOs going to jail over any of the data breaches and abuses that are reported all the time. So I'd say the risk they'd face by "breaking trust" is fairly minimal.
And, actually tracing back how a machine learning algorithm might have gobbled up this data, to be used in 5 years in a way that no one can predict, is not easy either.
This is plainly a bad-faith question, because it assumes ethics and lasting consequences for bad behaviour. Two things we have seen absolutely no proof of in real life recently (or ever really, when it comes to corporations), rather the opposite is true.
Actually good question, I would like to know how these requests are handled post Brexit. Do A.13 GDPR requests still have to be honoured by the UK up to the Brexit date forever?
GDPR is still in force until the end of the transition period (I think Dec 31). What will change after then, who knows? I don't think I've seen anything coherent on any front from the government at this point.
This is the case for many EU laws - depending on the area [0], laws agreed upon in Brussels don't actually mean anything on their own, but member countries are required to write them into their own law. After Brexit happens such laws will still apply, as they have been written into UK law.
Until it is amended or repealed, all European law is brought into UK law through the European Union (Withdrawal) Act 2018. (Formerly, it was brought in through the European Communities Act.)
In English Law (and in many other jurisdictions) it's only a legal contract if "consideration" is given by both parties; i.e. Palantir here must charge something in return for it to be an enforceable contract.
The UK is still under EU law, as they haven't fully exited yet.
The citizens would still have to agree to allowing their personal data to be processed by third-parties and consent for their data to be processed outside the EU.
Is there any evidence that this consent was given?
The UK government may try to wiggle out of it by using the GDPR exemptions related to research and/or national security https://gdpr-info.eu/art-23-gdpr/
I think many people talk about it but from a different context. The NHS is being de-funded by the same politicians whose friends benefit from these deals. Hard to hire competent people when your budget keeps getting cut.
That comes out to $2k/year/UK resident which is amazingly low I'd say. Staff are also limited to 1% salary increase per year since 2010 which is below inflation.
It seems it was between 1997 and 2003 where spending on the NHS began to dramatically increase. I'm not sure it's fair to say that between 1950 and 1997 that it's growth was exponential.
Perhaps a more fair statement to make would be that demand for NHS services has seen a dramatic increase since 1997 and as a consequence it's budget has seen dramatic adjustments.
Total health spending in England was around £129 billion in 2018/19 and is expected to rise to nearly £134 billion by 2019/20, taking inflation into account.
That comes out to $2k/year/UK resident which is amazingly low I'd say. Staff are also limited to 1% salary increase per year since 2010 which is below inflation.
A little pedantic - England is not the UK and that budget quoted above was for England. The budget for all countries is larger, and England spends a bit less per citizen than Scotland, Wales and Northern Ireland.
https://fullfact.org/health/what-is-the-nhs-budget/
Fair point although England is by far the majority of the population so per capita spend only goes up 20%. Still not a very high number and near the bottom for G7 nations.
Yes, it’s a big difference.
I also noticed that the per capita spend is a fair bit higher in the UK when you exclude England, Northern Ireland in particular. This could be skewed to look more significant than it really is, because the economies of scale could be helping England.
Roughly 8% is spent on management which makes up 4% of the workforce. Which is significantly less than the private sector. That took me 60 seconds to Google btw.
I have worked extensively with the NHS and organisations who are attached to it. Part of the problem is that the NHS cannot pay market rates for developers, so they resort to contractors instead who are accounted for differently, and where the total cost is _much_ higher.
Of all the competent devs / data analysts in the UK, how many do you think actually want to work for GCHQ? I would have thought not very many, and yet plenty fo them do.
Can you suggest another job where you look through other people's emails? To paraphrase a great man, you underestimate how voyeuristic other people are.
The salaries aren't definitely not great compared with London...but they aren't terrible outside. I think the issue is that being a "dev" in the NHS is nothing like being an actual dev anywhere else. It is mostly about learning proprietary software, not development. So there are no real transferable skills (and ofc, NHS Trusts is always do "internal hires").
I have seen this in other businesses. They have huge IT departments but it is mostly about maintaining proprietary software (like SharePoint or whatever). The business then changed to a tech business and they have hundreds of IT people who have no useful skills (and the issue is management, in the NHS you have managers who are from the last century...no wonder Palantir rolled them).
(Somewhat ironically, one of these businesses actually employs a few top CS grads but they all work in the non-IT side of business...the issue is management in the UK not understanding what IT is for at a fundamental level).
The article text seems to indicate that Palantir was offering data analysis software/services to the British government for a nominal fee. It doesn't seem like NHS was selling the data, they just needed some services, and paying £1 was required to bind Palantir in a contract.
>" Sorry, they purchased it for £1? Now who's being "technically correct"? "
Palantir received one pound; the government paid Palantir for software. The title implies that the government was selling the data, but they were actually getting SaaS for a pittance.
Honestly that distinction had never even occurred to me—I was envisioning possible concern over giving access to sensitive personal information to a for-profit multinational.
The £1 deal is is not relevenat because I am sure people will be annoyed despite it being a free deal or one that costs thousands of pounds. The only thing that matters is whether the data privacy was ensured.
The token amount is just there in the contract to notarize on paper the NHS as the 'client' in the contract, because you anticipate this will be questioned as a dodgy deal.
I do not see in the contract uploaded that UK govt is sharing personal contact details as the article claims. Can someone see if this has actually happened or is CNBC exaggerating?
The data for use in model training is worth far more to Palantir. They can spin it as being nice and helping with COVID-19 but in reality Palantir couldn’t buy this data even if they wanted to... so they got the U.K. government to give it to them! Clever.
Just wait a year or two and you'll find that somebody with influence on the decision gets a well paid cushy job in the private sector. Perhaps one of those 200K-per-appearance type jobs as a "senior advisor" for a bank.
From my understanding Foundry (the Palantir product in question) is just a data management platform. I don't understand why this is so nefarious: they gave software they usually charge for to a public health agency for free.
Palantir already works with a a huge number government agencies is my point. They're basically a contracting firm. If they had charged the NHS at least a few hundred thousand pounds it wouldn't have been newsworthy.
Honestly borders to me on being de-facto undemocratic because I doubt a lot of British citizens are aware of this or that there has been any sort of meaningful consent given by patients to outsource their data to a foreign intelligence firm.
When it comes to how to solve this I really think we need to fundamentally rethink data ownership both on a legal as well at a technical level. I was recently reading up on Tim Berners-Lee's SOLID and I think something like that should be the default for all our data. We store our own healthcare data in something akin to a pod, when the NHS uses that data they get access to it granted by the patient in a way that puts formal limits on what they can do with it and how long they have access to it, and I as the patient have both the right and technical ability to revoke that access. We really need to push for data ownership and strong guarantees for data rather than this through the backdoor process of shoving private health data to unaccountable firms.
Maybe this is something where all these smart contract and decentralisation technologies can play a meaningful role rather than being primarily used for speculative currencies.
> in a way that puts formal limits on what they can do with it and how long they have access to it, and I as the patient have both the right and technical ability to revoke that access
If that's what SOLID is, its a scam and more of his DRM promotion. There is no technical way to "revoke my access." Unless you have a memory erasing implant in my brain, if the data gets onto my screen, I can copy it and access it forever. Period. Fuck Tim Berners-Lee.
Data use agreements often specify under what terms the data is held and destroyed. While people may still remember some data, the usual use case is large databases that can't be memorized. If someone revokes that data, that data would need to be removed from the database and all associated downstream copies. Failure to comply would open the door to legal penalties, which is the real stick.
Pseudo-patronage, or charity-software, it's the new model being pushed by GAFAM (and Palantir) in order to access to digital public services markets in the EU. It's quite certainly illegal though - procurement regulations, etc., but nobody seems to care, especially not in the local software industry. No wonder the EU are so much behind when it comes to digital industry. They don't even try to fight.
As far as I'm aware, Palantir is basically a SaaS data analytics provider for governments all over the world.
Why would any government consent to working with Palantir if they had any suspicion that their data might be used by US government clandestine agencies?
AWS do not have the legal right to use data in an RDS-managed database, and there would be hell to pay in terms of off-AWS migrations if they were ever found to be using customer data where they claim not to. Palantir is not a "cloud service" in the same way.
Structurally speaking, what mechanism prevents Amazon from being able to access RDS-managed customer data that doesn't prevent Palantir from doing the same?
As far as I'm aware, Palantir doesn't claim to share data between its customers. It works with governments all over the world — ostensibly this means that either Palantir agrees to not share its customers data with other customers, or every government is implicitly consenting to their citizens' data being accessed by every other government.
The UK is trusting an American national security-related firm with patient data, one that has to secretly accept any data access requests from the Americans. The UK should stick with their own companies for this sort of work - same for other countries
Disturbing. When you cannot even trust your own health-care system and government to even have the ambition to safeguard your sensitive data. What are citizens supposed to do? It’s tragic how democracy have been so deeply undermined by private interests. This is not how it was supposed to work. Truly a disgrace.
79 comments
[ 2.3 ms ] story [ 157 ms ] thread"The contract, known as a data-sharing agreement, was published Friday by politics website OpenDemocracy and law firm Foxglove alongside similar contracts with Google, Microsoft, and U.K. AI start-up Faculty."
"The contracts show Palantir charged only £1 ($1.27) for use of its Foundry data management software while Google offered “technical, advisory and other support” for free."
This is about a lot more than just Palantir. And the NHS has been in hot water for handing out sensitive patient data to tech firms before. :/
Without the perspective of someone who works in the NHS with Palantir's software, it's impossible to say if the NHS and the public got a good deal.
Who can promise that there are no side channels to the USA or no covert exfiltration using "backups" or "integration systems"?
In other cases, data has been outright sold: https://www.theguardian.com/politics/2019/dec/07/nhs-medical...
And what do you think why Palantir and the other offer their services for one pound?! It's all about that data. https://www.wired.co.uk/article/google-apple-amazon-nhs-heal...
They already have that. Read the Lansley reforms. They mostly don't take it up because they can't afford to run healthcare for the pittance paid by UK government, but there are large bits of the NHS run by non-NHS providers. See for example Priory Group or Cygnet Health Care.
They specifically do not. You consuming twitter bubble fake news doesn't make something true
And, actually tracing back how a machine learning algorithm might have gobbled up this data, to be used in 5 years in a way that no one can predict, is not easy either.
[0] https://ec.europa.eu/info/about-european-commission/what-eur...
http://www.legislation.gov.uk/ukpga/2018/16/crossheading/ret...
The citizens would still have to agree to allowing their personal data to be processed by third-parties and consent for their data to be processed outside the EU.
Is there any evidence that this consent was given?
Of all the competent devs / data analyst in the UK, how many do you think actually want to work at the NHS?
So lots of demand / need (healthcare is a mess in part because of data management via paper) and no supply / interest of talent.
https://i.imgur.com/iab51Zq.png
From OECD https://data.oecd.org/healthres/health-spending.htm
https://www.ifs.org.uk/uploads/images/election2017_images/bn...
https://www.ifs.org.uk/publications/9186
Perhaps a more fair statement to make would be that demand for NHS services has seen a dramatic increase since 1997 and as a consequence it's budget has seen dramatic adjustments.
Total health spending in England was around £129 billion in 2018/19 and is expected to rise to nearly £134 billion by 2019/20, taking inflation into account.
The salaries aren't definitely not great compared with London...but they aren't terrible outside. I think the issue is that being a "dev" in the NHS is nothing like being an actual dev anywhere else. It is mostly about learning proprietary software, not development. So there are no real transferable skills (and ofc, NHS Trusts is always do "internal hires").
I have seen this in other businesses. They have huge IT departments but it is mostly about maintaining proprietary software (like SharePoint or whatever). The business then changed to a tech business and they have hundreds of IT people who have no useful skills (and the issue is management, in the NHS you have managers who are from the last century...no wonder Palantir rolled them).
(Somewhat ironically, one of these businesses actually employs a few top CS grads but they all work in the non-IT side of business...the issue is management in the UK not understanding what IT is for at a fundamental level).
This title really seems like click-bait.
Palantir received one pound; the government paid Palantir for software. The title implies that the government was selling the data, but they were actually getting SaaS for a pittance.
No ambiguity there, although it doesn't adequately explain how that came about, but that's why there's an article.
When it comes to how to solve this I really think we need to fundamentally rethink data ownership both on a legal as well at a technical level. I was recently reading up on Tim Berners-Lee's SOLID and I think something like that should be the default for all our data. We store our own healthcare data in something akin to a pod, when the NHS uses that data they get access to it granted by the patient in a way that puts formal limits on what they can do with it and how long they have access to it, and I as the patient have both the right and technical ability to revoke that access. We really need to push for data ownership and strong guarantees for data rather than this through the backdoor process of shoving private health data to unaccountable firms.
Maybe this is something where all these smart contract and decentralisation technologies can play a meaningful role rather than being primarily used for speculative currencies.
If that's what SOLID is, its a scam and more of his DRM promotion. There is no technical way to "revoke my access." Unless you have a memory erasing implant in my brain, if the data gets onto my screen, I can copy it and access it forever. Period. Fuck Tim Berners-Lee.
Imagine for example, if the US or UK governments took corporate misuse of personal health data (https://www.theverge.com/2019/6/27/18760935/google-medical-d...) as seriously as they currently takes video copyright violations by individuals....
Is the argument against this that the NHS not be allowed to use any cloud infrastructure, and that everything ought to be on-premise?
Why would any government consent to working with Palantir if they had any suspicion that their data might be used by US government clandestine agencies?
As far as I'm aware, Palantir doesn't claim to share data between its customers. It works with governments all over the world — ostensibly this means that either Palantir agrees to not share its customers data with other customers, or every government is implicitly consenting to their citizens' data being accessed by every other government.