The U.K. government has systematically failed to provide transparency regarding the scope and nature of its partnership with U.S.-based surveillance and data analytics company Palantir, a joint investigation from digital rights groups Privacy International and No Tech For Tyrants has found.
In the report, published in late October, the watchdogs accuse the U.K. government of effectively stonewalling their attempts to access more information regarding contracts between the controversial firm and a number of government branches, including the Cabinet Office, Ministry of Defence, and police. Out of 11 Freedom of Information requests sent by the two organizations, the government has only responded to four in which they confirm the existence of contracts with Palantir but provide few details of what they actually entail.
“Palantir’s growing role in a range of UK government bodies, coupled with a lack of transparency from the government on what this role entails, means Palantir will have increasing access to data about people living in the UK, and the power to shape the processing and analysis of this data, with no accountability to the public,” they write in the report. “In other words, we often do not know what, if any, safeguards are in place to protect our data, and ensure that it is not misused.”
A lack of transparency is always problematic when governments decide to join forces with the private sector—this is especially the case with Palantir.
In the U.S., Palantir’s software has been weaponized to target vulnerable communities. The company has close ties to the US Department of Defence (DOD), numerous intelligence agencies including the Central Intelligence Agency (CIA), and perhaps most infamously, U.S. Immigration and Customs Enforcement (ICE). Last August, Palantir’s Falcon software played a critical role in a massive ICE raid targeting factories across Mississippi that led to the arrest of 680 undocument workers. Just a month before the raid, Motherboard obtained a user manual for the company’s Gotham software revealing how it is used by law enforcement to surveil and track people. And, to put the cherry on top, Palantir’s CEO doesn’t really seem to care that his company has done some pretty awful things.
Given this precedent, it’s alarming that Palantir software is being used by a U.K. security and law enforcement apparatus that in the past has been accused of human rights violations, engaged in illegal mass surveillance, and inappropriately accessed and profited off citizen’s personal data. Just as recently as this September, The Guardian revealed that the government had contracted Palantir to manage the country’s post-Brexit border and customs data.
“Given Palantir’s track record, understanding the technology infrastructure created by their partnership with the UK government is incredibly important,” Matt Mahmoudi, a member of No Tech for Tyrants and one of the authors of the report, told Motherboard over the phone. “I think there’s a very legitimitate fear that this infrastructure could be used to monitor and target vulnerable people domestically, or to offensively keep them at bay at the UK’s borders.”
The little that is publicly known is that Palantir has in the past at least signed contracts with: the Cabinet Office, the Ministry of Defence, some UK police departments, and the National Health Service. Yet, despite the fact that government departments are required by UK law (with some exceptions) to publish details of contracts within thirty days of awarding them, little to nothing is known about what they actually entail.
Out of these contracts, just two between the NHS and Palantir for the use of its Foundry data management software have been released publically. The first was only posted hours before legal proceedings from Open Democracy were set to begin. As pointed out in the report from PI and No Tech for Tyrants, in this initial contract Palantir is problematically granted permission to process data that “includes, but is not limited to […] personal details (including gender, nationality, place of birth)” and a number of other sensitive attributes, such as race, political affiliations, religious beliefs, and physical or mental health condition. Palantir also only charged the NHS £1 ($1.29) for using the software in the initial contract.
For Palantir’s contracts with the other departments and branches, we largely don’t know the specifics of what type of data is being used and for what purposes.
“One of my initial concerns with these contracts is what kind of personal data Palantir is being provided,” Quito Tsui, a human rights researcher and author of the report, told Motherboard. “In other words, the actual named categories. Are they getting data about nationality, race, ethnic origin, anything from asylum seekers? I think it’s clear from the US that data processed by Palantir is being used in very contentious ways on very vulnerable populations. So, even if there are some data protections, like anonymization for example, I’m still concerned about how aggregate data concerning categories such as nationality are being analyzed.”
Palantir did not respond to Motherboard’s request for comment.
Palantir’s Director of Privacy and Civil Liberties Courtney Bowman did, however, send a letter to Privacy International listing a set of objections to the report’s findings. Today, Privacy International uploaded an amended version of their report that includes both Palantir’s letter and their response. The letter is similar to others Palantir has sent to rights watchdogs in that it effectively nitpicks some of the report’s terminology without actually providing any substantive response to its main premise: that both they and the U.K. government have provided little meaningful transparency regarding what their partnership actually entails.
Palantir continually emphasizes (both in this letter and other public responses to privacy criticisms), for example, that under Europe's General Data Protection Regulation (GDPR) it’s classified as a “data processor”, meaning that it handles data at the discretion and instruction of the “data controller”—in this case the relevant government department—and that this data always remains the intellectual property of the controller.
It is true that legally Palantir is a data processor, but that doesn’t mean that the firm doesn’t seek to gain from the data they’re processing. That data, Privacy International and No Tech For Tyrants write in their response, “[…] could enable Palantir to experiment with, learn from, and improve the product’s ability to integrate with multifarious AI models, and to apply data transformation and normalisations in different ways.”
In the few Palantir contracts that have been made publicly available, the company has consistently used “improvement clauses” that essentially allow the firm to train their algorithms and statistical models on customer usage data. For example, in a 2019 contract with the United States Department of Defense cited in the report, Palantir is granted access to collect “analytics, statistics, metrics, or other usage data related to the Customer’s use of the Products […] to monitor, analyze, maintain, and improve the Products.”
Palantir’s letter argues that it is not “a largely ‘black box’ technology provider” because the report cites “numerous sources […] all offering extensive details on Palantir software capabilities, uses, and customers.” The reality is that much of what is known about Palantir has come from the persistent work of activists, journalists, researchers, and watchdogs. Much of this information has not been quickly handed over by government authorities, but rather painstakingly pried from their hands.
“The big word that has to be repeated over and over again here is transparency,” Caitlin Bishop, Campaigns Officer at Privacy International, told Motherboard over Zoom. “It’s incredibly frustrating to have to go through endless bouts with the government to gain access to information that the public is already entitled to. That’s not how the government is supposed to function. We don’t have the ability to actually scrutinize what governments are getting involved in, to know what problems they’re trying to solve, how they’re trying to solve them, and if they are even ‘problems’ in the first place. That is deeply problematic in a democratic society.”
With more than double the employees in its London office than either of its two U.S. offices, new contracts with Europol and some of Europe's largest corporations, and questionable meetings with top E.U. officials, the continent looks to be fertile ground for a company relentlessly looking to diversify its portfolio. It doesn’t seem like Palantir’s foray into Europe will be ending anytime soon.