Already being discussed:
UK Biobank health data keeps ending up on GitHub
https://news.ycombinator.com/item?id=47875843
UK Biobank health data listed for sale in China, government confirms
https://news.ycombinator.com/item?id=47874732
One thing that struck me was, when you look through the board and the committees, it's full of scientists, finance people, doctors, academics. There's maybe a couple of technologists - ML, IT delivery.
If they've got anyone with a background in cyber security I can't see it.
https://www.ukbiobank.ac.uk/about-us/people-and-governance/
And then the CEO comes out with:
> We have never seen any evidence of any UK Biobank participant being re-identified by others.
This data contains sex and at least month and year of birth. I can't see any sensible security-oriented technical person coming out with a line like that.
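For a rough sense of why those fields matter, here's a back-of-envelope sketch (the bucket counts below are illustrative assumptions, not figures from the article): with ~500,000 participants, sex plus month and year of birth already partitions the cohort into fairly small groups, and each additional quasi-identifier shrinks them further toward unique individuals.

```python
# Rough re-identification sketch (illustrative assumptions: ~500,000
# participants, birth years spanning roughly 35 years of recruitment).
participants = 500_000
sexes = 2
months = 12
birth_years = 35

# Distinct (sex, birth month, birth year) combinations, and the average
# number of people sharing each one:
buckets = sexes * months * birth_years
avg_bucket = participants / buckets
print(f"{buckets} combinations, ~{avg_bucket:.0f} people per bucket")

# One more quasi-identifier (say, a hypothetical coarse region code with
# ~100 values) shrinks the average bucket to a handful of people:
regions = 100
avg_with_region = participants / (buckets * regions)
print(f"~{avg_with_region:.1f} people per bucket with a region code")
```

A ~6-person average bucket means many participants are already unique once you join against any outside dataset that shares those fields.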
In fairness, is this any worse than what Palantir will do with the whole country's NHS records? And they're being paid by the government to do it!
Both are bad
Palantir develops database software.
“Palantir is here to disrupt and make the institutions we partner with the very best in the world and, when it’s necessary, to scare enemies and on occasion kill them,” Karp said, with a smile on his face. The CEO added that he was very proud of the work his firm is doing and that he felt it was good for America. “I’m very happy to have you along for the journey,” he said. “We are crushing it. We are dedicating our company to the service of the West, and the United States of America, and we’re super-proud of the role we play, especially in places we can’t talk about.” [1]
[1] https://gizmodo.com/palantirs-billionaire-ceo-just-cant-stop...
Yes, that’s a bunch of bluster about database software.
No, Palantir is not a "database vendor", it's an intelligence company closely working with IOF in their ongoing genocidal efforts and with DHS with mass deportations.
I'd rather see Oracle than a ghoul openly supporting targeting civilians.
Doesn't Oracle (or at least Larry Ellison) openly support extermination of civilians too?
Not ordinarily, at least not anymore. They cancelled Project Beanstalk in the late 2010s, now relying on the legal system to extract perceived debts.
Never to that extent FWIR but I see your point. Yeah, Oracle is bad too.
… As part of an explicit, openly stated mission to reshape the global political order.
Palantir is indeed in many ways just a software vendor but we shouldn’t downplay that they have a much more explicit agenda than most other companies do in seeking government contracts.
Eh. I mean, the government will do what the government will do with the software it buys. We've just seen that with Anthropic. The US government wouldn't give contracts to Palantir if it seemed like its ideology didn't line up with US aims, and they wouldn't give contracts to other vendors if it seemed like their less ideological marketing meant they weren't aligned with US aims.
1) we’re talking about a UK government contract with Palantir
2) actually historically, and aspirationally, the US government isn’t supposed to be focused on ideological alignment of its vendors - the current government is anomalous and we shouldn’t normalize this.
Is allowing random malicious actors to buy health data worse than allowing NHS's own employees to interact with that data productively?
yes
Palantir may not be random but it's certainly a malicious actor
"certainly" is doing a lot of work here. I'm not "certain".
In fact the people I have spoken to who have worked on Palantir platform were deeply suspicious of their users treating data with respect, and so built security and immutable auditability as foundational tech.
Killing hundreds of children in Iran is certain.
The NHS does it so badly that they brought in Palantir.
... which provides software to help NHS personnel utilize their own data...
Yeah. The data vacuum whose CEO loves to talk about how effectively their software helps the US government kill people is exactly who should have unfettered access to extremely intimate details of many people’s existence, without their permission.
Good data infrastructure can be used for all sorts of things
If anything, the fact the US IC, DOD, NIH, and NHS trust the software with such sensitive and operationally critical data is positive signal
Do you believe these customers don't audit systems/processes that they put their data into?
Do you believe the organization that whoops-leaked 500k people’s intimate health data is capable of auditing any complex technical system? Are you asserting that Palantir is no different than any other infrastructure company? Do you think that my criticism would ever apply to the US IC or the DoD? Do you think there’s any way I would approve of the NHS or NIH using Palantir based on my earlier statements? Is there a reason you’re peppering me with tangential rhetorical questions, poking around the premise of what I said like a lawyer from Palantir taking a deposition while glibly dismissing what I actually said? Dispensing with the rhetorical questions, let’s get concrete: do you have a Palantir logo coffee mug? Pajamas? … briefs?
> Do you believe the organization that whoops-leaked 500k people’s intimate health data is capable of auditing any complex technical system?
Yes I believe that it's possible that an organization capable of effective auditing could also leak data
> Are you asserting that Palantir is no different than any other infrastructure company?
For the most part, yes. Palantir is more effective and more "ideological" than most, but in the direction away from your implication that they're vacuuming up data and mixing it across customers
> Do you think there’s any way I would approve of the NHS or NIH using Palantir based on my earlier statements?
No, but the question was whether facts or data adjust your opinion or not, and in which direction if so. Duping one mostly-competent organization on security/privacy posture is much, much harder than duping dozens or hundreds of organizations, including the most security-competent on the planet.
> Is there a reason you’re peppering me with tangential rhetorical questions sort of poking around the premise of what I said
Because the premise of what you said is wrong. The phrase "data vacuum" is clearly meant to imply a fact pattern that just isn't true. The term "unfettered access" is not true either, as data infrastructure companies (Palantir more than most) have significant controls on their exposure to customer data.
The overall implication that people's UK health data would be somehow mixed into a US government effort to kill people is laughably wrong when you actually have to write it out explicitly instead of relying on nudge nudge wink wink.
And yes I do have a Palantir mug actually! Good guess.
Let's get concrete: have you ever actually used Palantir? Ever engaged in contract negotiations with them or set up their access controls on your own data to understand what is or is not allowed, and to what degree you have visibility and control into it?
Sorry buddy but it's you who's speaking in baseless rhetoric here.
Well, one is a thing that has happened, and one is a thing that hasn't happened.
> In fairness, is this any worse than what Palantir will do with the whole countries NHS records?
I don’t get this trend of seeing bad thing happen and then commenting that other bad thing exists and therefore “in fairness” we should downplay it.
Bad things are bad. Comparing them to other things we don’t like doesn’t make them less bad. I don’t like Palantir either but they’re not intentionally leaking health details so this comparison doesn’t even make any sense.
> they’re not intentionally leaking health details
To many, they are. They're leaking information that was entrusted to the NHS into their own databases.
The fact that it's being done under government contract and (arguably) within the law shouldn't immediately make it any less bad.
> The fact that it's being done under government contract and (arguably) within the law shouldn't immediately make it any less bad.
Of course it should, to say otherwise is absurd
what, the NHS shouldn't have _any_ subcontracting? All data must only be held by sacred NHS monks in a vault somewhere?
As long as Palantir are holding the data on UK servers, to modern data security standards, and they have a contract to do so, they should be able to
No, they should not, since we already know that the contract won't stop them from using that data for other purposes and other governments. A government should act in the interest of its own citizens, first and foremost, and not pretend to believe a pinky swear by a notoriously bad actor.
Why do you trust the UK government won’t do the same?
That's a catch 22, I mean they literally are using the contractor... So yeah, they're effectively doing it.
The point was that they shouldn't use contractors and keep their citizens data private. Whenever they don't do that... that's an issue. Hence the critique.
That was the norm for some time, it's just being eroded over the years and is basically entirely gone at this point
Not just in the UK for that matter...
Why subcontract with public money to a private for-profit enterprise whose main goal is not the public good?
“In fairness, this pot of water was already uncomfortably hot before [latest development] raised the temperature another few degrees closer to boiling.”
…says a happy frog who will be as cooked as everyone else.
There isn't much difference between giving this data to 20,000 researchers all over the world and simply publishing the data on the web.
I personally would like data like this to simply be published, together with a law that says using the data to make personalized decisions affecting those individuals is punishable with life in prison.
Basically, this data is 'opensource', but not for use to decide insurance premiums, job offers, or the contents of news articles.
I can't wait for this to be used for assassination by peanut.
“We didn’t make a decision based on that.” Done and dusted?
Or shift the onus of proof onto the decision-maker: if your decision didn't come with proof that the data wasn't used, the party making the decision can be sued for it.
Like a clean room implementation requirement.
Which would be fine if that's what the people who gave their data over agreed to.
> together with a law that says using the data to make personalized decisions affecting those individuals is punishable with life in prison.
This works well in theory but is basically unenforceable. It's barely possible, if possible at all, to audit how FB or google make ad targeting decisions - but once stuff gets into the fragmented ecosystem of data brokers and market intelligence consultancies all hope is lost.
To say nothing of state actors, like countries who might deny you a visa based on adverse medical info or otherwise use your information against you.
well you just articulated the difference
licensing it to researchers allows you to create, monitor, and enforce policies like the one you describe
stealing it does not
> There isn't much difference between giving this data to 20,000 researchers all over the world and simply publishing the data on the web.
As a researcher who regularly deals with such data, there is a MASSIVE difference. Yes, I have access to the data, but I am restricted in how it can be stored (no cloud), what I can and can't do with it, and for some of it I'm even mandated to destroy it once the research project is over. I have the informed consent of every participant, some of whom withdrew halfway through the collection without any penalty to them. I also don't need a new law because I'm already bound by existing ones, by the contract I signed when I joined, and by the confidentiality agreement I signed when the project started. While I don't know that the leaker(s) will be identified, the existence of the leaked data itself already calls for legal action while giving a starting point for investigation.
Your suggestion, on the other hand, seems to be "let's put this data out there without people's consent and make companies pinky promise that they won't use it in their black boxes in a way that's virtually impossible to detect or prosecute". Those two things are definitely not equivalent.
I am not arguing either way, but I think you missed the point.
When you give access to O(20000) people, you have a 1 - 0.9999^20000 (high) probability that it will leak anyway (either 1 in 20,000 people not following the rules, or just the accident/attack surface area).
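The arithmetic in that estimate is easy to check. A quick sketch, taking the comment's own figures (20,000 access-holders, each independently leaking with probability 1 in 10,000):

```python
import math

# Probability that at least one of n independent access-holders leaks,
# using the figures from the comment above (n = 20,000, p = 1/10,000).
n = 20_000
p = 0.0001

p_any_leak = 1 - (1 - p) ** n
print(f"P(at least one leak) = {p_any_leak:.3f}")

# For small p this is well approximated by the Poisson limit 1 - e^(-n*p):
approx = 1 - math.exp(-n * p)
print(f"Approximation: {approx:.3f}")
```

Both come out around 0.86, so even a very conservative per-person leak rate makes a leak more likely than not at that scale.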
The web is global, UK law certainly isn't.
Related: https://news.ycombinator.com/item?id=47875843 “UK Biobank health data keeps ending up on GitHub”
Extremely related: my red string on the wall points to this being the source of the data leak, rather than the latest heist by an Ocean's crew.
Given the whack-a-mole takedowns, it's pretty clear everyone involved knew what was going on.
"Access this article for 1 day for: £50 / $60 / €56 (excludes VAT)"
Man, the scientific publishing cartel is something else. Note that the author will generally get exactly £0 / $0 / €0 for their text.
The general public tried over and over and over to reject the collection of such data in the first place. At every opportunity they rejected it. But the people who wanted the data just took it anyway, and when the predictable and predicted bad thing happens, nobody will be punished for it.
Would this have been prevented by the Trusted Research Environment stuff Ben Goldacre always used to talk about?
Just tell me how I check my name
How can the fulltext be accessed?
In the same way as the "UK Biobank" software accesses it.
I honestly think health data should be public by default to any health researcher. We should do whatever we can to solve disease and live forever. Privacy be damned, I want life.
> Data for sale included people’s gender, age, month and year of birth, socioeconomic status, lifestyle habits, mental health, self-reported medical history, cognitive function, and physical measures.
If this is not traceable back to individuals, it would probably be good to make it public. But I assume the UK Biobank only gives access to trusted partners since, as we know in our 'data analytics' day and age, with enough general data quantity you can trace back anything to anyone if you have the resources. And the capitalist-surveillance economy certainly provides the profit motive.
I want to get my DNA digitized so I can do all sorts of health stuff for myself, but finding a place that won't leak my data is troublesome. 23andme is right out.
Buy a desktop sequencer?
https://nanoporetech.com/products/sequence/minion
Great suggestion. Thank you for sharing!
I have the same sentiment as OP, but for me the main benefit of a company doing it is the analysis that comes with it.
If we are censoring our daily activities and major life decisions like healthcare due to the data economy, then it is making us less free. But who knows how many generations will pass before a solution shows up. We would need representatives who act collectively towards motives beyond profits.
https://sequencing.com/our-difference/privacy-forever seems the best choice these days.
I can believe the company does their best to keep the records private.
...until they're inevitably sold.
Similar to https://xcancel.com/SethSHowes ~10k budget based on a MinION sequencer. (Edit: his dedicated project page https://iwantosequencemygenomeathome.com/ )
But once your data has been digitized, even if it is under your control, the likelihood that it gets leaked is still high. Especially now with AI agents running everywhere, or people just asking AI services for medical advice.
Today the choice for advice is between low-quality local AI advice and higher-quality advice where you lose control of your data; the rational choice is probably losing your data control, even if it will almost certainly come back to bite you.
That kind of data should be public anyways.
Yeah, as long as all 500,000 people in the data set agreed for it to be public, then that's fine. But how do we verify that?
They're on the list, their information is out there. Isn't that what 'opt in' means?
That's quite an... astonishing* take.
If I leak medical information you confidentially shared with your doctor, does that mean you're okay with it because you opted in?
Or do the scope and details not matter for others' data, but only for yours?
*I have a much better word but I guess I shouldn't say it.
When I signed up as a volunteer they assured me it was not going to be public; only vetted researchers would be allowed to access it.
But it's nonconsensual, contrary to the laws and contract.
Should or shouldn't in general, but THIS one database shouldn't.
Gonna wager the US government is the first to purchase
I thought we pay them to have it via Palantir contracts or something?
I think it is google that we pay to backdoor the data
The US has over 70 million on Medicare, why would they care about 500K brits?