woensdag 15 juli 2026

I investigated Palantir’s foothold in the British state – and what I found should worry us all

 


I investigated Palantir’s foothold in the British state – and what I found should worry us all

Peter Geoghegan

Paid-for political access and threadbare regulations have helped to embed the US tech firm in the NHS – and beyond. But there is a way to free ourselves

A

ndy Burnham faces a lot of big decisions. But one of the incoming prime minister’s biggest early tests is what he does about the world’s “scariest company” – Palantir. The US defence and surveillance tech behemoth has a swathe of British public contracts, including, most controversially, a £330m deal with the NHS. It’s pretty clear what many of Burnham’s new parliamentary colleagues want him to do: the science, innovation and technology committee says the government should ditch Palantir and its “clear mismatch with UK values”.

Peter Thiel and Alex Karp’s company is not without British backers. The Times and the Telegraph have been enthusiastic supporters. In the Financial Times last month former Conservative party adviser Camilla Cavendish accused Palantir’s critics of putting politics over progress: “To me, what matters is what works.”

But does Palantir work for Britain? Does the £330m federated data platform (FDP) live up to the claims of Palantir and NHS England? Has it delivered the much-vaunted digital revolution in our healthcare system?

These are questions my Democracy for Sale colleague Lucas Amin and I have been investigating for the past year. We spoke to NHS whistleblowers and Palantir staff, obtained confidential documents and unearthed new data. Our findings, published in the London Review of Books, raise serious questions about the efficacy of Palantir’s technology, about the approach of NHS senior leaders and about the lobbying that helped a Silicon Valley startup expand so quickly in Britain.

Let’s start with the most important part of Palantir’s British operation: the FDP. Built on the company’s Foundry software, the platform was sold as a generational chance to knit disparate data from hospitals, doctors, pharmacists and myriad other sites together into a coherent whole. You’d struggle to find anyone in the NHS who would oppose that.

NHS England cites impressive statistics for the FDP’s rollout since it launched in 2024. It says almost two-thirds of NHS trusts are “live” on Palantir’s software. Politicians and NHS leaders have hailed the FDP as a success. But drill a little deeper and you’ll find another story. Dozens of the trusts that NHS England says are using the FDP appear not to have logged into a single FDP app in the past year, according to internal usage data released under the Freedom of Information Act.

The Cancer 360 tool, which Keir Starmer lauded last year as “groundbreaking new technology” that would “slash treatment delays across the NHS”, was used by just six out of about 200 trusts in the nine months since it launched. (Palantir told us that the firm is merely a software provider: “How that software is used is controlled by the NHS trusts who use it.”)

Clinicians’ reluctance around using Palantir’s software is less ideological – although some object on this basis, too – and more practical: many trusts say that the FDP is slower and less effective than their existing technology. NHS analysts say it can take five minutes or more to run a basic query. As NHS Greater Manchester’s chief data officer told the health select committee last month: “We can match anything that the Palantir FDP can do.” Palantir says the FDP could not be compared “like for like” with other systems because of the “additional security” embedded in it.

In private briefings we obtained, senior NHS leaders went even further, complaining that Palantir’s software has a “poor user experience”. Kanthan Theivendran, an orthopaedic surgeon at a trust in Birmingham, stopped using Palantir’s flagship waiting-list app because he couldn’t edit the data: “It’s just a waste of time,” he told us.

The true cost of Palantir’s FDP is much greater than £330m. Individual trusts have been given as much as £3m each to encourage implementation. Consultancy giant KPMG was even given an £8.5m contract to push the FDP across the health service.

Among the biggest challenges is Palantir’s own software. Foundry is a proprietary product. Some NHS data analysts told us that all their work on the FDP would be lost if they no longer had access to Palantir’s platform. This raises concerns over what many experts call “vendor lock in”. Once you start using a Silicon Valley tech company’s product, it can be very hard to move off it – even if you are dissatisfied with the service. Vendor lock in is bad enough if you’re changing smartphones. But when the company that has all your data is working for Donald Trump’s ICE, the Israel Defense Forces and heralding the arrival of AI-fuelled global warfare, the problem is not inconvenience, it’s a national security issue.

So how did a Silicon Valley startup that counts the CIA’s investment arm as an early customer become so integral to the British state? The answer, in large part, is paid-for political access and threadbare regulations.

In 2018, Palantir hired Peter Mandelson’s lobbying firm Global Counsel to position it as “a respectable partner to the British government”. Global Counsel organised dinners for Palantir with policymakers and politicians but did not have to declare their client on official disclosures, as policy briefings are not classified as paid advocacy. As a former Global Counsel employee who worked on the Palantir contract told us: “You really have to fuck up to have to register somebody.”

Palantir was one of Global Counsel’s biggest clients, on a monthly retainer worth more than £30,000. The account was so sensitive it had an internal code name: Project Onion. When Starmer visited Washington DC with Mandelson last year he also met Karp and Palantir’s UK boss, Louis Mosley. (No 10 has repeatedly refused to say what they discussed.)

skip past newsletter promotion

Mandelson’s spectacular fall took Global Counsel with it – the company is now in administration – but has had little discernible impact on Palantir’s political access. Palantir now has had contracts with everyone from the Financial Conduct Authority to the Atomic Weapons Establishment. Last year, the Ministry of Defence signed a strategic partnership with Karp, agreeing to spend up to £750m on the firm’s defence technology over the next five years.

Palantir’s expansion into the British state has not been quiet. Its nefarious self-mythology guarantees headlines. Petitions against Palantir contracts have attracted about 230,000 signatures. Protests outside its London offices are frequent. But too often a crucial question goes unasked: is Palantir value for money for Britain? There are reasons to be sceptical. The Ministry of Housing, Communities and Local Government says it is now saving millions of pounds per year after ditching Palantir’s “confusing to use” software and switching to an in-house system.

The UK Statistics Authority is now investigating NHS England’s use of data in promoting the benefits of Palantir’s software. Even the Ministry of Defence has admitted that it is becoming “locked in” to Palantir’s software. Two separate select committees have now called on the government to exercise a “break clause” when the FDP comes up for renewal next year.

Palantir is failing even its supporters’ own test. As Cavendish says, what matters is what works – and it’s not working. Burnham has a break clause and every reason to use it. He should not waste the chance.




maandag 13 juli 2026

Joint Statement: Pegasus in the European Parliament, the EU Must Act Now

 




European Policy, Government Surveillance

Joint Statement: Pegasus in the European Parliament, the EU Must Act Now

CDT Europe is publishing a joint statement with civil society organisations and individual signatories calling on the EU institutions to regulate spyware technologies after the 2026 Citizen Lab revelations.

On 3 July 2026, a forensic analysis by the Citizen Lab revealed that Stelios Kouloglou, former Member of the European Parliament and investigative journalist, was targeted and infected with Pegasus spyware, developed by NSO Group, on or around 21 October 2022, and again on 6 and 7 March 2023. At the time, Kouloglou was serving as a substitute Member of the Parliament’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA Committee).

This revelation is especially alarming because of the specific institutional context in which the targeting occurred. A member of the very committee mandated to investigate spyware abuse in Europe was targeted during key moments of that inquiry, which raises grave concerns about the integrity of parliamentary oversight, the protection of independent institutions in line with separation of powers, and the ability of elected representatives to scrutinise state surveillance without intimidation or interference as part of a legitimate exercise of their duties.

While the Citizen Lab did not attribute the spyware attack to a particular government, they noted that there is no indication that the government of Greece, despite being connected to widespread spyware abuses with Predator spyware, was responsible for these attacks, or has ever been a Pegasus customer. Instead, their analysis suggests that a Pegasus customer previously investigated by the Citizen Lab and Access Now may be responsible for at least one of the infections. That customer was caught using Pegasus to hack exiled activists and journalists from Russia and Belarus. We are not aware of any evidence suggesting that either Russia or Belarus has been a Pegasus customer.

Nearly three years after the PEGA Committee adopted its report and recommendations, the European Union has failed to deliver a meaningful, EU-wide response to the proliferation and abuse of commercial spyware. Since then, the EU and Member States have been involved in repeated scandals: besides the spyware use against exiled journalists and activists in Latvia, Lithuania, and Poland; there was also the targeting of the President of the European Parliament with Predator spyware; the use of Graphite spyware in Italy against humanitarian workers and journalists; EU public money flowing to spyware companies; as well as a lack of enforcement of the dual-use regulation resulting in continued exports of surveillance technology from the EU to countries with serious records of human rights violations.

These incidents all point to a structural failure to adequately and seriously respond to the spyware crisis in Europe. This latest revelation should be treated as a rule of law emergency, threatening the very foundations of our society.

Europe cannot continue moving from scandal to scandal without consequence. The targeting of a Member of the European Parliament involved in investigating spyware abuse should mark a turning point. The EU must act now to defend independent oversight, protect fundamental rights, and ensure that spyware abuse in Europe is met with accountability, not impunity. We therefore call on:

  1. DG ITEC to conduct a full, independent, and impartial investigation into the hacking of Stelios Kouloglou to determine those responsible, establish all the relevant facts that led to the attacks, and launch an independent assessment of the full scope of the targeting of parliamentarians involved in oversight activities;
  2. The European Commission to urgently and publicly respond to the PEGA Committee recommendations, reporting on any implementation of said recommendations, identifying the gaps that remain, and setting out a roadmap for addressing the spyware crisis in the Union without further delays;
  3. Member States to guarantee effective remedies for victims, including access to evidence, independent investigations, notification where surveillance has occurred, and accountability for both state users and corporate actors; the European Commission should closely monitor the situation in that regard, ensuring compliance with EU legal standards, and use its enforcement powers against infringing Member States;
  4. The European Commission to ⁠strengthen enforcement of the EU Dual-Use Regulation and ensure that the upcoming evaluation of the Regulation fully reflects the findings of the PEGA Committee and subsequent spyware revelations; includes a comprehensive fundamental rights impact assessment; and is conducted with meaningful participation of civil society;
  5. Ensure that EU funds do not support companies involved in the development, sale, or deployment of spyware.

Read the statement here.

Signatories

Access Now

Alternatif BiliÅŸim

Amnesty International

AsociaÈ›ia pentru Tehnologie È™i Internet – ApTI

Balkan Free Media Initiative 

Bits of Freedom

Centre for Democracy and Technology Europe

Chaos Computer Club

Civil Liberties Union for Europe (Liberties)

Committee to Protect Journalists

Data Rights

Danes je nov dan, Inštitut za druga vprašanja

Digitale Gesellschaft (Germany)

epicenter.works – for digital rights

European Centre for Press and Media Freedom (ECPMF)

European Digital Rights (EDRi)

European Federation of Journalists (EFJ) / Fédération européenne des journalistes (FEJ)

First Department Human Rights Project

Homo Digitalis 

Human Constanta

Initiative für Netzfreiheit

Irídia – Centre for the Defence of Human Rights

IT-Pol Denmark

Media Diversity Institute

Osservatorio Nessuno OdV

Panoptykon Foundation

Privacy International

Privacy Network

Red Line for Gulf (RL4G)

Reporters Without Borders (RSF)

RESIDENT.NGO

SHARE Foundation

South East Europe Media Organisation (SEEMO)

SMEX (Lebanon)

Stay Connected Fundacja 

WHAT TO FIX

7amleh – The Arab Center for the Advancement of Social Media

Aleksei Fokin — Independent Threat Intelligence Researcher, FDC Threat Intelligence

Prof Fionnuala Ni Aolain, KC, University of Minnesota Law School, Former UN Special Rapporteur Counter-Terrorism on Human Rights and Counter Terrorism

Dmitrii Zair-Bek, Threat Intelligence Expert & Human Rights Defender