The 24 March, 2020 will be remembered by some for the news that Prince Charles tested positive for Covid and was isolating in Scotland. In Athens it was memorable as the day the traffic went silent. Twenty-four hours into a hard lockdown, Greeks were acclimatising to a new reality in which they had to send an SMS to the government in order to leave the house. As well as millions of text messages, the Greek government faced extraordinary dilemmas. The European Union’s most vulnerable economy, its oldest population along with Italy, and one of its weakest health systems faced the first wave of a pandemic that overwhelmed richer countries with fewer pensioners and stronger health provision. The carnage in Italy loomed large across the Adriatic.
One Greek who did go into the office that day was Kyriakos Pierrakakis, the minister for digital transformation, whose signature was inked in blue on an agreement with the US technology company, Palantir. The deal, which would not be revealed to the public for another nine months, gave one of the world’s most controversial tech companies access to vast amounts of personal data while offering its software to help Greece weather the Covid storm. The zero-cost agreement was not registered on the public procurement system, neither did the Greek government carry out a data impact assessment – the mandated check to see whether an agreement might violate privacy laws.
The questions that emerge in pandemic Greece echo those from across Europe during Covid and show Palantir extending into sectors from health to policing, aviation to commerce and even academia. A months-long joint investigation by the Guardian, Lighthouse Reports and Der Spiegel used freedom of information laws, official correspondence, confidential sources and reporting in multiple countries to piece together the European activities of one of the most secretive companies in the world. The findings raise serious questions over the way public agencies work with Palantir and whether its software can work within the bounds of European laws in the sensitive areas where it is being used, or perform in the way the company promises.
Greece was not the only country tempted by a Covid-related free trial. Palantir was already embedded in the NHS, where a no-bid contract valued at £1 was only revealed after data privacy campaigners threatened to take the UK government to court. When that trial period was over the cost of continuing with Palantir came in at £24m.
The company has also been contracted as part of the Netherlands’ Covid response and pitched at least four other European countries, as well as a clutch of EU agencies. The Palantir one-pager that Germany’s health ministry released after a freedom of information request described Europe as the company’s “focus of activities”.
Founded in California in 2003, Palantir may not have been cold-calling around European governments. It has, at times, had a uniquely powerful business development ally in the form of the US government.
On 23 March, the EU’s Centre for Disease Control (ECDC) received an email from their counterparts at the US CDC, extolling their work with Palantir and saying the company had asked for an introduction.
Palantir said it was normal practice for some of its “government customers to serve as reference for other prospective customers”. It said the ECDC turned down its invitation “out of concern of a risk of the contact being perceived as prejudicing ECDC’s independence”.
The Greek government has declined to say how it was introduced to Palantir. But there were senior-level links between Palantir, the Trump administration and the Greek government. The US ambassador to Greece, Geoffrey Pyatt, has spoken publicly of the contacts between Pierrakakis and Michael Kratsios, a Greek-American and chief technology adviser to then-president, Donald Trump. Kratsios joined the White House from a role as chief of staff to Peter Thiel, the billionaire Silicon Valley tech investor and founder of Palantir.
When news of Greece’s relationship with Palantir was disclosed, it was not by government officials or local media but by ambassador Pyatt. A teleconference followed in December between Greece’s prime minister, Kyriakos Mitsotakis, and Palantir CEO Alex Karp, where the latter spoke of “deepening cooperation” between them.
Journalists who asked for a copy of the agreement were refused and it took opposition MPs to force disclosure via parliament. The tone then abruptly changed.
Eleftherios Chelioudakis, a data protection lawyer and member of digital rights group Homo Digitalis, was among the first people to read the two-page document and was stunned by what he found. It appeared to give Palantir phenomenal access to data of exactly the scale and sensitivity that would seem to require an impact assessment. Worse, a revision of the agreement one week after the first deleted any reference to the need to “pseudonymise” the data – to prevent it being relatable to specific individuals. This appears to be in breach of the General Data Protection Regulation (GDPR), the EU law in place since 2018 that governs how the personal information of people living in the EU can be collected and processed. Palantir says that, to its knowledge, processing was limited to “open-source pandemic and high-level Greek state-owned demographic data directly relevant to managing the Covid-19 crisis”.
The Greek government has denied sharing patient data with Palantir, claiming that the software was used to give the prime minister a dashboard summarising key data during the pandemic. However, the contract, seen by the Guardian, specifically refers to categories of data that can be processed and includes personal data. It also includes a clause that has come to be known as an “improvement clause”. These clauses, identified in the rare examples of Palantir contracts released in answer to freedom of information requests, have been studied by Privacy International, a privacy watchdog in the UK. “The improvement clauses in Palantir’s contracts, together with the lack of transparency, are concerning because it enables Palantir to improve its products based on its customers’ use of the Palantir products,” said Privacy International’s Caitlin Bishop.
The company rejects this reading of their activities and states: “Palantir does not train algorithms on customer data for Palantir’s own benefit or to commercialise and sell to Palantir’s other customers.”
“We do not collect, mine, or sell personal data from or for our customers,” it said, adding: “Palantir does not use its customers’ data to build, deploy, transfer, resell, or repurpose machine learning or artificial intelligence models or ‘algorithms’ to other customers.”
Greece’s data protection authority has since launched an investigation. The government says it has ended cooperation with Palantir and that all data has been deleted.
Lord of the Rings mystique
Even by the standards of Silicon Valley tech companies, Palantir has been an outlier in creating a mythology around itself. The name is taken from the powerful and perilous “seeing stones” in Tolkien’s Lord of the Rings. Its leadership often claims the mantle of defenders of the western realm. Early employees cast themselves as brave hobbits and one of Thiel’s co-founders wrote about his departure from the company in a post entitled “leaving the Shire”.
But Palantir polarised opinion in the US before the backlash against big tech. Its critics do not focus on the fortune its founder Thiel made with PayPal or as an early investor in Facebook but on his support for Trump. Palantir has faced protests in the US over its role in facilitating the Trump administration’s mass deportation of undocumented migrants through its contract with US immigration enforcement agency ICE.
Palantir was also reported to have been involved in discussions over a campaign of disinformation and cyberattacks directed against WikiLeaks and journalists such as Glenn Greenwald. It later insisted that the project was never put into effect and said its association with smear tactics had “served as a teachable moment”.
And Palantir was willing to step in at the Pentagon after Google employees rebelled over its involvement in Project Maven, which seeks to use AI in battlefield targeting.
Until Palantir undertook a public listing in September last year, relatively little was known about its client list beyond services to the US military, border enforcement and intelligence agencies.
Media coverage of Palantir has been shaped by its unusual protagonists as well as its national security clients. The company’s CEO is Alex Karp, who studied in Germany at Frankfurt University under the influential philosopher Jürgen Habermas, and often makes corporate announcements in philosophical language in unconventional clothing or locations. His most recent message was tweeted from a snowy forest.
Rumours over Palantir’s possible involvement [with the CIA] in the operation to find Osama bin Laden have been met with coy non-denials.
The colourful backstory has added mystique to a company which, when it listed on the New York stock exchange, had only 125 customers.
Why did Palantir meet Von Der Leyen?
Sophie in ‘t Veld, a Dutch MEP, has tracked Palantir’s lobbying of Europe’s centres of power. She notes the company’s unusual “proximity to power” and questions how it was that an EU delegation to Washington in 2019 met with US government officials and only one private company, Palantir. What was discussed, she wanted to know, when Karp met the president of the European commission, Ursula von der Leyen or when Palantir met the then EU’s competition commissioner, Margrethe Vestager, who is now in charge of making the EU fit for the digital age?
In June 2020, In ‘t Veld sent detailed questions to the commission and published her concerns in a blogpost headlined: “Palantir is not our friend”. The commission took eight months to give even partial answers but the company emailed In ‘t Veld three days after she went public with her questions, offering a meeting. She talked to them but questions why the company felt the need to contact “an obnoxious MEP” to reassure her.
In ‘t Veld characterises the commission’s eventual answers as “evasive” with officials saying no minutes were kept of the conversation between Von Der Leyen and Karp because it was on the sidelines of the World Economic Forum at Davos and they already knew each other.
“There’s something that doesn’t add up here between the circumventing of procurement practices, meetings at the highest level of government,” said In ‘t Veld, “there’s a lot more beneath the surface than a simple software company.”
For its part, Palantir says it is “not a data company” and all data it interacts with is “collected, owned, and controlled by the customers themselves, not by Palantir.” The company says “it is essential to preserve fundamental principles of privacy and civil liberties while using data” and that Palantir does not build algorithms off its customers’ data in any form but provides software platforms that serve as the central operating systems for a wide variety of public and private sector institutions.
Palantir said: “We build software products to help our customers integrate and understand their own data, but we don’t collect, hold, mine, or monetize data on our own. Of course, our engineers may be required to interact with some customer data when they are at customer sites, but we are not in the business of collecting, maintaining, or selling data.”
Europol entanglement
Covid has been the occasion for a new business drive but Palantir did not arrive in Europe with the pandemic. It has also found opportunities in European fear of terrorism and its sense of technological inferiority to Silicon Valley.
When health concerns are driving business, the software product Palantir sells is Foundry; when terrorism fears are opening up budgets, it is Gotham.
Foundry is built to meet the needs of commercial clients. One of its champions in Europe is Airbus, which says the system has helped identify supply chain efficiencies. Foundry has more recently found its way into governments, and Palantir’s CEO, Karp, has called Foundry an “operating system for governments”.
Gotham has long been used by intelligence services in the UK, the Netherlands, Denmark and France and was built for investigative analysis. Some Palantir engineers call what it does “needle-in-haystack” analysis that agencies can use to look for bad actors hiding in complex networks.
Since 2013 Palantir has made a sustained drive to embed itself via Gotham in Europe’s police systems.
The first major opportunity to do this came at the EU’s law enforcement agency, Europol, when it won a tender to create a system to store and crunch the reams of data from member states’ police forces. The Europol Analysis System was meant both to store millions of items of information – from criminal records, to witness statements to police reports – and crunch this data into actionable intelligence.
The agreement signed in December 2012 with the French multinational Capgemini, subcontracted the work to Palantir and Gotham.
Over the next three years, heavily redacted Europol documents, obtained under freedom of information laws, tell a story of repeated delays, “low delivery quality” and “performance issues” related to Gotham. Amid the blacked-out lines there is mention of technical shortcomings such as the “inability to properly visualize large datasets”.
By May 2016 the issues were so entrenched that Europol agreed a settlement with Palantir, the terms of which they have refused to disclose. Capgemini, the contractor which brought in Palantir, also declined to comment.
It is also clear that Europol considered suing Palantir and Capgemini. In an internal briefing document ahead of an October 2018 meeting of the organisation’s management board, it is made clear that litigation was considered but rejected: “despite the performance issues identified [litigation] is likely to lead to costly court proceedings for which the outcome is uncertain.”
Palantir declined to comment on these issues specifically but said: “Any issues arising at Europol had nothing to do with the software’s ability to meet GDPR or data protection requirements, and were solely the result of a large, complex software implementation with multiple stakeholders.”
The caution was well advised. Palantir has form for suing large public bodies, including the US army, and winning.
When access was requested from Europol to all records relating to contractual matters with Palantir, 69 documents were identified, but the EU agency twice refused full access to 67 on the grounds of “public security”. An appeal has been lodged with the European ombudsman’s office, a complaint that was ruled admissible and a decision is pending.
The settlement did not disentangle Europol but it brought the project in-house and the effort to use Gotham as a data repository was abandoned but it remained as the main analysis component. In July 2017, a real-world trial of the system on counter-terrorism work found Gotham “suffering from significant performance issues”. Palantir said: “Any issues arising at Europol had nothing to do with the software’s ability to meet GDPR or data protection requirements, and were solely the result of a large, complex software implementation with multiple stakeholders.”
Despite these issues, Palantir has received €4m (£3.4m) from Europol.
The concerns went beyond performance when the EU’s privacy watchdog, the European data protection supervisor, began inspections. Heavily redacted copies of their reports in 2018 and 2019 register the inspectors’ concern that Gotham was not designed to ensure that the Europol analysts made it clear how people’s data had come to be entered into the system. The absence of this “personal implication” meant the system could not be guaranteed to distinguish whether someone was a victim, witness, informant or suspect in a crime. This raises the prospect of people being falsely implicated in criminal investigations or, at the very least, that their data may not have been handled in compliance with data protection laws.
Europol, as the data controller, said that such data was “treated with the greatest care”.
‘The hottest shit ever in policing’
In 2005, 15 European countries signed a deal to boost counter-terror efforts by exchanging DNA, fingerprints and vehicle registration data. This led to an IT buying spree as police authorities sought ways to get their systems to talk to each other. Norway was a latecomer when it signed up in 2009 but in 2016 a high-ranking delegation from the Norwegian police flew to Silicon Valley to meet Palantir. When they returned the force decided to set up a more far-reaching system to be called Omnia, running on Gotham.
The abrupt decision caught the attention of Ole Martin Mortvedt, a former senior police officer nearing retirement who was editing the national police union’s in-house magazine. When he started asking questions he found it impossible to establish who had gone to Silicon Valley and why the project had been expanded. The only representative of Palantir whom he could talk to in Norway was a relatively junior lawyer.
A frustrated Mortvedt started calling his former pupils from the police academy where he taught for many years who were now in mid-ranking positions in the police. Over the next three years, his police sources described a litany of missed deadlines.
“Those people who went to Silicon Valley, they were turned around by what Palantir had to offer,” said Mortvedt.
The system was handed over in 2020 but is still not functional. Palantir said that the problems were “not a function of our collaboration and, to the best of our knowledge, have their root cause elsewhere.”
The Norwegian police confirmed that Omnia has cost 93m Norwegian kroner, or slightly less than €10m.
Palantir met Danish officials in Silicon Valley two years earlier than their Norwegian counterparts. The Danes ended up buying Gotham for both the police and intelligence services as part of a counter-terrorism drive. Christian Svanberg, who would become the data protection officer for the system, named POL-INTEL, said he wrote the relevant legislation enabling POL-INTEL.
The tender, which was made public, called for a system with cross-cutting access to existing police and intelligence databases, information exchange with Europol and open-source collection of new information. It also foresaw the need for algorithms to provide pattern recognition and social media analysis.
It was, in other words, a prescription for a predictive policing system, which vendors claim can help police predict where crimes will occur (place-based) and who might commit them (person-based). One of Denmark’s district police chiefs called it a “quantum leap into modern policing”.
Palantir said it understood from the Danish police that they did not use POL-INTEL for predictive policing.
Danish authorities pronounce themselves happy with the performance of POL-INTEL but have so far refused to release an internal evaluation or disclose data to enable any independent assessment of the results.
The police have refused to disclose even redacted versions of the internal evaluations of POL-INTEL. Despite Danish insistence on privacy safeguards with POL-INTEL, the only known internal assessment of the system found that police users had been using it to spy on the whereabouts of former Arsenal footballer, Nicklas Bendtner. A number of police officers were disciplined over the matter.
Norway and Denmark were not alone in the enthusiasm of their senior police for predictive policing, the Germany state of Hesse purchased a similar tool from Palantir in a tender that the opposition in the state parliament considered to be so opaque that a committee of inquiry dealt with it.
A German police official familiar with the development of predictive tools at the time says that senior officers had bought into the hype: “What was promoted three years ago was the hottest shit ever in policing. What we got wasn’t what was expected. You can’t predict crime.”
The Interior Ministry in Hesse said: “The Hessian police has had consistently positive experiences in its cooperation with Palantir.”
A bunker in The Hague
Since the EU passed its GDPR legislation in 2018, setting a global standard for the privacy rights of its citizens, it has talked itself up as a safe haven where digital rights are protected as human rights. While GDPR may still be poorly understood and mainly associated with browser requests to accept cookies, there is a watchdog. The European data protection supervisor and his staff of 75 face the immense task of ensuring that European agencies and the private companies they contract play by the rules. The supervisor himself is Polish lawyer Wojciech Wiewiórowski, who led the inspections at Europol previously. Predictably cautious in his choice of words, he stops short of calling for controversial companies such as Palantir to be kept away from sensitive European data. But he does counsel caution.
“It doesn’t make a difference if systems have been produced in the EU or outside of it when considering their compliance with data protection requirements. But software produced by companies that might have connections with intelligence services of countries outside the EU should be of special interest for us.”
It is not always clear who is taking more interest in who. Palantir has shown it has reach and influence over the shaping of knowledge around data and privacy in Europe. Some of the continent’s leading thinkers on big data, artificial intelligence and ethics have worked with the company in a paid capacity. One of them is Nico van Eijk, who held a professorship at the University of Amsterdam. Meeting Van Eijk in his current job is an involved process. These days his office is in a bunker in The Hague in the same building as the Netherlands’ Council of State. It is here that he runs the committee that oversees the Dutch intelligence services.
You can only enter if you leave all digital devices at the entrance – no phones, laptops, no recording devices. Throughout the Covid crisis employees could not work from home as their communications cannot be trusted to an internet connection. The committee has real-time access to all data and investigations by the military and general intelligence services of the Netherlands.
At a meeting in January 2021, Van Eijk declined to discuss a previous role he held on Palantir’s advisory board but commended the company on having an ethical board in the first place. Palantir said Van Eijk was an adviser on privacy and civil liberties and that board members are “neither asked nor expected to agree with or endorse decisions made by Palantir” and are “compensated for their time”.
Corporations, including those in tech industry, are sponsoring an increasing number of academics with potential implications for the production of knowledge on data and privacy.
Many of Van Eijk’s colleagues at the University of Amsterdam take a different view of Palantir. Ahead of the 2018 Amsterdam Privacy Conference (APC), one of Europe’s premier events on the subject, more than 100 leading scholars signed a complaint that stated: “The presence of Palantir as a sponsor of this conference legitimises the company’s practices and gives it the opportunity to position itself as part of the agenda … Palantir’s business model is based on a particular form of surveillance capitalism that targets marginalised communities and accelerates the use of discriminatory technologies such as predictive policing.”
Palantir said it is not a surveillance company. “We do not provide data collection services, including tools that enable surveillance of individual citizens or consumers.”
Inferiority complex
Europe’s dependence on US tech is not a matter of concern only for human rights advocates and privacy scholars. Some of the biggest businesses in Germany and France have been in talks over the creation of something akin to a safe haven for their own commercially sensitive data. Those discussions revealed that German car manufacturers were just as nervous as any privacy campaigner about releasing their data to US cloud services, such as Amazon Web Services.
Marietje Schaake, the director of Stanford’s Cyber Policy Centre, warned that Europe’s “tech inferiority complex” was leading to bad decisions: “We’re building a software house of cards which is sold as a service to the public but can be a liability to society. There’s an asymmetry of knowledge and power and accountability, a question of what we’re able to know in the public interest. Private power over public processes is growing exponentially with access to data and talent.”
Palantir says that “it successfully operates within and promotes the goals of the GDPR and its underlying principles”. It insists it is not a data company but rather a software company that provides data management platforms. It has for a decade, it says, worked in Europe with commercial and government organisations, “helping them successfully meet data protection requirements at scale as mandated at a European and national level”.
The latest European bid for greater digital sovereignty is GAIA-X, wrongly billed in some quarters as a project to make a Euro-cloud. It is, in fact, an association that will seek to set the rules by which Europe-based companies do business with cloud computing services. Just as GDPR means that Europeans’ personal data has to be treated differently on Facebook than that of users outside the EU, GAIA-X would mean commercial data is more tightly controlled on the cloud. Despite its relative obscurity, GAIA-X may go on to have profound implications for the business model of US tech companies, or hyperscalers.
It was a surprise therefore when Palantir proclaimed itself, among other companies, a “day 1 partner” of GAIA-X three months before any decision had been made. Officials at the association complained of “delinquent partners” who had jumped the gun for reasons of commercial advantage. Ultimately, Palantir was allowed to join.
Palantir says it did nothing that other companies involved with GAIA-X did not do.
The chairman of GAIA-X, Hubert Tardieu, formerly a senior executive at French tech firm ATOS, noted that the association did not want to get mired in lawsuits from “companies in California who know a lot about antitrust law.”