
UK govt publishes contracts granting Amazon, Microsoft, Google and AI firms access to COVID-19 health data

Questions linger over involvement of biz linked to Dominic Cummings and Vote Leave campaign


The UK government has published the contracts it holds with private tech firms and the NHS for the creation of a COVID-19 data store, just days after campaigners fired legal shots over a lack of transparency.

Available on the openDemocracy website, the contracts describe how the arrangements between the NHS and Amazon, Microsoft, Google, and AI firms Faculty and Palantir (which subcontracts to AWS) will operate.

Campaign groups Foxglove and openDemocracy, which brought the action, said that the documents show the tech firms were set to build data models for commercial purposes from NHS training data before being challenged.


"Significantly, the contracts show that the terms of at least one of the deals – AI firm Faculty – were changed after initial demands for transparency under the Freedom of Information Act," the groups said.

"The contracts show that the companies involved, including Faculty and Palantir, were originally granted intellectual property rights (including the creation of databases), and were allowed to train their models and profit off their unprecedented access to NHS data."

However, the government has not released a subsequent contract which it claimed solved the problem of data being exploited for private sector gain.

"openDemocracy and Foxglove are demanding its immediate release," the pair said today.

In May, a broad-based campaign group wrote to UK health secretary Matt Hancock calling for greater openness in the government's embrace of private-sector tech companies contracted to provide a data store and dashboards as part of the NHS response to the COVID-19 outbreak.

The group – including Liberty, openDemocracy, Foxglove and Privacy International – said promises of openness about the role of multiple private-sector tech firms in handling the health data of millions of UK citizens had not been fulfilled.

In March, the government said it would develop a platform designed to provide "secure, reliable and timely data" to national organisations charged with coordinating the response to the pandemic.

Amazon, Google and Microsoft were on the list of contracted companies, along with Palantir Technologies UK, a subsidiary of Peter Thiel's controversial analytics firm, and the London AI company Faculty, which worked on the Vote Leave Brexit referendum campaign.

openDemocracy said it hopes that publishing the contracts will facilitate expert analysis of them and support public debate.

In a separate case, campaigner the Open Rights Group has instructed lawyers to lodge a complaint with the UK's data watchdog over the rollout of the Test and Trace system, which it says breaches the General Data Protection Regulation (GDPR).

The Department of Health and Social Care has been contacted for a statement. ®
