New UN deal with data mining firm Palantir raises protection concerns

Spydata OverLord and MyLady of Poverty paired - Josh Harris with Enrica Porcari - Photo Credit: Ben Parker/IRIN

Critics say it could put ‘highly sensitive’ data about millions of food aid recipients at risk

By Ben Parker - IRIN - 5 February 2019

CIA-linked software firm Palantir will help the UN’s World Food Programme analyse its data in a new partnership worth $45 million, both organisations announced Tuesday, drawing immediate flak from privacy and data protection activists.

The California-based contractor, best known for its work in intelligence and immigration enforcement, will provide software and expertise to the UN’s food relief agency over five years to help WFP pool its enormous amounts of data and find cost-saving efficiencies.

At a press conference in Geneva, WFP’s chief information officer Enrica Porcari said the plan was to launch a data integration effort that would include records of distributions to beneficiaries but, she stressed, not personally identifiable data. “Can all the data pour into one lake?” she asked, rhetorically. The system would then, she explained, work like a bank whose algorithms flag unusual credit card activity, picking up “anomalies” in beneficiary locations and behaviour that might signal misuse.

"WFP is jumping headlong into something they don’t understand, without thinking through the consequences, and the UN has put no frameworks in place to regulate it."

In future, if multiple aid agencies connected to the WFP’s SCOPE beneficiary management system and used it as the basis for recording what people received, a powerful overview could be achieved, Porcari said.

Palantir executive vice president Josh Harris said WFP’s 92 million aid recipient “customers”, its more than 30 data systems, and its difficult operating environment represented a “complex data landscape”, but something his company’s software was built for. The opportunity to provide support to WFP is a “dream combination” that fits “mission-driven” Palantir’s philanthropic goals, Harris added.

Palantir has already worked with WFP on a pilot project on food procurement in Iraq that has produced over $26 million (or about 10 percent) in savings, the two organisations said.

‘This data is highly sensitive’

Privacy and data protection activists cried foul at the new tie-up, questioning if WFP understood what it was getting itself into and if proper safeguards had been put in place.

“The recipients of WFP aid are already in extremely vulnerable situations; they should not be put at additional risk of harm or exploitation,” a spokesperson for activist NGO Privacy International told IRIN. “This data is highly sensitive, and it is essential that proper protections are put in place, to limit the data gathered, transferred, and processed.”

Asked for the legal basis for any data-sharing with Palantir, Porcari said: “there is no data-sharing”. She insisted that all data instead would rest under WFP’s control, with personal data being kept separate and secure.

But Privacy International, which recently analysed the (unintended) risks of humanitarian data misuse, warned: “We've seen examples of systems that are produced in agreements such as the one between WFP and Palantir increasing risks to the people the systems are aiming to benefit. There are risks to both individuals and whole populations from the gathering and processing of data from humanitarian activities.”

A humanitarian data analyst, who requested anonymity due to work relationships, was also alarmed at the news, saying: "WFP is jumping headlong into something they don’t understand, without thinking through the consequences, and the UN has put no frameworks in place to regulate it."

Palantir was established with the help of seed capital from a CIA-linked investment body. Its main clients have been US security and intelligence bodies.

Its capacity to structure and overlay vast datasets has led it to be credited with helping the US government to find Osama bin Laden. However, its work with US police and, most recently, immigration enforcement, has come under fire for secrecy, profiling bias, enabling human rights violations, and the wholesale harvesting of personal data.

“It is the height of irony that the very company that faced direct criticism in its role facilitating US immigration authorities' human rights abuses is now promoting itself as trustworthy of working in humanitarian aid,” the Privacy International spokesperson said.

Gaining ground in the industry

From the 2013 Haiyan super-typhoon in the Philippines to the 2014-2016 Ebola outbreak in West Africa, Palantir has often sought opportunities to deploy its technology in the humanitarian arena.

Few analysts contacted by IRIN in this 2016 investigation doubted the software had powerful potential, but reputational concerns made a number of potential partners walk away, even when offered free access to Palantir products and software advisors.

“It is the height of irony that the very company that faced direct criticism in its role facilitating US immigration authorities' human rights abuses is now promoting itself as trustworthy of working in humanitarian aid.”

Nevertheless, Palantir’s pro-bono “Philanthropy Engineering” has provided support to numerous non-profits, including the Carter Center, Team Rubicon, the Enough Project, and the Rockefeller Foundation. The UN’s nuclear watchdog, the International Atomic Energy Agency (IAEA), is a paying customer.

WFP has been working with Palantir since 2017 – a WFP spokesperson said an encounter at the World Economic Forum in 2015 kicked off the relationship. Gaining greater insight from a mountain of internal and external data with the help of Palantir’s Foundry system has already led to cost savings and efficiencies, according to the Rome-based UN agency.

A starting point for the Palantir work inside WFP was Optimus. According to a recent update from WFP, Optimus is an internal tool to help guide purchasing and other planning decisions, for example in Ethiopia or Yemen, to assign different commodities to make up a mixed basket of food for distribution depending on funding and seasonal market prices. 

Poncari described WFP as being on a “very aggressive digital transformation journey” and said it had a “moral imperative” to leverage technology to achieve efficiencies. “We just want to go with the best,” she told reporters.

Listen to the event




Even more sensitive data are held by the offices of the United Nations High Commissioner for Refugees, whose internet communications and databases are highly insecure. Numerous abductions and murders of dissidents among the UNHCR "protected" refugees could have been averted by better protection.



EXCLUSIVE: Audit exposes UN food agency’s poor data-handling

A key World Food Programme web-based computer system is unreliable and the agency doesn’t protect sensitive personal data

By Ben Parker - 18. January 2018WFP's SCOPE card for aid operations

A sample of World Food Programme's SCOPE ID card (Ben Parker/IRIN)

GENEVA - Vulnerable people in the world’s troublespots could be at risk because of sloppy handling of sensitive data by a UN agency, according to an internal audit. In response, the World Food Programme told IRIN it was “working to get ahead of the curve” on data-handling, would address weaknesses, and spend more on systems.

The internal audit of WFP beneficiary management, dated November 2017, found a litany of data protection failings across the UN agency’s digital and paper-based systems. WFP handles huge amounts of personal data without proper safeguards, according to the review. The audit says “major improvement” is needed to reduce risks in systems that powered aid for over 82 million people in 2016.

Despite the criticisms, WFP vowed to press on with its initiative to build a large centralised system. The agency told IRIN in a written response that its goal was to have a platform that could power more than just food-related aid. It should be “holding data for WFP’s entire caseload of some 80+ million people and providing a platform to deliver assistance for all the needs of a household, beyond food,” the response said.

WFP said its flagship SCOPE management platform, which the audit found to be seriously flawed, “will significantly improve beneficiary information and identity management”, insisting, “the audit findings back this up”. The agency told IRIN it would be “working through the challenges of bringing the new system up to speed”.

The damning audit emerged as aid agencies worldwide adjust to sweeping new EU legislation that governs personal data and enters into force in May, the General Data Protection Regulation. IRIN interviews suggest the GDPR will lead to an overhaul of best practice in the humanitarian sector.

‘Accident waiting to happen’?

According to the audit, WFP fails to follow rules it has set itself, which are aligned with international best practice and the GDPR. “Policies have been designed to protect the data and privacy of beneficiaries and comply with local requirements, but have not yet been effectively implemented,” the audit said. In its response to IRIN, WFP said the agency was “closely following developments, standards and best practice in this field”.

WFP stall at conference

WFP's promotional stand for its SCOPE system - Ben Parker/IRIN

Data specialists contacted by IRIN were alarmed but not shocked at the report. “This set of findings screams ‘accident waiting to happen’, as well as a lack of understanding by senior [WFP] management of WTF is going on with their data at country level," said one.

The audit appears tough, but data protection officials in other aid agencies said WFP’s issues were not unique: the findings could apply to many in the sector and some applauded the transparency. One said, after reviewing the report: “I’m sure that other entities both in and out of the UN who are delivering digital forms of aid, including identity management, would fail a similar audit.” Sean McDonald, CEO of messaging platform FrontlineSMS, told IRIN: “these problems are big and difficult everywhere.” WFP’s response said the findings were “challenges that should be expected.”

Among the many issues, grouped under five high-risk and five medium-risk headings, the audit found that extraneous information was being gathered. In more than one case, WFP and its partner organisations collected more personal information than was needed, “without a specified and legitimate purpose”, and again, contrary to policy.

In a particularly charged example, a WFP “cooperating partner” recorded people’s religion. The agency did not clarify the details, and the report does not say where it happened, but the audit team only visited Malawi, Sudan, and Myanmar. Of the three, only Myanmar has any significant diversity of religious adherence, and religion is a key factor in its recent violence. (The audit also made desk reviews of operations in Bolivia, Guinea Bissau and the Occupied Palestinian Territories).

The report also said beneficiaries did not give their informed consent to the use of personal data, and data was routinely copied without encryption or password protection. Both findings go against WFP’s data protection policy.

The SCOPE of the problem

WFP has made numerous public announcements about the innovative impact and potential of its central web-based application SCOPE, which now holds records on 26 million people, 5.8 million of which include fingerprints or photos. The system went live in 2014 and should manage both cash or in-kind programmes. According to WFP, it is designed for “beneficiary registrations, intervention setups, distribution planning, transfers and distribution reporting.”

WFP_Chad @WFP_Chad


In the the biometric registration is ongoing. And despite some obstacles 😉 team is reaching people to improve the efficiency of its operations through a secure platform.


See WFP_Chad's other Tweets

[A tweet from WFP in Chad]

The audit found it unreliable and unable to meet the needs of many country offices. As a result, SCOPE handles less than 10 percent of the WFP’s caseload. Another audit, of WFP’s Bangladesh operation, repeats a finding that the SCOPE system cannot reliably edit and update records.

Most of WFP’s operations were so far unable to use SCOPE. Among the problems were the following:

❌ Data uploaded into SCOPE was “incomplete and/or inaccurate”

❌ Many of the 61 offices in which it had been installed had problems uploading and downloading data

❌ The system did not reliably allow operators to correct errors and update beneficiary data

❌ It does not allow for sufficient “beneficiary conditionality”, customised reporting, data analytics, and reconciliations

❌ User support and help-desks could not meet demand

McDonald, of FrontlineSMS, told IRIN: “They went out too early, with something they didn't fully understand, and are now having to solve the difficult, basic problems that would have been a lot easier 61 countries ago.”

WFP imagines one day earning revenue from running beneficiary management as a service. However, the system is far from ready: also, around three quarters of the records (some 17 million people) aren’t being used, according to the audit.

WFP told IRIN that some dormant records were a “preparedness” measure: “former beneficiaries are kept in the system to ensure that WFP can respond faster when these beneficiaries are again in need.” This contrasts with WFP’s policy, which says “personal data that is no longer needed for fulfilling the purpose for which it was collected should either be destroyed or returned.”

Reviewing the report as a whole, "I'd question whether humanitarian organisations should ever build their own tech, but these are project management, planning, and resource problems,” McDonald added.

WFP claimed it had reviewed its options in 2011, and building the application in-house was the only affordable option. However, the agency said that, over a 10-15 year horizon, it might work with “potential new partners or software providers”.

Data protection “by design and default”

An NGO manager dealing with data protection said the SCOPE database failed the test of data protection “by design and default”, a phrase from the GDPR that summarises the shift the new law aims to promote. Having so much personal information in a single database was "alarming" and a natural target, they said.

The official added that NGO partners of WFP (many are EU-based) are often obliged to share data with the SCOPE system and cede control of the data to WFP without clear data-sharing agreements.

McDonald said technology was only one piece of the puzzle. He argued that humanitarian treaties, accords, and principles are “the product of huge amounts of work on culture and organisational change.” People are trying to “code around the difficult process of building shared cultural and operational infrastructure.”

Authors: bp/ag

Ben Parker - Contact: WhatsApp/Signal/SMS: +44 7808 791 267