Limited and Open Government

New Audit of Banjo Highlights Privacy Issues in Utah

State Auditor John Dougall released a report today regarding the review of the state’s contract with Banjo and its application called Live Time.

Banjo had a contract worth $21 million that would enable them to partner with local law enforcement. The company boasted that the application could provide critical information and investigative direction by constantly gathering and processing massive amounts of data from multiple sources, including networks of public and private video surveillance cameras, social media sites, 911 call centers, vehicle tracking devices, and more.

Their public claims about deep integration with government data prompted many privacy advocates, including Libertas Institute, to express concern over the degree to which a private company was accessing our data and empowering the government to do things it could not previously do.

The company’s efforts came to a screeching halt, however, when the Attorney General’s office announced it was suspending the use of the tech after revelations of the neo-Nazi history of its founder, Damien Patton. The Attorney General further requested that the Auditor review the contract.

Here are some highlights of what the Auditor’s team found in its review of Banjo and its application, Live Time:

  1. The actual capabilities of Live Time versus the claims were vastly distorted and that had the company’s claims matched the capabilities, there were likely competing vendors that could have provided a similar service.
  2. Despite public claims to the contrary, the company’s product seemed to not have any artificial intelligence integrations. From what it appears, the product simply aided an analyst using a comprehensive dashboard.
  3. Due to the technical limitations of the Live Time app, it seems unlikely that individuals’ personally identifiable information was accessed, used, or transferred inappropriately.
  4. Live Time did not possess the algorithmic sophistication that would pose a legitimate risk to discrimination.
  5. The nature of the kinds of systems Live Time would have access to should not have been allowed based on existing industry best practices.

The audit also revealed that Banjo was granted direct access to some databases. “This direct access,” the report reads, “could have allowed a malicious insider to alter, for example, state emergency databases without the knowledge of state officials. It also could have allowed for accidental destruction or modification of state emergency databases if the software was misconfigured. Permitting a third party to have direct database query, as permitted under the agreements with Banjo, exposes the entity and its data…”

To a certain extent, it is comforting to know that the technology being offered by Banjo was not as advertised. However, it clearly demonstrates why it is critical that we scrutinize attempts from the government to be an early adopter of new technologies. Banjo is just one of many companies that are operating in this predictive policing space, and efforts to create the kind of technology the company boasted will not end.

Banjo was merely a side-effect of a much larger problem. Utahns had no clue this company had a contract, what it claimed to do, and how that could impact their daily life. There need to be guardrails put in place before government attempts to become an early adopter of technology. Public buy-in is necessary, and transparency from the government to individuals is critical.

The good news is the Utah Legislature recognized and shared the concerns many expressed in the time since the revelations about Banjo came to light. Following our proposal, Representative Francis Gibson sponsored House Bill 243 to attempt to strike a better balance between public safety and an individual’s reasonable expectation of and right to privacy.

The bill creates two privacy officers who will work with a committee comprised of experts from a variety of fields, to vet various technologies flagged by individuals or organizations for potential privacy and civil liberties issues. In short, these individuals will perform a proactive review—not just of the Attorney General’s use of technology, but that of any and all government agencies. These will be the new watchdogs to scrutinize government use of technology and personal data.

These individuals will subsequently offer recommendations for potential reform or best practices to the appropriate governing body in a public hearing. This would be a major increase in transparency for the public who would thus have a better idea of how the government uses technology; the bill also empowers the public to provide feedback and be part of the reform effort.

The proposal passed unanimously and was signed into law two weeks ago. This new law is a major step in the right direction in establishing accountability, increasing transparency, and informing the public in a more meaningful manner. Our goal is that this process can lead to a future where a more appropriate balance between public safety and personal privacy can be achieved.