Robert Gehrke: Utah can be the leader in digital privacy, just pass this bill

House majority leader calls for chief privacy officer.

(Francisco Kjolseth | The Salt Lake Tribune) Robert Gehrke.

It seems like ages ago now that Utah officials were making plans for a massive data-guzzling surveillance program from a company called Banjo, designed to help alert law enforcement to potential crimes as they happen.

The program, promoted aggressively by Attorney General Sean Reyes, fell apart — not because of privacy concerns, but because of revelations that the company’s founder was involved in a white supremacist attack on a Jewish synagogue in his youth. Really.

But the whole notion of the all-seeing-eye of Big Data never sat well with some lawmakers, including House Majority Leader Francis Gibson.

Now he’s poised to do something about it.

Gibson has introduced HB243, which would create a chief privacy officer for the state and a 12-member Personal Privacy Oversight Committee — the first of its kind in the United States, according to supporters — made up of experts in the field and housed in the Utah State Auditor’s Office.

The panel will have the power to review the state’s use of new technologies and advise agencies on best practices and potential privacy pitfalls that could arise.

It’s an idea that I’ve been supportive of since the summer of 2019, when we were learning of government tactics that were raising serious privacy concerns, well beyond the Banjo contract.

For example, that summer we learned that the Department of Public Safety, at the request of federal law enforcement, was running facial recognition searches on the entire state driver license database, drawing criticism from civil liberties groups who contended that the public didn’t consent to searches and the department should get a warrant.

Since then, the Legislature has grappled with what safeguards should be put in place, and legislation on the topic is expected to be considered this session.

In May 2019, Reyes inked a deal with a company called Liberty Defense Technologies to test a product that does body scans of large groups of people to try to detect weapons without the knowledge of anyone in the crowd being searched.

Two years ago, state Auditor John Dougall’s office issued two reports, one that found that the driver license division was improperly sharing data — including Social Security numbers and physical characteristics — with outside entities and another that found vulnerabilities in a state database that houses data on citizens’ prescription drugs.

In the Banjo aftermath, Dougall created an ad hoc privacy task force to explore issues surrounding personal privacy and data surveillance. Dougall told me Tuesday that the group worked for about six months and is planning to release an overview in the next week.

All of these issues came to light just in the past two years and the issues arising out of the collision between technology and personal privacy are only going to become more acute in the future, which is why it’s worthwhile for the state to be proactive about addressing these issues, according to Connor Boyack, founder and president of the Libertas Institute, a libertarian think tank that helped craft the legislation.

“Across the country what has happened with government and new technology is they adopt [the technology], typically quietly, and implement them, also quietly, and only later when the use of these new technologies is discovered does the public become aware, sometimes [gets] upset, court challenges occur and maybe the Legislature reacts,” he said. “It creates this awkward situation where government can use whatever it thinks is appropriate and maybe their hand will be slapped at a later day.”

If Gibson’s bill passes — which, given his position as House majority leader, is likely — the public could request that the privacy office review a specific piece of technology or the office, on its own, can initiate a review of a state agency’s utilization of tech that might cross the line.

If the commission determines that the technology doesn’t meet the minimum privacy considerations, it can suspend the state agency’s use of the product until the following June, giving the Legislature time to weigh in, either prohibiting its use or creating guidelines to address the privacy concerns.

The commission will also offer guidance to county and local governments and police departments regarding best practices, collection and retention of personal information, data security standards, what to watch out for and what issues could arise from different tactics.

“We’d prefer to see elected officials be proactive when it comes to personal privacy,” Boyack said. “Really, what it’s all about is empowering and informing legislative officials and the people they represent.”

And given the choice of where to put the commission — in the governor’s office, the attorney general’s office or under the auditor — Gibson made the right call. The auditor is less directly involved in procuring new technologies and, let’s not forget, it was Reyes’ office that brought us the worst of the intrusive deals and signed off on other problematic surveillance tactics.

So much of our lives these days are floating around in the digital universe, and new technologies are continually being created to gobble up that data and use it in all sorts of ways. Passing HB243 would put Utah at the forefront of the nation when it comes to balancing competing interests and protecting the individual liberty of its citizens.