In wake of Banjo controversy, auditor warns against expansive state deals with firms collecting personal data

Governments should ensure vendors prove their marketing claims and don’t collect too much data, according to commission.

(screengrab from Banjo company website) Park City-based Banjo had a contract with the state of Utah last year to create a live-time surveillance system to help law enforcement and other entities respond to situations faster. Some experts worried about privacy implications.

The Utah state auditor’s office may have delivered a final blow to Banjo, a Park City-based surveillance tech company, when it released a series of recommendations Monday.

Banjo spurred a nationwide dismay nearly a year ago when news emerged that Utah Attorney General Sean Reyes had signed a controversial data-sharing contract with the company, then persuaded other law enforcement to jump on board as well. Now the auditor is out with some guidelines calling on governments to limit partnerships with software vendors who collect private and sensitive data.

The attorney general’s office said it supports the findings.

“This will be valuable to our office, law enforcement statewide, and all levels of government,” the office said in a statement.

Data privacy experts began sounding the alarm about Banjo after learning of some of company’s claims — that it listens in to 911 calls, watches public traffic and surveillance cameras feeds, monitors social media accounts, and potentially collected health data related to the pandemic. Perhaps most troubling, Banjo wouldn’t share how much public data it was ingesting, where it was getting it, how long it was keeping it or how many police agencies it was working with. The attorney general’s office didn’t seem to know, either.

Reyes’ representatives claimed Banjo’s “Live Time” software could help solve crimes in a matter of seconds or minutes.

Problem is, they could never point to a real-world example of that actually happening.

Public perception of the company took an even bigger turn for the worse when news broke that Banjo’s founder and CEO, Damien Patton, had years earlier identified with white supremacist groups. Patton stepped down in May, but concerns lingered about state-supported tech being used to spy on or target Utah residents.

The attorney general’s office opted to suspend its contract with Banjo, pending the results of a review by the state auditor. Several other Utah departments followed suit or canceled their Banjo contracts altogether.

The results of the auditor’s review are out, and they offer guidelines for state government entities on signing up with companies that collect state data, provide artificial intelligence services or use machine-learning technology.

The objective, according to a news release, is to provide best practices for “technologies that have the potential to impair the privacy of Utahns or could lead to discrimination against them.”

Requests for comment sent to Banjo were not immediately returned Monday afternoon. Banjo appears to have taken down its website sometime this year. Its Twitter and LinkedIn social media pages remain active, but they have not been updated for more than a year.

Justin Lindsey, who stepped in to take Patton’s place as CEO, is now listed at the CEO of safeXai, a Utah-based software company that “uses advanced signal processing and artificial intelligence to make the world a safer place,” according to LinkedIn.

A four-page procurement principles document released by the auditor’s office calls on governments to limit sharing of sensitive data, such as personally identifying information, with tech vendors. It notes that software applications shouldn’t collect more sensitive data than needed and that such data shouldn’t be stored longer than necessary.

Companies should also be able to demonstrate the “validity of marketing claims,” the report cautioned. In the past, Banjo’s promotional materials touted its software as providing a “crystal clear view of what’s happening anywhere right now.” It claimed it could locate a kidnapped child moments after abduction, notify highway patrol of a car wreck before anyone dials 911 or alert fire departments of a blaze soon after it starts.

None of those scenarios seem to have happened after Utah departments began working with Banjo, except for a practice kidnapping exercise vaguely described by the attorney general’s office.

“Vendors make various claims about the ability of their software applications to deliver value within a given accuracy or efficiency measure,” the auditor’s procurement principles document warns. “Do not rely on anecdotes as validation of these claims.”

The document also guides governments to ensure vendors can explain their artificial intelligence software, how it anonymizes data and whether the company can thwart hackers.

The recommendations came from a Commission on Protecting Privacy and Preventing Discrimination, formed by Auditor John Dougall last June specifically in response to the Banjo controversy.

The commission also issued a companion document with a series of questions government entities can ask when evaluating software vendors to further ensure companies protect data privacy and limit discrimination.

That document also seems to be critical of companies like Banjo, cautioning against vendors that claim to have “real-time” capabilities, surveillance activities, or purport to integrate “disparate” data sources, like social media, commercially available information, government data and private information.

“I expect that the report that we have produced will provide very effective guidance for state agencies, and places Utah at the forefront of efforts around transparency, privacy protection and bias reduction, especially when using new AI-based technologies,” said Suresh Venkatasubramanian, a commission member and computing professor at the University of Utah, in the news release.

A spokesman for Reyes said his office is “not pursuing a renewed relationship at this point” and that the attorney general would have to “revisit” a contract “since it is a different company now.”

“Our office remains committed to protecting the privacy and civil rights of Utahns, and appreciates the work and expertise of those who contributed to this report,” the attorney general’s office statement said. “Within those guidelines, our office also remains committed to innovation and keeping Utahns safe with the most effective crime fighting tools available.”

Beyond its Banjo contract, Reyes’ office also caused controversy after signing a contract with Liberty Defense in 2019 to test its HEXWAVE technology, which scans large groups of people for weapons without their knowledge.

The ACLU of Utah praised the privacy commission’s findings, particularly its recommendation that the state use independent experts to evaluate new surveillance technology.

“These principles, developed by technology and privacy experts, are a good initial step to stop the practice of state agencies and elected officials from being dazzled by the unverified claims of technology companies who often pay lip service to privacy concerns,” ACLU spokesperson Jason Stevenson wrote in an email statement.

Utah House Majority Leader Francis Gibson, R-Mapleton, an outspoken critic of the state’s relationship with Banjo, has introduced legislation creating a data privacy officer position in the state auditor’s office, which the ACLU also supports. That bill, HB243, is scheduled to have a hearing in the House Government Operations Committee at 3:40 p.m. Tuesday.