Robert Gehrke: How Utah became a digital privacy leader, while making a few mistakes along the way

An audit of the state’s contract with Banjo helps refine the government’s relationship with Big Data.

(Francisco Kjolseth | The Salt Lake Tribune) Robert Gehrke.

Last week, we got a long-awaited audit into the state’s controversial and ultimately aborted contract with Banjo, a company that touted its ability to gobble up vast amounts of public and state-held data on all of us and use it to fight crime.

Auditors found the Big Brother tech didn’t follow industry best practices and shouldn’t have been allowed access to our personal information. That’s the bad news.

The good news — if you can call it that — is that Banjo’s product never actually worked as promised, which limited the exposure of our private data. Banjo talked a good game and even offered a simulation where it located a kidnapped child in a matter of minutes.

The Utah Attorney General’s Office bought it and became a major proponent of the company, helping to steer millions of dollars to the company based on that simulation, without verifying it would work in a real-life scenario. (It apparently wouldn’t.)

The state, as you probably remember, cancelled the contract after Banjo’s founder, Damien Patton had, as a young man, participated in a white supremacist attack on a synagogue, something the state didn’t know in advance because it didn’t conduct thorough background checks (although the AG said the records of the case had been sealed by the court).

The review by state Auditor John Dougall and his staff closes the book, it would appear, on the state’s involvement with Banjo (renamed safeXai following the Patton scandal).

But it also tees up the much larger discussion: How much of our personal information should the government be able to access, and how should they protect that data?

It didn’t get a bunch of attention, but on the heels of the Banjo fiasco, Dougall convened a panel of experts to formulate best practices, intended as a roadmap for state and local government entities dealing with Big Data contracts.

It includes only collecting the data an entity needs and destroying it once it’s not needed to limit exposure to hacking; limiting data sharing among agencies to avoid data creep; validating that a company’s product can actually do what it claims it can do; and understanding the threats to exploitation and misuse of the data an entity gathers.

After the recommendations were released, the state purchasing office held an online seminar attended by more than 150 state and local purchasing agents.

“To have that many folks immediately engaged,” Dougall said, “to me that says folks on the front lines are grasping the importance of this.”

That’s a good start. What ultimately will make an even greater impact is HB243, which passed unanimously in the recent legislative session and was signed into law by Gov. Spencer Cox a few weeks ago.

The legislation, sponsored by House Majority Leader Francis Gibson, R-Mapleton, creates two state privacy officers — one in the governor’s office who will monitor state technology functions and another in Dougall’s office, who will head a 12-member Personal Privacy Oversight Commission that will oversee other state departments — school districts, the offices of the state treasurer and attorney general, police departments, colleges and universities, and local and county governments.

“It just really made sense to us to have some sort of vetting, because it seems like there are all these contracts that are entered into with tech companies and there’s just zero screening,” said Marina Lowe, legislative and policy attorney with the American Civil Liberties Union of Utah, who worked with the Libertas Institute on the bill.

“We’re trying to figure it out after the fact and struggling to catch up,” she said, “so it’s nice to know there’s some sort of body being constituted for that express purpose.”

Individuals or governments with concerns about an entity’s use of personal information can request a review from the commission. And, Dougall said, the commission will likely take an inventory of how entities use Big Data and look for red flags.

“I’ll give you an example: In Mantua, news recently bubbled up about their license plate reader camera,” Dougall said. “So for various folks there are concerns about that kind of technology and who can access that information. Who else has those systems deployed around Utah, what exists out there and what kind of controls exist on those systems?”

He also sees “algorithmic bias” — how emerging technologies like facial recognition programs can be biased against people of color — as an emerging issue ripe for review by the commission.

This focus on state privacy is not exactly a new thing. Within just the last few years Utah lawmakers have:

• Required police to get a warrant to access data from a cellphone provider;

• Put guidelines on the state running facial recognition searches of the state driver license database;

• Required police to get a warrant to use “stingrays,” which mimic a cell tower and suck up information from users;

• Mandated that law enforcement get a warrant to access the prescription drug database;

• Limited the use of license plate readers along Interstate 15.

“I think Utahns value their privacy,” Lowe said. “These issues resonate with people.”

They do resonate, whether it’s a libertarian streak, the western “rugged independence,” or a mistrust of big government infused in the state’s predominant religion. Whatever the reason, Utah is quietly and incrementally leading the nation in protecting our personal information from government overreach, and we’re all benefiting as a result.