SALT LAKE CITY — A host of personal privacy concerns raised by Utah-based high-tech surveillance company Banjo, and its one-time multimillion-dollar contract with the state and numerous local law enforcement agencies, are being parlayed into a series of efforts by elected officials to bolster protections for Utah residents.
On Tuesday, HB243 found support from lawmakers in an initial committee hearing and is aiming to create a new panel of experts and a lead officer tasked with vetting government technology systems with the goal of blockading any tools that lead to personal privacy invasions.
The bill’s sponsor, House Majority Leader Rep. Francis Gibson, R-Mapleton, said the proposal seeks to form an answer to a key question for Utah residents.
“As it relates to government, how do we maintain privacy?” Gibson asked the members of the House Government Operations Committee. “How do we know that information is being kept private ... and the things we give to government for our benefits are not being abused or taken elsewhere?”
Utah State Auditor John Dougall — who formed a special, temporary personal privacy commission last summer to assist in an audit of Banjo’s contract with the state — helped Gibson outline the goals of his proposal. Dougall noted the findings of his panel helped inform the best way to address personal privacy protections in the new legislation.
“This commission worked diligently and one of the first things that was recognized is that while many government entities have good intentions ... they often times don’t know which questions to ask,” Dougall said.
In a riff on Dougall’s specialty panel, Gibson’s proposal would create a permanent committee, housed within the auditor’s office, that would include topic experts from the realms of internet technology, cybersecurity, law enforcement, data privacy law, data privacy technology and civil liberties law. The collected experts would be responsible for reviewing technology products and services for how they collect, assess and store personal data and information for state agencies as well as those of Utah municipal and county government operations.
In addition, the bill proposes to create a new data privacy officer who would be overseen by the auditor and tasked with implementing committee recommendations.
Connor Boyack, president of Utah-based libertarian think tank Libertas Institute, helped Gibson craft the bill’s language and told the Deseret News Tuesday before the hearing that the proposal, if implemented, would make landmark improvements to the state’s personal privacy protections.
“What we’re excited about with this bill is the opportunity for the government to be proactive rather than reactive when it comes to putting restrictions on new technology that can undermine personal privacy,” Boyack said.
Last spring, Utah Attorney General Sean Reyes announced the state had suspended use of the technology services of Park City-based Banjo after it was revealed company founder Damien Patton has past connections with a white supremacist group and was involved in a shooting at a Jewish synagogue in the early ’90s. The $21 million contract had also opened the door for dozens of local Utah law enforcement agencies to use Banjo’s services under existing preferred provider agreements.
The company had claimed its technology could provide critical information and investigative direction by constantly gathering and processing massive amounts of data from multiple sources, including networks of public and private video surveillance cameras, social media sites, 911 call centers, vehicle tracking devices and other inputs.
Privacy watchdogs questioned the methods by which Banjo gathered information, whether the data was being appropriately scrubbed of personally identifying characteristics and the veracity of security measures in place to ensure access was limited to appropriate agencies and, even then, used only in specific and justified circumstances.
Electronic Frontier Foundation policy analyst Matthew Guariglia told the Deseret News last year that not knowing exactly how Banjo’s Live Time platform operated left unanswered questions about public accountability.
“The fact that nobody really knows how this technology works is incredibly troubling,” Guariglia said. “A company that exists behind a black box, operating all this supposed advanced equipment on which the state is relying to direct where first responders should be sent ... these are matters of real civic importance.
“When governments rely on private companies that spit out answers, and they don’t say how they’ve arrived at those answers, you’re giving up public accountabilities.”
The American Civil Liberties Union of Utah had similar concerns at the time and the group’s legislative and policy counsel Marina Lowe said in a Tuesday interview that the mandates of HB243 had the potential to limit further intrusions into Utahns’ personal privacy via government operated technology.
“We’ve had a spate of new technology advances coming forward and being used by the government without any real opportunity for outside review,” Lowe said. “This effort seeks to create a body tasked with affirmatively reviewing and overseeing appropriate use of technology tools.”
Lowe also noted the privacy panel proposed under HB243 puts up-to-date expertise in the loop of lawmakers and state administrators who are increasingly challenged with deciphering the implications of fast-evolving systems that rely on artificial intelligence, machine learning and other complicated and cutting edge tech innovations.
On Monday, Dougall’s office released a report following a six-month assessment of the Banjo contract that included scans for privacy and discrimination issues. Last June, Dougall assembled a panel of topic experts to conduct the assessment. The release from the nine-member Commission on Protecting Privacy and Preventing Discrimination includes a set of principles intended to help guide government entities when considering adopting new, high technology products or services.
“These principles are most suited to new or emerging technologies, such as artificial intelligence or machine learning, that may not have a long history to draw upon for software application and vendor evaluation as well as for ‘startup’ or young vendors that likewise may not have extensive history,” the report reads.
The principle list includes 12 main items and various subcategories that encourage government agencies to take steps such as limiting sharing of sensitive data, validating technology claims, performing in-depth reviews of claims related to the function of artificial intelligence and/or machine learning engines and vetting key vendor personnel. Many of the items appear to be direct responses to issues revealed in Banjo’s operations and contract with the state.
In a statement, Reyes’ office, which initiated the Banjo contract, said the attorney general supported the auditor’s conclusions.
“The Attorney General’s Office supports the recommendations, standards, and benchmarks in the commission’s final report,” the statement read. “This will be valuable to our office, law enforcement statewide, and all levels of government.
“We currently employ many of these principles in our vetting processes and look forward to utilizing the specific benchmark questions presented by the commission.”
Boyack said Dougall’s efforts to create a technology vetting mechanism aiming to protect the rights of Utahns is the perfect wind-up to what HB243 is looking to make a permanent body.
“Auditor Dougall has initiated a short-term effort on his own in this area and what this bill does is formalize that in a long-term approach,” Boyack said.
HB243 was passed unanimously by the House Government Operations Committee and now heads to the full House body for further consideration.