A posthumous state audit of high-tech surveillance startup Banjo — which briefly held a contract worth tens of millions of dollars with Utah law enforcement agencies — found the Park City company was never capable of delivering on promised services and had inappropriate access to databases with sensitive information.

State Auditor John Dougall also raised questions about the state procurement vetting process in a report issued last week, including whether criminal background checks should be conducted on the people who run businesses that earn lucrative public contracts.

That last issue has a direct tie to the incident that would prove to be Banjo’s undoing — revelations that Banjo founder and CEO Damien Patton had connections to white supremacist groups and participated in an incident as a teenager in which shots were fired at a Jewish synagogue in Tennessee.

A best-practices guide that Dougall’s office released in February, one inspired in part by the missteps revealed in the Banjo audit, suggests future government contracts, and particularly those aiming to engage new and emerging technologies like artificial intelligence and machine learning, should include vetting “key vendor personnel.”

Patton was not subject to any type of background check because it is not required under current state procurement rules. And, Utah Attorney General Sean Reyes, whose office was the lead agency in a state cooperative contract struck with Banjo in 2019, wrote in a letter to Dougall that even if Patton had been screened, his past issues would likely not have been discovered anyway.

“As a preliminary matter, in (requests for proposals) such as the one in which Banjo participated, there is no requirement in the state procurement process for the Utah Attorney General’s Office to investigate companies and particularly not their employees,” Reyes said. “The Utah Attorney General’s Office, however, went above and beyond what is normally done for contractors including conducting interviews with colleagues, technology experts, leaders of other companies familiar with the CEO, law enforcement officials, elected officials, etc.

“The subsequent negative information that came out about Mr. Patton was contained in records that were sealed and/or would not have been available in a robust criminal background check.”

The state’s contract with Banjo extended five years and was worth a potential $21 million. Dozens of Utah municipal agencies and institutions also entered into agreements with Banjo under state preferred-provider agreements. The state suspended its principal contract following revelations of Patton’s past last April but not until, according to state records, over $3 million had been paid out to the company.

Banjo touted its software platform as a tool that could provide critical information and investigative direction by constantly gathering and processing massive amounts of data from multiple sources, including networks of video surveillance cameras, 911 call centers, emergency vehicle data and social media content that could be leveraged to get first responders to incidents faster and help solve crimes by saving police hours of old-fashioned detective work.

Then-Utah Lt. Gov. Spencer Cox, left, sits down with Damien Patton, founder and CEO of Banjo, Daniel “Dan” Gelston, president of the broadband communications sector at L3 Technologies, and Shawn Newell, former University of Utah and Chicago Bears football player and vice president for Industrial Supply Co., at the 13th annual Utah Economic Summit at the Grand America Hotel in Salt Lake City on Friday, May 17, 2019. | Scott G Winterton, Deseret News

Auditors, however, said their examination of the system, one that had to be pieced together since Banjo’s Live Time apparatus was no longer actively processing Utah information when the assessment was done, fell far short of promised performance.

“The actual capabilities of Live Time appeared inconsistent with Banjo’s claims in its response to the (request for proposals),” auditors reported. “The Attorney General’s Office should have verified these claims before issuing a significant contract and recommending public safety entities to cooperate and open their systems to Banjo.”

In its contract with the state, Banjo described its service as “live artificial intelligence capable of accessing, compiling, analyzing and validating thousands of live data sources simultaneously to provide real-time information to eligible users.” Auditors found Banjo’s Live Time platform was only utilizing a small number of data inputs that mostly stemmed from Utah governmental sources, such as 911 dispatch centers, police agencies and Utah Department of Transportation traffic cameras, and during the assessment, Banjo representatives acknowledged their system “does not use techniques that meet the industry definition of artificial intelligence.”

Auditors also found evidence that some Utah agencies with which Banjo was working provided access to databases that should have been off-limits and that some of those sources may have included personally identifiable information on individual residents. However, based on the auditors’ assessment, they do not believe that information was accessed or used by Banjo, and since the suspension of the contract, no Utah data, or access to Utah data, is part of the Live Time system.

Auditors said that might not have been the case if Live Time had actually performed at the level that Banjo had claimed in its contract.

“Because of the reduced capability of the Live Time system, it appears much less likely personally identifiable information (PII) was accessed, transferred, and used than was previously feared,” the report reads.

A Reyes’ spokesman said Banjo is now doing business under a different name and the contract remains suspended. He also noted the attorney general’s office will not be reengaging the company, which now operates as safeXai.

Last May, the company announced Patton had stepped down as CEO and “is not an employee, no longer on the board and has no operating capacity on the company.” Dougall’s report indicates auditors attempted to review records to determine what, if any, ongoing financial connections Patton has with the company, but reported that “Banjo did not provide any documentation that demonstrated that its founder was no longer a beneficial owner of any part of the company’s stock.”

Court records and federal hate crime investigation documents detailing Patton’s association with a Ku Klux Klan faction and his involvement in violent actions directed at a religious group were first reported by online forum Medium’s technology news outlet OneZero. After becoming aware of the reporting, the facts of which Patton has not contested, Reyes’ office announced suspension of the state’s contract with the company and called for further review.

At 17 years old, Patton was involved with a faction of the Ku Klux Klan and participated in a drive-by shooting of a Nashville synagogue on June 9, 1990. According to court records, Patton was driving the vehicle on that day as a Klan leader shot out windows of the synagogue with a semi-automatic weapon. No one was injured in the incident, but the gunfire was directed at a building not far from where the congregation’s rabbi was at the time.

In his letter to Dougall while the contract was still active, Reyes wrote that his office did not believe Patton’s involvement in the incident carried over into the work conducted by Banjo on behalf of his office and other Utah agencies and institutions.

“Based on our firsthand experience and close observation, we are convinced the horrible mistakes of the founder’s youth never carried over in any malevolent way to Banjo, his other initiatives, attitudes, or character,” Reyes said.

Even before Patton’s personal history became a public matter, Banjo’s services were raising concerns with civil rights watchers and personal privacy watchdogs.

Electronic Frontier Foundation policy analyst Matthew Guariglia told the Deseret News in 2020 that not knowing exactly how Banjo’s Live Time platform operated left unanswered questions about public accountability.

“The fact that nobody really knows how this technology works is incredibly troubling,” Guariglia said. “A company that exists behind a black box, operating all this supposed advanced equipment on which the state is relying to direct where first responders should be sent ... these are matters of real civic importance.

“When governments rely on private companies that spit out answers, and they don’t say how they’ve arrived at those answers, you’re giving up public accountabilities.”

In the recently completed legislative session, Utah lawmakers created a new vetting body that will be tasked with working to ensure mistakes like those made with the Banjo contract do not occur again.

HB243 creates a permanent committee, housed within the state auditor’s office, that would include topic experts from the realms of internet technology, cybersecurity, law enforcement, data privacy law, data privacy technology and civil liberties law.

The collected experts will be responsible for reviewing technology products and services for how they collect, assess and store personal data and information for state agencies as well as those of Utah municipal and county government operations, including school districts. Overseeing that work will be two new state data privacy officers, one of whom would also be a part of the auditor’s staff and another in the governor’s office.