Law-enforcement surveillance software that was suspended by the Utah state government last year was “much less likely” to have improperly used personally identifiable information than previously feared, the state auditor’s office announced Tuesday.
The software, Live Time, produced by a company called Banjo, is unlikely to have violated the public’s privacy because its actual capabilities were found to be “inconsistent” with the company’s claims about what the product can do.
“Banjo previously represented the ability for Live Time to perform live ‘event detection’ based on integration of data from outside sources [such as] social media or private security data. Banjo touted the ability for Live Time to identify child abduction cases, active shooter cases, traffic accidents, event detection, and real‐time events,” read a March 26 letter from Utah State Auditor John Dougall to state Attorney General Sean Reyes.
Those claims, which led to the award of a five-year, $20.8 million contract with the state, were at odds with the product’s actual capabilities, which according to Dougall’s office amounted to “a dashboard of data aggregated from Utah governmental sources, such as 911 dispatch centers, police agencies, and [Utah Department of Transportation] traffic cameras.”
Banjo claimed it had an agreement to gather data from Twitter, but the auditor found no evidence that any social media data had been incorporated into Live Time. Through interviews with several public safety answering points, auditors also found that none of the information shared by those offices was considered sensitive PII, though direct connections between Live Time and PSAP databases were identified as security risks.
“In theory, Banjo could alter those queries without knowledge of the PSAP,” the auditor’s letter read. “This could have allowed unauthorized access to other sensitive PII. … Clearly, Live Time’s configuration lacked certain key security features and Banjo’s approach didn’t follow best practices.”
The audit of Banjo was prompted last year by the revelation that its founder, Damien Patton, was a former Ku Klux Klan member who’d participated in a 1990 drive-by shooting of a synagogue near Nashville, Tennessee. According to Dougall’s investigation, the failure of the state to vet key personnel, such as a company’s founder, before awarding contracts was of “significant concern,” particularly when the contracts include the use of products that potentially touch the private data of residents.
Dougall’s office included in its correspondence to Reyes a list of principles that might help the state avoid Banjo-ing again in the future. These include steps such as limiting the sharing of sensitive data, minimizing sensitive data collection, validating technology claims through independent review and vetting key vendor personnel through more rigorous background checks.