Last year Banjo signed a $20.7 million contract with Utah that granted the company access to the state's traffic, CCTV, and public safety cameras. Banjo promises to combine that input with a range of other data, such as satellite data and social media posts, to create a system that it claims alerts law enforcement to crimes or events in real time.

Do you work at Banjo or know anything else about the company’s work? Do you know about any other apps that abused data access? We’d love to hear from you. Using a non-work phone or computer, you can contact Jason Koebler securely on Signal on +1 202 505 1702, or Joseph Cox on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.
Before pivoting to artificial intelligence for governments, Banjo was a social media-focused company, offering an app that showed what was happening around a user based on posts from Twitter, Instagram, FourSquare, and other social networks. It then moved on to providing services to media companies, alerting them when something significant and perhaps newsworthy was breaking on social networks. Some similar companies, like Dataminr, have permission from social media sites to use large amounts of data; Twitter, which owns a stake in Dataminr, gives the firm exclusive access to its so-called "fire hose" of public posts.

Banjo did not have that sort of data access. So it created Pink Unicorn Labs, which one former employee described as a "shadow company," that developed apps to harvest social media data.

"They were shitty little apps that took advantage of some of the data that we had but the catch was that they had a ton of OAuth providers," one of the former employees said. OAuth providers are services such as Facebook ("Facebook Connect"), Twitter ("Sign In With Twitter"), or Google ("Google Sign-In") that let a user sign into a third-party app or website with an existing account. The user does not have to create a new account for each site or app, and can instead log in with their already established social media identity. The security-relevant detail is what the app receives in return: an access token for that user, scoped to whatever permissions the user approved on the consent screen, which the app can use to pull that user's data from the provider's API for as long as the token stays valid. An app that bolts on many providers therefore collects tokens for many networks at once, and the consent screen is the only point at which the user sees what is being granted.

"I always knew this moment would come. While I worked there, it felt like I was spying on the world."
Rahjerdi told Motherboard, "They’re a shared codebase made to be super easy to set up new apps."

The apps request a wide range of permissions, such as access to location data, the ability to create accounts and set passwords, and the ability to find accounts on the device.

Multiple sources said Banjo tried to keep Pink Unicorn Labs a secret, but Motherboard found several links between the two. An analysis of the Android apps revealed that all three contained code with web links to Banjo's website; each app also contained an identical set of data that appeared to be pulled from social network sites, including, repeatedly, the Twitter profile of Jennifer Peck, who works for Banjo and is married to Banjo's Patton. In registration records for the two companies, both Banjo and Pink Unicorn Labs shared the same address in Redwood, California, and Patton is listed as the creator of Pink Unicorn Labs in that firm's own public records.

"Several projects I worked on were 'make sure you only ever use this VPN to run the code, we can't have this traced back to us,'" one former employee recalled being told while working at Banjo. Another said the company carried out a lot of work through Tor, a network for using the internet anonymously that prevents activity from being attributed to the user's own IP address.

"Banjo was doing exactly the same thing but more nefariously, arguably."
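The two checks described above, reading off what permissions an app requests and looking for infrastructure shared between separately branded apps, are the kind of triage a practitioner scripts over decoded APKs. The following is an added example and is not Motherboard's analysis or code from Banjo or Pink Unicorn Labs. It assumes the AndroidManifest.xml and the decompiled string literals are already extracted (for instance by apktool); the sample manifest, the string-table excerpts, and every hostname in them are constructed, and the mapping from permission names to the user-facing labels Google Play shows is my own approximation.

```python
"""Triage helpers for decoded Android apps: sensitive permissions and shared hostnames.

Added example, not from the article. Assumes the manifest and string literals have
already been pulled out of each APK. Permission labels approximate Google Play's wording.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that deserve a second look in an app that only claims to show nearby posts.
# Labels are my approximation of the text Google Play shows users (assumption, not from the page).
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location (GPS and network-based)",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location (network-based)",
    "android.permission.GET_ACCOUNTS": "find accounts on the device",
    "android.permission.AUTHENTICATE_ACCOUNTS": "create accounts and set passwords",
    "android.permission.MANAGE_ACCOUNTS": "add or remove accounts",
    "android.permission.READ_CONTACTS": "read your contacts",
}


def triage_manifest(manifest_xml: str) -> list[tuple[str, str]]:
    """Return (permission, user-facing label) for each sensitive <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    found = []
    for node in root.iter("uses-permission"):
        # The name attribute lives in the android: namespace.
        name = node.get(f"{{{ANDROID_NS}}}name")
        if name in SENSITIVE_PERMISSIONS:
            found.append((name, SENSITIVE_PERMISSIONS[name]))
    return found


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def hardcoded_domains(text: str) -> set[str]:
    """Hostnames of every URL literal found in decompiled code or resources."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return hosts


def shared_domains(apps: dict[str, str]) -> set[str]:
    """Hostnames referenced by *every* app: a cheap signal that separately branded apps share an operator."""
    per_app = [hardcoded_domains(text) for text in apps.values()]
    return set.intersection(*per_app) if per_app else set()


# Constructed sample manifest, modelled on the permission set the article lists.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.AUTHENTICATE_ACCOUNTS"/>
</manifest>
"""

# Constructed smali-style string-table excerpts for three apps. The shared hostname is a
# placeholder standing in for the parent company's site; none of these are real domains.
SAMPLE_APP_STRINGS = {
    "app1": 'const-string v0, "https://api.app1.example/v1"\n'
            'const-string v1, "https://www.parent-company.example/about"',
    "app2": 'const-string v0, "https://app2.example/login"\n'
            'const-string v1, "https://www.parent-company.example/about"',
    "app3": 'const-string v0, "https://cdn.app3.example/"\n'
            'const-string v1, "https://www.parent-company.example/terms"',
}

if __name__ == "__main__":
    for perm, label in triage_manifest(SAMPLE_MANIFEST):
        print(f"{perm}: {label}")
    print("hostnames shared by all apps:", sorted(shared_domains(SAMPLE_APP_STRINGS)))
```

On real input, point `triage_manifest` at each decoded manifest and feed `shared_domains` the concatenated `.smali` or `strings.xml` contents per app; a hostname that every app references but that matches none of their own brands is the lead worth following up in registration records.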
The Banjo case raises questions about other apps that may have abused similar access.

While a Twitter spokesperson said the company had no "active evidence" on the Pink Unicorn Labs example, they wrote in an email that they were familiar with Banjo itself, and "We’ve seen examples of similar misuse of OAuth tokens in the past, and have enforced when we’ve seen them." Twitter also confirmed it enforced against this exact sort of violation by Banjo after finding it proactively in 2017, but did not elaborate on which specific Banjo app.

A Facebook spokesperson wrote in an email, "Our policies prohibit scraping people's data. We are investigating and will take appropriate action." Facebook said Banjo no longer has access to Facebook's APIs.

A Google spokesperson said the Pink Unicorn Labs apps were removed from the Play Store in 2016, but did not elaborate when asked whether Pink Unicorn Labs removed them or Google did.

Apple did not respond to a request for comment.

Update: This piece has been updated to include more comment from Twitter.

"You can imagine the luls that were had when we saw Cambridge Analytica take so much heat."