The increasing adoption of Worldcoin, an AI-centric identification project with its own cryptocurrency, is alarming privacy advocates and regulators.
According to the project, over 5 million people have already lined up to stare into a silver sphere the size of a bowling ball and scan their irises.
In addition to receiving online ID verification, users are rewarded 25 WLD, worth about $115.
As of April 11, over 10 million people had signed up for Worldcoin’s World App.
Sam Altman, founder of Worldcoin and CEO of OpenAI, claimed that the project aims to create “a global financial and identity network based on proof of personhood,” which is essential for an era where artificial intelligence is commonplace.
However, since its inception, Altman’s startup has received significant backlash from influential privacy advocates, including American whistleblower Edward Snowden.
Despite using cryptocurrency and blockchain technology, the project has received lukewarm support from the crypto community.
Vahan P. Roth, an executive board member at Swissgrams AG, said Worldcoin “blatantly contradicts the central ethos of cryptocurrencies – the core principles of anonymity and decentralization on which Bitcoin and its peers were founded.”
On top of that, regulators in several countries have begun to ban the project outright, fearing that this collection of biometric data could be a critical threat to privacy.
Is Worldcoin’s biometric data collection a real threat to privacy, or do people just misunderstand the company’s goal?
Biometric data is the holy grail of personal info
Data breaches and sales of stolen data online are already a fact of life.
However, an online biometric data record is more concerning due to its sensitive and highly personal nature.
For Rory Mir, associate director of community organizing at the Electronic Frontier Foundation (EFF) — a nonprofit organization defending civil liberties in the digital world — the safety of biometric data is critical, as it is “largely unchangeable and difficult to obscure.”
“You only have one body, so when this data is collected and used to track you, you have little recourse.”
Mir stressed that any biometric data collection “needs very strict protections centering the explicit consent from those being scanned, if not banned outright.”
They said it’s “not clear the Worldcoin contractors collecting these scans come close to clearing this bar for due diligence consistently.”
Privacy regulators are banning Worldcoin worldwide
Regulators have begun to crack down on Worldcoin amid these privacy concerns.
In 2023, regulators in India, South Korea, Kenya, Germany and Brazil began investigating the company’s data collection practices.
More recently, regulators have taken more drastic steps.
On March 18, 2024, Spain became the first country to ban Worldcoin’s biometric data collection.
On May 22, Hong Kong ruled that Worldcoin’s retention of sensitive biometric data for up to 10 years for AI model training was unjustified, halting all Worldcoin’s operations in the region.
The Spanish Data Protection Agency (AEPD) told Cointelegraph that the allegations against Worldcoin are based on several reports from Spanish citizens.
It claimed that Orb data collectors provided “insufficient information, collected data from minors and even failed to allow withdrawal of consent.”
Worldcoin filed an injunction request, but the National Court (Audiencia Nacional) rejected the appeal, stating that the “right to the protection of personal data of the subjects must prevail over the particular interest of the appellant company, which is essentially economic in content.”
Christoph Schmon, international policy director at the EFF, told Cointelegraph that European Union regulation is a type of “one-stop shop mechanism for cross-border data protection enforcement.”
Schmon explained that this type of enforcement produces a central lead authority that will, in cooperation with other national authorities in the EU, decide the ultimate fate of Worldcoin’s activities.
Schmon indicated that the lead authority of Worldcoin would be Germany, as its European headquarters are located in that country.
Although Germany may have the last say, the AEPD told Cointelegraph that Article 66.1 of the General Data Protection Regulation, by which Worldcoin abides, permits other EU national regulators to take action.
Other national regulators can bring enforcement cases in “exceptional circumstances” if a supervisory authority finds it “urgent to intervene” to protect individuals’ rights and freedoms.
The AEPD mentioned that it actively collaborates with its European counterparts, as seen with Worldcoin’s ban in Portugal and probable ban in Italy.
Schmon said that “regulators can use several international cooperation mechanisms” to tackle the activities of globally active entities, such as the Global Privacy Assembly or through intergovernmental dialogues.
How can Worldcoin prove its good intentions?
For its part, Worldcoin has reacted to regulatory pressure and has begun offering more transparency and security to calm users and government watchdogs.
Four days after Spain’s ban, Worldcoin made its Orb software open source.
Additionally, World App users can implement a privacy feature called “Personal Custody,” where they can self-custody their data. The company claims that once the encrypted data is sent from the Orb to the individual’s World App, “no unencrypted copies of this data exist anywhere.”
Worldcoin passed a third-party audit that assessed there was no direct vulnerability in the Orb software’s end-to-end encrypted messaging.
It also open-sourced a secure multiparty computation used in its biometric data system.
The company also claims that users can securely delete their old iris codes.
Sascha Drobnjak, head of legal and compliance at on-chain confidential computing project Arcium, told Cointelegraph that “open-sourcing their software and implementing features like personal custody and the ability to unverify one’s ID certainly appear to be steps in the right direction.”
Mir highlighted how open-sourcing code can allow “independent researchers to test technical claims.”
Lasha Antadze, co-founder of Rarilabs — which is building a privacy-first zero-knowledge social protocol — told Cointelegraph:
“To avoid further bans and extend trust in their product, [Worldcoin’s] primary focus should be on empowering the user.”
Antadze said Worldcoin should focus on improving mechanisms that allow users to give, deny or withdraw their consent and control over their data, including “clear options to opt in or opt out of the service.”
The latest developments from Worldcoin seem to be a step in this direction. These efforts, compounded over time, may convince regulators to repeal their current bans and avoid further issues.
However, most people may find it difficult to swallow the thought of a single private entity gathering their biometric data en masse.
Worldcoin will have to address regulators’ and users’ concerns to prove that its product is safe and guarantees privacy.
While much of the onus is on Worldcoin, Antadze said that regulators also need to “step up their game,” as, in his opinion, they often “do not understand the technology or how to create mechanisms to monitor these technologies effectively.”
He believes regulators’ lack of technological knowledge “leads to misinformed blanket bans, where everyone loses as a result.”
Worldcoin did not answer all of Cointelegraph’s questions but did highlight that its “open-sourced humanness verification process and technology used to verify individuals is novel, complex and easily misunderstood.”
The project added that it’s pleased to “participate in conversations to help increase understanding and to debunk common misperceptions.”
The core of the controversy surrounding Worldcoin seems to be related to its prior lack of transparency and trust in its technology. Worldcoin has a lot of ground to cover to inform, prove and convince the public and regulators alike that its protocol is private, safe and useful.