Worldcoin Launched. Then Came the Backlash

The controversial cryptocurrency-cum-biometric identification project Worldcoin finally launched last month and now boasts more than two million sign-ups. But the scheme has attracted scrutiny from regulators in several countries, suggesting that its mission to become the world’s arbiter of digital identity could face a rocky road.

Cofounded by OpenAI CEO Sam Altman and backed by renowned Silicon Valley venture capital firm Andreessen Horowitz, the project’s developer, Tools for Humanity (TFH), has received considerable attention due to its unconventional approach to attracting new users. Since 2021, Worldcoin has been using custom-made biometric hardware known as the the Orb to scan people’s irises in exchange for a small allocation of the company’s native cryptocurrency.

The exact purpose and scope of the project has shifted over time. Initially, it was billed as a way to fairly distribute cryptocurrency to every human on the planet, in the process creating the infrastructure needed to dispense a global universal basic income (UBI). But its goals have since morphed; in December, company leaders explained to IEEE Spectrum that they’re now focusing on helping users prove they are humans on an Internet increasingly overrun with AI-powered bots.

The Backlash to Worldcoin’s Launch

Until last month, the cryptocurrency reward for signing up was just an IOU. But on 24 July the token was finally launched and verified users finally received 25 Worldcoins each. That is, as long as those verified users were not in the United States. Worldcoin says that due to regulatory uncertainty on the legal status of cryptocurrencies, they have decided not to launch the token in the United States yet, though people can still get verified by an Orb.

It seems regulators elsewhere are also uncertain about the project. The launch drew swift responses from authorities in Germany, France, Argentina, and the United Kingdom due to concerns about the project’s data-collection activities. Officials in Kenya even ordered the suspension of Worldcoin operations and raided a warehouse used by TFH.

The company claims it has made efforts to comply with all regional laws and guidelines and has actively engaged with authorities. Tiago Sada, head of product, engineering, and design at TFH, says he and his colleagues are confident of their ability to assuage regulators’ concerns, which largely center around data privacy. “It’s very understandable that governments have questions, and we think that is super healthy,” he says. “It’s just a matter of having that meeting.”

The reason for Sada’s confidence is the unique approach the company takes to biometric identification. When a user gets an iris scanned by an Orb, the data is converted into a string of numbers known as a hash, which can’t be used to re-create the original image of the iris. These hashes and a cryptographic key linked to the user’s app are stored in a database on the Worldcoin blockchain.

The Orb’s iris scans are used to create a privacy-preserving and unique digital ID.Worldcoin

The only way this database can be queried is through the Worldcoin app using a cryptographic technique known as a zero-knowledge proof (ZKP), which lets someone prove knowledge of a secret without revealing it. When a request is made, the app generates a ZKP showing that the user’s iris hash is present in Worldcoin’s database without revealing which is theirs. Presently this is used to claim a user’s free tokens, but TFH has also created a system called World ID that will allow third parties to use the ZKPs to verify that someone is a “unique human.”

Crucially, Sada says, the iris hash collected by Worldcoin is not linked to any other personally identifiable information such as names, email addresses, or phone numbers, or any record of online or offline activity. “The World ID essentially generates a disposable user ID every time you’re going to use it with an application,” he says.

Regulators’ Data Privacy Concerns

But it remains to be seen whether regulators will be convinced. In a statement, a spokesperson for the French privacy regulator CNIL said it had initiated investigations into the company last year over its collection of retinal scans, which could fall afoul of the European Union’s stringent GDPR data protection laws. “The legality of this collection seems questionable, as do the conditions for storing biometric data,” the spokesperson wrote in an email.

As TFH’s European headquarters is in the German state of Bavaria, the investigation is now being led by the Bavarian State Office for Data Protection Supervision. That organization’s president, Michael Will, said that Worldcoin appears to have made efforts to comply with GDPR rules. “Whether they are succeeding in compliance, that’s the question we are dealing with,” he adds.

According to the Worldcoin website, the Orb promptly deletes a user’s iris scan after creating the iris hash. But users can also opt in to store their unhashed scans on Worldcoin’s servers to help train the company’s iris-detection algorithms. Establishing exactly how long, where, and in what state iris data is stored is a central question for the investigation, says Will. The possibility that third parties will be able to make use of the data collected by Worldcoin for identification purposes also complicates things. “This raises numerous questions connected with cryptographic ideas and concepts, which have to be examined rather precisely to see whether they work,” says Wills.

One aspect of the GDPR that might pose particular problems for Worldcoin is the user’s right to delete their data. Sada concedes that the use of ZKPs means it’s not currently possible to identify a specific user’s iris hash and delete it. He questions whether that data would count as personal information, though, as the ZKP also means the hash can’t be directly linked to the user in any way.

Whether that argument will wash with regulators remains to be seen. In Argentina, where the Agency for Access to Public Information recently announced an investigation into Worldcoin, privacy legislation defines concepts like personal data in incredibly broad terms, says Lisandro Frene, head of the IT and data privacy department at the Argentine law firm Richards, Cardinal, Tützer, Zabala, and Zaefferer. While the question would have to be settled by the courts, he’s highly doubtful that the kind of technical argument Worldcoin is employing would hold sway.

The Argentinian regulator has never levied a fine of more than US $1,000, according to Frene, so falling afoul of its privacy rules may not have significant consequences for Worldcoin. But elsewhere the blowback has been more serious.

Worldcoin’s Problems in Kenya

On 2 August, Kenya’s Interior Ministry ordered Worldcoin to halt all activity in the country while it investigated potential risks to the public. Five days later, police raided a Nairobi warehouse operated by Worldcoin and confiscated documents and devices, according to local reports.

The company had actually been ordered to cease data collection and processing by Kenya’s Office of the Data Protection Commissioner on 30 May. But according to TFH, after they met with officials to discuss the order, the regulators stopped engaging with them. TFH says it sent the office a letter in June addressing outstanding concerns raised at the meeting, and included an ultimatum that if it didn’t receive a response within a week it would assume the matter was resolved and resume data processing.

Not getting a response to a letter is not justification for ignoring orders from local regulators, says Bridget Andere, senior policy analyst at the digital rights nonprofit Access Now, and she highly doubts that TFH would have made a similar ultimatum to a regulator in a developed country. “It’s really just speaking to how unethical tech companies are when they come to this region, how extractive they are, and how much they ignore the laws,” she says.

More concretely, there are significant concerns about whether the Kenyan people that Worldcoin is signing up are in a position to provide informed consent, says Andere, which is a key element of the country’s privacy laws. “You look at the demographics and it’s not people who know their privacy, rights, or data rights,” she adds.

Ultimately, this perception that Worldcoin is taking advantage of people could prove to be a major hurdle for Worldcoin, says Andrew Bailey, an associate professor of philosophy at Yale-NUS College in Singapore who studies cryptocurrencies. He suspects regulators may be acting less on solid privacy concerns and more on a gut feeling that there’s something “icky” about a crypto project hoovering up people’s biometric data, particularly when much of the activity is focused on the developing world.

“Something about Worldcoin gets people passionate, regulators included,” Bailey says. “It might well be that a Worldcoin developer could run circles around them when talking about how ZKPs work, but I don’t think that’s going to change a lot of people’s minds.”