Eye scan showing biometric data and privacy concerns for Worldcoin

Worldcoin’s Targeting of Developing Countries in Biometric Data Collection Raises Privacy Concerns

Pushed by OpenAI founder Sam Altman and backed by substantial Silicon Valley money, Worldcoin is the newest big name in cryptocurrency. But under a month into the project, privacy concerns have already caused it to be banned by some countries and targeted for regulation in others. The central issue is its collection of biometric data, as it promises “free money” in return for capturing iris scans.

The project is drawing particular scrutiny for setting up these iris scan events in developing countries, such as Kenya, and countries that are largely developed but have significant swathes of poverty and low average incomes, such as India.

Less than a month old, Worldcoin already courting controversy over privacy concerns

First announced in 2021, Worldcoin raised over $100 million in funding by the end of the year. By early 2022 it was also already raising privacy concerns and taking criticism for its collection of biometric data in impoverished regions of Ghana, Indonesia and Sudan among other locations.

Worldcoin has been setting up “registration events” in a variety of locations throughout the world over roughly the last year and a half, and not all have been developing countries or poor villages. However, it has seemed to pay a disproportionate amount of attention to places where cryptocurrency is almost nonexistent, but promises of “free money” will be certain to draw crowds without much further questioning.

The company appears to have varied in what it offered at these events as it was getting off the ground, sometimes paying registrants with local currency, gift cards or Airpods. Since the coin launched in July of this year, they now seem to be offering an amount of Worldcoin worth about $50 in return for biometric data.

One of the places where a registration event recently drew large crowds is Kenya, where the average monthly income is about $170 per month. But the visit raised privacy concerns with the national government, and the Interior Minister has announced that new events and new registrant sign-ups are suspended pending an investigation into the collection and use of all of this biometric data.

While Worldcoin appears to be another cryptocurrency token at first glance, the grand aim of the project actually appears to be adoption as a universal internet-based authentication standard. The company appears to be building a global user base simply by paying people for their biometric data. It has also provided little transparency into this process as it has built up, offering little more than a promise that data is stored securely on the “orbs” it uses to scan irises and that it will be deleted once it is no longer needed. Edward Snowden was one of the first to point out that though the company promises to delete personal data, it uses that data to create unique hashes (stored indefinitely) that will then be matched against future scans that generate the same hash.

Worldcoin’s use of biometric data, ability to secure it remains unclear

At minimum, Worldcoin’s collection of biometric data during its ramp-up may have violated several different aspects of the General Data Protection Regulation (GDPR). The company has also made orb-scanning stops in Germany and France, and France has already initiated an investigation focusing on whether registrants provided true informed consent and whether the collected data is being handled securely. A similar investigation has been launched in Bavaria due to privacy concerns, and it appears the German Federal Data Protection Authority will have jurisdiction.

The UK’s ICO, which maintains standards very similar to those of the GDPR, has also said that it is making inquiries into the matter. Argentina’s Agency for Access to Public Information (AAIP) has also announced an investigation due to public privacy concerns.

Most of these investigations are centering on national regulations and attendant privacy concerns, but there is an additional serious concern about Worldcoin’s biometric data collection. A recent Gizmodo report found that a black market of iris scans obtained from Worldcoin has cropped up in China, likely fed by direct payments made to people in Kenya and Cambodia who already registered for Worldcoin. This development undercuts two of Worldcoin’s primary selling points as a new global ID: the idea that it “cannot be stolen,” and the removal of crypto attacks based on the use of numerous fake accounts.

Worldcoin has said that one of its future aims is for governments to use the system as a secure means of paying out universal basic income. However, it is rapidly onboarding people without necessarily fully informing them of what is being done with their biometric data or what the ramifications might be if they sell off a personal account or if an iris scan is somehow stolen. Some of the early registrants have already found that deleting a Worldcoin app that was causing performance issues on their phone caused the money they were paid to be permanently removed from their account along with it.