Weeks after its international launch, Worldcoin is drawing the attention of privacy regulators around the world, with the Kenya’s government going so far as to shut down the service indefinitely.
The international ID start-up, backed by big names in Silicon Valley, is now having to defend itself in investigations over whether the biometric data that the company is collecting is truly secure.
Worldcoin is the creation of Sam Altman, best known as the CEO of OpenAI, the company that has gained widespread recognition with its artificial intelligence chatbot ChatGPT.
The goal of Worldcoin and the company backing it, Tools for Humanity, is to give people a form of identification that could never be stolen or duplicated. Worldcoin creates a ‘World ID’ by scanning someone’s eyeballs through “orbs” – a device that captures an image of their irises, the coloured parts of the eyes.
One possible use for such an ID would be online services, where oftentimes people are having to remember multiple passwords and usernames for various websites they have signed up for.
The security of those sites can be flawed, however, and there have been numerous security breaches where usernames and passwords have been stolen. Instead of using old technology like passwords, a person could just sign up using their World ID.
Worldcoin is first and foremost an identification project but it’s using cryptocurrency to get people to sign up. The Worldcoin token is trading for roughly US$1.90, but its value is largely based on speculation rather than its current usability as a currency.
Worldcoin launched officially in July, and as part of the promotion, early adopters were given an amount of cryptocurrency worth between US$50 and US$60, depending on the jurisdiction. Most of the countries where Worldcoin launched don’t widely use or accept crypto.
Further, US$50 is a lot of money in developing countries where people are being asked to sign up, including Kenya, where the average monthly income is roughly US$170.
Thousands of Kenyans lined up in Nairobi this month at a registration centre where Worldcoin scanned their irises in exchange for 25 coins worth about US$50. The largely youthful crowd included a special line for mothers who waited with children strapped to their backs.
Some of those in line told local media that they had travelled for miles after friends said “free money” was being handed out. They acknowledged not knowing why they needed to scan their irises and where that information would go but just wanted the money.
University graduates were among those who waited for hours, alluding to the high rate of unemployment in Kenya, where many are angry over the rising cost of living.
The Kenyan government has since suspended new sign-ups for Worldcoin as it investigates whether people’s information is being properly protected.
Interior Minister Kithure Kindiki said last week that “investigations of the safety and protection of the data being harvested and how the harvesters intend to use the data” had started.
Worldcoin’s orbs collect biometric data by taking photographs of a person’s iris. While Worldcoin argues that the data is used to create a unique, secure form of identification, privacy experts have concerns that the company may use the information in other ways, like personalised marketing.
That has led some countries to investigate Worldcoin’s operations, including France, Germany and now Kenya.
The Bavarian State Office for Data Protection Supervision says it has initiated a comprehensive investigation of Worldcoin and Tools for Humanity over data security practices.
The agency is looking into whether the rights of people who submitted their personal data were observed. They should have been sufficiently informed about how their data would be used and given the ability to object, have their data deleted or to withdraw their permission, said Michael Will, head of the office.
The data also should be protected from unauthorised access – to prevent identity theft, for instance, he said in a statement.
France’s data privacy regulator said the legality of Worldcoin’s data collection and how it stores the information “seems questionable”. It launched an investigation, finding the German privacy watchdog had jurisdiction under Europe’s strict data privacy rules.
The UK Information Commissioner’s Office says it’s making inquiries about Worldcoin.
Privacy experts are worried that even Worldcoin could eventually be susceptible to criminals infiltrating it, similar to data breaches at other large companies. Privacy experts have said biometric data is already being sold in places like China and that could spread to other countries or jurisdictions.
“When biometric data gets leaked, especially in the poor countries where Worldcoin’s been operating, people’s lives are on the line,” said Pete Howson, a professor of international development at Northumbria University in Newcastle upon Tyne, England.
In a blog post, Worldcoin acknowledged the privacy concerns around its new service but said, “Everything is optional, and no personal data is disclosed by default, enabling each holder to decide which (if any) personal data to share with third parties when using World ID.”
Worldcoin has previously said the company uses industry best practices to secure users’ data, pointing to an audit that two security firms did in late July.