Editor’s note: This is an in-depth investigation article on Worldcoin, published by MIT Technology Review in 2022. Carbon Chain Value believes that the content of the article is an information supplement for everyone’s current understanding of Worldcoin, proof-of-personhood, and iris scanning, and also has some reference value and inspirational value. Therefore, Carbon Chain Value, in collaboration with WEEX Exchange, spent two days recompiling this article for the readers to enjoy.
This startup promises to provide a cryptocurrency-based, fair distribution of universal basic income. But so far, all it has done is establish a biometric database based on the bodies of the poor.
On a sunny morning in December 2021, Iyus Ruswandi, a 35-year-old furniture maker from Gunungguruh village in Indonesia, was awakened early by his mother. She said a tech company was holding a “social assistance gift event” at a local Islamic school and asked him to attend.
Ruswandi joined the long queue of residents, mostly women, some of whom had been queuing since 6 a.m. In the economic environment devastated by the pandemic, any form of assistance was welcome.
- UniswapX Protocol White Paper
- Identity authentication systems you must know besides Worldcoin
- 5 DeFi Projects Worth Paying Attention to Recently
At the front of the line, representatives from Indonesia’s Worldcoin were collecting email addresses and phone numbers, or aiming a futuristic metal ball at the faces of villagers, scanning their irises and other biometric data. Village officials were also present, handing out numbered tickets to the people in line to help maintain order.
Ruswandi asked a representative from Worldcoin what kind of charity organization this was, but did not learn any new information: they were donating, as his mother had said.
Gunungguruh was not the only village visited by Worldcoin. Representatives from Worldcoin appeared for one or two days in villages in West Java, Indonesia, as well as university campuses, subway stations, shopping malls, and city centers in more than 20 countries, most of which are developing countries, collecting biometric data. It is understood that they offer various rewards, ranging from free cash (usually in local currency and Worldcoin tokens) to Airpods, and even promises of future wealth. In some cases, they also pay local government officials. However, they do not provide much information about their true intentions.
This has left many, including Ruswandi, confused: What exactly does Worldcoin want with iris scanning?
To answer this question and gain a better understanding of Worldcoin’s registration and distribution process, MIT Technology Review interviewed over 35 people from six countries: Indonesia, Kenya, Sudan, Ghana, Chile, and Norway. They either work for Worldcoin, represent Worldcoin, have been scanned, or have participated but were not successfully recruited.
In a registration event in Indonesia, we observed the scanning process, read conversations in social media and mobile chat groups, and reviewed comments on the Worldcoin wallet in Google Play and Apple Store. We interviewed Alex Blania, CEO of Worldcoin, and submitted a detailed investigation report and list of questions to the company for comments.
Our investigation shows that while Worldcoin emphasizes privacy protection in public information, users’ actual experiences are quite different. We found that the company’s representatives used deceptive marketing tactics to collect more personal data than they admitted, without obtaining valid informed consent. These practices may violate the European Union’s General Data Protection Regulation (GDPR) – the company’s own Data Consent Form acknowledges this possibility and requires users to accept these terms, which may also violate local laws.
In early March, during a video interview conducted in Erlangen, Germany, where the company produces the sphere, Blania admitted some “frictions.” However, he attributed this to the company being in its early stages.
“I’m not sure if you realize this,” he said, “but you’ve seen test operations of Series A companies. It’s a group of people trying to make certain ideals a reality. It’s not like Uber, where hundreds of people have done it many times.”
Identity Verification
Two months before Worldcoin appeared in the village of Ruswandi, a San Francisco-based company called Tools for Humanity emerged from stealth mode. Worldcoin is its product.
The company’s website describes Worldcoin as a “new, collectively owned global currency based on Ethereum, distributed fairly to as many people as possible.” The company suggests that everyone in the world will receive a free share as long as they agree to use a special device for iris scanning, which resembles a beheaded robot head and is referred to as the “Chrome Orb” by the company.
The website continues to explain that this sphere is necessary because of Worldcoin’s commitment to fairness: everyone should receive the allocated digital currency share for them – nothing more, nothing less. To ensure no double-dipping, the Chrome Orb will scan participants’ irises and several other biometric data points, then use a specially developed algorithm by the company to cryptographically verify that they are human and unique in the Worldcoin database.
Bloomberg first reported on the company last summer. Sam Altman, co-founder of Worldcoin and former president of Silicon Valley accelerator Y Combinator, told Bloomberg, “I’m very interested in things like universal basic income and global wealth redistribution.” Worldcoin’s goal is to answer the question, “Is there a way we can use technology to achieve this on a global scale?”
“The company is just getting started and aims to have 1 billion registered users by 2023.”
In the same article, Blania, who was 27 years old at the time and joined Worldcoin directly after graduating from Caltech with a master’s degree in physics, added, “There are still many people in the world who cannot use the financial system. Cryptocurrency has the opportunity to help us achieve this goal.” (Blania and others use “Worldcoin” to refer to both the company and the currency; this article does the same.)
But in addition to these good intentions, Worldcoin will also address key technical issues of Web3. Web3 is the heavily promoted, blockchain-driven third generation of the Internet, where data and content can be decentralized and controlled by individuals and groups rather than a few technology companies.
Blania stated in an interview with MIT Technology Review, “Making this new protocol available to everyone” will be the “fastest” and “largest-scale entry into cryptocurrency and Web3” to date, addressing one of the main challenges of Web3: relative scarcity of users.
In addition, according to Blania, confirming that the other party is human through biometric authentication will solve another “very fundamental problem” of decentralized technology: the risk of so-called Sybil attacks, which occur when an entity in a network creates and controls multiple false accounts. This is particularly dangerous in decentralized networks that require pseudonyms. So far, it has been difficult to propose an identity verification that can truly resist Sybil attacks, which is seen as another obstacle to the large-scale application of Web3.
Worldcoin has conducted field tests in 24 countries; (from left to right) these promotional images were taken in Sudan, Indonesia, Chile, and Kenya.
Blania said that with these two solutions, Worldcoin can become “an open platform that everyone can use, whether it is for identity verification or distribution.” This is the promise of Worldcoin: if successful, this protocol may become the universal identity verification method of the new generation of the Internet. If this is achieved, the currency itself may become more valuable. The company stated in an email statement, “Investors hope that the Worldcoin project will bring value to the world, thereby increasing the value of these shares or tokens.”
This may be why Altman and some big names in Silicon Valley have invested heavily in Worldcoin; Andreessen Horowitz recently led a $100 million financing round, doubling the valuation of this startup from $1 billion to $3 billion.
Glimpsing the Sphere
As of March, when we interviewed Blania, Worldcoin had scanned 450,000 eyes, faces, and bodies in 24 countries. Among them, 14 are developing countries (according to World Bank standards), and 8 are in Africa. But the company is just getting started, with the goal of achieving 1 billion registered users by 2023.
According to the company’s description in a blog post, the core of Worldcoin’s issuance is the high-tech sphere itself, equipped with advanced cameras and sensors that can not only scan irises but also take high-resolution images of “users’ bodies, faces, and eyes, including user irises.” In addition, its data consent terms state that the company also conducts “non-contact Doppler radar detection of your heartbeat, breathing, and other vital signs.” In response to our questions, Worldcoin stated that it has never implemented vital sign detection technology and will remove this statement from its data consent terms. (At the time of publication, this statement still exists.)
Biometric information is used to generate “IrisHash” – a code stored locally on the globe. According to Worldcoin, this code will never be shared, but instead used to check if the IrisHash already exists in the Worldcoin database. The company states that to achieve this, it uses a novel privacy protection encryption method called zero-knowledge proof. If the algorithm finds a match, it indicates that someone has already attempted registration. If there is no match, users can continue to register using their email address, phone number, or QR code for uniqueness check, in order to access the Worldcoin wallet. All of this will be completed within seconds.
Worldcoin states that the biometric information is retained on the globe and will be deleted once uploaded, or at least one day when the company completes training its AI neural network for iris recognition and fraud detection. Until then, it is unclear how these data are processed, apart from vague descriptions like “personal data…sent through a secure, encrypted channel.” “During the on-site testing phase, we collect and securely store more data than what will be retained once we’re done,” the blog post notes. “Once our algorithms are fully trained, we will delete all the biometric data collected during the on-site testing.”
Before the publication of this article, Worldcoin stated in response to our questions that the public version of their system will soon eliminate the need for new users to share any biometric data with the company, although it did not explain how this will work.
Worthless IOUs
However, we know how the registration process works. In order to onboard new users onto Worldcoin’s smartphones, the company has contracts with local “globe operators” who manage the registration process for their respective countries or regions.
Operators apply for the job and undergo an interview and approval process by the Worldcoin team, although company spokesperson Anastasia Golovina emphasized in an email that operators are “independent contractors, not Worldcoin employees.” As such, they have no contract or guarantee of payment, but instead earn commissions based on the biometric data they collect from users. However, Golovina added that they must “comply with local laws and regulations, including local labor laws.”
These national-level operators earn commissions in the stablecoin Tether, a type of cryptocurrency pegged to traditional currencies (usually the US dollar). They determine the fees paid to subcontractors (usually in local currency) as well as the terms of the work (full-time, part-time, or temporary). Both national-level operators and subcontractors are incentivized by a commission-based payment structure to register users as quickly and as many as possible.
On the other hand, currently new users can earn at least $15 worth of Worldcoin by submitting a biometric scan, and an additional $5 when logging into the Worldcoin wallet. The total value of Worldcoin that newly recruited users can earn has changed to $25.
Some users receive the funds all at once, while others receive them in batches of $2.5 per week. Blania stated that this difference is to test which incentive measure is most effective. However, Worldcoin is not a stablecoin, and because the token (at the time, editor’s note) has not been launched yet, the company “doesn’t know how much the equivalent of $20 is in WLD tokens,” as stated in a written statement.
To understand the motivations of users, some people may choose to receive $20 worth of Bitcoin for easy cashing out. Worldcoin stated that it found “the most active users choose to hold onto their WLD,” although most of our respondents hold the opposite view.
But with the termination of the cash-out function in the fall of 2021, currently, the promised value of $20 or $25 worth of Worldcoin is equivalent to the company’s IOU. Regardless of intent and purpose, all tokens in users’ digital wallets are valueless.
Seizing the opportunity
There are many reasons why users join Worldcoin.
“Out of curiosity” is a common reason. Another reason is that the globe operator “looks nice” or happens to be their brother, cousin, or classmate. Some hope to get involved early in what could be the era of the next Bitcoin, some have lost jobs or income during the pandemic, and some feel desperate due to the threat of a resurgence of civil war.
Most people just want free money—some just want to buy lunch. Many suspect it is a scam, but few are willing to give up the chance, just in case it turns out not to be true.
Ruswandi is one of those who joined for the above reasons. During the pandemic, he lost most of his work as a furniture manufacturer and traded stocks and cryptocurrencies in his spare time, often visiting message boards and exchanges related to cryptocurrencies.
“I was curious and thought it wouldn’t hurt to try,” he recalled, considering the attractiveness of the money given the decrease in income.
But he soon became suspicious. The company representatives on-site and village officials couldn’t answer basic questions about Worldcoin. He did more research online but found nothing, so he concluded that it was a scam. He believed that the mysterious gift was a large-scale data collection disguised as a secret offline airdrop—a strategy where cryptocurrency projects distribute free tokens to attract users.
After all, many of his fellow villagers’ understanding of the internet is limited to the Facebook app pre-installed on their smartphones, so before potential users can receive the new currency, Worldcoin representatives “must first help many residents set up email and log on to the internet,” Ruswandi recalled. He wondered why Worldcoin initially targeted low-income communities instead of cryptocurrency enthusiasts or communities if it was to attract users to use the new cryptocurrency.
The picture shows Iyus Ruswandi at the Worldcoin recruitment event in Gunungguruh, West Java. He had many questions about why the company needed iris scanning, but he didn’t get any answers. (Photo by Muhammad Fadli)
Biometric Recognition Issues
In October 2021, when Worldcoin announced “Here we come!”, it immediately faced strong skepticism.
As whistleblower Edward Snowden said in a tweet, “Don’t classify eyeballs. Don’t use biometric technology for anti-fraud. In fact, don’t use biometric technology for any purpose. The human body is not a turnstile.”
Many people have doubts about Worldcoin’s privacy policy, especially because the company has not released a white paper or opened its code for external evaluation. “This looks like a global (hash) database of people’s iris scans (in the name of “fairness”),” Snowden said in a tweet, “and eliminate the impact by announcing “we deleted the scans”. Yes, you deleted them, but you saved the *hash* generated by the scans, as well as the hash values that match *future* scans.”
There are also hardware security issues. Jeremy Clark, an associate professor at the Concordia Institute for Information Systems Engineering who focuses on applied cryptography, questioned the security of the sphere: “The machine itself will have some security measures,” he said, “but no technology is absolutely secure. So this is usually an economic issue… If this project succeeds as they wish, then trying to solve this problem will become more profitable.”
Others question the company’s claim of fairness because 20% of the tokens have already been allocated: 10% to Worldcoin’s full-time employees and another 10% to investors such as Andreessen Horowitz.
In addition, many in the blockchain community disagree with the fundamental premise Worldcoin is trying to build: creating an identity on Web3, which is a curse for a movement towards blockchain, DeFi, and DAOs (decentralized autonomous organizations) whose explicit purpose is anonymity.
Others still do not believe that Worldcoin can actually benefit every person in the world, but rather it will distract attention from the ongoing work of creating a new identity paradigm. Identity expert Kaliya Young, while refusing to comment specifically on Worldcoin, said, “Companies often claim in the realm of network identity that ‘if everyone in the world is in our system, everything will be fine.’ The news is: no one will be in your system, so let’s continue the discussion on how to solve the problem.”
Blania and his team believe that this criticism is incorrect. “Most of our team has a cryptocurrency background…so we care a lot about this (privacy),” he told MIT Technology Review. “I fully understand this concern,” he said, but he believes it is more of an “emotional intuitive reaction” rather than “objective criticism.” He added that what critics overlook is how excellent Worldcoin’s protocol will be in protecting privacy once it is completed.
Stephanie Schuckers, Director of the Clarkson University Identity Recognition Technology Research Center, said that this is not impossible because biometric technology has made many advancements recently. One of the latest trends is “Template Security,” which uses encryption technology to transform biometric data. “When you store this data, if it is stolen, it cannot be reverse-engineered back to the original biometric information,” she said.
However, she added that the reason why this technology has not been commercialized is that encryption transformation often leads to “performance degradation.” Template Security does not match new biometric data with existing biometric templates, but matches the computer algorithm’s interpretation of the data with another stored code using some form of hashing or coding. Schuckers said that this increases the margin of error and makes “matching biometric data in this encrypted space more difficult.” However, she added that recent advances in template security have addressed some of these shortcomings.
Template security sounds like something that Worldcoin might be doing, but Schuckers warns that it is difficult to determine without seeing their code or more information beyond Worldcoin blog posts.
Since we first contacted the company in February, Worldcoin has promised to open source its code, repeatedly emphasizing in multiple occasions to MIT Technology Review that this will be achieved “in the coming weeks.”
In addition, the company stated: “It is important to emphasize that the purpose of collecting data is not to profit from it or monitor our users like many other tech companies. Instead, our goal is solely to use this data for algorithm development to minimize fraud and enhance user privacy.”
Let them join
According to interviews conducted by MIT Technology Review, representatives from Worldcoin have used a series of suspicious strategies and incentives to attract new users.
Mohammad Ahmed Abdalbagee, one of Sudan’s four former sphere operators, stated that when they started operations in Sudan in March 2021, it was difficult for operators to “explain the concept of digital currency to those who don’t even have an email.” Therefore, they held an AirPod prize competition to encourage registration, ultimately attracting approximately 20,000 registrants.
In a high school in West Java province, Indonesia, Worldcoin applied to hold a cryptocurrency workshop. Muhammad Hilham Zein, the school’s student activities coordinator, recommended approving the application after reading it, but on the condition that the application is for “sharing encryption knowledge…rather than encouraging students to invest in digital currency.”
“Why did Worldcoin initially target low-income communities instead of cryptocurrency enthusiasts or communities?”
However, the participants (including at least one participant who was under 15, which violated Worldcoin’s own terms of use) and our reporter’s firsthand observations tell a different story. In the 45-minute meeting, Worldcoin staff were busy registering dozens of students, helping them download the app and register their emails, and finally scanning their biometric features to provide information about cryptocurrency, Worldcoin itself, or to guide them on how to agree or revoke consent. (The students at least received the Worldcoin allocated to them, which is distributed weekly).
Recently, many new users like Iyus Ruswandi were attracted by the giveaways during recruitment events held in about 20 villages in West Java.
“This was held during the pandemic, when the government usually distributes social assistance packages,” explained Ece Mulyana, a principal at an Islamic elementary school who was informed the previous night that his school would be used as a Worldcoin registration site. “I couldn’t refuse this request,” Mulyana said, because the instructions came from a higher-ranking official – Ade Irma, the street management officer who is helping Worldcoin coordinate village registrations.
Mulyana said Irma paid 2,000 Indonesian rupiahs (about 14 cents) for each successful scan. Mulyana estimated that 170 people participated, totaling 340,000 Indonesian rupiahs (about $23.8) in payment.
Irma’s superior, Heni Mulyani, the street leader who approved these activities, said the money was used to “buy coffee and cigarettes,” which is a euphemism for a reward to government officials for their assistance in the requested activities. She said the money was not used for rent, but added, “We assure you that this money does not come from village funds or budgets.”
Gunungguruh night view, one of about 20 villages visited by Worldcoin for recruitment activities. (Photo by Muhammad Fadli)
Instead, the money comes from a company called PT Sandina Abadi Nusantara, which was co-founded by a person named Muhammad Reza Ichsan and his mother. Muhammad Reza Ichsan happens to be the “best-performing operator” of Worldcoin (according to a blog post published by Worldcoin). The company is the legal entity for Worldcoin’s activities in Indonesia; his mother’s job is to contact local government officials to coordinate recruitment activities.
Ichsan told MIT Technology Review, “We do not pay fees to the villages, but we provide an operational fund for those who help us gather the public on-site.”
Even though Mulyani did not misuse village funds, according to Indonesia’s anti-corruption and anti-bribery laws, these tips (with a few exceptions) are also illegal, and both givers and receivers may face criminal penalties.
In response to questions about payments to village officials, Worldcoin representatives said they were unaware of the matter, calling it an “isolated incident,” and stating that they have launched an investigation to learn more. While they have not yet reached a conclusion, Golovina wrote, “Most or all of these payments may be legitimate operating expenses, such as fees required to conduct business in schools or other facilities, or fees to pay for licenses or permits required to operate in certain places.” This contradicts the description given by officials and their operators.
Worldcoin also refers to other examples they provide as “the independent and isolated work of local globe operators,” including the gift of AirPods in Sudan and the deceptive behavior in Indonesian schools, adding that “we are fully focused on incentivizing operators to register active users who are excited about using Worldcoin.”
As for the villagers, they were not informed that at least some officials were receiving compensation to promote Worldcoin; in fact, as recalled by school principal Mulyana, many people thought the activity was organized by the government. “We have to explain to them that this is not a government project,” he said. “Worldcoin is a foreign company, and they need the assistance of village staff after they arrive.”
Now, some villagers are skeptical whether they will receive the money, as they were told that Worldcoin representatives would return to the village to distribute funds in late January 2022, a time that has already passed (note: this article was published in April 2022). For those who are familiar with digital technology, there is also no functionality to transact Worldcoin in their wallets.
Operational Blind Spots
Misinformation and mixed messages are not necessarily intentional. The globe operators we interviewed often mentioned that they received very little information from the Worldcoin representatives who recruited them, even though they were well aware that their rewards were linked to the number of people they registered (Worldcoin states that it provides a code of conduct for its national-level globe operators, and sub-operators must also comply with this code of conduct, and they are phasing out the practice of paying commissions based on the number of registrations).
Bryan Mtembei is one such operator. He is a civil engineer who recently graduated from a university in Nakuru, the fourth largest city in Kenya. After being scanned on campus in September last year, he became a freelancer for Worldcoin.
He hoped to receive “short training or basic knowledge about Worldcoin.” Instead, the only instruction he received was “to get more people involved and earn more money for himself,” he said. “The rest depends on my social marketing skills.”
Therefore, he tried his best to answer new users’ questions, most of which were about privacy concerns. Mtembei estimates that about 40% of the people he interacts with are concerned about sharing their biometric data.
When he initially expressed similar concerns, a representative assured him that all his questions had been addressed in the Worldcoin “white paper.” But in reality, there is no such document. According to the company, this is due to design considerations – people are unlikely to read “long, highly technical academic-style papers,” and their shorter blog posts can be considered as white papers.
In the end, Mtembei’s need for money overcame his concerns. He registered 150 to 200 people, earning a commission of 50 KS (Kenyan Shillings, equivalent to 44 cents) for each scan.
The first time Bryan Mtembei met a representative of Worldcoin was on the campus of Nakuru University in Kenya. He underwent a scan and later became an operator. (Photo taken by Brian Otieno)
Mtembei is not alone. Willis Okach is a university student in Nairobi who, like Mtembei, was recruited as an operator after undergoing a scan. He joined for the money. “If you don’t have money, someone gives you some,” he explained. He believes that Worldcoin “feels that students don’t have much money, so they would register.” In two days of work, Okach registered 50 people. For every group of biometric data he brought in, he earned 100KS ($0.88).
Worldcoin spokesperson Golovina stated, “All users registered during the on-site testing phase are fully informed of what data we will collect and how we will use that data, and they are required to give consent before registering. Any individual who consents to us collecting and using their biometric data can revoke their consent at any time, and that data will be deleted.”
However, among the people we interviewed, no one was explicitly informed (or the operators did not inform others) that they were “test users.” Their facial photos, videos, and 3D body images were taken and used to train Worldcoin’s “anti-fraud algorithm” to “distinguish different individuals.” The processing of their data differed from that of other individuals who came later, or they could request the deletion of their data.
Ángel Rodriguez, a subway security guard in Santiago, Chile, recalls selecting a checkbox in the Worldcoin App to agree to the terms of service, which were in English, even though he doesn’t understand English. Additionally, according to Worldcoin, the links to their App and data consent terms were only available until “the end of 2021,” by which time on-site testing had already been conducted for at least a year.
Occasionally, new users are asked to provide additional personal data, but Worldcoin claims they have never made such requests. Almost all the people we interviewed were asked to provide an email address to log into their wallet (even after Worldcoin introduced QR code login). Some people were also asked to provide a phone number.
Golovina denied in multiple email statements that registration requires an email or phone number, but “we do provide certain features for users who choose to provide a phone number or email address, such as sending and receiving Worldcoin. But such things are always optional.” Worldcoin did not explain what users can do with their tokens if they are unable to send or receive them.
Meanwhile, in Nairobi, several students said that the operators of the spheres took photos of their ID cards. According to Okach’s recollection, this was done to confirm that he was “not… a robot.” Worldcoin stated that they never asked users to provide national identification documents, only the sphere operators were required to provide them.
When we shared these responses with the interviewees, they did not agree. Mtembei emphasized that personal information was never optional, and without an email and phone number, he couldn’t register on his sphere. “He’s lying,” he said.
Mohammad Ahmed Abdalbagee is one of the four ball operators employed by Worldcoin in Sudan. He added that it was the efforts of his team that convinced Worldcoin to add phone numbers as the preferred login method. “Before operating in Sudan, they used email as the main identifier, but we told them that this wouldn’t work in Sudan. Many university students don’t even have email addresses; they register on social media using their phones,” he said.
Implicit Colonialism
Some scholars who specialize in the relationship between the technology industry and countries in the southern hemisphere express concerns about Worldcoin’s behavior, but they are not surprised. Digital anthropologist and author of “The Next Billion Users: Digital Life Beyond the West,” LianGuaiyal Arora, said, “This is a race to see who can obtain the most data in this AI-driven economy.” She mentioned that stricter data protection laws in Europe and the United States mean that ambitious entrepreneurs in those regions cannot obtain the necessary training data from their own people, so they have to turn their attention to developing countries.
In fact, according to a blog post released by Worldcoin, the company cannot be used in the United States and China due to regulatory restrictions. Bloomberg also reported that the company has stopped on-site testing in other countries, including Turkey and Sudan, for similar reasons. However, Worldcoin has registered many American users in demonstrations held at cryptocurrency conferences, although the company does not consider its activities in the United States as on-site testing.
“Conducting this type of data collection in places with scarce funding and weak legal protection is cheaper and easier.”
Pete Howson, a senior lecturer at Northumbria University researching international cryptocurrency development, categorizes Worldcoin’s behavior as a form of crypto-colonialism, in which “blockchain and cryptocurrency experiments are imposed on vulnerable communities because…these people cannot fight back,” he told MIT Technology Review in an email.
Howson explains that compared to other forms of digital colonialism, crypto-colonialism is more harmful because the core principle of blockchain – decentralization – means that “when problems arise…responsibility is very limited.” “You often hear the phrase DYOR (Do Your Own Research) because these people don’t care much about rules and regulations.”
However, the inequality in information and internet access makes the spirit of “DYOR” almost impractical for many people in developing regions. Similarly, the huge economic gap means that, for example, in Kenya, a promise of less than half a dollar can make people give up their biometric data, while in Norway or the United States, such a promise would not have much effect.
In summary, conducting this type of data collection in places with scarce funding and weak legal protection is cheaper and easier.
Data Errors and Policy Loopholes
Although most of Worldcoin’s field tests were conducted in developing countries, the company emphasizes that it is also active in developed countries, including several countries in Europe. The company told us: “Worldcoin has always tried to conduct field tests in globally representative countries.”
This represents its own challenges. When collecting, controlling, and processing personal data of “data subjects” as defined by the European Union (i.e., anyone within the EU, including citizens, residents, and potential visitors whose data is collected), Worldcoin is bound by the EU’s GDPR.
The GDPR was enacted in 2018 and requires data subjects to be fully informed about why their data is being collected, how the data will be used, who will process the data, where the data will be transferred, how to delete the data, and how to stop data processing. Failure to adequately protect data can result in fines of up to 4% of global revenue or €20 million, depending on the severity of the violation.
In addition, if companies outside of Europe collect or process personal data of European data subjects, the GDPR also applies. Therefore, companies like Worldcoin, registered in Delaware and headquartered in San Francisco, may not necessarily be exempt.
However, this is exactly what Worldcoin mentioned in its data consent terms. Before submitting the questionnaire to MIT Technology Review, the company asks users to accept the following statement:
“We [Worldcoin] voluntarily comply with GDPR policies”
“We have not adopted a data privacy and security policy approved by the board to describe the means and methods by which we plan to protect your data to meet the universal standards in GDPR”
“Our policies and procedures may not be sufficient to meet GDPR requirements”
“If we fail to comply, it may be more difficult to protect your privacy rights in US courts”
Marietje Schaake, the International Policy Director at Stanford University’s Center for Internet and Society and former Member of the European Parliament, reviewed this document and stated that this policy attempts to create “exceptions”. However, according to the GDPR, there are no exceptions. Moreover, the fact that Worldcoin has a subsidiary in Germany has already subjected it to the GDPR.
“As an EU citizen, you have the right to challenge it,” Schaake said, referring to any potential violations. These challenges will be reviewed by European data protection authorities and ultimately debated in European courts, not in US courts as Worldcoin claimed.
Worldcoin states that it fully complies with the GDPR and is registered with the Bavarian Data Protection Authority. They have hired a data protection officer and have conducted a data privacy impact assessment, although they have refused to make the data protection officer or assessment results public. Worldcoin added that the statement in their consent terms “previously included a lot of warnings… they no longer appear in our latest version of the data consent terms.” However, as of the publication of this article, that wording still remains online.
Aida Ponce del Castillo, a researcher at the European Trade Institute, is responsible for studying the regulations of emerging technologies and also serves as the organization’s data protection officer. Lack of transparency is unreasonable to her. “DPIA is not confidential business information,” she told MIT Technology Review. Although publication is not mandatory, she pointed out that the European Commission recommends that companies “consider publishing at least some content, such as summaries or conclusions.”
The Bavarian Data Protection Authority has not responded to MIT Technology Review’s request for an interview to confirm the company’s registration.
“This is manipulation”
In addition to ethical issues, there are practical issues such as how Worldcoin actually operates.
For some test users and on-site operators, the answer is not good at all.
Sometimes, this is caused by problems with the orb. Abdalbargee, an iris recognition operator in Sudan, said that the iris recognition device requires up to 6 attempts to recognize a person’s face. “In fact, my friend took a whole week for the device to recognize his iris,” he added.
The orb is also prone to malfunctions, which slows down the recruitment process, and repairs need to be done in Germany. When Buzzfeed News found similar orb malfunctions in a recent investigation, Worldcoin used the same phrase it repeated to us: calling a particularly serious case an “isolated anomaly.”
Meanwhile, during the upgrade process from web wallet to app wallet, some users lost their entire accounts or all their tokens. For others, the app has been found to have flaws that drain battery life or trap them in a vicious cycle of loading and reloading.
Rodriguez, the Chilean metro security guard mentioned earlier, has been struggling with his wallet issues shortly after being scanned. After registering in February, the app asked him to enter his email, phone number, and use a QR code, but the app caused performance issues on his phone, so he completely uninstalled it. When he tried to redownload the app, he found that his username no longer existed.
The local orb operator told him that to resolve this issue, he had to find the orb and rescan his biometric data. But if Worldcoin is true to its claims, rescanning would only match his iris with the existing iris hash. In other words, once the account is lost, it cannot be recovered, and Worldcoin later confirmed this.
There are also cases of identity fraud that the orb cannot detect. In mid-2021, a businessman in Indonesia was able to register and access the wallets of over 200 users who had already completed scanning and identity verification, and transfer out assets that were stored in the form of Bitcoin at that time. Worldcoin stated that this occurred in cases where the wallets were accessed through the web interface early on, rather than the app, and “since the upgrade… we have not found similar fraudulent behavior.”
Meanwhile, those who are concerned that the whole thing may be a scam want to know what they have lost. “50 KS is not enough to attract attention,” said Okach, a university student in Nairobi who spent a weekend recruiting others to join Worldcoin. “It’s manipulation, using students without clearly stating what they are doing or what they want.”
Forgetting early adopters
When we started reporting this story, we noticed that three of the five countries initially cited as successful case studies for on-site testing—Indonesia, Sudan, and Kenya—are classified by the World Bank as low-income or low-middle-income countries. Power and economic disparities seemed ethically troubling, so we began digging.
We wanted to know: what does it feel like to be an early adopter of this global crypto experiment? Do participants actually understand cryptocurrencies, Worldcoin, and the consequences of giving up their biometric data? Or were they told? Did they provide informed consent—and in this case, what does informed consent mean? Finally, many of our interviewees raised the same question—what is the real purpose of iris scanning?
From left to right: Ruswandi’s neighbors Sadili, Solihin (community leaders), and Eli among the 170 villagers being scanned.
Ultimately, it was a comment Blania made in passing during our March interview that helped us start to understand Worldcoin.
In answering strong questions about privacy in the fall of 2021, he said, “Before we deploy a system at scale, we would have privacy experts break down the system over and over again.”
Blania had just shared how his company got 450,000 people to join Worldcoin, meaning its sphere scanned 450,000 sets of eyes, faces, and bodies, storing all that data to train its neural networks. The company recognized the problem with this data collection and plans to stop. But they didn’t provide the same privacy protections to these early adopters.
We were puzzled by this seeming contradiction: were we lacking foresight and perspective? After all, 450,000 might seem small compared to the company’s claimed goal of 1 billion registered users.
But each of those 450,000 people is an individual with their own hopes, lives, and rights, none of which have anything to do with the ambitions of a Silicon Valley startup.
Our conversation with Blania clarified something that had long confounded us: how can a company be so vocal about its privacy protection protocol while blatantly violating the privacy of so many people?
Through our interviews, we saw that for Worldcoin, these large numbers of test users are not their ultimate target users. Instead, their eyes, bodies, and patterns of life are merely raw materials for Worldcoin’s neural networks. Meanwhile, they only need to pay a small amount of money to those lower-level sphere operators to feed their algorithms, while these operators often struggle with their own moral concerns in private. Ironically, for those who have put effort into teaching Worldcoin’s AI to recognize who or what is human, this project is so dehumanizing.
When we submitted the results of our 7-page report investigating Worldcoin and its issues, the company’s response was that almost all the negative issues we found were just “isolated incidents” and ultimately insignificant because the next (public) iteration would be better. The company wrote, “We believe privacy rights and anonymity are crucial, which is why in the coming weeks, every registered Worldcoin user will be able to do so without sharing any biometric data with us.” Nearly 500,000 people have already undergone testing, which seems unimportant.
But what really matters is the result: Worldcoin will have a considerable number of users to support its sales pitch as the preferred identity solution for Web3. And when the real, monetizable product – be it the globe, Web3 passport, the currency itself, or all of the above – is introduced to its target users, everything will be ready, without any signs of artificial confusion or behind-the-scenes human organs.
Like what you're reading? Subscribe to our top stories.
We will continue to update Gambling Chain; if you have any questions or suggestions, please contact us!
