Worldcoin: Eye-scanning ID is here
As digital identity online becomes more critical, Sam Altman’s old company Worldcoin announced the launch of a protocol that will use blockchain, zero-knowledge proof (ZKP) cryptography and financial incentives (in the form of cryptocurrency) for biometric data verification. Worldcoin promises to fight misinformation and AI bot farms with its WorldID.
Back in the golden era of blockchain (2018-2019), when questions raised in everyday conversation were promised to be solved by this technology, a group of people started working on an ambitious project called Worldcoin. This project tried to find a solution for the challenge of unique online identification (our so-called digital identity). In particular, Worldcoin developed a system for recording and storing users’ digital biometric data and offering them a reward in the form of digital tokens. The data that Worldcoin gathered were iris scans. To join the user base, people would go to the designated location and consent to have their irises scanned. This was done using a shiny spherical object they named Orb. In the short period that Orb collected data, a significant database of human irises was collected. Least-developed countries had the most users, as was generally expected, because Worldcoin guaranteed tokens as incentives (i.e. money) ‘simply for being human’.
The technology behind the identification scheme is the following: iris scans were digitally obfuscated using a hashing function (a cryptographic technique that maps a set of digital data to a fixed-length value, the hash, which acts as a fingerprint of that data and is not meant to be reversed). That unique hash was added to the database as each person’s unique identifier. Even though the stored data is obfuscated in this way, significant concerns were raised that a possible data breach could create a privacy and data nightmare. The crypto community had serious concerns about a scary dystopian future, undermining the project. The Worldcoin project was almost forgotten and was considered one of the most ambitious and yet obscure in the crypto community.
The rebirth and rebranding of Worldcoin
Fast forward to 2022, when the Worldcoin project leader, Sam Altman, became globally famous as OpenAI’s CEO. Only half a year after the ambitious ChatGPT launch and global excitement about the predictive language models, Altman pushed the ‘old’ Worldcoin idea into the public space again.
Earlier this week, the ‘new’ Worldcoin project launched worldwide, but with one significant difference. It is being publicised as ‘a new identity and financial network owned by everyone’. The rebranding is important, because now, the project team claims that what they are building is not distinguishable from the Public Key Infrastructure (PKI) deployed by big companies or the technical internet society. PKI is a set of standards, software, and hardware used in digital certificates and for managing public-key encryption. This is done via certificate authorities, with one of the most notable implementations being the HTTPS protocol used for secure web browsing. Worldcoin will use a cryptographic technique known as zero-knowledge proof or ZKP.
This obfuscating technique allows verification that the ‘given statement is true while avoiding conveying any information to the verifier beyond the mere fact of the statement’s truth’. This technique is used in some privacy-oriented cryptocurrencies, and it demonstrates the possibility of user-defined online privacy divisions allowing options to decide what information you want to share with whom. For example, your browser doesn’t need to know all your credentials and data. In fact, it only uses your IP (for geolocation) and information like gender or age for advertising or other purposes. ZKP solutions were tested in COVID-19 tracking apps and are at the core of the EU’s new Digital Identity proposal. Significant concerns exist about the gatekeepers of certificate authorities that store the data. This issue is crucial for sensitive data, such as biometric data collected by the Orbs.
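A minimal illustration of the zero-knowledge idea quoted above, added here as an example (it is not Worldcoin's protocol or code): a Schnorr proof of knowledge, made non-interactive with the Fiat-Shamir transform, in which the holder of a secret proves they know it against a public identifier without revealing it. The group parameters, function names and sample bytes are assumptions chosen for illustration and are not secure for real use.

```python
import hashlib
import secrets

# Toy parameters (assumption, illustration only, NOT secure): the Mersenne
# prime 2**127 - 1 with base 3. Real systems use standardized groups/curves.
P = 2**127 - 1
G = 3
ORDER = P - 1  # g**(P-1) == 1 mod P, so exponents can be reduced mod P-1


def challenge(pub, commitment, context):
    """Fiat-Shamir: hash the transcript to stand in for the verifier's challenge."""
    h = hashlib.sha256()
    for n in (G, pub, commitment):
        h.update(n.to_bytes(16, "big"))
    h.update(context)
    return int.from_bytes(h.digest(), "big") % ORDER


def secret_from_sample(sample):
    """Derive the private exponent from sample data; it never leaves the prover."""
    return int.from_bytes(hashlib.sha256(sample).digest(), "big") % ORDER


def public_id(secret):
    """Public identifier registered with the verifier: g**secret mod P."""
    return pow(G, secret, P)


def prove(secret, context):
    """Prove knowledge of `secret` for `context` without disclosing it."""
    r = secrets.randbelow(ORDER)           # fresh one-time nonce
    commitment = pow(G, r, P)
    c = challenge(public_id(secret), commitment, context)
    response = (r + c * secret) % ORDER    # the random r masks the secret
    return commitment, response


def verify(pub, context, proof):
    """Check g**response == commitment * pub**c using public values only."""
    commitment, response = proof
    if not (0 < commitment < P and 0 <= response < ORDER):
        return False
    c = challenge(pub, commitment, context)
    return pow(G, response, P) == (commitment * pow(pub, c, P)) % P


SAMPLE = b"constructed sample bytes, not real biometric data"
```

The verifier only ever handles the public identifier, the context string and the two proof values; binding the context into the challenge means a proof captured for one purpose does not verify for another.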
How is this data stored? Is any unencrypted version of the iris data stored in a secure manner (e.g. in the Orb’s temporary internal memory)? Who has access to this data? Or even worse, can it end up on the black market or be misused somehow? In its launch report, Worldcoin claimed that: ‘The Orb sets a high bar to defend against scalable attacks; however, no hardware system interacting with the physical world can achieve perfect security’.
One way of looking at Worldcoin is that it is very similar to Apple’s PKI, and there is nothing to be worried about. One difference with Worldcoin is that part of the identifier data will be stored inside Ethereum’s public, open-source blockchain, while World IDs are issued on the Worldcoin protocol. The Worldcoin protocol was developed by Tools For Humanity, a company established by the founders of the original Worldcoin project: Alex Blania and Sam Altman. The design ensures that no trusted third party can introduce risks of data handling or accountability related to it. Users have control of the process. However, the past has shown us that human users are usually the weakest link. Human factors include the very real risk that users will share their biometric data like they share their ultrasounds. So far, technology has not found a way to limit voluntary violations of privacy and security. The UK data watchdogs at the Information Commissioner’s Office have already announced a probe into Worldcoin’s privacy and data protection practices.
Another part of the project also makes it significantly different from known PKI schemes: the digital currency reward that actors get for sharing their biometric data.
Worldcoin was not accessible in the USA at its launch, and anyone wishing to participate had to confirm that they were outside the USA. The Worldcoin launch report clearly stated that tokens distributed in the system will be only available where laws allow this to happen.
Why is this important?
Aside from the technological, privacy and data protection, and other ethical questions raised, the financial incentives and infrastructure underlying the project will also be scrutinised.
Only a couple of years ago, Meta (then Facebook) and Mark Zuckerberg announced the launch of the Libra digital token, which, in their words, could offer a solution for cross-globe payments in different currencies across all Meta apps (Facebook, Instagram, and WhatsApp). Meta signed agreements with major payment institutions like Visa and Mastercard and giant online retailers like Ebay, but US legislators torpedoed the project. In three separate hearings in front of the US regulators in the Senate and House, the USA made it clear that no digital coin issued by a private company can be considered an international means of payment, particularly if it is pegged to or in any way related to the US dollar, which is regarded as a global reserve currency. The Libra project was shut down after two years, and mentions of Libra were erased from company websites.
Digital currencies issued by private companies remain of primary interest to major state powers and international financial organisations, like the USA and the UK and the Bank for International Settlements or the G7’s Financial Stability Board. This, in fact, might be a more significant obstacle for Worldcoin than data collection and privacy issues.
Worldcoin promotes the ‘proof of personhood’ idea, which establishes an individual as both human and unique, and might become indispensable to discern and identify AI identities, like bots, bot farms, and ‘fake humans’. We will certainly hear more about this project.