
EXCLUSIVE: Is Worldcoin Legal? - CyberSecurity Experts Aren’t Convinced

Lawmakers worldwide are questioning the legality of the Worldcoin project, while Worldcoin claims to be compliant with all the related regulations. However, cybersecurity experts need more details before they can trust Worldcoin.


OpenAI's CEO Sam Altman started the Worldcoin project three years ago. Soon after the project details were disclosed, the crypto community and lawmakers started to question the legality of the protocol.


Despite the concerns, the project launched on June 24, which amplified the reactions. Many governments worldwide have taken legal action against the protocol over privacy concerns, while some started investigations.


On July 31, France's privacy watchdog CNIL publicly expressed concerns about the Worldcoin project and said its biometric data collection "seems questionable." On the other hand, Germany has been investigating Worldcoin since mid-2022 to discover the details of its large-scale processing of sensitive biometric data. Finally, on August 2, Kenya announced that it suspended Worldcoin's operations in the country due to safety concerns.


Are Worldcoin's assurances on privacy enough?


The Privacy Notice on Worldcoin's official website states that the project is adhering to the "principles stated in the European Union’s General Data Protection Regulation (GDPR)" even though they were not legally required to do so.


The project team replies with this phrase to all requests asking for more detailed information on data privacy. However, more explanation is needed to convince cybersecurity experts or lawmakers.


Arthis Bruyère, a cybersecurity expert at the French IT firm Capitole Consulting, spoke to Foretoken Media to share his personal views on the Worldcoin project. He stated:


“The Worldcoin project is based on Ethereum, which definitely gives it a certain amount of credibility and stability. However, it still has its own economy, which makes the network prone to certain problems.”


Bruyère said, and added:


“Also, even though the company talked about the GDPR [General Data Protection Regulation] with regard to confidential data, it’s still an evasive subject. We know for a fact that there are a lot of companies that employ different countries with data management to leverage their laws to avoid the restrictions of the GDPR.”


It is worth mentioning that the Privacy Notice on Worldcoin's official website does mention that the firm is working with data processors that operate outside the European Economic Area (EEA). The section states that Worldcoin:


“…only share data with data processors outside of the EEA if such a transfer is lawful and if we are confident that the data processor will protect your data as required under applicable laws and, further, in accordance with our standards. When transferring data to a country that does not have an adequacy decision, we utilize the EU Standard Contractual Clauses.”


What is the problem with the data collection?


Worldcoin's primary offer is a digital identity recorded on the Ethereum blockchain, which holders can use to prove their humanness online. So far, the project offers a valuable service. However, concerns arise regarding the method of creating digital identities, because users are required to have their iris imprint scanned by a device called the Orb.


The Orb is a silver, round device the size of a bowling ball. It captures the image of a person's eye to generate a distinctive identification code called the IrisCode.


Ethereum's founder Vitalik Buterin was the first to raise concerns about the user authentication process. In a blog post, Buterin listed four major concerns about privacy, accessibility, centralization, and security.


He warned that the Orb device might be a weak spot and inadvertently leak information. Secondly, the process of incorporating this information into the blockchain might be compromised, which could create fake human identities. Moreover, regardless of how strongly the project highlights data privacy, the network is still prone to attacks due to the nature of blockchain.

