Worldcoin is an iris-based cryptocurrency that scans the eye to create proof of personhood. This explainer is our attempt to help people understand how this cryptocurrency works and what makes it unique. We will also discuss our reservations about using biometrics to create a global ID and currency.
What is Worldcoin?
On July 24, 2023, a cryptocurrency project titled Worldcoin was launched globally. Backed by Sam Altman, OpenAI’s Chief Executive, Worldcoin is a digital currency that operates on the 'proof of personhood' principle. It has already raised $115 million in funding, even though it will not be available in the United States due to regulatory concerns over cryptocurrency. So how does it work?
It is entirely possible to spend hours on the internet interacting with someone who turns out to be a bot. Worldcoin claims to make sure that doesn't happen. It functions with the help of an orb (a standalone spherical device fitted with a camera), which scans your iris in less than 60 seconds. After scanning the iris, it provides the user with a unique cryptographic hash that identifies only that user. To create an ID, one can go to a camp organised by local Worldcoin Operators. A Worldcoin Operator, according to their website, has the option of approaching their communities along with their teams to answer questions and help people securely create their accounts.
According to TechCrunch, Worldcoin has a 3-part mission: to create a global identity, a global currency, and an application that enables payment, transfers, and purchases using one's own token, digital assets, and traditional currencies. Worldcoin functions in the following manner:
- Download the application;
- Have one’s iris scanned using the orb, which houses a custom optical system;
- After the scan, an individual is added to the database of verified humans, which leads to;
- Creation of a unique cryptographic hash that is tied to a person.
The iris scan isn’t saved, but the hash can be used in the future to prove the person’s identity anonymously through the application. In the event someone wants to accept a payment or fund a project, the application generates a mathematical equation that allows the individual to provide only necessary information to third parties.
Comparison with other cryptocurrencies
Cryptocurrency refers to a decentralised system of currency based on blockchain and secured by cryptography. In the context of cryptocurrency, a blockchain is a digital ledger with access restricted to authorised users. To understand blockchain, one needs to comprehend the meaning of the terms ‘ledger’, ‘immutable’, ‘decentralisation’ and ‘cryptography’.
The primary distinction between Worldcoin and other cryptocurrencies is the verification process used to determine whether or not the person holding the digital currency is a real person. The concept behind Worldcoin is simple: every person's device should have a crypto wallet, provided there is proof that the holding entity is a person. The iris scan on the orb is used to determine such personhood, and each person is then entitled to a certain amount of the digital currency.
Status of cryptocurrency in India
Under Indian law, cryptocurrencies remain unregulated. Per the judgment in Internet and Mobile Association vs. Reserve Bank of India [(2020) 10 SCC 274], the Supreme Court recognised that the Reserve Bank of India’s power to regulate the monetary and credit systems of India extended to the regulation of virtual currencies. However, it held that a total ban on virtual currency exchanges was a disproportionate measure and hence not a ‘reasonable restriction’ as per Article 19(2) of the Constitution.
The 2022-23 Union Budget imposed a levy of 30% on gains earned from virtual digital assets, applicable from April 01, 2022. In a parliamentary response, the Minister of State for Finance said that for FY 2022-23, the government has collected Rs. 157.9 Crore as tax deducted at source on payments made from the transfer of virtual digital currencies up to March 20, 2023.
Problems associated with Worldcoin
The nature of Worldcoin’s technology and the lack of clarity about how it will be used are fueling concerns around privacy, security, and transparency. When we think of identity and biometrics, the first thing that comes to mind is our Aadhaar scheme, the problems with which have been covered extensively. This is not the only instance of biometric technology being used for monetary benefit distribution. In refugee camps in Jordan, the United Nations was using iris scanning technology to distribute aid.
Apart from the use of biometrics for verification, the following are some other pressing problems associated with Worldcoin:
- Collection of excessive data: In an article in the MIT Tech Review, it was reported that the data consent form makes it clear that the orb is not only collecting data from iris scans but is also conducting a ‘contactless doppler radar detection of heartbeat, breathing, and other vital signs.’ The reporter goes on to state that when Worldcoin was contacted about this anomaly, they said they have never done this and will remove the statement from the language of the data consent form. Their current privacy notice does not explicitly mention such collection and the data consent form, although mentioned in their FAQs, has not been linked to. Such excessive data collection violates the data processing best practice of data minimisation, which states that data collection should be adequate, relevant, and limited to what is necessary in relation to the purposes for which the personal data is being processed.
- Data retention despite warranted deletion: Despite the cryptocurrency being advertised as one in which biometric data is not retained permanently, Worldcoin states that iris scans can be stored if the user opts for data custody to “reduce the number of times you may need to go back to an Orb”. Breached biometric data, like a breached password, can be used to steal financial information and identities. Biometric data may also be used for other types of fraud, such as forgery. However, unlike passwords, biometric data cannot be changed, and thus the harm may be irreversible once breached. Biometric data has also been considered to be inherently biased on account of design and being excessive, with challenges pending against it in the Allahabad and Telangana High Courts. Such breaches can result in the violation of a user's right to privacy, which is a fundamental right in India after the judgement of the Supreme Court in K S Puttaswamy vs. Union of India [(2017) 10 SCC 1].
- Orb operators are agents, not employees: The wording of the application to become a Worldcoin orb operator makes it clear that the relationship between the company and the operator is that of a principal and an agent under contract law jurisprudence. While Section 212 of the Indian Contract Act, 1872, states that an agent has a duty to manage the agency's business with as much skill as is generally possessed by persons engaged in similar business, these terms are not defined anywhere. A lack of definition, particularly when dealing with the personal data of users, can lead to a tricky situation in which the collected data is mismanaged.
- Lack of data protection laws: Per an IMF Working Paper, the lack of a comprehensive data protection legislation in India places the privacy and other digital rights of users at risk. In the absence of a data protection law, any data collection exercise can result in harmful breaches of privacy. The data being collected here is biometric in nature, which increases the risk of any data breach or misuse.
- Hacking and data breaches: Instances of hacking using biometric information have substantially increased in recent times. iProov, a cyber-security business based in the United Kingdom, reported up to 200 attacks daily using biometric hacking. The firm’s global monitoring centre finds that attacks involving mobile phone emulators on desktops rose 149%, and digital injection face swap attacks are up 295%. Considering that the iris scans collected have not yet been deleted, it makes one’s digital assets susceptible to hacking.
- Enact an Indian data protection legislation: In the Indian context, a GDPR-adjacent legislation does not yet exist to constrain the collection of such intrusive data. A data protection law that includes and expands upon data privacy in the context of cryptocurrency is thus sorely needed. Here, it is also important to note that the 2022 draft of the Digital Personal Data Protection Bill fails to include necessary data protection principles which would safeguard the interests of users sufficiently.
- Make any collection of data compliant with the data processing principles of purpose limitation and data minimisation: Blockchain technologies and data protection law have been at loggerheads since the inception of the European Union’s General Data Protection Regulation (“GDPR”) in 2018. According to Article 5 of the GDPR, personal data should only be gathered for specific, explicit, and legitimate reasons and should not be further processed in a way that is incompatible with those purposes. Furthermore, it states that personal data processing must be adequate, relevant, and limited to what is required for the purposes for which they are processed. The "purpose" of blockchain data processing in cryptocurrency is difficult to establish, especially in the context of storage. The acquisition and storage of such data, which goes beyond the objective of creating a unique identity, is excessive and goes beyond the scope of data collection.
This post has been authored by IFF Policy Intern Anahida Bharadwaj and reviewed by the IFF Policy Team.