Welcome to GRIP, Global Relay’s new digital information service on practical compliance and regulatory change.

Please enjoy this free trial of our subscription content service, for a limited time only.

  

Rules

Privacy concerns over use of biometrics as Worldcoin rolls out

Giant eyeball
Photo: Ethan Miller/Getty Images

Martin Cloake

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

The ambition is noble, but Worldcoin’s harvesting of biometric data is almost certain to give regulators concern.

A plan to increase economic opportunity, enable global democratic processes, preserve privacy and distinguish humans from machines in an age of AI sounds like a very good thing. But when the same plan can also be described as the use of humans as guinea pigs in a giant experiment requiring them to hand over biometric details to a private company with no guarantee of how that data will be used or safeguarded in exchange for crypto tokens, it loses its allure somewhat.

That’s the conundrum presented by Worldcoin, the brainchild of Open AI founder Sam Altman, backed by venture capitalists including Andreesen Horowitz, that began its rollout last week by offering the opportunity to scan eyeballs in locations across the globe.

Eyeball scanning

To get on board, you simply have to download wallet software called World App and then visit one of the eyeball-scanning verification devices located in cities across the world in order to be scanned and issued with your digital passport. In an indication that the project’s marketing gurus may not be overly familiar with dystopian science-fiction tales, these verification devices are called “Orbs”, and you are invited to “find your nearest Orb” on Worldcoin’s website.

Since the first Worldcoin sign-up on May 5, 2021, over two million more people – or “unique humans” as Worldcoin would have it – have become users, with verifications taking place in 34 countries.

But regulators in Europe are raising concerns. The French Commission Nationale Informatique & Libertés (CNIL) has said: “The legality of this collection seems questionable, as do the conditions for storing biometric data.” It announced it was investigating the project’s collection of data in France.

“The legality of this collection seems questionable, as do the conditions for storing biometric data.”

Commission Nationale Informatique & Libertés

That investigation has been passed on to Bavaria’s Data Protection Authority after it emerged that the authority in the German state was named as Worldcoin’s lead data supervisor in the EU. Elsewhere in Europe, Worldcoin is operating in Spain and the UK. The Bavarian authority is not answering questions while its investigation is ongoing.

In the UK, the Information Commissioner’s Office (ICO) issued a statement saying: “Organisations must conduct a Data Protection Impact Assessment (DPIA) before starting any processing that is likely to result in high risk, such as processing special category biometric data. Where they identify high risks that they cannot mitigate, they must consult the ICO.

“Organisations also need to have a clear lawful basis to process personal data. Where they are relying on consent, this needs to be freely given and capable of being withdrawn without detriment. We note the launch of WorldCoin in the UK and will be making enquiries.”

GDPR legislation

Under GDPR legislation, biometric data is classed as a “special category of personal data” alongside information on race, ethnicity, sexual orientation and religious belief. In the UK, it’s necessary to identify a lawful basis to collect biometric data under Article 6 of the UK GDPR, and satisfy a separate condition under Article 9.

Key to meeting legislative requirements is the concept of explicit user consent to the processing of their data. That consent also needs to be shown to have been “freely given” and there must be the opportunity to withdraw that consent “without detriment”.

As it’s not clear exactly how Worldcoin will develop, it may be difficult to obtain specific consent from individuals signing up for the use of their data that is as yet unspecified. The sign-up process involves signing a biometric consent form and a privacy notice that, together, run to just over 7,000 words. And that’s before you read the governance structure.

What those who do sign up get straight away are 25 WorldCoin tokens. Each one is currently worth $0.013295. So in return for providing your biometric data to be used in a way that is not yet clear, you get $0.332375. While the value of the transaction is so low as to be almost inconsequential, regulators may not look kindly on the principle of offering financial benefit in return for signing away the rights to personal data. And in the US, the tokens are not yet launched.

“With the possibility of mass job displacement, real-time analytics available on all digital information, and the societal strife that could cause, planning for an AI-driven future makes sense.”

Sean Stein Smith, professor, City University of New York

The biometric data consent form also warns those signing up that once their personal data has been harvested and a unique iris code created they will not be able to delete it. But users covered by EU GDPR have the right to ask for their data to be deleted, which will certainly add to the concerns of EU regulators about this scheme.

Laws limiting the use of biometric information also mean US residents of the states of Illinois, Texas or Washington or the cities of Portland, Oregon and Baltimore, Maryland, cannot sign up at an Orb.

One of Worldcoin’s explicitly stated intentions is to “eventually show a path to AI-funded UBI”. In a future in which AI increasingly reduces the number of jobs available to humans, the arguments for the provision of a Universal Basic Income will grow, and implementing such a system will require a way to distinguish humans from machines.

As Sean Stein Smith, a professor at the City University of New York and a member of the Wall Street Blockchain Alliance Advisory Board said in Forbes: “With the possibility of mass job displacement, real-time analytics available on all digital information, and the societal strife that could cause, planning for an AI-driven future makes sense.”

Decentralized cryptocurrency

But that AI-driven future is not just emerging from a void – it is being driven by one of the businesses behind Worldcoin. The prospect of a company benefitting from providing a solution to a problem it has created could also present interesting challenges for regulators.

And if Worldcoin is, as it has claimed, an attempt at “global scale alignment”, how does that fit with the concept of a decentralized cryptocurrency? And what is Worldcoin’s status as a company?

Worldcoin is being developed by Tools for Humanity (TFH), a for-profit tech company founded by Altman and Sam Blania, who is CEO and co-founder of both Worldcoin and TFH. On its website, Worldcoin says: “The Worldcoin Foundation is an exempted limited guarantee foundation company, which is a type of non-profit, incorporated in the Cayman Islands.” It’s not clear what “a type of non-profit” means, and neither is it clear what the legal status of an entity labelled an “exempted limited guarantee foundation company” might actually be.

Foundation companies are a product of the Cayman Islands Foundation Companies Act 2017, and are described as a type of company that “has features and flexibility that have been designed to allow a company, retaining separate legal personality and limited liability, to function like a civil law foundation or common law trust”.

Global democratic processes

For a project that states its ambition is to “enable global democratic processes”, the decision to use a Cayman Islands-based vehicle appears odd, and the opaque status of the business may also exacerbate the concern to regulators.

Tools for Humanity has told the media that: “The Worldcoin Foundation complies with all laws and regulations governing the processing of personal data in the markets where Worldcoin is available, including the General Data Protection Regulation … The project will continue to cooperate with governing bodies on requests for more information about its privacy and data protection practices.”

As the global economy is reshaped by emerging technologies and fundamental changes to the way we do business and live our lives take effect, the Worldcoin story provides a snapshot of the challenges facing regulators around the world.

, , , , , , , ,

You may also like