Worldcoin says SDK lets you prove you’re a human online. Coins not included
Worldcoin’s dream of providing biometrically unique “proof of personhood” for the entire globe takes a step forward with the release of its software development kit and updated protocol. The aim is to reduce fake social media accounts, prove whether you are chatting with a human or chatbot and reduce fraud, while creating a platform for far loftier goals such as universal basic income.
An integration with social platform Discord was available on release this week. Signing in to Discord with a World ID, and therefore proving a user is human, grants special privileges.
The protocol and World ID do not prove who a person is: according to the firm, no biographic information is collected (other reports vary, see below). Nor do they prove that the person using a World ID is the person who initially underwent registration.
Ultimately, as no further biometric check is made at the point of use, it does not appear to deliver proof of personhood or humanity, more a proof that an individual’s smartphone was involved rather than a botnet.
Reporting and research so far have called the venture a “scam-experiment” and exploitative of vulnerable people. Our own look at the claims versus the technical setup of the scheme has led to many questions which have not been satisfactorily answered by the project.
Overall scope of Worldcoin to World ID
Worldcoin has already biometrically registered more than 1.36 million individuals at the time of writing with paid ‘operators’ taking around 250 custom-built, iris-scanning Orbs into communities around the world. The aim would be to grow this fleet to as many as 50,000 scanning devices at peak registration.
The original vision was for a cryptocurrency where everyone in the world would be issued an equal amount with the potential to redistribute wealth more evenly.
This would require a way to check whether an individual has already registered. The team decided that only iris scanning offered the accuracy and scale for a global operation, due to the richness of irises themselves.
Individuals registering are promised that 25 Worldcoins will be transferred to an account when the cryptocurrency launches later in the year, a date which seems to keep shifting.
The idea is that every person on Earth will be allotted 25 coins, no more, no fewer, with disincentives built in for selling them on. The exceptions are anyone living in Iran, Cuba and the U.S., while residents of the states of Illinois, Texas or Washington or the cities of Portland, Oregon or Baltimore, Maryland are not permitted even to present their biometrics to the Orb. There are few details on this aspect of the project and the emphasis is increasingly on the proof of personhood which has developed from the project.
Criticism of Worldcoin, World ID
An excellent piece by IEEE Spectrum explores how Worldcoin realized that World ID could be a bigger deal than the cryptocurrency, and compares registrants’ expectations for the currency to signs that even before launch it is becoming a DAO (decentralized autonomous organization) token, to give those registered a stake in the blockchain-based venture and a say in how it is managed. The IEEE piece argues there is no mention of this at enrollment campaigns it has observed.
MIT Technology Review reports in depth on cash bribes and payments to local officials, as well as promises of future wealth to registrants during sign-up campaigns in Indonesia and around the world, where more personal details were collected than advertised. What its reporters witnessed contradicts what Biometric Update has been told about what biometrics are captured.
In ‘Web3 and Communities at Risk: Myths and Problems with Current Experiments,’ Dr. Margie Cheesman considers Worldcoin to be one of many “scam-experiments” underway around the world.
The latest release on the protocol and SDK also does not even mention Worldcoins.
The firm is currently seeking US$120 million in investment at a valuation of $3 billion before going public later in the year.
New protocol, SDK and World ID integration
The Worldcoin and World ID ventures are complex and intertwined. Here we attempt to address the technical, biometric and ‘identity’ aspects of the World ID side.
Ahead of SDK launch, Biometric Update spoke to Tiago Sada, head of Product at Tools for Humanity, the organization providing the tools behind the development of the Worldcoin protocol.
Private keys and zero-knowledge passport stamps
Users first download the World App, rolling out in 50 countries (not yet in the UK where this reporter is based). It generates a private key for their World ID. They can then undergo two levels of increased verification: linking a phone number or undergoing iris scans – both eyes – with the soccer-ball sized chrome-effect Orb.
“When you go to an Orb, what is happening is it’s using biometrics to decide whether you’ve previously verified or not a World ID,” explains Tiago Sada. “And so if you haven’t, what it does is it essentially stamps that passport. So when you’re using your World ID, you basically take that passport and only show the page that has your stamp from the Orb.
“You’re proving that you are a person that is unique, meaning you already have one of these World IDs – a verified World ID – but you’re not revealing any other information about yourself.”
This is not the same as biometric binding for typical (digital) identity systems. The Orb process creates a hash of the irises; no iris images are kept, the team claims, unless you opt in, in which case the images are kept. Not opting in may require subsequent visits to an Orb, according to the biometric consent form (6 March 2023 version).
The Orb then sends the iris hash and a hash of the public key to Worldcoin (the Orb has Wi-Fi and a SIM card slot), which checks the iris hash against the central database. If it is already in the database, the registration is rejected. If not, the iris hash is added and the public key enters the Worldcoin blockchain. The iris code cannot be deleted, according to the biometric consent form.
That passport stamp is just a stamp, says Sada. It is not linked to a person’s biometrics or anything else they use such as a crypto wallet. It is proving that a unique person owns the World ID private key. The system works on the cryptographic concept of zero-knowledge proofs: the prover can prove something to the verifier – that they have a unique World ID – without revealing any of the content – who they are.
It requires a smartphone as the private key is kept on the secure enclave. Desktop use directs the user to their smartphone, as with Nametag.
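An added sketch, not Worldcoin's code, of the enrollment check described above and of what a later check can establish from the data that enrollment stores. Assumptions: exact-match SHA-256 digests of constructed byte strings stand in for iris hashes, a Lamport one-time signature over a fresh challenge stands in for the zero-knowledge proof (unlike that proof, it reveals the public key), and every name here is hypothetical.

```python
import hashlib
import secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Phone side: Lamport one-time key pair (assumed stand-in for the World ID key).
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(h(a), h(b)) for a, b in sk]

def key_hash(pk) -> bytes:
    return h(b"".join(a + b for a, b in pk))

def bits(msg: bytes):
    d = h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveals one secret per digest bit, so each key may sign only once.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        h(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

class Registry:
    """Hypothetical service side: iris hashes and key hashes in separate sets."""
    def __init__(self):
        self.iris_hashes = set()  # central database used for deduplication
        self.key_hashes = set()   # stands in for the key hashes put on chain

    def enroll(self, iris_hash: bytes, kh: bytes) -> bool:
        if iris_hash in self.iris_hashes:
            return False          # already stamped: registration rejected
        self.iris_hashes.add(iris_hash)
        self.key_hashes.add(kh)   # no pointer back to the iris hash is stored
        return True

    def check_at_use(self, pk, challenge: bytes, sig) -> bool:
        # Establishes custody of an enrolled key; no biometric is involved.
        return key_hash(pk) in self.key_hashes and verify(pk, challenge, sig)

def scenario():
    reg = Registry()
    iris_a, iris_b = h(b"constructed iris A"), h(b"constructed iris B")
    (sk1, pk1), (sk2, pk2), (sk3, pk3) = keygen(), keygen(), keygen()
    first = reg.enroll(iris_a, key_hash(pk1))
    repeat = reg.enroll(iris_a, key_hash(pk2))  # same iris, fresh key
    other = reg.enroll(iris_b, key_hash(pk3))
    c = secrets.token_bytes(16)
    holder = reg.check_at_use(pk1, c, sign(sk1, c))    # passes for any holder of sk1
    stranger = reg.check_at_use(pk2, c, sign(sk2, c))  # valid signature, key never enrolled
    return first, repeat, other, holder, stranger
```

The fourth result is the property the article questions: the check passes for whoever holds the key, and the registry stores nothing that could tie that holder to the iris that was scanned.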
While getting a World ID seems easy, there may be a wait for a user to reach an Orb: “A user downloads the World App. When they do that, the application then generates a random private key for the World ID, and then you essentially already have World ID,” says Sada.
“It just has a really low level of verification. Then if you verify the phone number, then it’s a little bit more verified. And then if you visit an Orb or it’s even more verified, makes the ultimate level of verification.”
Telephone number checks are conducted by Twilio and play a significant role. The Privacy Notification states that the Proof of Personhood process “may allow developers to use other signals such as phone number verifications instead of, or in addition to the IrisCode.”
The Biometric Consent form also states that without biometric verification, “you will not be able to use certain features in the App, such as claiming your share of WLD [Worldcoins] for free or establishing a unique, portable digital identity. Like every user, you still must agree to the Privacy Notice and User Terms and Conditions.”
For example, by creating a World ID, details are automatically collected on “geo-location and tracking details, computer or mobile phone operating system, web browser name and version, and IP addresses.”
Users will be able to access maps showing Orb locations within the World App.
Proof of Personhood, not identity
In theory, no biographic details are captured on registration (the IEEE and MIT reports say otherwise). The World ID at this stage is proof of individuality. Biographic details such as name and age would have to be added via other integrations at the point of use.
“Today the way it works is about custody of the World ID,” says Sada. “So there is no check, there is no authentication stuff that happens. It’s simply ‘hey, I’m proving to you that I hold the private keys of a World ID and I can make you these statements about that’.”
There is also the problem that the current system does not prove that the unidentified user is the same unidentified person who originally registered.
“That is something that we’re working on. The way this will work is very cool,” says Sada. “For global deduplication you need iris because of the fraud and more importantly the entropy guarantees that you get from it, because that’s a 1 to N comparison. But reauthentication is only a 1 to 1 comparison.
“So something like face is more than sufficient and this is why your phones and whatnot use face authentication. So the way we envision something like reauthentication working is in particular for the biometric credential — for the phone credential is very simple, you just reverify the phone number.
“For the biometric credential, you can imagine that a device like the Orb or any other devices that are supporting the protocol in the future could issue actually two credentials tied to each other, but issue the iris uniqueness credential.
“But it could also issue a face embedding credential that instead of being stored on a server would be sent to your device and you would be able to hold, assign the embedding of your face locally on your device. And so when you want to authenticate, you would be able to, using a new type of cryptography called zero knowledge ML.
“Locally on your device, take a second selfie and generate a zero-knowledge proof that shows that just your current face matches the embedding that the Orb saw when it first issued your credential.”
This would “unlock things like more serious financial applications where you want to make sure this is truly still the same person that was issued this World ID,” adds Sada.
Using iris for reauthentication is not currently possible, explains Sada: “It would not be possible today because all the iris images and generally face data gets destroyed locally in the Orb – that memory doesn’t even touch the storage of the Orb.”
Adding face images could open up the functionality of World ID considerably.
The February 2023 ‘Opening the Orb’ teardown of the hardware, which runs to nearly 3,000 words, does not mention image capture beyond irises, although it states that the article will be updated.
The company User Terms and Conditions state: “The Orb captures a series of high-resolution images of your eyes (specifically, your irises) and face (both your head and shoulders).”
The company’s Biometric Consent form covers the no-biometrics route, plus two options for biometrics. Both “allow us to collect images of your irises, eyes, and face when you sign up at an Orb,” but if you opt out of biometric sharing:
“The Image Data is deleted after the Orb creates the IrisCode based on your iris image. We do not retain or transfer the Image Data to our database. The Image Data will not be transferred out of the Orb. You may, however, later need to revisit an Orb so that your IrisCode can be reverified as we update our algorithms.”
If you opt in, then your future could be different:
“You allow us to store this information and transfer this data to our teams in the European Union and the United States, for the purpose of training our algorithms, as detailed below. You will have full functionality and may not need to revisit an Orb if we update the algorithms. Plus, you will help us to build and improve our product.”
A deleted blog page from October 2021 states that during “field-testing”: “We collect the following data through the Orb after the user gives us their consent:
- Images of users’ body, face, and eyes, including users’ irises (visible, near infrared and far infrared spectrum)
- Three-dimensional mapping of users’ body and face”
A previous consent form captured by the MIT reporting team goes further still, stating the collection of:
“High-definition video and photographs of your body, face, and eyes, including your irises (visible and infrared); Contactless doppler radar detection of your heartbeat, breathing, and other vital signs; and Three-dimensional mapping of your body and face.”
The company declined to comment on record about what images are captured by the Orb, but noted that there are no incentives to opt in to data sharing.
Pseudonyms, anonymous actions, voting
The protocol intends to prove that a user is a unique individual, but is more sophisticated than that. As Sada points out, biometrics mean a unique individual, but do not necessarily mean only one account.
For example, a social media platform could allow a World ID holder to verify a set number of accounts – say five. The protocol allows the platform to know how many times the World ID has been used, without letting it see who the user is or link those multiple accounts to one individual.
The protocol and SDK pair-up also means that a social platform could require World ID for each ‘like’ of content. These likes could be shown as from a unique individual, but that individual can remain anonymous. It would not be visible to anyone else that likes from different accounts are from one individual.
Sada calls these “anonymous actions.” The protocol could be particularly useful for voting. Votes could be verified as being from an individual, and that individual World ID holder would not be able to vote more than once, but remain anonymous in identity and vote choice.
Global hotspots and GDPR not-spots
Despite the company maintaining that it treats all data in line with GDPR, as noted above, shared biometric data can be transferred to the U.S. The U.S. has failed to reach a data adequacy agreement with the EU.
Portuguese capital Lisbon is one of the five focus cities for the project going forward.
The others are Buenos Aires, where crypto is still seen as a safer bet than fiat currency, Santiago, Nairobi and Delhi, which does not yet have a data protection law. Orbs are also in use in Spain.
Reluctantly homemade Orbs
The cost of production for the Orbs, made in Germany, may be “very manageable” according to Sada and “Out of all the bottlenecks that we have, the Orb will not be one of them,” but he notes that taking on the development of the hardware was arduous.
From custom liquid crystal lenses to thermal imaging, the Orbs are packed with tech.
It was an “unfortunate realization” says Sada, remembering the amount of work required when nothing was available off the shelf. “There’s nothing that can do that type of verification for this level of accuracy,” he says, adding that the Orb has to work in all climates, and on the streets.
At this stage in its development, there seems to be more work required to reach the claims “World ID is a new privacy-first protocol that brings global proof of personhood to the internet” and “World ID is a new privacy-first decentralized identity protocol” in its latest announcement.
The company has declined to confirm whether the venture will be possible in China, stating instead the six countries where Orbs are active. Along with other large exclusions such as the U.S., this challenges the ‘global’ aspect.
Without any further attributes beyond a test of the uniqueness of a smartphone or iris, and no way to prove that a user is the same as the person who registered, the ‘ID’ claim seems questionable.
The decentralized element is challenged by the central database of iris hashes which cannot be deleted. The privacy-first part also appears challenged by the metadata captured by the app, global transfer of data to non-data-adequate territories and the practicalities at registration rallies where other reports describe physical identities being photographed and names, numbers and email addresses being taken.
And without a biometric check at point of use, the system seems only to be a test of device or iris uniqueness at the outset rather than proof of personhood.
Updated 3:32pm March 22, 2023 to include this response from Worldcoin
Update: The company claims that the MIT Technology Review does not reflect current registration practices and that the range of biometrics described in consent documentation then “was intended to be overly inclusive” and they “never implemented this functionality in the field or collected data from ‘contactless doppler radar detection of your heartbeat, breathing and other vital signs.’”
The consent forms still require users to consent to face and body images being captured. When asked what the other images beyond iris are, the firm replies:
The Orb checks that an individual is real and is unique or has not previously signed up for Worldcoin. It does this by capturing and processing images of an individual and their unique iris pattern. Since no two people have the same iris pattern and these patterns are very hard to fake, the Orb can accurately tell people apart from one another without having to collect any other information about them—not even their name.
The deleted web page detailing previous registration practices and range of biometrics being captured was inadvertently deleted during website redesign.
The service is also not available in North Korea, Syria or parts of Ukraine. Its operations were wound down in Indonesia after the firm ceased dealings with the Operator concerning allegations of bribery.