Several groups of young men and women were gathered outside a shopping mall in Kenya’s capital Nairobi last week. They had heard through social media that Worldcoin was offering free money that can be cashed out via popular local mobile money platform, M-Pesa.
These young people, mostly aged between 20 and 35 and likely unemployed or underemployed, turned up to the venue to get their irises scanned. Five or six youths clad in black hoods branded Worldcoin were guiding them, one by one, on how to download and sign up for the platform after it launched worldwide on July 24.
Masai Mall, in Rongai, part of the Nairobi metropolis, is just one of over 25 iris-scanning centers spread across malls and supermarkets in the city. To get started, new users are asked to download the World App onto their smartphones, scan a QR code, and face the orb to scan both irises. This generates a hash known as IrisHash on the Ethereum-based Optimism blockchain and a digital ID, which Worldcoin touts as a unique way to verify an individual’s personhood, avoiding risks of AI-driven fraud. One of Worldcoin’s co-founder, Sam Altman, is the chief executive of OpenAI, the maker of generative AI chatbot ChatGPT.
Signing up instantly earned users one Worldcoin (WLD), but after the cryptocurrency was listed in several crypto exchanges, including Binance, new users were rewarded with 25 extra coins. As at July 31, 26 coins equaled $59. Kenyans who signed up to Worldcoin’s initial recruitment drive in 2021 had as much as $332 in their accounts after the official launch. But this money is not accessible instantly. Users have to transfer it to a crypto wallet, which converts the tokens into the USDT (Tether) stablecoin that pairs 1:1 with the fiat US dollar. Many users prefer Binance because it is already integrated with local mobile money platform M-Pesa. This allows them to sell their stablecoins and get paid local currency via M-Pesa. Over 2 million people were allocated over 43 million WLD tokens as an airdrop on Worldcoin’s launch day last week. By setting it up this way, Worldcoin believes it will help poor communities get a slice of the global wealth.
Excited by the prospect of earnings free money amid a rising cost of living, many new users overlooked the critical step of questioning the privacy and security of the data that they just shared with Worldcoin. “I need the money to settle some bills, we can talk about privacy later,” Jackson Maina, who graduated from university five years ago but is still unemployed, told Quartz.
A Worldcoin spokesperson told Quartz that its registration agents “are expected to follow a strict code of conduct that emphasizes complying with laws and protecting the public.”
Data privacy disclosures weren’t the only issue confronting Worldcoin agents in Nairobi, as new users reported becoming the target of fraudsters offering to buy their newly minted dollars for cash—but at a lower valuation than the tokens’ actual worth. The cash-out process is long and complex for crypto newbies, and fraudsters found an easy way to swindle new users out of their tokens.
“There are many crypto scammers right now in the crowd preying on users with limited knowledge of Worldcoin. Because new users don’t have a crypto wallet to cash out, they are selling off their crypto rewards for little cash,” a Worldcoin agent who asked for anonymity because they were forbidden from speaking to the media told Quartz. “They’re sending all the crypto tokens to their own accounts, worth about $60, to themselves and giving their victims Sh1,000 ($7) in cash.” The fraudsters then cash out the money later. After exchanging $120 worth of Worldcoins for $20 last Friday, one victim told Quartz she felt “heartbroken.”
Crypto fraud aside, the issue of user’s informed consent remains a concern for Kenyan regulators, especially following reports that a first batch of users in Indonesia were not given a proper explanation of what they were sharing in return for the payment.
In a July 28 press release, data protection commissioner Emmaculate Kassait warned Kenyans against letting Worldcoin collect their iris data without proper consent and explanation. “Failure to do so not only puts individuals’ privacy at risk but also exposes an organization to legal and reputational consequences,” she said.
Worldcoin told Quartz that “images collected by the Orb are promptly deleted” and that “the only personal data that leaves the Orb is a message containing the iris code.” It is collecting this data in 35 cities across 20 countries.
Making biometrics a requirement for the cryptocurrency’s use is not necessarily the foolproof identification tool that Worldcoin considers it to be. The biometric data has reportedly appeared in black markets in China where some users are selling their verification for $30.
Worldcoin said it doesn’t see that as a problem, but has detected several hundred cases of fraud involving the World ID verification protocol used to determine real identities.
Tech experts around the world are concerned about Worldcoin’s data collection methods as well. The Orb device, while being perhaps Worldcoin’s greatest innovation, might result in being its Achilles’ heel. Bob Bodily, CEO of web3 infrastructure firm Toniq Labs, told Quartz that while proof-of-personhood is critical for human identity, scalability of the digital ID project faces several challenges, because Worldcoin requires a massive amount of its Orbs to be manufactured and spread worldwide. “Worldcoin’s security can also be considered ‘medium’ due to the possibility of malicious actors 3D printing iris copies and hacking users’ phones to steal their keys,” Bodily said. “This manufacturing process is also hard to decentralize.”
According to Gracy Chen, managing director at Bitget, the Orb hardware device is still a black box for the user. “The user has no way of knowing whether there is a malicious program behind the hardware,” Chen told Quartz. “If a backdoor is installed in Orb, it can steal user information, leading to major user privacy risks.”
Worldcoin maintains that all data it collects “is securely encrypted” and that it “does not, and never will, sell anyone’s personal data, including biometric data.”
According to Nick Daze, CEO of Heirloom, a web3 platform that proves credentials and personhood on the blockchain, all the world needs to solve digital identity problems is a less intrusive way. “A viable solution should not be biometrics first. Instead it should be encrypted, user generated information that can be claimed through biometrics. In this way if access, for whatever reason, to this identity is corrupted—the identifying information can be reset,” he told Quartz.
Daze’s view is backed by that of Toby Rush, the CEO and co-founder of Redeem, another Web3 company. “I feel like what Worldcoin is saying is that the only way to do this is with iris scans, which actually is not true,” he told Quartz. “We should really think about not forcing the world through a monolithic and rigid structure. There’s no composability to it. The whole idea of blockchain is that there are lots of ways to win.”
Giving out tokens was one way for Worldcoin to attract users, but building confidence in Worldcoin’s data safety system will take more efforts. Oliver Linch, CEO of the Bittrex Global crypto exchange, foresees “a backlash among privacy advocates that would lead data watchdogs to scrutinize crypto companies for processing personal data in this way, thereby forcing a rethink.”
The UK’s data watchdog, the Information Commissions Office (ICO), announced on July 25 that it would be examining Worldcoin’s policy on data collection to ensure the organization has “a clear lawful basis to process personal data.” France’s privacy watchdog CNIL has initiated investigations on Worldcoin because “the legality of this collection seems questionable, as do the conditions for storing biometric data.”