Worldcoin, OpenAI CEO Sam Altman’s bid to sew up the market for verifying humanness by convincing enough mobile meatsacks to have their eyeballs scanned in exchanged for crypto tokens (yes, really), only started its official global rollout this week but it’s already landed on the radar of European data protection authorities.
Why should anyone feel the need to prove their humanness on the Internet? Well one reason is that by unleashing free power tools like ChatGPT Altman’s generative AI company is leading the charge to make it harder to distinguish between bot-generated and human digital activity. But don’t worry, he’s got an eyeball-scanning orb-plus-crypto-token to sell humanity on for that!
Pop-up locations where willing guinea pigs (i.e. humans) can get some Worldcoin “digital tokens” in exchange for feeding their biometric data into its proprietary Half Life-esque orbs have sprung up in four markets in Europe so far: The U.K., France, Germany and Spain. And, surprising precisely no-one, privacy regulators in at least three of those markets are already expressing concerns and/or actively investigating WTF Worldcoin is doing with European’s sensitive personal data.
Earlier this week the U.K.’s Information Commission Office (ICO) was asked about Worldcoin launching in the U.K. and said publicly it would be “making enquiries”, before issuing some boilerplate warning that: “Organisations must conduct a Data Protection Impact Assessment (DPIA) before starting any processing that is likely to result in high risk, such as processing special category biometric data. Where they identify high risks that they cannot mitigate, they must consult the ICO.”
The ICO’s remarks also emphasized the need for “a clear lawful basis to process personal data”, adding: “Where they are relying on consent, this needs to be freely given and capable of being withdrawn without detriment”.
One privacy compliance question to consider, then, is can consent be freely given if people are being encouraged to hand over their biometrics in exchange for a token which is being presented as a form of virtual currency?
Fast forward a few days and France’s data protection authority, the CNIL, has followed the ICO’s remarks with even more specific expressions of concern, as first reported by Reuters — out-and-out questioning the legality of what Worldcoin is doing. The French authority also revealed it’s already been actively investigating Worldcoin.
“The legality of [Worldcoin’s data] collection seems questionable, as do the conditions for storing biometric data,” a CNIL spokesperson confirmed by email, adding: “Worldcoin collected data in France, and the CNIL initiated investigations.”
Per the CNIL, the investigation it started has been passed to Bavaria’s DPA — after it found the German state authority was Worldcoin’s lead data supervisor in the EU (owing, presumably, to Worldcoin having a subsidiary in the German state). It added that it is providing support to Bavaria’s probe “under the mutual assistance procedure” in EU law.
The bloc’s General Data Protection Regulation (GDPR) — a pan-EU law which is still baked into legacy U.K. data protection rules (hence the ICO sharing the same sort of concerns as EU peers) — contains a mechanism called the One-Stop-Shop that’s intended to streamline regulatory oversight in instances where concerns cut across Member State borders, as here. Or at least when the data processor in question has a main establishment in the EU, as Worldcoin apparently does.
In this scenario the data controller only needs to liaise with a single lead DPA. And in Worldcoin’s case that’s apparently the state of Bavaria’s DPA.
We contacted the Bavarian authority with questions about the investigation. But a spokesperson told us that because it’s an ongoing procedure it’s unable to go into details. (They did confirm one of the first aspects it will look at, out of a range of “many” questions, is the obligation to carry out a data protection impact assessment — which they said “should provide a clear analysis of the impact of the envisaged processing operations on the protection of personal data and the safeguards in place to address these risks”.)
We’ve also reached out to Spain’s DPA to ask if it shares its peers concerns about Worldcoin’s data processing in that EU market and will update this report with any response.
On the legality point, the GDPR classes biometric data that’s used for the purpose of identification — which is exactly what the Worldcoin project intends — as so-called “special category data”. This type of (very sensitive) data has the strictest rules for legal processing.
A spokeswoman for Tools For Humanity, the for-profit technology company that led the development of Worldcoin and operates the World App, confirmed to TechCrunch that consent is the lawful basis being claimed for processing Europeans biometrics data. “Under GDPR, the project relies on the users’ consent for creating the proof of personhood and for opting into data custody,” she told us.
She also pointed us to Worldcoin’s biometric data consent form and privacy notice — documents that run to almost 3,800 words and almost 3,400 words, respectively.
Since Worldcoin is relying on people’s consent to process their special category data, under EU law it must meet an even higher bar — of explicit consent — in order for this processing to be lawful. This means the description shown to, er, eyeball providers before their biometrics are harvested must be extremely clear and specific about what the processing is for. And let’s just say that achieving the highest bar for clarity when you’re presenting individuals with circa 7,000 words of legalese while simultaneously telling them they’ll get a bunch of crypto if they do the scan looks challenging to say the least. (NB: Consent under EU law must also be freely given.)
Even the governance structure of Worldcoin, a decentralized cryptocurrency project, looks hella complicated for people to even understand who they’re giving their data to.
Asked whether Worldcoin is a for-profit or not-for-profit entity the spokeswoman for Tools For Humanity (which is the entity that has so far responded to queries we’ve directed to Worldcoin’s press email) could not provide a straight answer — because there simply isn’t one. Worldcoin’s organizational structure and decentralized governance does not lend itself to a simple yes or not. But she did confirm that Tools for Humanity (and its German subsidiary), aka the Worldcoin developer, is a for-profit tech company.
The other (main) involved entities are the Worldcoin Foundation and the Worldcoin Protocol, which she suggested are not for-profit entities. A disclosure on Worldcoin’s website states: “The Worldcoin Foundation is an exempted limited guarantee foundation company, which is a type of non-profit, incorporated in the Cayman Islands.” So, er, it’s a “type” of non-profit then with for-profit subsidiaries? (For the lolz we asked ChatGPT what an “exempted limited guarantee foundation company” is and OpenAI’s chatbot responded by telling us that, as of its data training cut-off data in September 2021, “there is no widely recognized legal structure or term known [as that]”.)
Then there’s the question of who is actually processing the data — and thus legally responsible for not breaching EU data protection law? Worldcoin’s biometric consent form appears to list the Cayman Islands-based Worldcoin Foundation as the data controller of “your images and biometric data collected through our Orb”.
We asked Tools for Humanity’s spokeswoman to confirm this and she stipulated that the data controller “now” is the Worldcoin Foundation, with Tools For Humanity being a data processor for Worldcoin. (Albeit, the fact Bavaria’s DPA is leading the investigation into the project suggests Tools for Humanity’s German subsidiary plays a significant role in processing people’s data.)
Another question and potential red flag vis-a-vis GDPR compliance pops up if you eyeball the summary section of the Worldcoin biometric data consent form — which contains a bolded warning that people who “sign-up with an Orb” (i.e. have their biometric data harvested) won’t be able to have their personal data deleted after this step. (“[W]e will create a unique Iris Code (as defined below) that cannot be deleted anymore (if we were to delete it, the proof of uniqueness would not work),” Worldcoin writes.)
Thing is, the GDPR gives Europeans a suite of data access rights over their personal data, including the right to ask for it to be deleted. Saying that deletions aren’t possible isn’t going to cut it. The regulation also broadly defines personal data, as information that could identify a natural person (including when combined with other data), so trying to claim the “unique Iris Code” derived from the biometric scan isn’t personal data to avoid the need to comply with deletion requests seems unlikely to fly with regulators.
All in all, it’s easy to see why European privacy watchdogs have so quickly mobilized to express and act on concerns. Although it remains to be seen how fast regulators might move to enforcement if concerns are stood up.
Asked about the DPAs’ activity, Tools For Humanity’s spokeswoman claimed the Worldcoin project complies with all applicable laws (albeit, in some US states that means residents are outright barred from being scanned owing to local laws limiting biometric data processing. “You cannot provide your biometric information at the Orb if you are a resident of the state of Illinois, Texas, or Washington or the cities of Portland, Oregon or Baltimore, Maryland,” notes Worldcoin’s consent form).
She also confirmed that Worldcoin has undertaken a data protection impact assessment — which she described as having been “rigorously” conducted.
In further remarks emailed to us today after we asked for Worldcoin’s response to the Bavarian DPA’s investigation, the Tools For Humanity spokeswoman added:
Worldcoin was designed to protect individual privacy and has built a robust privacy program. The Worldcoin Foundation complies with all laws and regulations governing the processing of personal data in the markets where Worldcoin is available, including the General Data Protection Regulation (“GDPR”). In the European Union, the project is under the supervision of the Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutz). The project will continue to cooperate with governing bodies on requests for more information about its privacy and data protection practices. We are committed to working with our partners across Europe to ensure that the Worldcoin project meets regulatory requirements and provides a safe, secure, and transparent service for verified humans.