Worldcoin (WDC) distributes tokens for people who have their irises scanned to create a “Proof of Humanity.” In Spain, the data protection regulator and the highest court put a stop to the project.

Worldcoin is withdrawing from Spain. OpenAI founder Sam Altman’s crypto project, which distributes Worldcoin tokens to users who have their irises scanned in so-called “Orbs”, is responding to a complaint from the Spanish Data Protection Agency (AEPD) and a ruling from the highest authority court.

The AEPD ruled on March 8th that Worldcoin was violating Spanish data protection laws and should therefore cease all activities in Spain and delete all scans of Spanish citizens. The authority was responding to complaints that Worldcoin collects private data without the adequate consent of users, especially minors, and denies them their right to later withdraw their consent and have the data deleted. The project therefore violates the EU’s general data protection laws (General Data Protection Regulations, GDPR).

The Worldcoin operating company Tools for Humanity (TFH) GmbH, based in Erlangen, has lodged an objection against the decision. She argues that the ban will cause her irreparable harm, both in Spain and globally. Furthermore, the AEPD is not responsible at all, but rather the Bavarian State Office for Data Protection Supervision. Since the TFH and the Worldcoin Foundation are registered in Bavaria, the Ansbach authority is responsible for their supervision across Europe. The TFH is monitoring this intensively and expects a preliminary result in the coming weeks.

Spain’s highest court rejected TFH’s appeal. The protection of personal data, she explains, takes priority over the commercial interests of a company.

What is curious about this case is that Worldcoin does not store any iris scans at all.

From Worldcoin’s image video

How Worldcoin strives for privacy

Worldcoin only stores the hash of the iris or a (slightly more complex) mathematical derivation of it. As a “World ID”, it proves that you are a unique person. According to the central idea, this is essential for an age of artificial intelligence in which humans and machines can no longer be distinguished online.

Worldcoin is therefore not concerned with “who you are, but only with the fact that you are unique.” In this sense, the company strives to reduce the amount of private data to an absolute minimum.

This begins with image files never leaving the “Orb” after it scans participants’ irises. “As soon as you are verified, they will be permanently deleted.” The only thing that remains is a message that contains the Iris Code, “a chain of numbers that the Orb generates.” This is the so-called World ID, which is actually what it is is stored onchain.

However, with another scan of the iris, you could determine what the World ID of a certain person is, for example someone you are robbing, and thereby understand which websites someone has logged on to, what they have bought, where, and how they have paid, and so on further. That’s why Worldcoin uses a zero-knowledge proof: When you log in using World ID, you don’t sign with a private key linked to an address – as Ethereum currently does – but with a cryptographic method that proves that you are the owner of a valid World ID – but does not reveal which one.

The semaphore algorithm co-developed by Worldcoin replicates such a process – a ring signature like Monero – for Ethereum, where the Worldcoin token is currently still running. With the formal verification of “Semaphore Merkle Tree Batcher (SMTB)”, which was only presented in January, the Worldcoin developers achieved a small cryptographic breakthrough that can also be useful beyond the project.

If you were to log in to Web3, as it currently exists, with a Worldcoin ID instead of your Web3 address, this would massively improve privacy here – while users essentially store their backup seed in their own eyes.

Does the court understand the technology? Do they even care?

Worldcoin complains that the AEPD is “spreading inaccurate and misleading claims about our technology, after months of ignoring our efforts to provide them with an accurate view of Worldcoin and the World ID.”

Interestingly, the TFH is not suing the highest court against a misrepresentation of the technology, but rather with economic and legal arguments. The court may not allow the technical protection to apply because there is already a black market for World IDs, for example in China, or because the company cannot guarantee that the operators of the orbs will not manipulate them. Misuse simply cannot be prevented, would be the message if a digital ID and a blockchain are involved.

However, it is possible that the Spanish supervisors and judges are not in a position to adequately assess the technology. Or there is simply no legally valid answer in the EU to the fact that data is stored on-chain and therefore cannot be deleted.

Either way, it’s a shame, because Worldcoin is punishing a company that tackles an important problem – proving to be an individual on the Internet – and makes a serious effort to maintain maximum privacy – even that Promotes open source research for the necessary methods – and documents this cleanly and highly transparently. State authorities in particular should emulate Worldcoin in this regard instead of banning it.


Leave a Reply