The iris-scanning identity technology World has already been banned in some European countries over privacy concerns.

World, a biometrics identification project cofounded by OpenAI’s Sam Altman, has been told it did not meet European data protection rules and has been issued with a corrective measure. 

The company, formerly known as Worldcoin, scans irises and faces and uses this data to create a means of personal identification that can be used for activities online and prove that the user is human and not an artificial intelligence (AI) bot.  

The San-Francisco-based company Tools for Humanity builds World’s technology, which is a sphere device called an ‘Orb’ that scans the eyes, but World’s European headquarters and manufacturing facility is in the German state of Bavaria. 

On Thursday, the German data protection authority, the Bavarian State Office for Data Protection Supervision (BayLDA), concluded a months-long investigation into World and stated that its identification procedure “entails a number of fundamental data protection risks for a large number of data subjects” that does not comply with the European Union’s General Data Protection Regulation (GDPR).

The authority has ordered Word to begin a data deletion procedure that complies with GDPR rules.

“With today’s decision, we are enforcing European fundamental rights standards in favour of data subjects in a technologically demanding and legally highly complex case,” said BayLDA president Michael Will.

“All users who have provided ‘Worldcoin’ with their iris data will in future have the unrestricted opportunity to enforce their right to erasure,” he added in a statement. 

World has appealed the decision and has asked regulators to provide judicial clarity on whether the processes and, in particular, the Privacy Enhancing Technologies (PETs) deployed by World Network meet the legal definition for anonymisation in the EU.

Tools for Humanity’s chief privacy officer Damien Kieran told Euronews Next that Michael Will “is stuck between a rock and a hard place”.

“I do not want to put words in his [Will’s] mouth but I think he thinks that we have done something rather good technically, but I think he’s under a lot of pressure, because I think it’s a complicated environment to be a lead supervisory authority in the EU at the moment,” Kieran said. 

Kieran said that data anonymisation and data deletion are “essential for enabling people to verify themselves as human online while remaining completely private”.

“Without a clear definition around anonymisation, however, we lose perhaps our most powerful tool in the fight to protect privacy in the age of AI,” he added. 

How it works

Kieran also said that the period that the BayLDA is referring to, is a time when World was collecting iris codes and storing them in a database, which was not GDPR compliant according to the authority.

“We’re no longer doing that,” he told Euronews Next. 

Kieran said that now World no longer owns the personal data provided by the iris codes and it is deleted from their systems. What happens is a cryptographic protocol is applied so that code is cut up to make three new pieces of code. 

Those three codes, which are extremely difficult to break are then stored in databases that are owned by third parties, which include the University of Berkeley, Zurich, Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU) university and NeverMind. 

World is currently available in Argentina, Austria, Chile, Colombia, Ecuador, Germany, Japan, Mexico, Peru, Poland Singapore, South Korea, and the US.

Kieran said that it plans to roll out the technology later on in Ireland, the UK, France, and Italy. 

The company also hopes to reach Spain and Portugal, however, both countries issued temporary bans on World earlier this year in response to complaints over data privacy. 

Share.
Exit mobile version