Privacy

Worldcoin’s official launch triggers swift privacy scrutiny in Europe

Comment

Kenyan lawmakers recommends for Worldcoin shutdown in the country.
Image Credits: Tools for Humanity

Worldcoin, OpenAI CEO Sam Altman’s bid to sew up the market for verifying humanness by convincing enough mobile meatsacks to have their eyeballs scanned in exchanged for crypto tokens (yes, really), only started its official global rollout this week but it’s already landed on the radar of European data protection authorities.

Why should anyone feel the need to prove their humanness on the Internet? Well one reason is that by unleashing free ‘power tools’ like ChatGPT Altman’s generative AI company is leading the charge to make it harder to distinguish between bot-generated and human digital activity. But don’t worry, he’s got an eyeball-scanning orb-plus-crypto-token to sell humanity on for that!

Pop-up locations where willing guinea pigs (i.e. humans) can get some Worldcoin “digital tokens” in exchange for feeding their biometric data into its proprietary Half Life-esque orbs have sprung up in four markets in Europe so far: The U.K., France, Germany and Spain. And, surprising precisely no-one, privacy regulators in at least three of those markets are already expressing concerns and/or actively investigating WTF Worldcoin is doing with European’s sensitive personal data.

Earlier this week the U.K.’s Information Commission Office (ICO) was asked about Worldcoin launching in the U.K. and said publicly it would be “making enquiries”, before issuing some boilerplate warning that: “Organisations must conduct a Data Protection Impact Assessment (DPIA) before starting any processing that is likely to result in high risk, such as processing special category biometric data. Where they identify high risks that they cannot mitigate, they must consult the ICO.”

The ICO’s remarks also emphasized the need for “a clear lawful basis to process personal data”, adding: “Where they are relying on consent, this needs to be freely given and capable of being withdrawn without detriment”.

One privacy compliance question to consider, then, is can consent be freely given if people are being encouraged to hand over their biometrics in exchange for a token which is being presented as a form of virtual currency?

Fast forward a few days and France’s data protection authority, the CNIL, has followed the ICO’s remarks with even more specific expressions of concern, as first reported by Reuters — out-and-out questioning the legality of what Worldcoin is doing. The French authority also revealed it’s already been actively investigating Worldcoin.

“The legality of [Worldcoin’s data] collection seems questionable, as do the conditions for storing biometric data,” a CNIL spokesperson confirmed by email, adding: “Worldcoin collected data in France, and the CNIL initiated investigations.”

Per the CNIL, the investigation it started has been passed to Bavaria’s DPA — after it found the German state authority was Worldcoin’s lead data supervisor in the EU (owing, presumably, to Worldcoin having a subsidiary in the German state). It added that it is providing support to Bavaria’s probe “under the mutual assistance procedure” in EU law.

The bloc’s General Data Protection Regulation (GDPR) — a pan-EU law which is still baked into legacy U.K. data protection rules (hence the ICO sharing the same sort of concerns as EU peers) — contains a mechanism called the One-Stop-Shop that’s intended to streamline regulatory oversight in instances where concerns cut across Member State borders, as here. Or at least when the data processor in question has a main establishment in the EU, as Worldcoin apparently does.

In this scenario the data controller only needs to liaise with a single lead DPA. And in Worldcoin’s case that’s apparently the state of Bavaria’s DPA.

We contacted the Bavarian authority with questions about the investigation. A spokesperson told us that because it’s an ongoing procedure it’s unable to go into details. But they did confirm one of the first aspects it will look at, out of a range of “many” questions, is the obligation to carry out a data protection impact assessment — which they said “should provide a clear analysis of the impact of the envisaged processing operations on the protection of personal data and the safeguards in place to address these risks”.

Pressed for more, the spokesperson also told TechCrunch the investigation is “intended to clarify questions regarding the transparency and security of data processing”, adding: “This includes whether data subjects are provided with sufficient information to give them a clear understanding of the processing of their data and the purposes pursued with it; whether data subjects’ rights such as the right to erasure and objection or the revocation of consent are guaranteed; or whether sufficient protection against unauthorised access to the data processed by Tools for Humanity is ensured, e.g. to avoid misuse of identity.”

We’ve also reached out to Spain’s DPA to ask if it shares its peers concerns about Worldcoin’s data processing in that EU market and will update this report with any response.

On the legality point, the GDPR classes biometric data that’s used for the purpose of identification — which is exactly what the Worldcoin project intends — as so-called “special category data”. This type of (very sensitive) data has the strictest rules for legal processing.

A spokeswoman for Tools For Humanity, the for-profit technology company that led the development of Worldcoin and operates the World App, confirmed to TechCrunch that consent is the lawful basis being claimed for processing Europeans biometrics data. “Under GDPR, the project relies on the users’ consent for creating the proof of personhood and for opting into data custody,” she told us.

She also pointed us to Worldcoin’s biometric data consent form and privacy notice — documents that run to almost 3,800 words and almost 3,400 words, respectively.

Since Worldcoin is relying on people’s consent to process their special category data, under EU law it must meet an even higher bar — of explicit consent — in order for this processing to be lawful. This means the description shown to, er, eyeball providers before their biometrics are harvested must be extremely clear and specific about what the processing is for. And let’s just say that achieving the highest bar for clarity when you’re presenting individuals with circa 7,000 words of legalese while simultaneously telling them they’ll get a bunch of crypto if they do the scan looks challenging to say the least. (NB: Consent under EU law must also be freely given.)

Even the governance structure of Worldcoin, a decentralized cryptocurrency project, looks hella complicated for people to even understand who they’re giving their data to.

Asked whether Worldcoin is a for-profit or not-for-profit entity the spokeswoman for Tools For Humanity (which is the entity that has so far responded to queries we’ve directed to Worldcoin’s press email) could not provide a straight answer — because there simply isn’t one. Worldcoin’s organizational structure and decentralized governance does not lend itself to a simple yes or not. But she did confirm that Tools for Humanity (and its German subsidiary), aka the Worldcoin developer, is a for-profit tech company.

The other (main) involved entities are the Worldcoin Foundation and the Worldcoin Protocol, which she suggested are not for-profit entities. A disclosure on Worldcoin’s website states: “The Worldcoin Foundation is an exempted limited guarantee foundation company, which is a type of non-profit, incorporated in the Cayman Islands.” So, er, it’s a “type” of non-profit then with for-profit subsidiaries? (For the lolz we asked ChatGPT what an “exempted limited guarantee foundation company” is and OpenAI’s chatbot responded by telling us that, as of its data training cut-off data in September 2021, “there is no widely recognized legal structure or term known [as that]”.)

Then there’s the question of who is actually processing the data — and thus legally responsible for not breaching EU data protection law? Worldcoin’s biometric consent form appears to list the Cayman Islands-based Worldcoin Foundation as the data controller of “your images and biometric data collected through our Orb”.

We asked Tools for Humanity’s spokeswoman to confirm this and she stipulated that the data controller “now” is the Worldcoin Foundation, with Tools For Humanity being a data processor for Worldcoin. (Albeit, the fact Bavaria’s DPA is leading the investigation into the project suggests Tools for Humanity’s German subsidiary plays a significant role in processing people’s data.)

Another question and potential red flag vis-a-vis GDPR compliance pops up if you eyeball the summary section of the Worldcoin biometric data consent form — which contains a bolded warning that people who “sign-up with an Orb” (i.e. have their biometric data harvested) won’t be able to have their personal data deleted after this step. (“[W]e will create a unique Iris Code (as defined below) that cannot be deleted anymore (if we were to delete it, the proof of uniqueness would not work),” Worldcoin writes.)

Thing is, the GDPR gives Europeans a suite of data access rights over their personal data, including the right to ask for it to be deleted. Saying that deletions aren’t possible isn’t going to cut it. The regulation also broadly defines personal data, as information that could identify a natural person (including when combined with other data), so trying to claim the “unique Iris Code” derived from the biometric scan isn’t personal data to avoid the need to comply with deletion requests seems unlikely to fly with regulators.

All in all, it’s easy to see why European privacy watchdogs have so quickly mobilized to express and act on concerns. Although it remains to be seen how fast regulators might move to enforcement if concerns are stood up.

Asked about the DPAs’ activity, Tools For Humanity’s spokeswoman claimed the Worldcoin project complies with all applicable laws (albeit, in some US states that means residents are outright barred from being scanned owing to local laws limiting biometric data processing. “You cannot provide your biometric information at the Orb if you are a resident of the state of Illinois, Texas, or Washington or the cities of Portland, Oregon or Baltimore, Maryland,” notes Worldcoin’s consent form).

She also confirmed that Worldcoin has undertaken a data protection impact assessment — which she described as having been “rigorously” conducted.

In further remarks emailed to us today after we asked for Worldcoin’s response to the Bavarian DPA’s investigation, the Tools For Humanity spokeswoman added:

Worldcoin was designed to protect individual privacy and has built a robust privacy program. The Worldcoin Foundation complies with all laws and regulations governing the processing of personal data in the markets where Worldcoin is available, including the General Data Protection Regulation (“GDPR”). In the European Union, the project is under the supervision of the Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutz). The project will continue to cooperate with governing bodies on requests for more information about its privacy and data protection practices. We are committed to working with our partners across Europe to ensure that the Worldcoin project meets regulatory requirements and provides a safe, secure, and transparent service for verified humans.

This report was updated with additional comment from the Bavarian DPA

Sam Altman’s Worldcoin eyeball-scanning crypto project launches

France fines Clearview AI maximum possible for GDPR breaches

More TechCrunch

Mobile app developers, including Patreon and Grammarly, are already integrating with Gemini Nano, its smallest AI model, the company announced during its I/O developer keynote on Tuesday. The companies, along…

Patreon and Grammarly are already experimenting with Gemini Nano, says Google

As part of the update, Reddit also launched a dedicated AMA tab within the web post composer.

Reddit introduces new tools for ‘Ask Me Anything,’ its Q&A feature

Here are quick hits of the biggest news from the keynote as they are announced.

Google I/O 2024: Here’s everything Google just announced

LearnLM is already powering features across Google products, including in YouTube, Google’s Gemini apps, Google Search and Google Classroom.

LearnLM is Google’s new family of AI models for education

The official launch comes almost a year after YouTube began experimenting with AI-generated quizzes on its mobile app. 

Google is bringing AI-generated quizzes to academic videos on YouTube

Around 550 employees across autonomous vehicle company Motional have been laid off, according to information taken from WARN notice filings and sources at the company.  Earlier this week, TechCrunch reported…

Motional cut about 550 employees, around 40%, in recent restructuring, sources say

The keynote kicks off at 10 a.m. PT on Tuesday and will offer glimpses into the latest versions of Android, Wear OS and Android TV.

Google I/O 2024: Watch all of the AI, Android reveals

It ran 110 minutes, but Google managed to reference AI a whopping 121 times during Google I/O 2024 (by its own count). CEO Sundar Pichai referenced the figure to wrap…

Google mentioned ‘AI’ 120+ times during its I/O keynote

Google Play has a new discovery feature for apps, new ways to acquire users, updates to Play Points, and other enhancements to developer-facing tools.

Google Play preps a new full-screen app discovery feature and adds more developer tools

Soon, Android users will be able to drag and drop AI-generated images directly into their Gmail, Google Messages and other apps.

Gemini on Android becomes more capable and works with Gmail, Messages, YouTube and more

Veo can capture different visual and cinematic styles, including shots of landscapes and timelapses, and make edits and adjustments to already-generated footage.

Google Veo, a serious swing at AI-generated video, debuts at Google I/O 2024

In addition to the body of the emails themselves, the feature will also be able to analyze attachments, like PDFs.

Gemini comes to Gmail to summarize, draft emails, and more

The summaries are created based on Gemini’s analysis of insights from Google Maps’ community of more than 300 million contributors.

Google is bringing Gemini capabilities to Google Maps Platform

Google says that over 100,000 developers already tried the service.

Project IDX, Google’s next-gen IDE, is now in open beta

The system effectively listens for “conversation patterns commonly associated with scams” in-real time. 

Google will use Gemini to detect scams during calls

The standard Gemma models were only available in 2 billion and 7 billion parameter versions, making this quite a step up.

Google announces Gemma 2, a 27B-parameter version of its open model, launching in June

This is a great example of a company using generative AI to open its software to more users.

Google TalkBack will use Gemini to describe images for blind people

Firebase Genkit is an open source framework that enables developers to quickly build AI into new and existing applications.

Google launches Firebase Genkit, a new open source framework for building AI-powered apps

This will enable developers to use the on-device model to power their own AI features.

Google is building its Gemini Nano AI model into Chrome on the desktop

Google’s Circle to Search feature will now be able to solve more complex problems across psychics and math word problems. 

Circle to Search is now a better homework helper

People can now search using a video they upload combined with a text query to get an AI overview of the answers they need.

Google experiments with using video to search, thanks to Gemini AI

A search results page based on generative AI as its ranking mechanism will have wide-reaching consequences for online publishers.

Google will soon start using GenAI to organize some search results pages

Google has built a custom Gemini model for search to combine real-time information, Google’s ranking, long context and multimodal features.

Google is adding more AI to its search results

At its Google I/O developer conference, Google on Tuesday announced the next generation of its Tensor Processing Units (TPU) AI chips.

Google’s next-gen TPUs promise a 4.7x performance boost

Google is upgrading Gemini, its AI-powered chatbot, with features aimed at making the experience more ambient and contextually useful.

Google’s Gemini updates: How Project Astra is powering some of I/O’s big reveals

Veo can generate few-seconds-long 1080p video clips given a text prompt.

Google’s image-generating AI gets an upgrade

At Google I/O, Google announced upgrades to Gemini 1.5 Pro, including a bigger context window. .

Google’s generative AI can now analyze hours of video

The AI upgrade will make finding the right content more intuitive and less of a manual search process.

Google Photos introduces an AI search feature, Ask Photos

Apple released new data about anti-fraud measures related to its operation of the iOS App Store on Tuesday morning, trumpeting a claim that it stopped over $7 billion in “potentially…

Apple touts stopping $1.8B in App Store fraud last year in latest pitch to developers

Online travel agency Expedia is testing an AI assistant that bolsters features like search, itinerary building, trip planning, and real-time travel updates.

Expedia starts testing AI-powered features for search and travel planning