Deception and exploitation : How Worldcoin recruited its first million test users

Worldcoin’s use of biometric data (such as iris scans) for identification is a more enhanced, and at the same time, sensitive form of online ID creation compared to typical methods that rely on non-biometric data. The sensitivity of biometric data makes its handling more crucial and necessitates robust protections.

In terms of regulatory frameworks, it’s vital for countries to establish and enforce comprehensive data protection laws that adequately address the collection, storage, usage, and protection of such sensitive biometric data. These laws should ensure transparency, informed consent, data security, and data subject rights, particularly considering the irreversible nature of biometric data breaches.

However, like any legislation, the data protection Act might need to evolve to address novel challenges and specificities introduced by new technologies like Worldcoin.

It’s also important for users to stay informed about their rights and the implications of sharing such sensitive data.

However, if it is explained to users and they agree to walk up to the ORB and have the IRIS scan done, we have to respect their choice.

Sometimes as lobbyists we forget that not everyone sees right and wrong in our paradigm and context.

My alternative view


From: Mwendwa Kivuva via KICTANet
Reply to: Kenya’s premier ICT Policy engagement platform
Date: Monday, 24 July 2023 at 16:03
To: Badru Ntege
Cc: Mwendwa Kivuva
Subject: [kictanet] Deception and exploitation : How Worldcoin recruited its first million test users

Worldcoin was founded by Sam Altman, who also founded OpenAI, the company behind ChatGPT. Worldcoin is an iris biometric cryptocurrency project that has scanned and stored the eyes of millions of people across the world.

Apart from invading our shopping malls to harvest eye iris data, I’ve now seen they are operating from inside supermarkets, most recently from inside Quickmarts in Nairobi.

This is an important discussion because Worldcoin has been operating in Kenya for more than a year, collecting biometric iris scans of the uninformed consenting public. We had a discussion here, and it was not clear if the Office of the Data Protection Commissioner (ODPC) had given consent for such eternal personally identifiable data to be collected.

The privacy implications of Worldcoin collecting biometric iris scans of poor people are significant.

1. The data could be used to track people’s movements and activities. Iris scans are unique to each individual and can be used to identify people even if they are wearing disguises. This means that Worldcoin could track poor people’s movements, including where they go, who they meet, and what they do. This could be used to target them for marketing or surveillance purposes.
2. The data could be used to discriminate against poor people. Iris scans could be used to deny poor people access to services or opportunities. For example, a bank could use iris scans to deny a loan application from a poor person, or an employer could use iris scans to reject a job application from a poor person.
3. The data could be hacked or stolen. If the data is hacked or stolen, it could be used to commit identity theft or other crimes. This could have a devastating impact on poor people, who may not have the resources to recover from identity theft.
4. Obtaining informed consent is essential when collecting sensitive biometric data. Poor individuals may not fully understand the implications of providing their biometric data or may feel pressured to participate due to their socio-economic situation, potentially leading to uninformed or coerced consent.
5. There’s a concern that the initial purpose of collecting biometric data for cryptocurrency verification might evolve into other uses without adequate consent or oversight, leading to function creep and expanded surveillance.

Informed consent is a process in which data subjects give permission for something to happen after they have been given and understood all the relevant information about it. Informed consent requires data subjects to understand the purpose of the data collection. This is one of the four elements of informed consent, along with information, comprehension, and voluntariness. There are some concerns about Worldcoin’s consent process.

1. The consent form is not clear about what data is being collected. The consent form does not explicitly state that Worldcoin is collecting biometric data, such as iris scans. Instead, the form simply states that Worldcoin is collecting “personal data.” This could lead users to believe that they are only giving consent to the collection of non-sensitive personal data, such as their name and address.
2. The consent form is not easy to understand. The consent form is written in complex legal language that is difficult for many people to understand. This could make it difficult for users to understand what they are consenting to.
3. The consent form is not easy to revoke. Once users have given consent to Worldcoin to collect their biometric data, it is difficult to revoke their consent. Users must send a written request to Worldcoin, and the company is not required to delete the data immediately.

There is an exciting read from MIT claiming that Worldcoin has built a biometric database from the bodies of the poor using deceptive practices: Read along here

Which direction should African and global majority countries take in regard to Western companies harvesting personally identifiable data from their citizens?

Best Regards,
Mwendwa Kivuva, Nairobi, Kenya