Deception and exploitation : How Worldcoin recruited its first million test users
I’ve seen some of the registration kiosks for Worldcoin have closed shop
with the sign “closed until further notice”.
This is likely because of this advisory from the Office of the Data
Protection Commissioner (ODPC) “Calls for Vigilance from the Public as It
Engages WorldCoin on Compliance with Data Protection Act, 2019.”
https://twitter.com/ODPC_KE/status/1684869953378283520
In the Press Release, ODPC
1. “calls for increased vigilance from the public as it continues to engage
with Worldcoin, and entity processing activities of iris data through an
Orb, to ensure compliance with the Data Protection Act, 2019″
What does increased vigilance from the public mean?
2. “As the ODPC conducts its assessment of WorldCoin’s practices to ensure
compliance with the law, Kenyans are urged that they receive proper
information before disclosing any personal or sensitive data. Individuals
are advised to thoroughly inquire about how their data will be used.”
Here the public is advised to exercise informed consent. Should Worldcoin
continue collecting iris data if it is not compliant with Kenya’s DPA, or
properly licensed?
3. “The office will continue to engage with organizations to prompt
compliance with the law and protect the privacy of Kenyans”
Finally, the way Kenya’s Data Protection Act, 2019 is framed, can Worldcoin
be compliant even if they tried? To be compliant, they would need to have
the following in place
1. Worldcoin must respect individuals’ rights regarding their personal
data. This includes the right to access, correct, and delete their data, as
well as the right to object to processing in certain situations.
2. Data Minimization: Worldcoin should only collect and process the minimum
amount of personal data necessary to fulfill its purpose. It should avoid
unnecessary data collection and ensure that data is not retained longer
than required.
3. Lawful Basis: Worldcoin should identify a lawful basis for processing
personal data. This could be based on obtaining explicit consent from users
or any other lawful basis specified in the Data Protection Act, 2019.
4. Implement appropriate technical and organizational measures to safeguard
the personal data it collects. This could include encryption, access
controls, and regular security audits.
5. Cross-Border Data Transfers: If Worldcoin transfers data outside of
Kenya, it must comply with the regulations regarding cross-border data
transfers, which may require obtaining explicit user consent or ensuring
the receiving country has adequate data protection laws.
6. Data Breach Notification: In the event of a data breach that poses a
risk to individuals’ rights and freedoms, Worldcoin should promptly notify
the relevant authorities and affected users. We are hoping Worldcoin is
acting in good faith, and if they are breached, they will notify the data
subjects and the authorities.
7. Appointment of Data Protection Officer (DPO) to oversee data protection
compliance.
8. Data Protection Impact Assessment (DPIA) to assess and mitigate
potential risks to individuals’ privacy.
9. Avoid sharing users’ personal data with third parties unless necessary
for the purposes of the cryptocurrency project and with the explicit
consent of the user.
Best Regards,
______________________
Mwendwa Kivuva, Nairobi, Kenya
www.linkedin.com/in/mwendwa-kivuva
On Wed, 26 Jul 2023 at 23:43, Paul Magacha <magacha.cirrus.techvue@gmail.com>
wrote:
> There’s Gardrn city, two rivers mall, next gen mall and now sarit centre
>
> I’m yet to understand why Sam Altman of OpenAI is targeting third world
> and developing countries with this.
>
> Sent from my iPhone
>
> On 24 Jul 2023, at 23:47, Peter Wakaba via KICTANet <
> kictanet@lists.kictanet.or.ke> wrote:
>
>
> Worldcoin’s cryptocurrency token WLD debuted today on the world’s largest
> cryptocurrency trading platform Binance to quite a bit of hype.
> The company defines its tools as a digital identity protocol aiming to
> support humanity in the age of AI, which consist of a privacy-preserving
> digital identity and a digital currency (WLD) received simply for being
> human (and registered on their platform via the ‘orb’.
>
> On Mon, Jul 24, 2023 at 4:16 PM Mwendwa Kivuva via KICTANet <
> kictanet@lists.kictanet.or.ke> wrote:
>
>> Worldcoin was founded by Sam Altman, who also founded OpenAI, the company
>> behind ChatGPT. Worldcoin is an iris biometric cryptocurrency project that
>> has scanned and stored the eyes of millions of people across the world.
>>
>> Apart from invading our shopping malls to harvest eye iris data, I’ve now
>> seen they are operating from inside supermarkets, most recently from inside
>> Quickmarts in Nairobi.
>>
>> This is an important discussion because Worldcoin has been operating in
>> Kenya for more than a year, collecting biometric iris scans of the
>> uninformed consenting public. We had a discussion here, and it was not
>> clear if the Office of the Data Protection Commissioner (ODPC) had given
>> content for such eternal personally identifiable data to be collected.
>>
>> The privacy implications of Worldcoin collecting biometric iris scans of
>> poor people are significant.
>>
>> 1) The data could be used to track people’s movements and activities.
>> Iris scans are unique to each individual and can be used to identify people
>> even if they are wearing disguises. This means that Worldcoin could track
>> poor people’s movements, including where they go, who they meet, and what
>> they do. This could be used to target them for marketing or surveillance
>> purposes.
>> 2) The data could be used to discriminate against poor people. Iris scans
>> could be used to deny poor people access to services or opportunities. For
>> example, a bank could use iris scans to deny a loan application from a poor
>> person, or an employer could use iris scans to reject a job application
>> from a poor person.
>> 3) The data could be hacked or stolen. If the data is hacked or stolen,
>> it could be used to commit identity theft or other crimes. This could have
>> a devastating impact on poor people, who may not have the resources to
>> recover from identity theft.
>> 4. Obtaining informed consent is essential when collecting sensitive
>> biometric data. Poor individuals may not fully understand the implications
>> of providing their biometric data or may feel pressured to participate due
>> to their socio-economic situation, potentially leading to uninformed or
>> coerced consent.
>> 5. There’s a concern that the initial purpose of collecting biometric
>> data for cryptocurrency verification might evolve into other uses without
>> adequate consent or oversight, leading to function creep and expanded
>> surveillance.
>>
>> Informed consent is a process in which data subjects give permission for
>> something to happen after they have been given and understood all the
>> relevant information about it. Informed consent requires data subjects to
>> understand the purpose of the data collection. This is one of the four
>> elements of informed consent, along with information, comprehension, and
>> voluntariness. There are some concerns about Worldcoin’s consent process.
>>
>> 1. The consent form is not clear about what data is being collected. The
>> consent form does not explicitly state that Worldcoin is collecting
>> biometric data, such as iris scans. Instead, the form simply states that
>> Worldcoin is collecting “personal data.” This could lead users to believe
>> that they are only giving consent to the collection of non-sensitive
>> personal data, such as their name and address.
>> 2. The consent form is not easy to understand. The consent form is
>> written in complex legal language that is difficult for many people to
>> understand. This could make it difficult for users to understand what they
>> are consenting to.
>> 3. The consent form is not easy to revoke. Once users have given consent
>> to Worldcoin to collect their biometric data, it is difficult to revoke
>> their consent. Users must send a written request to Worldcoin, and the
>> company is not required to delete the data immediately.
>>
>> There is an exciting read from MIT claiming that Worldcoin has built a
>> biometric database from the bodies of the poor using deceptive practices:
>> Read along here
>> www.technologyreview.com/2022/04/06/1048981/worldcoin-cryptocurrency-biometrics-web3/
>>
>>
>> Which direction should African and global majority countries take in
>> regard to Western companies harvesting personally identifiable data from
>> their citizens?
>>
>> Best Regards,
>> ______________________
>> Mwendwa Kivuva, Nairobi, Kenya
>> www.linkedin.com/in/mwendwa-kivuva
>>