Deception and exploitation : How Worldcoin recruited its first million test users

I concur with this.
And for this mandate to be effectively protected, we need to be able to
break down the registration process into its bits and pieces. At which
point in the registration process did the
mistake/oversight/negligence/political interference/corruption take place.
Then suggest ways to fix that segment of the registration process to avoid
a repeat of the same. This mandate ought to be an ‘evolving’ process that
can be fine tuned and adaptive to changing demands.

Gibson Maina
Mathare Infotech Lab

On Tue, Sep 12, 2023, 12:16 Grace Githaiga via KICTANet <> wrote:

> Listers
> We need to understand the registration role contemplated in the Data
> Protection Act. The role was to have visibility on who data processors are.
> Issuing a certificate is simply registering a company processing data.
> However, IMHO, the issue here is on understanding the registration mandate.
> As we handle this WorldCoin circus, let us hold sacred the Independence of
> this office contemplated during the crafting of the Data Protection Law in
> order to shield it from political interests.
> Upon investigation, a decision was made and communicated to WorldCoin
> <>
> .
> Rgds
> GG
> On Tue, Sep 12, 2023 at 10:24 AM David Indeje via KICTANet <
>> wrote:
>> Office of the Data Protection Commissioner did not carry out due
>> diligence before registering Worldcoin activities in the country, ICT
>> Cabinet Secretary Eliud Owalo told Parliament on Monday.
>> On Sat, Jul 29, 2023, 3:07 PM Mwendwa Kivuva via KICTANet <
>>> wrote:
>>> There is some development.
>>> I’ve seen some of the registration kiosks for Worldcoin have closed shop
>>> with the sign “closed until further notice”.
>>> This is likely because of this advisory from the Office of the Data
>>> Protection Commissioner (ODPC) “Calls for Vigilance from the Public as It
>>> Engages WorldCoin on Compliance with Data Protection Act, 2019.”
>>> In the Press Release, ODPC
>>> 1. “calls for increased vigilance from the public as it continues to
>>> engage with Worldcoin, and entity processing activities of iris data
>>> through an Orb, to ensure compliance with the Data Protection Act, 2019″
>>> What does increased vigilance from the public mean?
>>> 2. “As the ODPC conducts its assessment of WorldCoin’s practices to
>>> ensure compliance with the law, Kenyans are urged that they receive proper
>>> information before disclosing any personal or sensitive data. Individuals
>>> are advised to thoroughly inquire about how their data will be used.”
>>> Here the public is advised to exercise informed consent. Should
>>> Worldcoin continue collecting iris data if it is not compliant with Kenya’s
>>> DPA, or properly licensed?
>>> 3. “The office will continue to engage with organizations to prompt
>>> compliance with the law and protect the privacy of Kenyans”
>>> Finally, the way Kenya’s Data Protection Act, 2019 is framed, can
>>> Worldcoin be compliant even if they tried? To be compliant, they would need
>>> to have the following in place
>>> 1. Worldcoin must respect individuals’ rights regarding their personal
>>> data. This includes the right to access, correct, and delete their data, as
>>> well as the right to object to processing in certain situations.
>>> 2. Data Minimization: Worldcoin should only collect and process the
>>> minimum amount of personal data necessary to fulfill its purpose. It should
>>> avoid unnecessary data collection and ensure that data is not retained
>>> longer than required.
>>> 3. Lawful Basis: Worldcoin should identify a lawful basis for processing
>>> personal data. This could be based on obtaining explicit consent from users
>>> or any other lawful basis specified in the Data Protection Act, 2019.
>>> 4. Implement appropriate technical and organizational measures to
>>> safeguard the personal data it collects. This could include encryption,
>>> access controls, and regular security audits.
>>> 5. Cross-Border Data Transfers: If Worldcoin transfers data outside of
>>> Kenya, it must comply with the regulations regarding cross-border data
>>> transfers, which may require obtaining explicit user consent or ensuring
>>> the receiving country has adequate data protection laws.
>>> 6. Data Breach Notification: In the event of a data breach that poses a
>>> risk to individuals’ rights and freedoms, Worldcoin should promptly notify
>>> the relevant authorities and affected users. We are hoping Worldcoin is
>>> acting in good faith, and if they are breached, they will notify the data
>>> subjects and the authorities.
>>> 7. Appointment of Data Protection Officer (DPO) to oversee data
>>> protection compliance.
>>> 8. Data Protection Impact Assessment (DPIA) to assess and mitigate
>>> potential risks to individuals’ privacy.
>>> 9. Avoid sharing users’ personal data with third parties unless
>>> necessary for the purposes of the cryptocurrency project and with the
>>> explicit consent of the user.
>>> Best Regards,
>>> ______________________
>>> Mwendwa Kivuva, Nairobi, Kenya
>>> On Wed, 26 Jul 2023 at 23:43, Paul Magacha <
>>>> wrote:
>>>> There’s Gardrn city, two rivers mall, next gen mall and now sarit
>>>> centre
>>>> I’m yet to understand why Sam Altman of OpenAI is targeting third world
>>>> and developing countries with this.
>>>> Sent from my iPhone
>>>> On 24 Jul 2023, at 23:47, Peter Wakaba via KICTANet <
>>>>> wrote:
>>>> Worldcoin’s cryptocurrency token WLD debuted today on the world’s
>>>> largest cryptocurrency trading platform Binance to quite a bit of hype.
>>>> The company defines its tools as a digital identity protocol aiming to
>>>> support humanity in the age of AI, which consist of a privacy-preserving
>>>> digital identity and a digital currency (WLD) received simply for being
>>>> human (and registered on their platform via the ‘orb’.
>>>> On Mon, Jul 24, 2023 at 4:16 PM Mwendwa Kivuva via KICTANet <
>>>>> wrote:
>>>>> Worldcoin was founded by Sam Altman, who also founded OpenAI, the
>>>>> company behind ChatGPT. Worldcoin is an iris biometric cryptocurrency
>>>>> project that has scanned and stored the eyes of millions of people across
>>>>> the world.
>>>>> Apart from invading our shopping malls to harvest eye iris data, I’ve
>>>>> now seen they are operating from inside supermarkets, most recently from
>>>>> inside Quickmarts in Nairobi.
>>>>> This is an important discussion because Worldcoin has been operating
>>>>> in Kenya for more than a year, collecting biometric iris scans of the
>>>>> uninformed consenting public. We had a discussion here, and it was not
>>>>> clear if the Office of the Data Protection Commissioner (ODPC) had given
>>>>> content for such eternal personally identifiable data to be collected.
>>>>> The privacy implications of Worldcoin collecting biometric iris scans
>>>>> of poor people are significant.
>>>>> 1) The data could be used to track people’s movements and activities.
>>>>> Iris scans are unique to each individual and can be used to identify people
>>>>> even if they are wearing disguises. This means that Worldcoin could track
>>>>> poor people’s movements, including where they go, who they meet, and what
>>>>> they do. This could be used to target them for marketing or surveillance
>>>>> purposes.
>>>>> 2) The data could be used to discriminate against poor people. Iris
>>>>> scans could be used to deny poor people access to services or
>>>>> opportunities. For example, a bank could use iris scans to deny a loan
>>>>> application from a poor person, or an employer could use iris scans to
>>>>> reject a job application from a poor person.
>>>>> 3) The data could be hacked or stolen. If the data is hacked or
>>>>> stolen, it could be used to commit identity theft or other crimes. This
>>>>> could have a devastating impact on poor people, who may not have the
>>>>> resources to recover from identity theft.
>>>>> 4. Obtaining informed consent is essential when collecting sensitive
>>>>> biometric data. Poor individuals may not fully understand the implications
>>>>> of providing their biometric data or may feel pressured to participate due
>>>>> to their socio-economic situation, potentially leading to uninformed or
>>>>> coerced consent.
>>>>> 5. There’s a concern that the initial purpose of collecting biometric
>>>>> data for cryptocurrency verification might evolve into other uses without
>>>>> adequate consent or oversight, leading to function creep and expanded
>>>>> surveillance.
>>>>> Informed consent is a process in which data subjects give permission
>>>>> for something to happen after they have been given and understood all the
>>>>> relevant information about it. Informed consent requires data subjects to
>>>>> understand the purpose of the data collection. This is one of the four
>>>>> elements of informed consent, along with information, comprehension, and
>>>>> voluntariness. There are some concerns about Worldcoin’s consent process.
>>>>> 1. The consent form is not clear about what data is being collected.
>>>>> The consent form does not explicitly state that Worldcoin is collecting
>>>>> biometric data, such as iris scans. Instead, the form simply states that
>>>>> Worldcoin is collecting “personal data.” This could lead users to believe
>>>>> that they are only giving consent to the collection of non-sensitive
>>>>> personal data, such as their name and address.
>>>>> 2. The consent form is not easy to understand. The consent form is
>>>>> written in complex legal language that is difficult for many people to
>>>>> understand. This could make it difficult for users to understand what they
>>>>> are consenting to.
>>>>> 3. The consent form is not easy to revoke. Once users have given
>>>>> consent to Worldcoin to collect their biometric data, it is difficult to
>>>>> revoke their consent. Users must send a written request to Worldcoin, and
>>>>> the company is not required to delete the data immediately.
>>>>> There is an exciting read from MIT claiming that Worldcoin has built a
>>>>> biometric database from the bodies of the poor using deceptive practices:
>>>>> Read along here
>>>>> Which direction should African and global majority countries take in
>>>>> regard to Western companies harvesting personally identifiable data from
>>>>> their citizens?
>>>>> Best Regards,
>>>>> ______________________
>>>>> Mwendwa Kivuva, Nairobi, Kenya