The Worldcoin deception in Kenya

Crypto aside, this was extraction of Kenyans biometric data for profit

Over the past few weeks, I have had a bee in the bonnet. As were many Kenyans, I was intrigued that there were queues of people in Nairobi who were having their irises scanned in exchange for some cryptocurrency called Worldcoin (WLD). They were getting about 49 US dollars worth per person.

Kenyans queue at KICC to register for class= — *Kenyans queue at KICC to register for Worldcoin*

Disturbing findings

I checked them out and discovered several more disturbing things. The initiative claimed to be scanning the irises to provide people with a “World ID”, which would be used in the fast-developing AI world as “proof of personhood.” The white paper persuasively describes why PoP will be needed as we go forward and to be honest, I don’t have much of a problem with the process. The quest for Proof of Personhood or the “Unique Human” will be an important issue in coming days as Cryptocurrency markets grow and as financial services evolve – as they surely must. It would be instructive for all of us to read some of the literature on it such as this to explain the issue.

The company says that their technology can be used to verify the identity of real humans online, which is becoming increasingly important as AI bots become more common. It can also be used to help distribute a universal basic income in a global economy that is being disrupted by AI. The argument goes that AI bots are becoming increasingly sophisticated and difficult to distinguish from real humans. This is a problem because AI bots can be used to commit fraud, spread misinformation, and disrupt online conversations. The company’s technology can help to solve this problem by verifying the identity of real humans online.

Worldcoin claims that the biometric data collected by the Orb is deleted once it is uploaded to the company’s servers. However, the company has not yet finished training its AI neural network to recognize irises and detect fraud. As a result, it is unclear what happens to the biometric data in the meantime. They give vague descriptions of how it is handling the biometric data. For example, the company says that the data is “sent via secure, encrypted channels.” However, it is not clear who has access to the data, how long it is stored for, and what measures are in place to protect it from unauthorised access.

What’s worse, the consent form that most people do not read, reveals that the orbs also capture high-resolution images of the user’s face, eyes, and body, in addition to recording vital signs such as heart rate and breathing.

Biometric data is especially sensitive because it cannot be changed. Unlike our name or address, we cannot change our iris or fingerprints. This makes biometric data more vulnerable to abuse, as it can be used to identify people without their consent. For example, biometric data can be used to track people’s movements or to create a universal ID system. In addition, biometric data can be used to discriminate against people. For example, the Chinese government has been reported to use biometric data to track and persecute Uyghur Muslims. This is a clear example of how biometric data can be used for harmful purposes.

Many Questions

As I read more on the initiative, I found myself raising many questions, especially the following three:

Why would Worldcoin need to pay people for their scans? Why would money (and Airpods, “social assistance giveaways” in Indonesia, other places) be used as an incentive? It became clear to many, including Eileen Guo and Adi Renaldi who wrote about Worldcoin’s deceptive practices – especially in poor communities. This is for me an extractive exercise, not unlike the deadly extractive practices that saw diamonds, gold and other minerals from many parts of Africa at the cost of blood.
What is the real purpose of this initiative? As I have continued to learn, if you set aside the Worldcoin and treat it as the distraction it is, then you realise that this is really just a massive data collection exercise and that the data will be likely used for teaching AI to recognise and work with irises for future products. They claim to delete the data but like Edward Snowden, remarked, “This looks like it produces a global (hash) database of people’s iris scans (for “fairness”), and waves away the implications by saying “we deleted the scans!” Yeah, but you save the *hashes* produced by the scans. Hashes that match *future* scans. Don’t catalogue eyeballs.”
Why is there such a complex company structure? There’s Truth for Humanity (registered in Delaware, USA and with a subsidiary in Germany). There’s Worldcoin Foundation, which is concerned with managing the cryptocurrency, registered in the Cayman Islands. The foundation has a wholly owned company, World Assets Limited, in the British Virgin Islands, whose role is entirely unclear. As it turns out, Tools for Humanity GmbH (Germany) is the one that is collecting data in Kenya through a Kenyan agency.
Why are the terms and conditions so insidious and opaque? Why would the company refuse all accountability? “You agree to resolve any disputes between you and TFH through binding arbitration rather than in court,” they say. Why? To make it worse, “Arbitration will occur in San Francisco, California, unless you and we both agree to conduct it elsewhere. You agree that the federal and state courts in San Francisco, California are the proper forum for any appeals of an arbitration award or for court proceedings in the event that this Agreement’s binding arbitration clause is found to be unenforceable.” Is a poor Kenyan from Dandora expected to get justice under these terms?

This looks like it produces a global (hash) database of people's iris scans (for "fairness"), and waves away the implications by saying "we deleted the scans!"

Yeah, but you save the *hashes* produced by the scans. Hashes that match *future* scans.

Don't catalogue eyeballs. https://t.co/uAk0NYGeZu
— Edward Snowden (@Snowden) October 23, 2021

Don’t catalogue eyes

Worldcoin at one point stood behind the “Willing buyer, willing seller” doctrine, making people sign some sot of consent form. While they have stated that consent is the lawful basis for processing personal data, there are reasonable grounds to believe that Worldcoin may not have obtained consent in the meaning of the Data Protection Act. Kenya’s Data Protection Act requires that consent is express, unequivocal, free, specific and informed. When my organisation and our partners checked with people who had submitted themselves to be scanned, we found that most Kenyans who queued to have their irises scanned were not given adequate opportunity to be informed of the Terms and Conditions they were signing up to. The focus of the engagement was to receive the Cryptocurrency. In many places, the communications printed said, “Come get your share.”

I contend that the Worldcoin Deception is possibly the worst, most intrusive privacy hack of human beings that entirely contradicts the good claims it makes for humanity’s future. We must stop them and seek justice for the many poor Kenyans who were hoodwinked and taken advantage of because they needed food.

Read Next

Like Babu Owino or not, we can’t have detention without trial in Kenya

Rare kudos to government, and a warning: don’t mess this up

Data Governance: We must be careful how data is used in fighting COVID

Of bored youth and the rise of pedestrianism

Share on Mastodon