Crypto for biometrics? Privacy fears as Worldcoin scans Mexicans
The Orb, a biometric verification device by Worldcoin, lays on a table in a coworking space in Coyoacán, Mexico City. July 24, 2023. Diana Baptista/Thomson Reuters Foundation
What’s the context?
In countries with weak data protection rules like Mexico, Worldcoin is a threat to users' privacy, say digital rights groups
- Sam Altman's Worldcoin collects biometrics in Mexico
- Digital rights advocates warn of data privacy risks
- Weakened data protection watchdog unable to investigate
MEXICO CITY – Dozens of crypto enthusiasts streamed into co-working spaces in Mexico City this week for the global launch of Worldcoin, hoping to have their irises scanned with a biometric verification device in exchange for cryptocurrency.
Mexico City is one of 35 cities in 20 countries where Worldcoin - founded by Open AI CEO Sam Altman - is pushing its ambitious project to create a unique "digital passport" called World ID, which would help distinguish humans from bots online.
"In the future, proof of humanity will be more relevant than ever to know if you're interacting with a human or with artificial intelligence," said Worldcoin operator Germán González from a small co-working space in the Coyoacán neighborhood.
González is one of a handful of operators dispatched across Mexico by Worldcoin to collect iris scans through a device known as an 'orb'.
But privacy advocates have voiced concerns about building a private database of biometric information - and warned that citizens could be left unprotected in cases of data breaches or abuses in countries with weak data protection like Mexico.
"No technology is infallible," said Agneris Sampieri, Latin America policy analyst at digital rights group Access Now. "There is a margin of error when users lose all control over the data generated through their biometrics."
And the current privacy notice could exclude users in Mexico and other countries in the Global South from legal protection because Worldcoin is headquartered in Germany and the United States, she added.
A spokesperson for Worldcoin said in emailed comments that "privacy is the bedrock on which Worldcoin is built and spans the protocol's entire ecosystem including users, developer partners and Worldcoin Operators."
Worldcoin says the project abides by Europe's General Data Protection Regulation (GDPR), which is among the world's toughest, and deletes the collected biometrics once a unique iris code is created.
The company behind Worldcoin, San Francisco and Berlin-based Tools for Humanity, says users can choose whether their personal data leaves the orb to be sent to a secure data store and may withdraw consent at any time.
'Even banks have data breaches'
The project, which started in 2019, has 2 million users from its beta period - when it was not yet distributing coins but training its iris algorithm on the samples it collected.
The project had come under criticism during that period for paying for iris scans in impoverished areas without fully explaining its purpose.
"A lot of their data was collected without informed consent," said Peter Howson, a researcher at Britain's Northumbria University, who has studied Worldcoin.
Worldcoin did not respond to a request for comment about its data collection during the beta phase.
As an enticement, those who sign up for Worldcoin in Mexico receive a bonus of 25 of its cryptocurrency tokens, plus one token every week for an undetermined period.
In Mexico, most of the Worldcoin interest has come from crypto enthusiasts who say they trust the security of the project and are hoping their tokens will rise in value.
"(Worldcoin) might have a big jump. I'm hoping in a couple of years its value rises," said Hans Trauwitz, a 38-year-old software developer who had his iris scanned in a restaurant in Condesa, a district popular with digital nomads and tourists.
Minutes later, Trauwitz received the promised free share of Worldcoin tokens. Upon its launch, the token hit a peak of $5.29, according to the world's largest exchange, Binance.
Ten people who spoke to Context said they were unconcerned about the use of their biometrics, either because they trusted the project or had already experienced some kind of data breach. None had read the data privacy notice contained in the app.
"Even banks have data breaches," said Trauwitz, who was drawn to Worldcoin because he admired Altman's success with the artificial intelligence (AI) chatbot ChatGPT.
"I don't think I'm a particularly big target."
For IT consultant Ricardo Fuentes, "giving your biometrics is risky but they're encrypted."
"They (Worldcoin) cannot use them for evil unless someone with great coding expertise tries it," he told Context after staring for several seconds into the silver disk-like device roughly the size of a bowling ball.
The World ID is not linked to the name, address or personal data of users - a feature that Worldcoin supporters say makes it safe.
"The government has your biometrics. Same thing with bank apps, and your phone apps," said González, who is not officially hired by Worldcoin but works as a brand ambassador for a monthly grant.
The Worldcoin launch in Mexico comes as President Andrés Manuel López Obrador seeks to scrap the country's INAI data protection body, part of his wider push to abolish autonomous watchdogs and regulators that he deems unnecessary and biased.
Although the proposal is yet to be discussed in parliamentary commissions, INAI is unable to carry out its functions because it lacks one of the five commissioners it needs to operate.
INAI did not reply to a request for comment.
"(Worldcoin's biometric recollection) should be a scandal and the authorities should be alerting users about it," said Diego García, a Mexican lawyer specializing in data privacy. "But what we see in Mexico is a very weakened authority.
On Tuesday Britain's data regulator said it would be making enquiries about Worldcoin's launch in the country.
Although Mexican users agree to a privacy notice before registering to the Worldcoin app, Sampieri said the disclaimer does not explain with enough clarity how users' biometric data will be used, transferred, and stored in the future.
"Unfortunately, users do not have the knowledge to identify what they're agreeing to," she said.
New to Context? We'd love for you to find out a little more about what we do. Click here for a selection of our best work.
(Reporting by Diana Baptista in Mexico City and Avi Asher-Schapiro in Los Angeles; Editing by Helen Popper and Zoe Tabary.)
- Facial recognition
- Data rights