By now, you have probably heard about the Worldcoin craze that has been spreading across the country. Most of us have seen those long lines of Kenyans interested in this new crypto project.
Just to bring you up to speed, Worldcoin is a cryptocurrency project that uses a device, essentially a giant ball, called an “Orb” to scan a human’s iris to create what it calls a World ID. The human iris has a unique pattern and this is why the project founder’s decided to settle for it. When a person’s Iris is scanned, a World ID is created and this will be used to verify the individual’s identity on different online services. Besides getting the World ID, individuals are also rewarded with the Worldcoin Tokens (WLD).
Even though it seems like Worldcoin has come out of nowhere the last few days, the project has had a presence in Kenya the last few years. I first encountered it back in 2021 in a number of malls in Nairobi. They have been registering users for all this time without any comment from the government or the relevant authorities. The latest uproar around Worldcoin is what has gotten the Government’s attention. A number of government officials from the CS of ICT to Interior CS Kindiki have commented on it. All the officials who have commented on Worldcoin have done so in the last couple of days. This is very interesting for a crypto project that has been around for close to 2 years.
The Office of the Data Protection Commissioner (ODPC)
In a move made by someone not wanting to be left behind, the Office of the Data Protection Commissioner (ODPC) has also commented on the Worldcoin craze. The ODPC has issued a joint statement with the Communications Authority of Kenya addressing this new project. In part, the issued statement reads, “Since the launch of WorldCoin operations in Kenya, the Communications Authority of Kenya (CA) and the Office of the Data Protection Commissioner (ODPC) have undertaken a preliminary review and noted a number of legitimate regulatory concerns that require urgent attention.”
The statement points out that there are major issues such as data security, obtaining consent, consumer protection, cybersecurity safeguards, and concerns about private entities holding massive citizen data without a proper framework. One is left wondering how this was never urgent all those years Worldcoin has been operating in Kenya. The issues the statement has raised are valid and should not be brushed under the carpet.
It is also interesting to know that Worldcoin’s parent company, Tools For Humanity, is registered as a data processor by the same Office of the Data Protection Commissioner according to Tech Cabal. Why did it take the ODPC this long to know what an organization registered under them is doing.
Similar Concerns in Other Countries
Kenya isn’t the only country where the government has raised concerns about Worldcoin. According to Reuters, German data watchdog launched an investigation into Worldcoin last year due to concerns over its large-scale processing of sensitive biometric data. Britain and France data regulators have expressed worries and are also looking into Worldcoin and the legality of its biometric data collection and use.
Data Security and Privacy Concerns
For Kenya, even though ODPC is late with its comments, it has raised important points regarding data security and privacy. The ODPC raised 5 main points that are:
- Lack of clarity on the security and storage of the collected sensitive data. Worldcoin says that once collected, the biometric data is processed locally on the Orb and is converted into unique codes and stored in its decentralized blockchain. The unique codes generated are not linked to any of your personal information. This means they cannot be duplicated or spoofed to create false identities. Worldcoin’s claims seem to be valid but then, can you really trust them?
- Obtaining consumer (data subject) consent in exchange for monetary reward which borders on inducement. This is true as the incentive for most people at this point is the over Ksh 7,000 they get in exchange for their iris being scanned. You can argue that the tough economic times have pushed people to this and convincing people not to do it will be difficult.
- Uncertainty regarding consumer protection on cryptocurrency and related ICT services. This I feel is one of the biggest issues. Even though Worldcoin says the biometric data is deleted when the unique codes are generated, we just cannot be 100% sure.
- Inadequate information on cybersecurity safeguards and standards. This is valid but I feel like the ODPC should have requested this information when approving Tools For Humanity as a data processor.
- Massive citizen data in the hands of private actors without an appropriate framework. This is a big issue but then again, it is information they should have demanded from the start.
All in all, Worldcoin says there is no private information that can be used to identify an individual. The project does not collect this and the biometric data is deleted unless an individual opts in to what they call Data Custody to help them reduce the times they need to get back to an Orb. This is all clear but I think the fact that an organization that is relatively young and is collecting such data is what rubs some people the wrong way.
In as much as individuals consent to have their iris scanned, the existence of monetary rewards borders inducement. This raises ethical questions about the consent in data collection. Those ‘Willingly’ having their iris scanned may not have an option with the current economic times and the idea of getting ‘free money’ may cloud their judgment.
Cryptocurrencies are the wild west and there are so many uncertainties surrounding customer protection in this context. The lack of proper regulation and oversight can leave many users vulnerable to scams and fraud. I do not believe that most individuals embracing crypto projects really understand the risks associated with them. Most tend to look at the quick monetary gains they can get and overlook the serious concerns. Most people tend to reference the success of Bitcoin and hope if they are among the first to embrace certain projects, they will make a lot of money at some point.
Even though Worldcoin has said measures are in place to guarantee security, more information should be shared. Having robust security measures while handling sensitive data should not be debatable.
The Role of Regulators
The ODPC has raised its concerns but there is need for comprehensive inquiries by regulators to address the identified concerns and protect the public interest. This is already underway in Kenya as a multi-agency investigation was initiated. I will repeat again, this is something that should have happened over a year ago. The recent publicity of Worldcoin is what has pushed the government to take action and this is just ridiculous. When it comes to personal data, the ODPC should be at the forefront in knowing what is happening and coming up with directives in record time.
For anyone who is interested in Worldcoin, it does seem like an interesting project. All you have to do is be careful when providing personal data to private actors. Also, report any relevant information or complaints to the designated communication channels provided by the ODPC (complaints@odpc.go.ke).
Image source: Reuters