Worldcoin (World ID): Useless, ineffective and dangerous.
The Worldcoin orb that I tried out in Paris to scan my eyeballs (and my face too…)


French version available here.

There’s a lot of noise around Worldcoin orbs that scan the eyeballs (but not only) of willing participants in exchange for a ‘cryptocurrency’ and a new identity. Here is my summary of the project, up to date with current events.

Disclaimer: since I advocate for the right to privacy, the protection of personal data and, more broadly, the right to digital integrity, my opinion is not neutral. I have worked in the digital identity industry for over 15 years and the content of this article is my own.

Note: The name ‘Worldcoin’ is used here to qualify the organizing body, in reference to the German company [1], even if in fact, some operations are controlled by the Californian organization [2] ‘Tools For Humanity’ or by the ‘Worldcoin Foundation’, based in the Cayman Islands or its subsidiary in the British Virgin Islands.

Preliminary note: Hundreds of other digital identity projects do exist and don't have any of the issues discussed below. This is neither to discredit this industry as a whole, nor to highlight any other project in particular. To avoid falling down a conspiracy rabbit hole, I encourage every one of you to remain vigilant when it comes to leading digital identity projects, whether centralized or decentralized, private or public.

Intro:

Research and drafting still in progress

You’d ask me: ‘Why the hell write such a long article with so many sources?’

Well, I wanted to gather the large amount of existing but scattered information and provide further professional arguments. Because I have recently been asked several times for my opinion on Worldcoin, I wanted to be able to refer to a single article, a central source.

This is the result of my own tests and investigation: me and a few friends got our eyes and faces scanned to fully evaluate the solution.

[Image: myself, facing an orb in Paris]

The following content will probably be modified and updated because I only truly started looking for information about Worldcoin a few days ago, although I have followed the project from afar for months. I will certainly make corrections and adjustments based on my research, but also add comments and external contributions (feel free to reach out to me if you have any suggestions).

A version of the finalized article will be published outside LinkedIn.

Updates:

  • August 1st, 2023: First draft of this article
  • August 5th, 6th, 7th: Updates: Worldcoin services discontinued in Kenya (Worldcoin's Nairobi office raided by Kenyan police). Massive disruption of Worldcoin services
  • August 9th: First French version published on LinkedIn
  • August 14th: First English translation published on LinkedIn
  • December 2023: Worldcoin stops offering Orb verification in India, Brazil and France [61]

1) Useless

a) Social washing

Let's start by questioning the very usefulness of the project, because by focusing too much on its current news, we are going to forget the underlying problem: Worldcoin is first and foremost a social-washing project [3] for OpenAI.

It is possible that some businesses selling AI tools are genuinely concerned about the fate of the ones ‘left behind’. Sam Altman, co-founder of OpenAI (ChatGPT) and Worldcoin, deserves credit for facing up to his responsibilities when he discusses the impact of new AI tools on the workforce:

"Jobs are definitely going to go away." (Sam Altman, July 2023 [4])

The main motivation repeated throughout Worldcoin's communication, and largely ignored by commentators, is directly related to the arrival of OpenAI and its competitors. The #1 motivation stated on the official website [5] is, however, clearly established:

"This enables a path to AI-funded non-state UBI and the equitable global distribution of digital currencies [...] Redistribute wealth created by systems in the age of AI: As AI advances, fairly distributing access and some of the created value through UBI will play an increasingly vital role in counteracting the concentration of economic power"

Thus, there is no need to tax AI income: private entities will take care of distributing it. You can see it as ‘comforting fatalism’: people who will lose their jobs might receive a universal income…

It is hard to believe in the realism of this discomforting utopia when we are aware of OpenAI's past reversals: the same company which was initially supposed to share its research transparently, collaboratively, and non-profitably ended up becoming the complete opposite [6] of what it preached, while keeping a name that doesn't really make sense anymore (there is hardly anything left ‘Open’ in ‘OpenAI’). Over time, the initial arguments against transparency and sharing have become increasingly difficult to believe, especially as other projects offer more openness and even Meta releases its own models with Llama [7].

In any case, it is highly unlikely that an entity like OpenAI would genuinely intend to share any surplus profits, especially considering how investor returns in OpenAI have been ‘limited’ to being multiplied ‘only’ by 100 [8]. This ridiculously high figure was supposed to be reduced with new rounds of funding, but nothing has been heard since, especially as Microsoft has just invested an additional 10 billion and is now said to own half of OpenAI [8b].

OpenAI is also already known to treat poor workers with little consideration [8c].

This theoretical income redistribution sounds even more unlikely since Americans are already excluded from receiving these famous WLD tokens [9].

Furthermore, the argument for an ‘equitable’ income distribution among an international group of ‘unrepresentative’ strangers is not a strong one.

Worldcoin will therefore not solve the concentration of power and profit that OpenAI claims to denounce; it will actually exacerbate it.

b) No/little interest other than a financial one

After putting aside the initial argument of a redeeming universal salary, we need to look at the other benefits mentioned BY Worldcoin... and the ones that are evident FOR Worldcoin.

Interests mentioned by Worldcoin:

In practice, businesses and individuals very rarely have a genuine need to verify the authenticity of a source of information or an action on the Internet.

Anti-spam / anti-bot:

When businesses need to filter certain activities, they generally use tools like reCAPTCHA [10] or similar options [11]. It is quite unthinkable to constantly ask random Internet users to use a mobile application to prove that they are human. Furthermore, as we will see later, Worldcoin identities can be transferred, making it impossible to effectively prevent the creation of bots or spam using Worldcoin-provided identities, which can therefore be shared, borrowed, purchased, or stolen.

E-reputation / verified reviews:

‘Verified reviews’ will not gain additional reliability through Worldcoin either, as identities controlled by World ID could just as easily generate the same kind of fake reviews as seen today. On the contrary, Worldcoin risks creating a new market for fake profiles, generating new ‘certified’ fake likes, similar to the many existing ones.

Authentication:

Regarding the argument of a new strong authentication system, it took 10 years to convince all web players to adopt the FIDO/WebAuthn protocol (recently renamed/devolved to ‘passkey’) to obtain a phishing-resistant solution: Worldcoin is merely another solution based on QR codes, which are vulnerable to phishing. Not very compelling.

Electronic voting:

Electronic voting, mentioned as a potential use case, faces numerous other issues not addressed by Worldcoin, and we will touch on the dangers of an all-in-one, unique, and non-repudiable identity for privacy at the end of the article. This specific topic would require an entire book. Again, there is little hope for genuine usefulness in this context.

Interests noted for Worldcoin:

Funding itself while creating an initial market for WLD tokens

Sam Altman was already known for his career at Y Combinator, but the widespread media attention on the co-founder was essentially due to the success of ChatGPT.

Worldcoin greatly benefited from this newfound visibility, to the extent that it was presented as ‘the other project by the co-founder of OpenAI’ or ‘the crypto project by OpenAI's Sam Altman’ [12]. This has undeniably added renewed credibility to the project, even though Sam Altman is also involved in various other ‘cutting-edge’ ventures [13].

Individual investors and major media outlets fail to grasp the real connection between Worldcoin and the artificial intelligence sector [14]. The buzz surrounding the shiny little orbs that ‘give away money for free’ fueled investor interest when millions of tokens became available for sale on major exchanges on July 24. Originally theoretically priced at $1.70, the actual price turned out to be closer to $3 (as observed on exchanges shortly after availability).

Tokens were not available for purchase to Americans and citizens of other countries such as Turkey and China. The way these tokens were distributed raises broader questions.

A notable peculiarity is that the official Worldcoin website blocked access to information about token distribution, initial sales conditions (also known as ‘tokenomics’), and how they were distributed from many countries. This restriction applied even to countries where the WLD (Worldcoin) token was available for purchase. For instance, visitors from Greece, India, Italy, England [15], and even France were unable to access these crucial pieces of information on the official Worldcoin website.

[Image: The information page, now accessible, was still inaccessible from France on August 2, 2023]


With the help of a VPN or by reading information on other websites, careful observers could realize that the market was controlled by market makers connected to cooperating marketplaces where the token was being sold. The idea of a 'fair price discovery' was questionable at best [16].

[Image: The terms of token loans for market makers, questionable but possibly legal]

Given the few tokens initially available compared to the total supply that will eventually exist, the unfiltered airdrop (without KYC) obtained in exchange for biometric data, the ‘unusual’ [17] contracts involving token loans with market makers, and investors given incomplete information… These odd conditions, already criticized by experts, are likely to be watched closely by regulators. Worldcoin is being careful not to call it an ICO, possibly to avoid certain laws, as they only lend/sell tokens to market makers (who then offer them to individuals).

"There is no "ICO" of WLD" (Worldcoin official website [17b])

To precisely determine how much the concealed initial token offering from Worldcoin will yield for the project's associates, a first assessment will be possible in three months, once the loan to market makers (with purchase option) ends. This assessment will continue over the next three years as associates and the team gain access to their reserved tokens. It's likely that the contribution could reach tens of millions of dollars if the hype continues [18] [19].

Most media miss the big picture: the value of the tokens ‘generously’ and ‘freely’ given to the application testers only came from the anticipated sale price of the token to other individual investors during the ICO, while simultaneously providing a source of funding for Worldcoin.

Thus, Worldcoin is truly generous with other people's money.

In fact, the Worldcoin team and its investors reserve a significant share of the tokens (23.3%) [17b].

[Image: More than 2.3 billion out of 10 billion tokens are allocated to the team and its investors, to be released over a two-year period after one year]

In the end, even if Worldcoin does not offer any meaningful solution, it will likely be, at least initially, a successful instance of financial social washing fueled by the hype surrounding ChatGPT, disregarding the numerous negative controversies that come along with it.

In the following sections, let's try to concretely analyze the ineffectiveness of this ‘solution’ to finally grasp the real dangers posed by Worldcoin.

2) Ineffective

a) How is it supposed to work?

It is easy to get lost in the architectural details, and I will cover the technical aspect in a separate article. But for the sake of simplification here, let's say that the Worldcoin solution is built upon 3 main components:

  • A mobile application called ‘World App’ [20] which acts as a wallet for managing a new type of identity called ‘World ID’ [21] and a cryptocurrency named ‘WLD tokens’.
  • A complex set of centralized and decentralized services that enable external services to utilize these identities and tokens.
  • Hardware devices called ‘Orbs’ managed by trusted operators [22] which allow volunteers to scan their iris to obtain a unique World ID identity [23] and some WLD tokens. The Orbs essentially serve as the entry point into this system.

[Image: World App smartphone application by Worldcoin]

Since each person's iris is unique, the Orb would make it possible to distinguish each individual's iris and create a uniquely tailored proof of humanity called ‘Proof of Personhood’ [24] (or ‘Humanness’). Verified individuals could manage it through a mobile application called ‘World App’.

In theory, iris images rarely leave the Orb; only the unique ‘iris code’ (also called ‘iris hash’ or ‘irishash’) is transmitted to Worldcoin's services. The iris code is a unique fingerprint, a kind of hash of the iris image, with the ability to compare iris images by simply comparing their codes [25], thereby making it possible to detect when the same person enrolls multiple times in their system.

As a side note, individuals who voluntarily enroll in this system are rewarded with 25 WLD tokens initially, and then with 1 token per week. This is clearly the main reason why people, especially in ‘poor’ countries where most of the initial two million participants come from, are willing to take the time to use the Orb.

On Aug. 11th, the Worldcoin team announced that World App now offers a "new" feature for users to reserve their WLD tokens BEFORE visiting the Orb. These reservations are valid for 12 months, encouraging people to redeem their reserved tokens by getting their eyes scanned during that period. It changes nothing (you still get your tokens the same way) and makes little sense except as a nudge [25b].

[Image: New self-motivation strategy]

At the same time, verified enrollees would also receive a new identity called ‘World ID’ which helps distinguish actions carried out online by real individuals from actions performed by automated programs (with or without AI).

All of this is supposed to be technically efficient, safe, and respectful of privacy.

Now, let's focus on the promise of efficiency.

b) Ineffective approach to distinguish human and AI

Worldcoin aims to differentiate humans from ‘machines’ and other increasingly human-like ‘programs,’ especially in the era of artificial intelligence. Personally, I find it rather peculiar to focus more on detecting AI than on the influence of content recommendation algorithms or AI biases we are using. Nonetheless, let's assume it's important...

Firstly, it's worth noting that even OpenAI recently acknowledged that its own tools failed to detect texts generated by AI, including those created with their own ChatGPT technology [26]. This quest to differentiate between content purely generated by an AI (which itself is trained on ‘human’ content) and content authored by a human (enhanced by an AI or not) seems quite futile.

However, even if Worldcoin does not effectively distinguish the origin of certain content, the company is supposed to help detect and combat certain automated abusive behaviors such as bots, fake reviews, etc. It's safe to say that this is not the case.

The main error on this subject lies in this persistent fact: just because an identity has been initially verified as being associated with a human doesn't mean that we can subsequently ensure that this identity will be used by the same human.

Today, we might complain about seeing 1000 fake accounts congesting a service or posting fake reviews, but tomorrow, we could face the same issue with 1000 fake World IDs created by real people on Worldcoin's Orbs.

Indeed, the unique iris verification was necessary for the creation of identities, not for their use (thank goodness).

It is therefore quite possible:

  • to use World App applications without being the owner of the initial iris (phones have no ability to reproduce the initial verification)
  • to manage Worldcoin's World ID identities without even going through World App (in the end, these are cryptographically weakly protected keys; we’ll revisit this topic in another article).

Thus, Worldcoin’s World ID identities are equally usable by programs, with or without AI.

Conclusion: Worldcoin fails to provide any substantial solution to differentiate between identities individually managed by humans and identities controlled by a single human or a machine. This assurance is deceptive and constitutes a new opportunity for clever fraudsters to easily exploit this technology.

c) A rather relative trust

Is a human truly one identity? That's debatable.

Currently, attackers might not be too interested in testing the validity of this claim, but the idea is that the same human appearing before a Worldcoin Orb multiple times should receive the same identifier.

Over time, even without privileged access to the Orb, it will be necessary to verify that:

  • tolerance settings for variations between image captures are sufficient to ensure that ‘duplicates’ are detected on the same Orb.
  • differences in capturing images between different Orbs (of the same generation or not, as hardware evolves) do not generate ‘iris codes’ different enough to be accepted as distinct identities.
  • an attacker using lenses (textured, colored, distorting, etc.) cannot generate ‘iris codes’ that are sufficiently distinct.

Unlike certain standard security tests in the field of iris-based biometric recognition, the attacker does not have to pretend their iris is someone else's. The challenge here is easier: they just need to make their iris appear different enough from their own iris recorded earlier by the Orb (to independently create multiple identities).
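To make the tolerance trade-off in the three points above concrete, here is a constructed simulation of the duplicate check an enrollment system has to run (my own added example, not Worldcoin's code; the code length, occlusion rate and 0.32 threshold are assumed toy values). Iris codes are compared by fractional Hamming distance over the bits usable in both captures, and the simulation shows that the threshold must be loose enough to flag the same eye across noisy captures, while captures that vary too much slip under the duplicate check and would be accepted as a new identity.

```python
"""Toy iris-code deduplication check (constructed example, not Worldcoin's code).

An iris code is a fixed-length bit string plus a mask marking which bits were
actually usable in the capture (eyelids, reflections, etc. mask bits out).
Two codes are compared by the fractional Hamming distance over the bits usable
in both captures; a distance at or below a threshold is treated as "same eye".
"""
import random

CODE_BITS = 2048        # assumed toy length; real systems use their own
DUP_THRESHOLD = 0.32    # assumed: flag as duplicate if distance <= this


def popcount(x: int) -> int:
    return bin(x).count("1")


def fractional_hamming(code_a: int, mask_a: int, code_b: int, mask_b: int) -> float:
    """Fraction of bits usable in both captures that differ between the codes."""
    usable = mask_a & mask_b
    n = popcount(usable)
    if n == 0:
        # Heavily occluded captures cannot be compared; a real enrollment flow
        # should ask for a recapture rather than silently treat this as "new".
        raise ValueError("no overlapping usable bits; cannot compare")
    return popcount((code_a ^ code_b) & usable) / n


def is_duplicate(code_a, mask_a, code_b, mask_b, threshold=DUP_THRESHOLD) -> bool:
    return fractional_hamming(code_a, mask_a, code_b, mask_b) <= threshold


def random_code(rng: random.Random, occlusion: float = 0.1):
    """Constructed capture: a random code and a mask with `occlusion` bits unusable."""
    code = rng.getrandbits(CODE_BITS)
    mask = (1 << CODE_BITS) - 1
    for i in range(CODE_BITS):
        if rng.random() < occlusion:
            mask &= ~(1 << i)
    return code, mask


def recapture(code: int, rng: random.Random, flip_fraction: float, occlusion: float = 0.1):
    """Simulate the same eye captured again: some bits flip and a fresh mask applies."""
    for i in range(CODE_BITS):
        if rng.random() < flip_fraction:
            code ^= 1 << i
    _, mask = random_code(rng, occlusion)
    return code, mask


def detection_rates(flip_fraction: float, threshold=DUP_THRESHOLD, trials=50, seed=7):
    """Return (same_eye_flagged, different_eyes_flagged) rates for one threshold."""
    rng = random.Random(seed)
    same_hits = diff_hits = 0
    for _ in range(trials):
        code, mask = random_code(rng)
        code2, mask2 = recapture(code, rng, flip_fraction)
        same_hits += is_duplicate(code, mask, code2, mask2, threshold)
        other, omask = random_code(rng)          # an unrelated eye
        diff_hits += is_duplicate(code, mask, other, omask, threshold)
    return same_hits / trials, diff_hits / trials


if __name__ == "__main__":
    for flip in (0.05, 0.20, 0.40):
        same, diff = detection_rates(flip)
        print(f"capture variation {flip:.0%}: same eye flagged {same:.0%}, "
              f"different eyes flagged {diff:.0%}")
```

Unrelated codes sit near a 50% distance, so the threshold can be fairly loose without false matches; the risk that matters for the points above is on the other side, where a capture differing too much from the enrolled one is not flagged at all.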

Using enrollment incentives makes fraud easier

Worldcoin has been encouraging volunteers to have their eyeballs scanned in exchange for rewards. Different groups around the world have been offered various gifts for enrolling (like WLD tokens, USD/USDT, local currency, ‘airpods’ etc.).

These rewards are given not only to individuals who use the Orb but also to operators (and maybe even to Orb distributors working with operators in the past [27]).

[Image: WLD tokens to incentivize users and operators [28]]

Regrettably, this kind of 'motivation' has led operators to prioritize quantity and rush people to use the Orb, sometimes inappropriately, without providing necessary information or even ensuring that these individuals understand how to properly use the app (there was even a time when enrollment was conducted without a mobile app, making fake enrollments easier).

[Image: Whatever the context, the operator will be paid to enroll new users (Photo credits: Worldcoin)]

Without dwelling on past negative publicity, it is worth mentioning that even Worldcoin has admitted to certain abusive behaviors by former Orb operators in poorer countries (where most of the 2 million human enrollments that Worldcoin boasts about took place). You can read about these issues in the MIT Technology Review article titled ‘Deception, exploited workers, and cash handouts: How Worldcoin recruited its first half a million test users’ [29], as well as a response from Worldcoin [30] (not very convincing) to these claims.

We will see the consequences of these problems in the future when many of these ‘poorly’ enrolled individuals do not come forward to claim the tokens that they are supposed to receive.

Unfortunately, we won't be able to detect tokens that are falsely claimed on their behalf.

The financial incentive for enrollment can also benefit fraudsters who might want to create a large number of ‘zombie’ identities controlled by a single individual.

Indeed, it is easy for an attacker to exploit a group of vulnerable individuals by providing them with preconfigured phones to enroll for their own individual use, compensating these ‘proxy’ individuals fully or partially with tokens received from Worldcoin.

Worldcoin has claimed to improve enrollment security through their app's dynamic QR code [31], but it is essentially a simple session ID that changes over time and does not provide any strong protection. To bypass this so-called ‘improvement’, one could, for instance, supply phones to accomplices or relay these session codes sent back by the server.

It is possible to buy, sell, or even rent verified identities.

Not only can a single fraudster pay a group of individuals to directly enroll on their behalf, but it is also entirely feasible to trade World ID identities. Furthermore, obtaining these identities from the black market [32] is already a reality.

Here are the steps of the easiest method to create a World ID identity for Worldcoin and offer it for resale:

a) Create a new Google or Apple account with an initial password.

b) Link this account to a reset smartphone.

c) Install World App from Worldcoin and activate backup on your Cloud (using your new account) by choosing a second password (which can be the same as the first one).

d) Stand in front of the Orb to obtain your World ID.

e) You can now offer your World ID for sale. When you receive payment, you only need to provide the reference of the Google or Apple account and the two passwords for the buyer to take over.

From the moment an anonymous restoration procedure is possible [33], it is difficult to fight effectively against this type of fraud.

Another more complex solution is to extract the private key from the application... but we will probably come back to this track in another article.

Apart from cases of verified identity sales, if this type of solution gains adoption, it is likely that illegitimate offers for ‘renting’ IDs for occasional massive uses (votes, reviews, etc.) will emerge.

A not very decentralized solution for now

Worldcoin recognizes that the decentralization of their solution is incomplete and they have some ideas to make it better [34]. Here are some points of centralization that distance the solution from a ‘common’ decentralized web3:

  • centralized manufacture of Orbs
  • private oversight of enrollment (even if you could purchase an Orb)
  • numerous centralized web servers essential to the operation of Worldcoin services
  • private governance of the project (illustrated by its previous reversals)

3) Dangerous

a) Too much collectible personal data

When you quickly look over certain Worldcoin pages, you might assume that they do not collect any personal information. But, if you read the fine print, you realize that is not always the case.

Worldcoin tries to defend itself by stating that very few pieces of information are mandatory, even among those that are requested.

Actually, from one version of the app to another, there are differences, but unfortunately, there is a common practice of using typical techniques to request and gather more user information than necessary. Even if users can choose to share minimal personal details, it is challenging not to fall into the traps of the interface (dark patterns).

Here is an example of a ‘dark pattern’ trick to get your phone number: a subtle button to skip the step and an alert message that makes you think twice about not giving your number.

[Image: Hard to figure out how not to give away your phone number... and stick to that choice]

Before the smartphone app became available, user registration could require additional personal information such as email (and possibly even name, though I couldn't confirm) through a standard web login [35]. There is still a trace at https://getworldcoin.com/signin.

[Image: Worldcoin's old web login system could collect other data]

In the version I used in July to enroll for the Orb, the ‘Data Custody’ option was not very clear. You had to understand that it was an optional ‘Help improve Worldcoin’ choice for sharing data. It was not straightforward, and the August version is a bit clearer.

[Image: Information about the ‘Data Custody’ option within the app has only been improved very recently]

But what does this ‘Data Custody’ option really involve, concerning the data collected by the Orb?

[Image: ‘Data Custody’ option as described on the official Worldcoin website [36]]

On its promotional website, Worldcoin sometimes uses the term ‘biometric data’ to refer to the data that can be optionally stored on their own servers. Worldcoin ‘Help Center’ alternately uses the terms ‘Biometric Data’ and ‘Image Data’ [37].

Contrary to what one might think, it is not just a simple photo of an iris, but rather both irises and also photos of the entire face, in 2D and 3D, captured in visible light and under two types of infrared.

[Image: The Orb collects more than just an iris image. (artwork by mungang kim from Noun Project CC BY 3.0)]

Here is the argument that Worldcoin website mentions to encourage you to agree to send your photos to their servers: if their algorithm changes later on, you would usually need to visit the Orb again to update your identity. However, if Worldcoin has your photos stored, you will not need to come back and the update will happen automatically. Orb operators also use this point to persuade people when enrolling.

[Image: or ‘Give us your photos and you won't have to come back to the Orb in case of an update’ [37b]]

In the end, all the collected data is detailed in the legal consent documents for data collection (Biometric Data Consent Form [38]) and the privacy notice (Privacy Notice [39]), which include:

  • images (face, iris, etc.) described above
  • other info provided by the user and stored separately, which can be, depending on the situation, name, email, phone number, support exchanges via email or chat, geographical location...
  • other info that might be automatically collected by the application or their web services, such as details about the operating system, browser, IP addresses, timestamps...

The constraints of GDPR seem to be clearly outlined in these documents, and even though you automatically give permission for image transfer to the USA, it is noted that European data remains on European servers.

In the past, Worldcoin stated that their Orbs also took photos of verified humans' bodies in both 2D and 3D [39b], but this does not appear to be the case anymore.

Most of the data collection occurs during the enrollment phase, and although there is a diagram of this process in their White paper [40], here is a more detailed and comprehensive personal version:

[Image: Enrollment process and its impact on data and their locations]

To put it simply, the concepts of Identity Commitment [41] and Merkle Tree in this diagram are techniques that let you prove that you are part of a group while keeping your privacy intact, when done right. The goal is for users to have a tool with which they can prove they belong to the group of verified human identities.
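The following is an added illustration of the commitment-plus-Merkle-tree idea, written for this article and not taken from Worldcoin's or any library's code: each verified user keeps a secret on their device and only its commitment (a hash) becomes a leaf; later the user proves that leaf sits under the published root. It uses SHA-256 where a real deployment would use a circuit-friendly hash, and the plain Merkle path shown here reveals which leaf is yours, which is exactly why the privacy-preserving version wraps this same check inside a zero-knowledge proof.

```python
"""Identity commitments in a Merkle tree: constructed example, not Worldcoin's code."""
import hashlib


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def identity_commitment(identity_secret: bytes) -> bytes:
    """Commitment = hash of the user's secret; the secret never leaves the device."""
    return h(b"commit", identity_secret)


def build_tree(leaves):
    """Return the tree as a list of levels: level 0 = leaves (padded to a power
    of two with a fixed 'empty' leaf), last level = [root]."""
    level = list(leaves)
    size = 1
    while size < len(level):
        size *= 2
    level += [h(b"empty")] * (size - len(level))
    levels = [level]
    while len(level) > 1:
        level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root(levels) -> bytes:
    return levels[-1][0]


def merkle_path(levels, index: int):
    """Sibling hashes from the leaf up to (not including) the root, each tagged
    with whether our node is the right-hand child at that level."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], bool(index & 1)))
        index >>= 1
    return path


def verify_membership(root_hash: bytes, identity_secret: bytes, path) -> bool:
    """Recompute the root from the secret's commitment and the sibling path.
    Only the holder of the secret can produce a commitment that matches."""
    node = identity_commitment(identity_secret)
    for sibling, is_right in path:
        node = h(sibling, node) if is_right else h(node, sibling)
    return node == root_hash


if __name__ == "__main__":
    # Constructed sample enrollment of five users (secrets are dummies).
    user_secrets = [bytes([i]) * 32 for i in range(5)]
    tree = build_tree([identity_commitment(s) for s in user_secrets])
    proof = merkle_path(tree, 2)
    print("user 2 is verified:", verify_membership(root(tree), user_secrets[2], proof))
    print("wrong secret accepted:", verify_membership(root(tree), b"\x99" * 32, proof))
    # Enrolling a sixth user changes the root; old proofs must be refreshed.
    tree2 = build_tree([identity_commitment(s) for s in user_secrets + [b"\x05" * 32]])
    print("old proof vs new root:", verify_membership(root(tree2), user_secrets[2], proof))
```

The last check matters operationally: every new enrollment changes the root, so a verifier has to agree with the issuer on which root (or set of recent roots) it accepts, or legitimate users get rejected.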

It is interesting to point out that the legal papers use the term ‘Data Management App’ for both the ‘World App’ and the former web registration service, which might not make things clearer.

b) Authorities and regulators' investigations

Regulators have pretty much all the same concerns and questions about this project:

  • what data is being collected?
  • for what purpose?
  • where are the stored data kept and how?
  • do the people involved truly understand the implications when they participate as users or operators (who should have more responsibilities)?

Whenever journalists or investigators have interacted with people who gather around the Orbs to receive their ‘free money’, it is crystal clear: almost nobody reads the terms of use and the information is often incomplete or wrong. We are far from the professional oversight that would be essential for such spaces collecting personal and biometric data.

Germany

Since Worldcoin's headquarters are in Germany, the lead data protection authority, the Bavarian DPA (Bayerisches Landesamt für Datenschutzaufsicht), initiated the first European investigation in November 2022 [42]. The investigation is still ongoing.

England

The English regulator, the Information Commissioner’s Office (ICO), stated on July 2nd that organizations need to conduct a ‘Data Protection Impact Assessment (DPIA)’ before processing biometric data. The regulatory authority has acknowledged the implementation of Worldcoin within the United Kingdom and will initiate an investigation [43].

France

On July 31, the CNIL (Commission Nationale de l'Informatique et des Libertés) confirmed that it had initiated an investigation on Worldcoin. One of its officials (in a conversation with a journalist) reportedly expressed ‘concerns about the legality of data collection and storage’ [44].

On the evening of August 7, the Orb that was in France suddenly disappeared from the list of available Orbs on Worldcoin official website (appointments can no longer be scheduled in France).

Kenya

On August 5th, Kenyan authorities expressed concerns about the collected data and its usage, as well as the chaotic waiting lines [45].

On August 7th, the police conducted a raid at Worldcoin offices to seize documents [46].

World map, updated February 2024

In December 2023, Worldcoin announced that it had stopped offering Orb verification in India, Brazil and France [61]. The list of countries where Orbs can be found is smaller than ever.

Updated countries list source: official Worldcoin website

c) Users On Their Own

Worldcoin support is weak, if not non-existent:

  • the in-app ‘chat’ never responds
  • the Zendesk space contains very little information [47]

The World App and Worldcoin services often experience issues, such as:

  • Registration services unavailable
  • Looping password request messages
  • Miscellaneous error messages without any details
  • Cloud backup not possible for at least two weeks, etc.

Example below: the service status page on August 7th during a major service outage reported by users and the media [47b].

[Image: Worldcoin Services Diagnostic Page]

There are few interventions from official members on Discord, which also serves as a support platform, but where people mostly rely on each other. Thankfully, there is some assistance from the community itself.

Unfortunately, Discord is full of scammers posing as official support. In a matter of minutes, I encountered 3 different types of approaches: the fake airdrop website, the fake troubleshooter, and an invitation to a fake Discord support site.

It is fair to say that the support falls significantly below expectations for a project of this scale, and this deficiency provides fertile ground for scammers of all kinds [48].

Getting information isn't easy, but the least inactive support channel can be found on the Twitter/X account @worldappsupport [49].

d) Security Concerns

Operator Reliability

While the way operators are managed and supervised appears to be getting better over time, they play a key role in security.

  • They can bypass certain Worldcoin verifications themselves.
  • They are responsible for the physical integrity of the Orb.
  • Sometimes, they must organize the waiting list management independently.
  • They need to properly inform and maintain a good level of security for enrolling users.

The Orb operator control panel has long been accessible without a second factor of authentication, and some accesses have been stolen in the past [50].

These operators are frequently subjected to rushed training and, sadly, lack the necessary environment or time to effectively carry out their duties. Additionally, it is important to note that they aren't genuine Worldcoin employees; rather, they function as subcontractors under precarious agreements.

Since it appears that just about anyone can apply to become an operator, there is a chance of coming across operators with bad intentions, with the related risks. What is even worse, security experts found ways around Worldcoin's verification procedures to become qualified Orb operators [50b].

Orb’s Hardware Security

Worldcoin intends to eventually share the software and hardware details of the Orb, so others could also contribute to its development. In the meantime, they do provide a lot of information about the Orb [51] [52].

References to the hardware security of Orb keys in a blog post [53] and in the White Paper [54]

There is no mention of a Secure Element (such as a TPM) in the architecture diagram [55] on Worldcoin's GitHub, or in their component list [56]. There isn't really any more precise information on this point.

The way the camera connects to the main CPU could also be a weakness if someone can tamper with it to send modified content.

Curve Choice (Cryptography)

A security report published by Worldcoin (kudos to them for this) points out that the chosen curve (cryptographic algorithm) does not quite meet the recommendations of certain national security agencies. Without going into details, the Worldcoin team currently uses curves referred to as ‘BN-254,’ whose security level has diminished in recent years [57].

The security report suggests transitioning to BLS12-381, but unfortunately there is not much cryptographic flexibility beyond BN254 [58]: few requests to support additional curves have been made and accepted in Ethereum (to enable on-chain zkSNARK proofs).

Thus, the report observes that this issue is acknowledged by the Worldcoin team and deemed unresolved [59], due to the lack of feasible technical solutions.

Table of security levels by curve choice (agencies often recommend 120 or 128 for new solutions)

Summary of Security Level Requirements by Agencies: [60]

  • USA: NIST recommends 112 (2019-2030), then 128 after 2030
  • France: ANSSI recommends 128 since 2021
  • Germany: BSI recommends 128 since 2020

There is also an ongoing debate about the fundamental concept of security level equivalence when comparing highly diverse cryptographic tools.

e) Trust to Restrict

The compromise of Worldcoin's Orbs and services could stem from vulnerabilities and failures, but the combination of various human, material, and centralized interventions makes it challenging to prevent and detect another threat: intentional malicious actions.

Malicious insider

An internal actor might be tempted to create false identities out of a desire for technical challenge (or trolling) or for financial gain, as each fabricated identity becomes a source of token income.

External blackmail

An internal actor, including management, could be coerced by a malicious attacker into creating false identities, providing privileged access, or revealing confidential information.

Worldcoin emphasizes its intention to ‘enable’ large corporations and even states to use its solutions. For these sensitive actors, another type of threat can also be considered:

Privileged Collaboration

An internal actor, including management, might be compelled by a ‘three-letter agency’ (NSA, FBI) to create false identities, provide privileged access, or disclose confidential information.

f) Identity Reduced to a Unique and Non-Repudiable Identifier

[Ongoing testing on the trial platform docs.worldcoin.org/try]. It looks likely that a web service can request an identifier that remains unique and consistent for the same user within a specific context (e.g., a domain / a service).

Given the partnerships with major SSO (Single Sign-On) / authentication portal providers currently underway (Okta, Auth0, etc.), it is possible to envision scenarios where states ask Worldcoin World ID holders to authenticate on a specific portal to access various services using the same identifier.

With this type of functionality, large centralized private or public services could compel users to be linked to a unique and non-repudiable identifier that cannot be changed. Indirectly, this could lead to the development of solutions built on Worldcoin that do not fully respect users' privacy.
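To make the linkability argument above concrete, here is an added toy model (not Worldcoin or Semaphore code) of a context-scoped identifier: a Semaphore-style nullifier is a hash of the user's identity secret and an external context value. The block assumes SHA-256 in place of the Poseidon hash used on-chain, and a constructed string in place of the secret derived at Orb enrollment; it counts how many users can be joined across services when each service picks its own context versus when a state mandates one shared context.

```python
"""Toy model of World ID-style context-scoped identifiers (Semaphore nullifiers).

Added illustration, not Worldcoin or Semaphore code. SHA-256 replaces the
Poseidon hash used on-chain, and the identity secret is a constructed string
standing in for the secret derived at Orb enrollment (an assumption)."""
import hashlib
from itertools import combinations


def _h(*parts: str) -> str:
    """Domain-separated hash over string parts (stand-in for Poseidon)."""
    return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()[:16]


def nullifier(identity_secret: str, external_nullifier: str) -> str:
    """What a relying party learns from a proof: hash(secret, context).

    Same user + same context  -> same value (the service can recognise returns).
    Same user + other context -> unrelated value (services cannot join records).
    The user cannot change it without a new identity secret, i.e. a new Orb
    enrollment, which the iris uniqueness check is designed to refuse."""
    return _h("nullifier", identity_secret, external_nullifier)


def service_records(users, services, context_for):
    """Identifiers each service ends up storing after every user logs in.

    context_for(service) returns the external nullifier that service uses."""
    return {
        svc: {nullifier(secret, context_for(svc)) for secret in users.values()}
        for svc in services
    }


def joinable_users(records) -> int:
    """Count identifiers shared by at least two services: each one is a user
    whose activity can be correlated across those services."""
    joined = set()
    for a, b in combinations(records, 2):
        joined |= records[a] & records[b]
    return len(joined)


# Constructed sample: three World ID holders, three public services.
USERS = {"alice": "secret-a", "bob": "secret-b", "carol": "secret-c"}
SERVICES = ["tax-portal", "health-portal", "voting-portal"]


def per_service_context(svc: str) -> str:
    """Default design: every service picks its own context (app id / action)."""
    return f"app:{svc}"


def state_mandated_context(svc: str) -> str:
    """Scenario from the text: a state requires one shared context for all
    services, turning the nullifier into a single persistent citizen id."""
    return "app:national-sso"


def demo():
    """Return (users joinable with isolated contexts, users joinable with a
    shared context)."""
    isolated = joinable_users(service_records(USERS, SERVICES, per_service_context))
    shared = joinable_users(service_records(USERS, SERVICES, state_mandated_context))
    return isolated, shared


if __name__ == "__main__":
    print(demo())  # (0, 3)
```

The identifier is stable per user per context, so a single shared context is all it takes to turn an unlinkable proof into a cross-service tracking key.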

Conclusion

The World ID solution by Worldcoin ultimately proves to be of little utility and ineffective in countering the threats cited as its primary motivations (apart from the illusory universal income).

The overall security of the solution also appears to be compromised by inflexible architectural choices, resulting in significant areas vulnerable to potential attacks.

In a broader sense, the project demonstrates a notable lack of thoroughness in procedures related to the collection and utilization of personal data.

It is time for regulators to closely scrutinize Worldcoin, a valuable case study. Let's hope that Worldcoin will follow the same path as Libra/Diem.


FAQs (to be updated with upcoming questions):

  • "Is Worldcoin's Orb somewhat like Apple's Face ID on their smartphones or even similar to Optic ID, the upcoming unlocking system for the Vision Pro headset?"

No, not at all. With Face ID or Optic ID, the biometric data never leaves Apple's device (even if it's encrypted or transformed into a hash/code) and is only used locally to unlock local access. Apple doesn't have a centralized biometric database, either directly or indirectly, unlike what Worldcoin is suggesting.


Other notable info:

  • Edward Snowden has expressed serious concerns regarding the potential risks associated with Worldcoin and, in general, strongly advises against the utilization of biometric-based systems.

His viewpoint is indeed valid. While I won't delve into exhaustive detail, it is crucial to highlight that apart from extremely limited uses such as local access unlocking, it is highly recommended to NEVER use ‘security’ systems based on biometrics, especially when centralized databases are involved. For further insights, you can refer to the article where Snowden criticizes Worldcoin's ocular scans. One issue with biometric systems lies in their inherent inability to provide genuine repudiation: if someone manages to copy your fingerprints or iris, the consequence is being somewhat ‘stuck forever’. Check out the demonstration by the CCC involving a well-known German minister.

  • Vitalik Buterin has penned a moderately critical article about the Worldcoin initiative

His article compares Worldcoin's approach with that of other projects and raises some valid criticisms. Read the article on his blog.

  • Without an internet connection, the World App is entirely unusable, and a loss of connection interrupts its operation.

This is not a good decision because users should at least be able to access some locally stored information and even provide proof from their application without requiring a connection themselves.


Other less significant info:

  • In the past, users were granted permission for capturing vital signs such as heartbeats and breathing.

This clause has been removed from recent document versions, and the technique mentioned in earlier iterations was never actualized.

  • Sam Bankman-Fried from FTX was one of the initial investors.

It's common for project backers with ample resources to allocate investments in other ventures. Refer to the Coinpaper article for more details.

  • Altman anticipates a dark future

Sam Altman doesn't hide his pessimism but he's not the only ‘prepper’ in Silicon Valley. This perspective is unrelated to Worldcoin. Check out the article: ‘Inside OpenAI CEO Sam Altman's fixation on death and the apocalypse’.


References

[1] Worldcoin, based in Berlin https://www.crunchbase.com/organization/worldcoin

[2] Tools for Humanity, based in San Francisco https://www.crunchbase.com/organization/tools-for-humanity-a4d2

[3] What is social washing? https://www.esgthereport.com/what-is-social-washing/

[4] ChatGPT creator says AI advocates are fooling themselves if they think the technology is only going to be good for workers: 'Jobs are definitely going to go away' https://www.businessinsider.com/chatgpt-sam-altman-jobs-replaced-ai-openai-2023-7

[5] "This enables a path to AI-funded non-state UBI and the equitable global distribution of digital currencies [...] Redistribute wealth created by systems in the age of AI: As AI advances, fairly distributing access and some of the created value through UBI will play an increasingly vital role in counteracting the concentration of economic power" https://worldcoin.org/blog/engineering/humanness-in-the-age-of-ai, https://openai.com/blog/planning-for-agi-and-beyond, https://www.fhi.ox.ac.uk/windfallclause/

[6] OpenAI Is Now Everything It Promised Not to Be: Corporate, Closed-Source, and For-Profit https://www.vice.com/en/article/5d3naz/openai-is-now-everything-it-promised-not-to-be-corporate-closed-source-and-for-profit

[7] Meta’s Open Source Llama Upsets the AI Horse Race https://www.wired.com/story/metas-open-source-llama-upsets-the-ai-horse-race/

[8] "Returns for our first round of investors are capped at 100x their investment (commensurate with the risks in front of us), and we expect this multiple to be lower for future rounds as we make further progress." https://openai.com/blog/openai-lp

[8b] Worldcoin Investors https://tracxn.com/d/companies/openai/__kElhSG7uVGeFk1i71Co9-nwFtmtyMVT7f-YHMn4TFBg/funding-and-investors

[8c] OpenAI Used Kenyan Workers on Less Than $2 Per Hour to Make ChatGPT Less Toxic https://time.com/6247678/openai-chatgpt-kenya-workers/

[9] Worldcoin is here — just not here in the US https://blockworks.co/news/worldcoin-not-in-us

[10] https://fr.wikipedia.org/wiki/ReCAPTCHA

[11] https://mon-dpo-externe.com/quelles-sont-les-solutions-alternatives-a-google-recaptcha/

[12] Sam Altman's Weirdest Side Projects https://gizmodo.com/chatgpt-openai-ceo-sam-altman-weirdest-projects-ranked-1850496034

[13] OpenAI's Sam Altman launches Worldcoin crypto project https://www.reuters.com/technology/openais-sam-altman-launches-worldcoin-crypto-project-2023-07-24/

[14] Billionaire Mike Novogratz Flips Bullish on Worldcoin, Says Bad Idea To Defy Sam Altman’s Crypto Project https://dailyhodl.com/2023/07/31/billionaire-mike-novogratz-flips-bullish-on-worldcoin-says-bad-idea-to-defy-sam-altmans-crypto-project-report/

[15] Worldcoin Releases Tokenomics, Report Geofenced for Some Countries https://markets.businessinsider.com/news/currencies/worldcoin-release-tokenomics-report-geofenced-for-some-countries-1032469781

[16] Worldcoin soars despite accusations of fraud https://blockworks.co/news/worldcoin-token-soars

[17] Worldcoin Launch Supply Mostly Made of Market Maker Loans https://decrypt.co/149865/worldcoin-tokenomics-at-launch-supply-market-maker-loans

[17b] Unlocked Supply Schedule https://whitepaper.worldcoin.org/tokenomics#token-overview

[18] Worldcoin's CoinMarketCap page https://coinmarketcap.com/currencies/worldcoin-org/

[19] Worldcoin's Dune page, for more statistics https://dune.com/worldcoin/worldcoin

[20] World App mobile application https://play.google.com/store/apps/details?id=com.worldcoin&hl=en&gl=US, https://apps.apple.com/no/app/world-app-worldcoin-wallet/id1560859847

[21] "World ID is a new privacy-first protocol that brings global proof of personhood to the internet" https://worldcoin.org/blog/announcements/introducing-world-id-and-sdk

[22] Become an Orb Operator https://worldcoin.org/be-a-worldcoin-operator

[23] Iris feature extraction with 2D gabor Wavelets https://worldcoin.org/blog/engineering/iris-feature-extraction

[24] Proof of Personhood https://worldcoin.org/blog/worldcoin/proof-of-personhood-what-it-is-why-its-needed

[25] Iris recognition inference system https://worldcoin.org/blog/engineering/iris-recognition-inference-system

[25b] Nudge https://en.wikipedia.org/wiki/Nudge_theory

[26] OpenAI quietly shuts down its AI text-detection tool because of low accuracy https://windows.atsit.in/fr/15726/

[27] Old "Worldcoin University" video about Orb operator opportunities: https://twitter.com/zachxbt/status/1452065666824028160

[28] Aligning Incentives To Grow The Network https://worldcoin.org/blog/worldcoin/how-the-launch-works

[29] Deception, exploited workers, and cash handouts: How Worldcoin recruited its first half a million test users https://www.technologyreview.com/2022/04/06/1048981/worldcoin-cryptocurrency-biometrics-web3/

[30] Responses to MIT Technology Review https://www.documentcloud.org/documents/21578921-worldcoin-responses-to-mittr

[31] Sam Altman's Worldcoin Rolls Out Fresh Measures To Combat Black Market For Iris Scans https://www.benzinga.com/markets/cryptocurrency/23/05/32474740/sam-altmans-worldcoin-rolls-out-fresh-measures-to-combat-black-market-for-iris-scans

[32] Black Market for Worldcoin Credentials Pops Up in China https://www.coindesk.com/policy/2023/05/24/black-market-for-worldcoin-credentials-pops-up-in-china/

[33] Backup and restore procedure https://worldcoinapp.zendesk.com/hc/en-us/articles/18948732698771-How-do-I-restore-my-account-

[34] A primer on decentralization at Worldcoin https://worldcoin.org/blog/worldcoin/primer-on-decentralization-at-worldcoin

[35] Worldcoin's former login system (simple web login) https://getworldcoin.com/signin

[36] "With Data Custody" https://worldcoin.org/privacy

[37] What are the key differences with and without data custody https://worldcoinapp.zendesk.com/hc/en-us/articles/15276635682963-What-are-the-key-differences-with-and-without-data-custody-

[37b] FAQ: What personal data is collected when I download the World App? https://worldcoin.org/faqs

[38] Biometric Data Consent Form https://worldcoin.pactsafe.io/#contract-yxxy0cnul

[39] Privacy Notice https://worldcoin.pactsafe.io/rkuawsvk5.html#contract-9l-r7n2jt

[39b] Privacy During Field Testing, former version captured in May 2022 https://web.archive.org/web/20220316151300/https:/worldcoin.org/privacy-during-field-testing

[40] Enrollment Process diagram https://whitepaper.worldcoin.org/technical-implementation#enrollment-process

[41] Identity commitment, the public Semaphore identity value used in Semaphore groups. https://semaphore.appliedzkp.org/docs/glossary#semaphore-identity

[42] German data watchdog probing Worldcoin crypto project, official says https://www.reuters.com/technology/german-data-watchdog-probing-worldcoin-crypto-project-official-says-2023-07-31/

[43] UK Data Regulator Probes Worldcoin Launch https://www.pymnts.com/cryptocurrency/2023/worldcoin-catches-attention-united-kingdom-data-regulator/

[44] France's watchdog questions legality of Worldcoin biometric data collection https://www.reuters.com/technology/frances-privacy-watchdog-says-worldcoin-legality-seems-questionable-2023-07-28/

[45] Kenya suspends Worldcoin crypto over privacy concerns https://mg.co.za/africa/2023-08-05-kenya-suspends-worldcoin-crypto-over-privacy-concerns/

[46] Kenyan Police Raids Worldcoin’s Warehouse In Nairobi https://en.ethereumworldnews.com/kenya-police-raids-worldcoin-warehouse/

[47] Worldcoin Help Center https://worldcoinapp.zendesk.com/hc/en-us

[47b] Sam Altman’s Worldcoin App Goes Offline—Limiting Users’ Access To Wallets https://www.forbes.com/sites/segunolakoyenikan/2023/08/07/sam-altmans-worldcoin-app-goes-offline-limiting-users-access-to-wallets/

[48] Scammers pile on to impersonate Worldcoin on Twitter following token launch https://cointelegraph.com/news/scammers-impersonate-worldcoin-twitter-following-token-launch

[49] The official Twitter/X support account for the World App https://twitter.com/worldappsupport/with_replies

[50] Hackers stole passwords of Worldcoin Orb operators https://techcrunch.com/2023/05/12/hackers-stole-passwords-of-worldcoin-orb-operators/

[50b] "attacker to become an Orb operator by bypassing the verification process" https://twitter.com/certik/status/1687129300179243010?s=46&t=RsNj0JuWHwrc_VDTKWi3Hg

[51] Live Worldcoin Orb Disassembly Walkthrough https://www.youtube.com/watch?v=MA2ttYtUbF8

[52] Orb Hardware https://github.com/worldcoin/orb-hardware

[53] Privacy at Worldcoin - Technical Deep Dive https://worldcoin.org/blog/developers/privacy-deep-dive

[54] White Paper - Why Custom Hardware is Needed https://whitepaper.worldcoin.org/technical-implementation#why-custom-hardware-is-needed

[55] Orb Electronic Diagram https://github.com/worldcoin/orb-hardware/blob/main/orb/block_diagram_electronics.png

[56] Orb Bill of material https://github.com/worldcoin/orb-hardware/blob/main/orb/bom/20220403-TLA-PEARL-ORB-EVT-EVT.E-Part-List.csv

[57] Updating key size estimations for pairings, Razvan Barbulescu & Sylvain Duquesne https://eprint.iacr.org/2017/334.pdf

[58] BN254 For The Rest Of Us https://hackmd.io/@jpw/bn254

[59] Least Authority Security Report for Worldcoin, Issue B: The BN254 Curve Provides Insufficient Security https://leastauthority.com/wp-content/uploads/2023/07/Worldcoin_Protocol_Cryptography_Final_Audit_Report.pdf

[60] Key length recommendation https://www.keylength.com/en/8/

[61] Worldcoin is no longer offering Orb-verification in India, Brazil and France https://techcrunch.com/2023/12/20/worldcoin-is-no-longer-offering-orb-verification-in-india-brazil-and-france/

Will it become very FY next time?

Kumar Vadaparty

Distinguished Engineer @ Morgan Stanley | Research and Implement Generative AI products for Accelerating Modernization (from Legacy Tech)

1 year

50 References!!! Thank you for such a detailed, well-referenced article! Since Sam Altman has much free time now, this "harvesting human irises" project might take even more naughty turns.

Frédéric Martin

myDid CEO | Decentralized IDentity [ Digital Integrity | Verifiable Credentials | Cybersecurity & Blockchain | Personal Data Privacy | OSINT | Self-Sovereign Identity SSI DID | Secure Element | PKI FIDO Passkey WebAuthn

1 year

Clément F.

CEO @Shelaon | Tailor-made cybersecurity | ISO27001, Cybervadis | Our clients: Airbus, Equans, WMH Project, Moma, Formind, la Phratrie (50+ others) @cyberfreelance: the largest freelance cyber job board (1.5k+ experts)

1 year

This is brilliant

Julien BRODIER

Blockchain, cryptography, securities

1 year

Nice analysis! "Worldcoin is being careful not to call it an ICO, possibly to avoid certain laws, as they only lend/sell tokens to market makers (who then offer them to individuals)" => Telegram also used this technique, selling to brokers who then sold to retail, so as not to call it a public ICO. The SEC noticed the circumvention and fined them $18.5M; which, by the way, is not much of a deterrent given the amounts sold.
