Worldcoin’s approach to decentralized identity: Privado ID CPO weighs in
Worldcoin, the ambitious brainchild of OpenAI CEO Sam Altman and two of his partners, has been marred by controversies since it debuted in late July last year.
The idea was simple: establish a global digital ID system, introduce a global currency, in this case, Worldcoin token (WLD), and develop the World App, a universal wallet that leverages World ID to facilitate payments.
When the project launched, the initial reception was divided. On the one hand, privacy advocates and regulators across several jurisdictions argued that collecting biometric data on such a large scale poses many risks. On the other hand, the project managed to draw in over 2 million users who signed up for a digital ID during its initial rollout phases.
The regulatory pressure prompted Worldcoin to implement the Secure Multi-Party Computation system that encrypts the scanned iris data into secret shares to be distributed among multiple parties in a bid to address concerns about data centralization.
At the time of publication, the project was banned in some countries, while others were investigating its data collection practices.
Despite the mixed reception, the project had 119 ‘orbs’ – spherical devices that scan a user’s iris – across 18 countries within the first few months and now plans to expand that number to 1500 globally. Meanwhile, the World App has raked in over 10 million users.
While Worldcoin’s approach to decentralized identity shows promise, there are ongoing debates about whether it truly tackles the broader issues at play.
Speaking to crypto.news, Sebastian Rodriguez, chief product officer at decentralized identity platform Privado ID, said that while Worldcoin’s use of cryptographic techniques is commendable, the broader issues of governance and transparency remain unresolved.
What are your thoughts on Worldcoin’s biometric data collection efforts?
Worldcoin has recently announced that they will delete all the biometric data and distribute it in an MPC network. This removes one of the major concerns about data concentration from the technical point of view. Worldcoin also uses nullification to protect the user against cross-application tracking, so technically speaking, we consider the new Worldcoin approach technically secure.
Do you see any shortcomings with the project’s current approach to security?
Security is more complex than its technical component – it’s a property of the entire solution (technology, people, processes and power structures). In our opinion, Worldcoin is using many of the right cryptographic primitives to achieve privacy and security, but they are not following the principles of decentralization and transparency that most Web3 projects embrace. They have made efforts to open source most of their technologies (including hardware to a certain degree), but the governance of the project, its long-term goals and tokenomics are still a source of concern.
Basically, their model only works if they become a monopoly for proof of uniqueness – this is a type of credential (when it’s based on non-standard biometric templates) that can only be provided by a single provider. It’s not based on national ID documents (that would allow for multiple providers of Identity Verification) but on a non-standardized biometric hash database controlled by a single private organization.
Worldcoin claims that Secure Multi-Party Computation will enhance data privacy and security by distributing biometric data across multiple parties. Do you believe this approach can effectively address the ethical concerns?
No. Technical security should never stop the ethical debate around the implications of a unique identifier that can’t be changed for my entire life. This is an identifier that I can’t deny having, that I can be forced to present, and that I can’t change. The implications are deep and, in some cases, dangerous.
Despite the controversies, Worldcoin has garnered considerable attention. What do you think is driving its appeal?
Every tokenized project is susceptible to speculation, and Worldcoin is no different. They are also linked to Sam Altman and OpenAI, which has a “winner” aura that, in my opinion, has attracted controversy and investor interest at the same time. There is a sentiment that OpenAI is investing in a problem they are helping to create (synthetic identities) that is both ethically reprehensible and economically attractive.
Can identity verification systems be enhanced in security and efficiency while minimizing reliance on biometric data?
Biometrics is at the core of all identity systems, even National ID and Passports. It’s not about the technology, but about who is the source of trust and how centralized it is. We believe that governments should play that role, and with projects like EUDI [the European Union’s digital identity solution] it’s going to become more available for many citizens. Some alternatives are based on networks of trust (social graphs, p2p vouching, etc.), but none of these has seen mass adoption so far.
From your experience at Privado ID, what are the key considerations for creating identity solutions that align with international data protection standards?
We advocate for open ecosystems of interoperability. Centralizing everything in a single identity provider is always tempting (faster, easier, simpler) – but we need to allow for a healthy open ecosystem of competing and local identity providers that avoid concentration of power, provide choice and alternatives, and can also adapt to local regulations. As an example – it is very tempting to add Age Verification to our Google or Apple accounts and have the verification done by our phones or e-mail accounts. But that will give these companies huge databases of every place where we use these credentials. It will probably also not be fully compliant with every single local regulation about the topic. Having an ecosystem of Age Verification providers with interoperable credentials is better.
How does Privado ID approach the challenge of creating open ecosystems and ensuring interoperable credentials within its platform?
We want to provide the underlying infrastructure to build and support open ecosystems of interoperable credentials. We are not in the business of providing these credentials – we aim to provide identity providers and users the best channels to exchange and monetize credentials in the most privacy-preserving way and with the best user and developer experience. We see ourselves as a marketplace of trusted data where consumers (applications) and providers (credential issuers) can connect, integrate and do business, all while respecting the user’s privacy and right to consent.