World(coin) should allow Europeans to delete their data completely, under a privacy order
It took more than a few weeks to arrive, but the important decision that has been hanging over Sam Altman’s World (aka Worldcoin) for months has finally landed. It was issued in December by the Bavarian data protection authority, which enforces the bloc’s General Data Protection Regulation (GDPR), a comprehensive privacy framework that allows for sanctions of up to 4% of global annual turnover.
The decision on the investigation, which was opened back in April 2023, only (finally) came out just before the 2024 holiday break, and the result does not look like what the eyeball-scanning crypto identity venture had hoped for: it was issued a correction order that requires it to completely delete a user’s data if requested.
“All users who have provided ‘Worldcoin’ with their iris data will in the future have an unrestricted opportunity to enforce their right to erasure,” said Michael Will of the Bavarian State Office for Data Protection Supervision in a press release.
The biometric business has been given one month from the date of the Bavarian authority’s decision to implement a removal process “compliant with GDPR provisions” — so mark your calendars for early 2025.
Another part of the Bavarian order requires Worldcoin to obtain express consent for what the press release (vaguely) describes as “certain future processing steps”.
We have asked for more information, but this suggests that World’s onboarding process will have to provide EU users with more information before their eye scans are taken. It was also ordered to delete “certain data records previously collected without sufficient legal basis”, according to the statement.
In addition to our questions about the substance of the order, we have asked the Bavarian authorities why no fines have been issued for what appear to be a number of GDPR violations and will update this report with any response.
World responded to the correction order by saying it would file an appeal.
Tricky ask
Why does the requirement to allow users to ask for their data to be deleted, a right included in European regulation as part of the GDPR’s rights of individuals to access data, look so tricky for World[coin]? The identity-proof blockchain project aims to create a system of immutable and unique IDs to remotely verify identity. So if a person is able to have all their traces removed from its ledger simply by asking, that is a challenge to its desire to be the universal authority on human authentication.
Rebecca Hahn, a spokeswoman for Tools for Humanity (TfH), the company that develops Worldcoin, said its grounds for appeal will focus on claims that World’s technical architecture “preserves privacy” and results in user data being anonymized.
The implication of that claim is that GDPR data access rights (such as being able to request erasure) should not apply, as truly anonymous data falls outside the scope of the law.
Asked why World is so hesitant to allow users to delete data, Damien Kieran, TfH’s chief privacy officer, also told TechCrunch: “Our mission is to increase trust in digital interactions. To do that, we created the world’s first anonymous digital passport to prove identity. That means someone can anonymously verify that they are a real person in a place like X [which happens to be Kieran’s former employer] to solve problems like bots once and for all.
“The key to that is ensuring that if an unknown person violates the platform’s policies and the platform suspends itself, that person cannot delete their world ID, create a new one and come back to X introducing themselves as a new person. So in order to meet our goals of increasing trust in the Internet in this age of intelligence, we had to make sure that we do this in a way that anonymizes the original data, which means it cannot be removed, and make sure that bad actors cannot abuse the Global network and other platforms.”
Kieran added that World ID holders “can always delete their personal data that only resides on their phone”.
However, basic account data is not where this GDPR battle is focused. It is about information that can be used to identify an individual.
Earlier this year World introduced an open source Secure Multi-Party Computation system that it said “allows iris codes to be encrypted as private shares and distributed to multiple participants” – without the need for the codes to be decrypted to verify the identity of the site.
The proposal is that this technical structure transforms iris codes through subsequent processing, including encryption and decryption, in a way that limits the risk to individual privacy.
As part of these changes, Worldcoin is also introducing a feature that allows users to request the removal of their iris codes. However, the level of control it gives users has, apparently, been assessed as not meeting the GDPR standard, which requires individuals to have control over their information.
And it’s important to emphasize that GDPR doesn’t just set rules to protect people’s privacy; the framework also aims to ensure that people can exercise autonomy over the information held about them. It is that latter aspect that poses a major challenge to World’s objective of proving that a person is human, as that objective does not lend itself to supporting that level of individual autonomy.
Fundamental rights
The Bavarian DPA said that Worldcoin’s biometric-based individual authentication process entails “a number of basic data protection risks at least for most data subjects”. And although the authority’s statement makes reference to “improvements” made in the business’s data processing, it emphasizes that “corrections are still needed”.
The authority added that its lengthy investigation eventually focused on the need for “complete deletion following the revocation of consent”; and “concurrent review of the consent process”.
“With today’s decision, we apply European fundamental rights standards in favor of data subjects in a highly technical and legally complex case,” said Will.
World’s appeal against the Bavarian regulator’s order does not address the crux of the data access issue.
Instead it wants to frame the issue as a technical question of how European law should define anonymous data. So its blog post about the correction order begins with the line “World ID is unknown by design.” But trying to build momentum to persuade Europeans that they deserve fewer rights is unlikely to be popular in the region.
Worldcoin has already seen its wings clipped across the globe. Enforcement action from other data protection authorities – including Portugal and Spain – has seen it subject to emergency action that has banned its eyeball scanning operations from their markets. Two DPAs have raised some concerns about the dangers of recording children’s data indelibly.
At the same time, Worldcoin – or World as it was recently rebranded – opened ops in Austria.