Worldcoin and the privacy problem: solving it with a third-party audit.


What I had suspected many months ago became apparent to others; in fact, Worldcoin had to request a third-party audit to confirm its seriousness.

Following recent concerns raised by various parties regarding the privacy protection of its users, the Worldcoin Foundation requested a third-party audit of its iris-scanning technology, the Orb. The task of conducting the audit was entrusted to the cybersecurity firm Trail of Bits. Now that the company has completed its assignment, Worldcoin has disclosed the audit results.

Worldcoin and Privacy Issues:

This isn't the first time that Worldcoin's new biometric scanning technology through Orb devices has faced privacy-related issues and concerns. Previous investigations were initiated in Hong Kong by the privacy and data protection authority. Additionally, European countries like France, Britain, and Germany have questioned the legitimacy of the company's operations, prompting further legal inquiries. However, some developing countries, such as India and Kenya, have taken a more drastic stance, openly opposing Worldcoin's decentralized identity verification system.

The Orb Functionality Verification Goes Beyond Standard Security Checks:

According to a recent report, Tools for Humanity (TFH) and the Worldcoin Foundation tasked the cybersecurity firm Trail of Bits with conducting a comprehensive verification of the Orb software. Given the previous challenges faced by Worldcoin, the verification process went beyond standard security checks to assess specific aspects of privacy and Orb device functionality. The audit examined how Orb devices manage and protect user data. The results indicated that the devices do not store personal information but only iris codes, which are encrypted and uploaded for verification purposes.

Privacy Examination of Worldcoin Orb:

TFH outlined various technical assertions to guide the audit, focusing on the Orb software starting from the July 8, 2023 version. During the default enrollment process, the Orb is designed to collect only the user's iris code, avoiding the storage or transfer of other personally identifiable information (PII). For users opting for a more comprehensive data enrollment flow, any PII saved on the device's SSD is asymmetrically encrypted, so that not even the Orb itself can decrypt it. Furthermore, the audit verified that the Orb does not extract sensitive information from the user's device. The only data collected, namely iris scan-related data, is encapsulated in a QR code that can subsequently be scanned by the Orb for verification. The handling of the user's iris code was also examined, and it was confirmed that the iris code is not persistently stored on the Orb but is transmitted in a single request to pre-approved, end-to-end encrypted servers.
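
To make the "asymmetrically encrypted, so the device cannot decrypt it" property concrete, here is an added sketch that is not Worldcoin or Orb code and is not taken from the audit report. It assumes a generic construction (ephemeral X25519, HKDF, AES-256-GCM) and hypothetical names (`seal`, `open`, the `sealed-record` label); the page does not say which scheme the Orb actually uses.

```javascript
// Added illustration, not Worldcoin/Orb code. Scheme and names are assumptions.
const crypto = require('node:crypto');

const SPKI_LEN = 44; // DER SubjectPublicKeyInfo length of an X25519 public key
const TAG_LEN = 16;  // AES-GCM authentication tag length

// Derive a one-time AES key from the ECDH secret, bound to the ephemeral public key.
function deriveKey(privateKey, publicKey, ephPubDer) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, ephPubDer, 'sealed-record', 32));
}

// Device side: only the recipient's PUBLIC key is available. The ephemeral private
// key is never stored or returned, so the device cannot reopen what it wrote.
function seal(recipientPublicKey, plaintext) {
  const eph = crypto.generateKeyPairSync('x25519');
  const ephPubDer = eph.publicKey.export({ type: 'spki', format: 'der' });
  const key = deriveKey(eph.privateKey, recipientPublicKey, ephPubDer);
  // The key encrypts exactly one message, so a fixed nonce is safe here.
  const cipher = crypto.createCipheriv('aes-256-gcm', key, Buffer.alloc(12));
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([ephPubDer, cipher.getAuthTag(), body]);
}

// Off-device side: requires the recipient's PRIVATE key; throws on tampering.
function open(recipientPrivateKey, blob) {
  if (blob.length < SPKI_LEN + TAG_LEN) throw new Error('sealed blob too short');
  const ephPubDer = blob.subarray(0, SPKI_LEN);
  const ephPub = crypto.createPublicKey({ key: ephPubDer, format: 'der', type: 'spki' });
  const key = deriveKey(recipientPrivateKey, ephPub, ephPubDer);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.alloc(12));
  decipher.setAuthTag(blob.subarray(SPKI_LEN, SPKI_LEN + TAG_LEN));
  return Buffer.concat([decipher.update(blob.subarray(SPKI_LEN + TAG_LEN)), decipher.final()]);
}

// Constructed demo: the key pair is generated off-device; only publicKey is provisioned.
const recipient = crypto.generateKeyPairSync('x25519');
const sealed = seal(recipient.publicKey, Buffer.from('constructed sample record'));
console.log(sealed.length, open(recipient.privateKey, sealed).toString());
```

Anyone reviewing such a design should check that the matching private key is never provisioned to the device and that the plaintext is not also written to disk before sealing.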

Conclusions Drawn by Trail of Bits:

According to the audit report released by Trail of Bits:
"The analysis did not uncover vulnerabilities in Orb code that could be directly exploited in relation to the described Project Objectives."
"Although Trail of Bits' review identified some unconfirmed issues that could theoretically affect project objectives, and the relevant code was subsequently updated, the audit did not identify any cases where project objectives would be directly compromised."
