Opinion articles present diverse opinions and do not represent the position of WEB3+
World ID Expands into Taiwan: Discussions on Digital Identity, Personal Data, and Citizenship
World ID officially launched in Taiwan at the end of May. By downloading the World App and locating an Orb at one of three locations in Taipei, users can scan their irises and begin receiving cryptocurrency $WLD on a regular basis. Over the past six months, World ID has heavily invested in government relations and compliance matters; this move is not only a formal launch of the Orb in Taiwan but also the official opening of its business in the United States.
True to its reputation as a digital democracy kingdom, Taiwanese social media platforms are displaying polarized opinions.
Tech enthusiasts eager for new experiences are sharing their invitation codes on social media accounts in hopes of earning commissions; on the other hand, concerned Taiwanese citizens express that offering their irises equates to selling their personal data, deeming such actions as a cheap liquidation of biological information.
Viewing World services simply as a savior of digital identity or as a demon that scrapes personal data seems to hinder public discussion. Particularly, the advanced technologies involved, some even more cutting-edge than government public services, can easily obscure the discussions.
So how should we perceive World?
Further reading: Would you be willing to relinquish your iris? World ID officially arrives in Taiwan; what is World? How to complete authentication in five steps?
Super App
A Super App is an application that integrates multiple functions, allowing users to chat, make payments, book rides, order food, shop, and more, all on one platform without needing to download multiple different apps.
Like a digital Swiss Army knife, a Super App can accomplish many tasks. Essentially, World ID acts as a key, similar to the “Sign in with Google” service, enabling users to log in to various services, such as Shopify and gaming service Razer, which were recently announced as partners.
Moreover, World is actively expanding its developer ecosystem, hoping to develop more Mini Apps on the World App.
It can be understood that World is attempting to enhance a Super App with “privacy-enhancing technology,” utilizing real-person verification to resolve fraud issues while rapidly developing application scenarios and expanding its business territory.
The more centralized the service, the more potential risks arise for citizens, making it increasingly difficult to “opt-out.” This is also an issue that international Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) aim to address. A comparable case is the recent digital identity legislation passed in Utah, USA.
Further reading: What does advanced digital identity legislation look like?
Iris
World ID requires users to visit physical locations to have their irises scanned by a machine to obtain “real-person verification.” It is claimed that the data (Iris Code) converted from iris features is not stored within the machine; so where is the iris data stored?
According to official explanations, World collaborates with trusted third-party institutions, such as Nethermind, Friedrich-Alexander University Erlangen-Nuremberg (FAU), Korea Advanced Institute of Science and Technology (KAIST), and the University of California, Berkeley, using Anonymized Multi-Party Computation (AMPC) to split the data into three parts, stored on the user’s phone and with the other two institutions.
Multi-party computation is a technology that allows multiple parties to compute a task without revealing their private data to each other. Utilizing privacy-enhancing technology is indeed a good method to protect individual privacy. Splitting iris data into three parts raises the difficulty of breaching and obtaining personal data. However, two extended questions arise:
1. How does the processed and non-traceable Iris Code fit within existing privacy protection frameworks, such as Taiwan’s Personal Data Protection Act?
2. The second question is, who qualifies as a “trusted third-party institution,” and how can it be ensured that these institutions do not collude? This may lack a digital trust governance process and sufficient collaboration with local regulatory bodies and consumers.
Further reading: MPC’s Role in Advancing World ID Privacy Features
Universal Basic Income
World promotes Universal Basic Income (UBI) by utilizing airdropped cryptocurrency Worldcoin to attract new users, aiming to solve the cold start problem for startups. UBI is a policy where the government regularly provides unconditional cash payments to everyone, regardless of their employment or income level.
In May of this year, due to privacy concerns, a Kenyan court ordered Worldcoin to delete users’ biometric data. Previously, there were instances of intermediaries acquiring irises from unsuspecting individuals in exchange for cryptocurrency, raising concerns about violations of digital human rights.
World stated that they are gradually phasing out Orb service providers and enhancing self-service Orb scanning services to mitigate ethical and moral issues surrounding digital identity. A discussion worth having is whether the reward airdrops truly align with the meaning of Universal Basic Income and what responsibilities service providers should bear regarding the ethical issues raised by these reward airdrops.
The organization WhyID has previously advocated that governments should not incentivize citizens to use digital identity services through subsidies or rewards, as seen in India’s digital ID Aadhaar case. However, World is not a public service, and Worldcoin is not a legal tender, yet it has effects akin to public services, making this a topic worthy of public discussion.
Further reading: Worldcoin Ordered to Delete Biometric Data in Kenya Over Privacy Breach
Zero-Knowledge Proof
World ID is the world’s largest provider of zero-knowledge proof services. Zero-Knowledge Proof is a technology that allows you to prove that you know something without revealing the content of that information.
For instance, you can prove that you are over 18 without disclosing your date of birth or ID number. Similar to multi-party computation, zero-knowledge proof is also a type of privacy-enhancing technology, and it is currently entering the standardization phase in the Internet Engineering Task Force (IETF).
In addition to World ID, many projects from the Ethereum Foundation, such as Anon Aadhaar, zkPassport, and zkMail, also utilize zero-knowledge proof technology to address digital identity issues. Furthermore, Google Wallet launched a passport-based zero-knowledge proof service in the UK this May, serving as age verification for users purchasing train tickets.
Zero-knowledge proof can be considered the ultimate solution for personal data protection, as unless the other party explicitly knows the information (such as whether you are an adult or whether you are Taiwanese), personal data will not be leaked. However, this solution is not infallible; if a large amount of personal data is cross-referenced, it is still possible to profile an individual, much like current internet advertising agencies do.
At this point, the Super App may pose risks of centralized identity data cross-referencing. Whether zero-knowledge proof can be effective within the service framework of World ID is a question worth continuous observation.
Conclusion: Prevention is Better than Cure (Privacy by Design)
When encountering emerging technologies, especially those with strong public relations impacts, the public easily accepts or opposes them unconditionally, which does not reflect what the populace truly wants or needs.
Therefore, after gaining a basic understanding of the technology utilized by World ID, I call upon service providers, government regulatory bodies, and civil society to advocate for a Data Protection Impact Assessment (DPIA) on World issues to determine whether “relinquishing one’s iris” truly holds significance.