
Worldcoin Under Investigation: European Regulators Probe Biometric Data Collection Practices

Worldcoin, the ambitious cryptocurrency project co-founded by OpenAI CEO Sam Altman, finds itself at the center of a growing regulatory storm as European data protection authorities launch formal investigations into its biometric data collection practices. Just days after the project’s official global rollout on July 24, 2023, regulators in France, the United Kingdom, and Germany have raised serious concerns about the legality and security of the platform’s iris-scanning operations, sending shockwaves through the crypto community at a time when Bitcoin trades at $29,319 and Ethereum holds at $1,874.

The Exploit Mechanics

At the heart of the regulatory scrutiny lies Worldcoin’s signature device: the Orb. This sleek, spherical biometric scanner captures high-resolution images of users’ irises in exchange for Worldcoin tokens (WLD). The system creates what Worldcoin calls an “Iris Code” — a unique biometric identifier stored on the company’s servers to verify that each user is a unique human being. However, security researchers and privacy advocates have identified several critical vulnerabilities in this approach. The collection of biometric data — specifically iris patterns, which are immutable personal identifiers — creates an attractive target for malicious actors. Unlike passwords or encryption keys, biometric data cannot be changed if compromised. The Orb devices operate in pop-up locations across major European cities, with locations in the United Kingdom, France, Germany, and Spain already active. Each scan captures raw iris imagery before converting it into a hashed Iris Code, raising questions about what happens to the original biometric data and how long it is retained.

Affected Systems

The scope of Worldcoin’s data collection is staggering. Since its soft launch, the project has reportedly scanned the eyes of over 2 million people across more than 30 countries. The French data protection authority, CNIL, has been particularly vocal about its concerns. “The legality of this data collection seems questionable, as do the conditions for storing biometric data,” a CNIL spokesperson stated on July 28, 2023. The French regulator confirmed it had already initiated investigations into Worldcoin’s operations before passing the case to Bavaria’s Data Protection Authority, which serves as Worldcoin’s lead supervisor in the European Union due to the company having a subsidiary in Germany. The UK’s Information Commissioner’s Office (ICO) has also entered the fray, stating it would be “making enquiries” into Worldcoin’s UK operations. The ICO emphasized that organizations must conduct a Data Protection Impact Assessment before processing special category biometric data and must have “a clear lawful basis to process personal data.”

The Mitigation Strategy

Worldcoin has attempted to address these concerns by emphasizing its privacy-by-design architecture. The company claims that actual iris images are deleted after the Iris Code is generated and that the resulting biometric templates are stored in an encrypted, decentralized manner. However, privacy experts remain skeptical. The Electronic Privacy Information Center (EPIC) issued a statement calling Worldcoin “a potential privacy nightmare” that offers “a biometrics-dependent vision of digital identity and cryptocurrency.” For users who have already participated, security professionals recommend monitoring accounts for unusual activity and being aware that biometric data, once shared, carries permanent risk. The company has stated it is cooperating with all regulatory inquiries and maintains full compliance with GDPR requirements.

Lessons Learned

The Worldcoin situation underscores several critical lessons for the cryptocurrency industry. First, biometric data collection creates unique security risks that go far beyond traditional data breaches. Second, regulatory frameworks like GDPR provide important protections, but enforcement often lags behind technological deployment. Third, the intersection of cryptocurrency incentives and sensitive personal data creates novel consent questions — specifically, whether consent can truly be “freely given” when users receive financial compensation in the form of crypto tokens for surrendering their biometric information. With the total crypto market capitalization hovering around $1.2 trillion and regulatory scrutiny intensifying globally, projects that handle sensitive user data must prioritize compliance from day one.

User Action Required

If you are considering participating in Worldcoin or similar biometric-based crypto projects, take these precautions: Research the project’s data handling policies thoroughly before scanning. Understand that biometric data is permanent and cannot be reset like a password. Check whether your local data protection authority has issued guidance about the platform. Monitor official regulatory channels for updates on ongoing investigations. Consider whether the token reward justifies the irreversible sharing of your biometric identifiers. The crypto industry must learn from this episode — security and privacy cannot be afterthoughts in the rush to build the next big thing.

Disclaimer: This article is for informational purposes only and does not constitute financial or legal advice. Always conduct your own research before making investment decisions or sharing personal data.


9 thoughts on “Worldcoin Under Investigation: European Regulators Probe Biometric Data Collection Practices”

  1. giving your iris scan to a private company for like 50 bucks worth of tokens is wild to me. you can't change your eyeballs after a breach

    1. can't change your eyeballs is the most concise argument against this project ever made. should be on a billboard

  2. CNIL opening an investigation within 48 hours of launch tells you everything about how well Worldcoin prepared for GDPR compliance. Which is to say, not at all.

    1. GDPR was literally designed to prevent exactly this kind of biometric harvesting. the 48 hour investigation speed tells you how obvious the violations were

  3. 0x_privacy.eth

    the part about iris codes being stored on their servers is the real issue. zero knowledge proofs exist for a reason, use them

    1. 0x_privacy.eth exactly. worldcoin could have used ZK proofs for iris verification without storing biometrics. the tech exists, they chose not to use it

      1. ZK proofs for iris verification without storing raw biometrics was technically feasible in 2023. the choice to centralize storage was a business decision not a technical limitation

  4. sam altman launching this while running the biggest AI company on earth feels like a conflict of interest nobody is talking about

  5. giving biometric data to a private company for tokens is the most dystopian ICO era idea repackaged as identity verification. hard pass
