What personal data does Worldcoin collect from you?

The internet has for the past seven days been awash with excitement about Worldcoin, the new cryptocurrency project by Sam Altman, the owner of US generative Artificial Intelligence (AI) company OpenAI.

The company said that the crypto project, which was launched globally last week has seen over 350,000 Kenyans registered, a process involving scanning one's eyeballs through an orb in exchange for a digital identity called World ID.

Despite data security and privacy concerns internationally and locally, Kenyans flocked to shopping malls and other outlets where registration was taking place in Nairobi to get their irises scanned for 25 free cryptocurrency tokens known as WLD.

The government on Wednesday halted all activities associated with the cryptocurrency project over data security concerns.

But on its part, OpenAI has maintained user data is secure with the crypto project, with the option to delete or have it stored in an encrypted form.

But first, what data does Worldcoin collect from a user upon signing up?

On its website, Worldcoin says it does not fetch personal data from users when they download the World App – personal data, in this case, being name, phone number and address.

“Individuals who want to receive a World ID are not required to share their name, phone number, email address, or home address. Images collected by the Orb are used to generate a unique iris code,” says the company.

It adds that the images are “by default” immediately deleted once the iris code is created unless the user opts into Data Custody, in which case the probability and frequency of the user’s need to reverify their World ID decreases as the iris code algorithms change.

“The World ID sign-up process is only intended to verify an individual’s uniqueness - i.e., that they have not previously signed up and received a World ID,” adds Worldcoin.

Users may choose to share additional data, but the company says it is not a requirement. This includes an email address to sign up for the Worldcoin newsletter.

The project says any personal data shared with them is encrypted “in transit and at rest.”

“The Worldcoin Foundation and its contributor Tools for Humanity do not and never will share any personal data (including biometric data) with anyone who is not working on or assisting with the Worldcoin project,” it says, adding that this also applies to selling data.

Additionally, Worldcoin says it never collects any biometric data from any user without that user’s explicit consent, something ICT Cabinet Secretary Eliud Owalo alluded to when asked about the legality of the company’s operations in Kenya on Wednesday.

Owalo said the government through the Office of the Data Protection Commissioner (ODPC) has had several meetings with Wordcoin before they began local operations to discuss the data safety implications of their operations.

“Their argument is that they are getting the data voluntarily from Kenyans,” the minister told NTV in an interview.

The Data Protection Act stipulates that a data subject has a right to be informed of the use to which their personal data is to be put; to access their personal data in the custody of a data controller or data processor, and to object to the processing of all or part of their personal data.

Additionally, a data controller or data processor shall collect personal data directly from the data subject, or indirectly where the data is contained in a public record and the data subject has deliberately made the data public.

The government suspended all activities linked to the crypto project in the country to pave the way for a probe by “relevant security, financial services and data protection agencies” into Worldcoin’s authenticity and legality.

Another place the project has raised eyebrows over data security is Europe, where for EU member states, the General Data Protection Regulation (GDPR) regulations are known to clamp down on tech giants.

Earlier this week, the United Kingdom’s Information Commission Office said it would be “making enquiries” about Worldcoin, while France's privacy watchdog CNIL said the legality of the project’s biometric data collection "seems questionable".