The internet's favorite meme about "pondering the orb" has taken on new meaning in 2025. Except now, the orb in question isn't a mystical crystal ball—it's Worldcoin's iris-scanning device, promising to solve humanity's digital identity crisis one eyeball at a time. Yesterday, after months of deliberation, I finally let this particular orb peer into my soul (or at least my iris). Here's my reasoning.
I've always been curious about antisybil mechanisms, having participated in the Proof of Humanity protocol over 2 years ago. If you haven't read Vitalik's excellent post on Worldcoin and other PoH protocols, it's a must read:
A couple of converging events have put Worldcoin back up at the top of my working memory. First, a recent interview of Alex Blania on Bankless:
While I didn't find the "AI Bot problem on social media" to be that compelling (we can have cryptoeconomic ways to solve that without biometrics), I did find the discussion of the privacy architecture of the orb to be compelling. Namely, that the biometric data is encrypted, transmitted, and stored on the user's device, not the orb.
Second, I ran into the Orb after a talk by Daniel Shorr at the 2025 Science of Blockchain conference this week. Specifically, this one that Roberto Bayardo also ran into:
I've been skeptical about Worldcoin, not because of the hardware itself, but because of its initial presentation (at least in my view) as an orb-shaped silver bullet to sybil attacks, when I would contend (at least in the US) we probably have enough roots-of-trust to establish identity through other means. In the developing world, there is likely a greater case (which is true of all of crypto writ large anyway).
All this being said, as a crypto/web3 enthusiast, my curiosity with respect to the World app's UI/UX and onboarding flow also tipped me over the edge. Others may disagree, but I think it's intellectually dishonest to land a fair & balanced, solid critique without fully inspecting the (potentially good) onchain user experience up close.
At its core, the Worldcoin Orb is essentially a hardware-based oracle for the blockchain—a sophisticated piece of technology that serves as a bridge between the physical and digital worlds. The process seems straightforward enough: the Orb captures a high-quality image of your iris, likely using a trusted execution environment (TEE) chip to attest that this image hashes into what they call an "iris code." The blockchain then verifies that this code is sufficiently different from any previously recorded iris, ensuring each person can only register once.
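The uniqueness check described above, as an added example that is not code from this post or from Worldcoin: it assumes iris codes are fixed-length bit strings compared by masked fractional Hamming distance, the usual approach in the iris-recognition literature, and the code length, threshold, `Registry` class and sample codes are constructed for illustration. It also shows why the "hash" cannot be a cryptographic one: two captures of the same iris differ in some bits, so their SHA-256 digests never match while their Hamming distance stays small.

```python
import hashlib
import random

CODE_BITS = 2048        # assumed code length, chosen for this example
MATCH_THRESHOLD = 0.32  # assumed cut-off: below this, two codes are the same iris

def fractional_hamming(a, b, mask_a, mask_b):
    """Fraction of differing bits among positions valid in both captures."""
    valid = mask_a & mask_b
    n = bin(valid).count("1")
    # With no comparable bits, treat the pair as maximally distant.
    return bin((a ^ b) & valid).count("1") / n if n else 1.0

class Registry:
    """Hypothetical stand-in for the uniqueness check: enrolled (code, mask) pairs."""
    def __init__(self):
        self.enrolled = []

    def enroll(self, code, mask):
        """Accept a code only if it is far enough from every enrolled code."""
        for other, other_mask in self.enrolled:
            if fractional_hamming(code, other, mask, other_mask) < MATCH_THRESHOLD:
                return False
        self.enrolled.append((code, mask))
        return True

def rescan(code, flip_rate, rng):
    """Constructed sample data: the same iris captured again with per-bit noise."""
    noise = sum(1 << i for i in range(CODE_BITS) if rng.random() < flip_rate)
    return code ^ noise

def sha256_of(code):
    return hashlib.sha256(code.to_bytes(CODE_BITS // 8, "big")).hexdigest()

def demo():
    rng = random.Random(2025)                # fixed seed: reproducible sample data
    full = (1 << CODE_BITS) - 1
    occluded = full & ~((1 << 256) - 1)      # e.g. an eyelid hides the low 256 bits
    alice, bob = rng.getrandbits(CODE_BITS), rng.getrandbits(CODE_BITS)
    alice_again = rescan(alice, 0.10, rng)   # about 10% of bits differ between captures
    reg = Registry()
    return {
        "alice": reg.enroll(alice, full),                   # first enrolment
        "alice_again": reg.enroll(alice_again, occluded),   # noisy re-scan of the same iris
        "bob": reg.enroll(bob, full),                       # unrelated iris
        "sha256_equal": sha256_of(alice) == sha256_of(alice_again),
    }

if __name__ == "__main__":
    print(demo())
```

The threshold is the trust-sensitive parameter here: set too low, a noisy re-scan enrolls twice; set too high, distinct people collide and are refused.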
The system also performs liveness detection—presumably to prevent someone from holding up a photo of your eye or using a glass eye. But here are the hard questions: what exactly is our root of trust? How do we know the hardware is working and the TEE hasn't been hacked?
The fundamental issue comes down to trusting that the Orb is correctly performing two critical functions: liveness detection and iris encoding. Currently, only Tools for Humanity (the company behind Worldcoin) can manufacture these orbs, and the technology isn't completely open source yet. Even if they were to open-source the design and competitors emerged, how would we verify that these competing orbs are performing their functions correctly? External audits can help, but who watches the watchers?
The ideal scenario would involve multiple competing institutions creating their own orbs, with individuals able to verify that all manufacturers have converged on the same iris encoding function and that liveness detection cannot be spoofed. But that's not the current state of the Worldcoin ecosystem—we're dealing with a single company controlling the entire hardware infrastructure.
On top of all this, we are trusting the TEE / chip secure enclave not to be broken or easily hackable, which will always be a background concern for any hardware oracle.
My worry for this single-hardware-vendor ecosystem is not unfounded. Helium, a DePIN project that started as a LoRaWAN p2p network and pivoted to become a T-Mobile MVNO, was mired in controversy over only allowing certain 'blessed' hardware providers to have the power to create the radio mining equipment. This resulted in a chokepoint where early employees were able to mine the vast majority of HNT supply. Not great!
Tech journalists, crypto skeptics, and even cypherpunk connoisseurs have been taking the piss out of Sam Altman for a hot minute now.
On the one hand, there's the marketing gambit at OpenAI of making AI seem so supernaturally powerful that it is dangerous, needing (regulatory capture) regulations. Then there's the flip-flopping between Altman not having any equity in OpenAI—testifying that he's just "doing it because he loves it"—while also planning to axe the nonprofit org structure (giving him equity). And of course, the risks of deepfakes so wide and pervasive (because AI is flawless right now, mind you, don't look too closely), we needed this antisybil orb yesterday to save humanity. Playing both arsonist and firefighter, as it were. Add to this a PR fiasco stealing ScoJo's voice. I can't say that I wouldn't also be tripping over myself occasionally as the CEO of the biggest name-brand for Artificial Intelligence on a rocketship valuation trajectory now with fierce competition, but you have to agree that at least some of these were unforced errors.
AI is clearly useful, I'm using it right now to help write this article (if not this sentence)! Of course: deepfakes are a mild problem now, bots have been a problem even before LLM-based AI, AI will continue to improve, and the problem will get worse, etc, etc...but I am always skeptical about the necessity of '9 alarm fire' marketing. Especially when there are other possible futures and harm-mitigating technologies on offer. Twitter-style Community Notes are already pretty good at handling AI deepfakes, economic & pagerank-based spam filtering on Farcaster works really well at combatting botspam, and as I stated in my tweet above, we have other viable roots-of-trust to establish antisybil'd identity.
So if I'm skeptical about AI doomerism, by participating in Worldcoin, I'd be implicitly endorsing Altman's {doomer,booster}ism framing of AI as an existential threat? Perhaps, but I recognize this argument isn't based on first principles—it's an adhom against Altman and doesn't actually have anything to do with the Worldcoin tech itself. It's guilt by association, which isn't fair to the rest of the Worldcoin team, some of whom I know are principled, ethical builders who have thought deeply about the relevant issues & tradeoffs here. The truth can be somewhere in the middle: Worldcoin could be one of many antisybil solutions that doesn't validate the worst AI doomer scenarios.
Here's a reality check that cuts through my privacy concerns: my iris is hardly defendable private information. I've already given biometric data to plenty of questionable organizations—23andMe (now bankrupt), the US government for passports, California for my driver's license. Anyone with a high-quality camera and telephoto lens could capture my iris pattern without my knowledge if they really wanted to.
The default state of the world is that my iris is observable and capturable. To me, privacy claims start from Natural Law / Rights theory that states that one must have some defensible claim that doesn't impinge on the rights of others. Is there a camera resolution for imaging my face where my privacy goes from 'violated' to 'not violated'? If a portrait artist gets a good strong look at my visage in public and draws me from memory, were my privacy rights violated? I'm not about to start wearing special contact lenses or avoiding photographers, so facial biometric data is already public for most practical humans. My face is not a private key, but Worldcoin also doesn't require me to upload my biometric data to any cloud (the iris hash is stored on the user's phone). Even if the Orb were to be replaced by a Malicious Orb that actually took a photo & uploaded my iris data to a cloud then...they now have the same data I give away every time I walk into a DMV or airport. What I don't find compelling are aesthetic critiques about how cameras are bad. An ideal world would require no biometrics, but we already have BTC & ETH for that.
One of the system's more concerning flaws involves the wallet setup process. There have been documented cases of unscrupulous orb operators traveling to developing countries, scanning people's irises, but setting up the Worldcoin wallets for themselves—effectively stealing the participants' entitled airdrops. The victims, often lacking crypto literacy, had no idea what was happening.
This highlights a fundamental design flaw: there's only one wallet per person, and the system relies on users to properly set up their own wallets. The orb performs liveness detection and captures iris data, but it doesn't obtain meaningful informed consent about the broader implications.
Worldcoin has attempted to address this with time-based rolling QR codes, and by requiring a selfie on your phone when first opening a wallet, but selfies aren't full iris scans and could be defeated through various means. They might eventually require phones with trusted execution environments (cosigned by Google or Apple) or active phone numbers, but this raises questions about crypto's open-source ethos if we're increasingly dependent on closed-source, privatized trusted hardware & legacy telephony infrastructure.
To be fair, this is not an issue unique to Worldcoin; Proof of Humanity has had the same issue with what they call 'farming' or 'sockpuppeting', where there's one person controlling multiple wallets. A benign case of this might be a family member registering his entire family with their consent. A more insidious case might be a 'crypto evangelist' going out onto the street and registering random people (perhaps for pay or not). The worst case is "Full DarkDAO" where we just anonymously pay people over the internet to use their registration wallets, similar to onchain vote buying:
Ultimately, I want to see Worldcoin as one tool in the sybil resistance toolbelt, not the silver bullet its founders present it as—that's not their fault, it is their job description to 'talk their book'—but it's our job as community members to be realistic. Every system has both weak and strong interpretations—its Motte and Bailey, if you will. While Worldcoin operates on a different axis than government IDs and passports, it's essentially functioning as its own certificate authority, just like governments do, but with better biometric technology.
It's undeniably interesting hardware, but when you peel back the layers, you find it's fundamentally a sophisticated oracle with all the classic problems that oracles bring. The question isn't whether it's perfect—no system is—but whether it's useful enough to justify participation despite its limitations.
After all this pondering, I ultimately decided to get scanned yesterday. Several factors tipped the scales:
The privacy concerns didn't hold much water given how easily observable iris patterns are in daily life. The trust issues, while legitimate, aren't necessarily worse than the many other centralized systems I already participate in. Of course, $80 in WLD is neither here nor there for lucky me, and—though admittedly a very unprincipled argument—if I were going to hypothesize concern about unscrupulous operators potentially stealing iris codes, it would then be logical to secure my own Worldcoin airdrop before someone else might, even if I were to send the airdrop to a burn address, donate it, or just swap it for ETH.
While I do think 'protesting' Worldcoin by not participating still has some merit (after all, there is ultimately a founding team that benefits from its adoption), my participation doesn't imply I think WLD is a better asset to hold than ETH, or that I am going to buy WLD. The system does have flaws, as outlined above, but we also don't have any evidence that biometric data is getting uploaded to Sam Altman's personal hard drive. 2 years in, I think World has published enough information to move beyond the 'trustmebro' phase of project development. The benefits are also not a pipedream; the Worldchain ETH L2 could also onboard millions onto the global Ethereum economy with a high-quality, gasless UI/UX.
Do I need to hand in my cypherpunk membership card now? Well, maybe not any more than I need to for using centralized L2s and CeX onramps. Let's be clear: no antisybil mechanism will ever be as pure cypherpunk as BTC or ETH. Show me an oracle or a root-of-trust and I'll show you a flaw. But you don't need to be Satoshi to build something real on ETH that improves things somewhat over the status quo. Asset-backed stablecoins are exactly this, and I contend it's a better strategy to bring people onchain and lead them to more decentralized assets than asking them to be cypher-maxi on day 0. Sometimes the best approach isn't to wait for perfection that will never come, but to engage critically, maintaining healthy skepticism, while realistically weighing the costs & benefits.
Daniel Fernandes
What's your most "scare the hoes" political opinion? I'm honestly very curious what the dichotomy of FC/BSKY is.
Supporting link + recommended soundtrack https://bsky.app/profile/sky.skymarchini.net/post/3lwwpze2y2s2p https://open.spotify.com/album/3u20OXh03DjCUzbf8XcGTq?si=mwr9CEgIRAitW1ci50i5PQ
I think I'm weird in crypto because I 1. think governments should proactively regulate and incentivize a society we collectively decide we want to live in 2. firmly believe we should fund and build ungovernable dissent tech
😭
they won't stop attacking my culture
kinda what I expected from BSky w.r.t. authoritarian populism. I expect FC to lean more libertarian, which is a bit of a catch-22, because the ultimate telos of libertarianism is to abolish politics and thereby political opinions. For me, I'd say I'd support government adopting Worldcoin orb scanning because it's actually more secure than what they do now: https://paragraph.com/@dfern.eth/pondering-the-orb
bruh that is an incredible bailey bc you scared me!
my background/upbringing had a lot of paranoia about bio-scanners/verification as the mark of the beast tho, so that might be part of it.
I think the thing we thought of as “politics” for past 40 years in the U.S. is over. The wheels of government will continue to turn but the gap between coherent policy and “the will of the people” will widen further and further every year as our brainrotted dopamine receptors get too addicted to 10 std deviations of extremism to even pretend to participate in the republic.
200 $EGGS
You have a fundamental human right to violently overthrow the fucking government
Would not scare based hoes.
American taxpayers are about to be exit liquidity for big whales — like massive idgaf about Trump that’s beans to me mfers This WHOLE FUCKING THING is a goddamn troll