So I have read the whitepaper of Worldcoin as it sounds crazy to me to distribute the tokens as an incentive in exchange for IRIS data.

Based on the provided whitepaper, here are the main principles of the Worldcoin Foundation to protect the data privacy of the users:

1) Privacy-Preserving Issuance: The whitepaper mentions that the humanness check and issuance of World ID happen locally via a custom biometric device called the Orb. As per this, no images need to be saved or uploaded by the issuer. This means that the biometric data, such as iris images, are not stored centrally but processed locally on the Orb itself, reducing the risk of unauthorized access to sensitive biometric information.

2) Zero-Knowledge Proofs: The World ID protocol employs zero-knowledge proofs, which are cryptographic techniques that allow one party (the verifier, including Web2) to verify the authenticity of certain information without the need for the user to reveal the actual data. This helps protect the privacy of the biometric data while still providing the necessary proof of personhood.

3) Self-Custody of Images: The Whitepaper mentions self-custody of face images as a requirement for face authentication. This implies that users have control over their biometric data, and the images are stored securely on their own devices. It ensures that the biometric data is not stored in a centralized database where it might be vulnerable to breaches.

4) Local Authentication: The text emphasizes that authentication, whether through face or iris, is performed locally on the user's device (phone) in most cases. This approach minimizes the need to transmit biometric data over networks or store it on remote servers.

5) Decentralization: The vision for the Orb and World ID issuance is for the development, production, and operation to be decentralized over time(?).

Whilst I am not able to verify the technical aspect of the above and despite the privacy-focused design principles outlined, I believe it's essential to consider that any real-world implementation of a biometric-based system must adhere to strict data privacy regulations and best practices.

Based on the recent approach of regulators, I don't believe being decentralized lets you avoid the regulations, especially when it comes to biometric data which requires extreme care. To ensure robust data privacy protection, Worldcoin team must consider aspects like data encryption, secure data storage, user consent, data minimization, right to erasure, and adherence to relevant data protection laws. Intensive communication must be initiated with the regulators, particularly with European Data Protection Board I would recommend.

Any biometric system, handling the biometric data requires extreme caution to protect users' privacy and prevent potential misuse or unauthorized access. So, in essence, the Orb doesn't know who you're. It only knows that you're a unique (not previously introduced to the system) human. This comes down with a question, what if the data is leaked and becomes "identifiable"? Then GDPR says it would be a data breach, but how can one notify data subjects when it doesn't know who they are? This Orb issue has been controversial already as Orb's current stance sounds like a paradox - knowing but not knowing, identifying but not identifying... But one thing is for sure, the regulators will definitely have something to say about the WorldCoin project, especially the project is right under the spotlights.

Let's see how this Worldcoin will unfold in the future.

M.Y.