So I have read the whitepaper of Worldcoin as it sounds crazy to me to distribute the tokens as an incentive in exchange for IRIS data.
Based on the provided whitepaper, here are the main principles of the Worldcoin Foundation to protect the data privacy of the users:
1) Privacy-Preserving Issuance: The whitepaper mentions that the humanness check and issuance of World ID happen locally via a custom biometric device called the Orb. As per this, no images need to be saved or uploaded by the issuer. This means that the biometric data, such as iris images, are not stored centrally but processed locally on the Orb itself, reducing the risk of unauthorized access to sensitive biometric information.
2) Zero-Knowledge Proofs: The World ID protocol employs zero-knowledge proofs, which are cryptographic techniques that allow one party (the verifier, including Web2) to verify the authenticity of certain information without the need for the user to reveal the actual data. This helps protect the privacy of the biometric data while still providing the necessary proof of personhood.
3) Self-Custody of Images: The Whitepaper mentions self-custody of face images as a requirement for face authentication. This implies that users have control over their biometric data, and the images are stored securely on their own devices. It ensures that the biometric data is not stored in a centralized database where it might be vulnerable to breaches.
4) Local Authentication: The text emphasizes that authentication, whether through face or iris, is performed locally on the user's device (phone) in most cases. This approach minimizes the need to transmit biometric data over networks or store it on remote servers.
5) Decentralization: The vision for the Orb and World ID issuance is for the development, production, and operation to be decentralized over time(?).
Whilst I am not able to verify the technical aspect of the above and despite the privacy-focused design principles outlined, I believe it's essential to consider that any real-world implementation of a biometric-based system must adhere to strict data privacy regulations and best practices.
