Crypto for retinas: Hong Kong Privacy Commissioner launches investigation into Worldcoin

Introduction

The Privacy Commissioner for Personal Data in Hong Kong has initiated an investigation into the local operations of Worldcoin, citing "serious risks to personal data privacy". As part of the investigation, the Privacy Commissioner executed search warrants to search six premises controlled by Worldcoin in Hong Kong¹. The Privacy Commissioner's investigation into Worldcoin is a proactive move initiated by the authority itself (on the basis of reasonable grounds to believe an act is or was in contravention of the Personal Data (Privacy) Ordinance (Cap 486) (PDPO)), rather than in response to any complaint.

Worldcoin's mission

Worldcoin, launched in July 2023 and founded by Sam Altman of OpenAI, aims to create a globally-inclusive identity and financial network. Referred to as "proof of personhood", Worldcoin seeks to establish that an individual is both human and unique. Individuals are required to scan their irises using an imaging device called the Orb to obtain a registered identity known as a World ID, after which they would receive free Worldcoin tokens. Most scanning centres around the world are operated by independent local businesses called Orb Operators.

Common identity verification services in Hong Kong provide a means of identification (e.g. by e-certificate or verified account) after identity verification through the individual's Hong Kong identity card, for example. Similarly, a World ID allows individuals to prove that they are human to any verifier while maintaining their privacy through zero-knowledge proofs.² Worldcoin has gained immense popularity since its launch, with more than 4 million users worldwide having obtained a World ID through the retina scan procedure.

However, the project immediately drew the attention of regulators around the world over privacy concerns, resulting in, for example, the suspension of services in Kenya, temporary pause of iris scans in India and recent suspension of services in Spain. There are also ongoing investigations into Worldcoin in other jurisdictions such as the UK, France, Germany and Argentina.

Potential contravention of the PDPO

Iris information has been accepted to be sensitive personal data because it is unique to an individual and cannot be altered. Retina images have been accepted as being able to indicate the health condition of individuals and may be used to ascertain an individual's health and personality. In light of the sensitivity of retina information, the Privacy Commissioner was concerned that the collection and processing of personal data by Worldcoin, particularly retina information, may have been in contravention of the requirements of the PDPO.

DPP 1: Fair collection

The PDPO prescribes several data protection principles (DPP) in Schedule 1. On the fair collection of personal data, DPP 1 requires that personal data must be collected for a lawful purpose directly related to the data user's function or activity. The data collection must be necessary, adequate but not excessive for that purpose, and the means of collection must be lawful and fair. Organisations must take all practicable steps to notify data subjects of the purpose of data collection, the classes of persons to whom the data may be transferred, whether the provision of data is obligatory or voluntary, and the consequences of failing to provide the data.

Therefore, the Privacy Commissioner is likely to investigate whether the biometric data is collected solely for the purpose of identity verification as claimed by Worldcoin³ and, if so, whether the data subjects were properly informed of this purpose and whether explicit and genuine consent had been obtained from data subjects. Given Orb Operators and not Worldcoin itself facilitate the iris scanning and verification process, Orb Operators may be data processors for the purposes of the PDPO. It remains unclear whether users have given express consent to have their biometric data transferred to and processed by Orb Operators. The format in which the personal data was stored would also be a consideration for the Privacy Commissioner. For example, if the retina scans were stored as mere photographs, this would be more sensitive than if those scans were stored as metadata and which could only be understood through a separate process.

DPP 2: Accuracy and duration of data retention

DPP 2 requires data users to take all practicable steps to ensure that personal data is not kept longer than is necessary for the fulfilment of the purpose for which the data is used. Worldcoin claims that the retina images taken by the Orb are first processed locally on the Orb and then permanently deleted without ever leaving the Orb.⁴ The only data that is generated is the iris code, which is a set of numbers generated by the Orb and is solely used to prevent the same individual from signing up again. It is unclear whether this is truly the case and whether the iris code could be used to reconstruct an iris scan. It is therefore worthwhile for the Privacy Commissioner to investigate exactly how long biometric data would be retained in Worldcoin's database and what steps Worldcoin took to erase any expired data.

DPP 3: Use of personal data

DPP 3 requires that, unless the data subject expressly and voluntarily consents, personal data must not be used for any purpose other than the purpose for which the data was expressed to be used at the time of the data collection. Although Worldcoin claims it has never and will never sell or profit from any data,⁵ the mere transfer of personal data to a party or use of the data for a use that was not expressed in the personal data collection statement would have caused Worldcoin to fall foul of this DPP.

DPP 4: Security of personal data

Finally, with regard to the security of personal data, DPP 4 requires data users to take all practicable steps to ensure that any personal data held by them is protected against unauthorised or accidental access, processing, erasure, loss or use.

While Worldcoin claims to have implemented diverse security features in the Orb's hardware to prevent unauthorised access to the biometric data and that the data is encrypted and stored securely,⁶ the effectiveness of these measures in safeguarding the biometric data held by Worldcoin remains uncertain. In particular, the sensitivity of the retina scans suggests that data security measures should be proportionate and commensurate with that level of sensitivity. DPP 4 is unique because, unlike other DPPs, data that is unstructured or requires further processing to make sense of is also caught by its provisions. DPP 4 therefore has effect even where data is held in a form which may be mere metadata. In addition, it is uncertain as to whether Worldcoin has taken adequate measures to prevent unauthorised or accidental access of biometric data by Orb Operators or other third parties. If Orb Operators had contravened the PDPO, Worldcoin would be vicariously liable for the actions or omissions of its agents.⁷ Given the recent pervasiveness of cybersecurity breaches, particularly those that have caused the collapse of entire crypto exchanges, the Privacy Commissioner has recently put an emphasis on investigating any vulnerabilities which would be remedied by practicable measures and issuing enforcement notices to those that have not implemented sufficient protections.

Enforcement actions and potential penalties

The Privacy Commissioner is empowered to issue enforcement notices directing that certain remedial and/or preventive steps be taken. Contravention of an enforcement notice issued by the Privacy Commissioner is an offence punishable by a maximum fine of HK$50,000 and imprisonment for two years, with a daily penalty of HK$1,000 for each day of contravention. Subsequent convictions can result in a maximum fine of HK$100,000 and imprisonment for two years, with a daily penalty of HK$2,000.⁸

In addition, the Privacy Commissioner may prosecute criminal offences under, for example, section 64 of the PDPO.

Conclusion

Given Worldcoin's altruistic mission, the reward of free Worldcoin tokens upon establishing World IDs and the novel method of identity verification, the public has taken an interest in the Privacy Commissioner's investigation. It is not apparent whether Worldcoin contravened any provision of the PDPO, particularly where the issue of a World ID following a method of identity verification may be compared to other identity verification services offered in Hong Kong and globally but which have not attracted similar ire from regulators. The immediately apparent distinction is the use of a retina scan which, although somewhat sensitive, may conceptually be akin to a fingerprint, photographic or official record and which are all used to verify identity by other services.

The Privacy Commissioner is empowered to commence an investigation where it has reasonable grounds to believe that there may be a contravention of the PDPO. However, the execution of search warrants to raid Worldcoin's premises in Hong Kong has sent a message to the market, and particularly technology companies, that there may be barriers or resistance to novel uses of personal data.

Sunny Liu, one of the Litigation team trainees, co-authored this article.

1. See media statement issued by PCPD on 31 January 2024: https://www.pcpd.org.hk/english/news_events/media_statements/press_20240131.html↩
2. A zero-knowledge proof is a cryptographic way for one party (the prover) to prove to another party (the verifier) that they possess knowledge without revealing what the underlying information actually is.↩
3. See Worldcoin's response on DL News on 1 February 2024: https://www.dlnews.com/articles/people-culture/hong-kong-raids-six-worldcoin-operators-with-public-warning/↩
4. See Worldcoin's "Orb Privacy" at https://worldcoin.org/privacy↩
5. See Worldcoin's blog "Tips and Best Practices for Verifying Your World ID at an Orb" at https://worldcoin.org/blog/worldcoin/tips-best-practices-verifying-world-id-orb↩
6. See Worldcoin's blog "Understanding Worldcoin Data Security Practices" at https://worldcoin.org/blog/worldcoin/understanding-worldcoin-data-security-practices↩
7. Section 65(2) of the PDPO↩
8. Section 50A of the PDPO↩

Public link

Please use the above public link if you want to share this noodl on another website.