The data regulatory authority of Portugal has asked Worldcoin to seize operations for 90 days. As per a new Cointelegraph article, the agency noted that the project was directed to refrain from collecting user data in the country for the duration. The regulator noted that the decision was to avert the risk of data protection rights for the citizens.
The National Data Protection Commission (CNPD) issued a statement on the matter regarding their decision to temporarily limit Worldcoin from collecting biometric data via Orb devices in the region.
As per CNPD, the decision was to protect the rights to privacy with an emphasis on minors. The measure is applicable with immediate effect and will remain so until the investigation is concluded that was opened on 8th March.
Worldcoin has issued Orb devices that allow designated operators to scan individual irises. In exchange, the users are able to create a digital ID and utilize the native cryptocurrency. Worldcoin was founded by Sam Altman, who is also the CEO and co-founder of the OpenAI project.
As per the company, more than 4.5 million people in 120 nations have signed up with Worldcoin. Portugal noted that around 300K people have provided biometric data to register with the project.
Worldcoin Poses Risks to the Fundamental Rights of Citizens
CNPD told media that the latest measures were taken after receiving dozens of reports regarding data collection from minors without proper authorization from their parents or legal authorities.
The report further stated as per the current laws of the country it is illegal to process the biometric data of minors based on GDPR standards. The CNDP noted that risk to fundamental rights of citizens is significantly high.
Therefore, the regulator has decided to interfere to prevent serious or irreparable damage. Paula Meira Lourenco, President of CNPD claimed that the intervention was indispensable and justified in order to protect the public interest in safeguarding the fundamental rights of minors.
These complaints were also addressed to the Worldcoin Foundation that oversees the Worldcoin data collection initiative.
At the same time, the government of Kenya has continued its ban against the project despite pressure from the United States to relax its stance. Meanwhile, authorities in Spain have told Worldcoin to cease operations after receiving complaints about local users unable to withdraw funds with their consent. It was also alleged that the platform was collecting data from minors in the same area.
Worldcoin Foundation Responds to the Allegations from Regulators
Worldcoin Foundation issued a statement on 18th March noting that it ensures lawful operations in all locations where it is available. The firm noted that the project was designed to be fully compliant with related laws.
On 22nd March, Worldcoin annouced that it has made the software open-sourced and added a personal custody feature for better privacy and greater data autonomy to the users.
Trail of Bits, a third-party technical audit services recently published a detailed report regarding the Worldcoin Orb software. The report claimed to have found no vulnerabilities on Orb software that are subjected to direct exploit in regards to the project goals. The full audit report is set to publish on 14th March as per emailed statement from Worldcoin.
Privacy Issues Associated with Worldcoin
There are some privacy concerns associated with the project that have criticized the iris data collection noting that it could be vulnerable to hackers and susceptible to misuse. The current Orb version is 4.0.34 as per the report.
Auditors published the report after 6-weeks research and audit process. The auditors considered various attack vectors but concluded that the Orb code was not open to direct exploits.
The auditors commented that iris data is not placed on persistent storage and is included only in a single request to Orb’s code. The report noted that it is possible to add modifications in the code to make it more secure but it is still protected against typical hackers and to invade successfully the hackers have to possess one of the trusted certificates.