The privacy and security risks of biometric IDs demand builders consider modular privacy applications or face real-world vulnerabilities.
Opinion
Opinion by Ankur Rakhi Sinha, co-founder and CEO of Airchains.
Worldcoin (which rebranded as “World” in late October 2024) has faced fines and lawsuits worldwide, and the charge is always the same: a systemic failure to protect user data. Worldcoin, founded in 2019 by Sam Altman of OpenAI fame, asks users to verify their humanness through iris and face scans in exchange for a digital ID and free tokens. Multiple governments have blocked its activities for violating local privacy laws.
There are laws and regulations to protect users and their data, but they are only ever enforced after the breach occurs. Blockchain adoption for real-world use cases hinges on privacy. Worldcoin proved why we can’t build a plane while flying it.
Worldcoin was one of those crazy crypto ideas, reinventing itself in 2024 after influence and hype had brought in huge investment. This approach can’t be our only option. We can create fit-for-purpose, scalable record-keeping right now that avoids a repeat of Worldcoin’s privacy debacles.
Consider this a call to action for the crypto community: Keep taking moonshots, but embrace the emerging encryption technologies that will help us secure what we build, especially our biometric data. We all need confidence in our privacy.
The trouble with Worldcoin
The trouble with Worldcoin starts with its black-box nodes. World Chain was built as a permissioned layer-2 blockchain on top of Ethereum: block production and the node set are controlled by World Chain insiders rather than open to anyone who wants to run a node. Only members of the Worldcoin node club can verify what is happening on its blockchain, so outsiders cannot independently audit it, and that small set of operators becomes a single point of failure for attackers to target.
That runs against everything open-source communities have learned: the more transparent an application’s operations are, the more likely a vulnerability will be found and fixed before an attacker exploits it. Biometric data should not be stored in black boxes without proper protections and checks and balances.
Public blockchains also face problems when private companies operate what are effectively walled gardens. The tech meant to be used for secure data storage, management and transfer has lost the transparency and trust that blockchain tech offers. Biometric data should not be stored in walled gardens, away from public scrutiny. This approach is entirely antithetical to decentralization.
ZK, the great new hope?
Worldcoin’s proof of personhood relies on zero-knowledge proofs (its World ID protocol is built on the Semaphore scheme). Zero-knowledge (ZK) technology allows data to be validated as correct without revealing its content. Great hope has been put in ZK technologies for biometric data privacy, and ZK is discussed as a panacea for every privacy ailment. Despite its cult-like following, ZK does not solve data storage concerns: a proof can show that an iris code belongs to the set of enrolled users without revealing which one, but it says nothing about how the raw scans behind that set are collected, stored or deleted.
Worldcoin has even admitted to collecting more data than needed, promising in a now-amended blog post to delete that data once its models were trained. The Worldcoin data leak scandal suggests that this raw biometric data was never confined to a protected, closed loop. ZK-proofs protect the verification step, not the images and iris codes that are held before and after it.
Building genuinely private and secure identity onchain
After Worldcoin, other, more controlled custodians of identity data have emerged. Fractal ID has built an interoperable Decentralized Identity system that assists external parties with Know Your Customer (KYC) onboarding. Fractal suffered a significant breach in July 2024, with a ransomware group stealing 10GB of data on 300,000 users, including personal photos, bank statements, proof of address, and Bitcoin (BTC) and Ether (ETH) addresses.
Even this credible attempt at onchain identity highlights the need for further protection of user data, especially biometric data. That additional protection can be found by combining different kinds of encryption rather than relying solely on ZK-proofs.
After Worldcoin, ZK is only part of the solution
Encryption — ensuring it can be used appropriately and verified — is critical to any digital ID protecting users’ biometric data. ZK-proofs are great for verifying computations, but the prover must hold the private data (the witness) to generate the proof. That’s the trouble with Worldcoin: the prover is Worldcoin’s own infrastructure, so you have to trust Altman and Co. with the plaintext.
Combining ZK-proofs with the latest in encryption, such as Fully Homomorphic Encryption (FHE), lets digital biometric ID providers keep sensitive data encrypted while it is being used. With FHE, the operator computes on ciphertexts it cannot decrypt; a ZK proof over that computation lets you check it was carried out correctly. Together, ZK-FHE lets you verify a computation without handing the prover your private data.
FHE removes the plaintext honeypot that attackers target: a breached matching server yields only ciphertexts, not usable biometrics, provided the decryption key is held elsewhere. That is how FHE enhances trust in biometric systems: user data stays encrypted even while it is processed for authentication or verification.
While ZK proves that something is true without revealing any additional information, FHE performs computations on encrypted data without needing to decrypt it, so the data remains safe throughout. Together, ZK-FHE can stop future Worldcoin debacles and advance our industry’s more plausible moonshots.
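The following is an added, runnable illustration of the “compute on encrypted data without decrypting it” idea above; it is not code from the article, from World or from any vendor. It uses Paillier, an additively homomorphic scheme (a weaker cousin of FHE that fits in a few dozen lines), to let a matching server compute the Hamming distance between a fresh iris scan and an enrolled iris code while the enrolled code exists on the server only as ciphertext. The decryption key lives with a separate key service that sees only the distance and releases only a yes/no. The primes, the 256-bit code length, the bit-flip count, the 0.32 threshold and the sample codes are all constructed for the demo; the roles (Orb, matching server, key service) are assumptions for illustration. Two caveats a practitioner should note: with additive HE the fresh probe still reaches the matching server in plaintext (full FHE, as proposed in the text, would let both inputs be encrypted), and nothing here proves to anyone that the server ran this exact computation, which is the part a ZK proof would add.

```python
"""Toy privacy-preserving iris matching with an additively homomorphic scheme
(Paillier).  Added example with demo parameters and constructed data; not
production cryptography.  Requires Python 3.8+ (pow with a negative exponent)."""
import random
import secrets
from math import gcd

# --- Key material (held by a key service, NOT by the matching server) -------
# Toy modulus from two well-known Mersenne primes, 2^61-1 and 2^89-1.
# Real Paillier needs ~2048-bit n; these only make the demo fast and runnable.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
N2 = N * N
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)  # lcm(p-1, q-1)
MU = pow(LAMBDA, -1, N)                            # valid because g = n + 1


def encrypt(m: int) -> int:
    """Public-key operation: c = (1+n)^m * r^n mod n^2 with fresh random r."""
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return (pow(1 + N, m, N2) * pow(r, N, N2)) % N2


def decrypt(c: int) -> int:
    """Private-key operation; only the key service ever runs this."""
    u = pow(c, LAMBDA, N2)
    return (((u - 1) // N) * MU) % N


# --- Enrolment (Orb side): encrypt each iris-code bit -----------------------
def enroll(template_bits):
    """Returns the ciphertexts the matching server stores.  A breach of that
    store yields nothing usable without the key service's private key."""
    return [encrypt(b) for b in template_bits]


# --- Matching server: E(Hamming distance) using only the public key ---------
def encrypted_hamming(probe_bits, enc_template):
    """Per bit, probe XOR t equals t when probe == 0 and 1 - t when probe == 1,
    so E(probe XOR t) is either E(t) itself or E(1) * E(t)^(-1).  Multiplying
    the per-bit ciphertexts adds the per-bit distances under the encryption."""
    acc = encrypt(0)
    for x, ct in zip(probe_bits, enc_template):
        term = ct if x == 0 else (encrypt(1) * pow(ct, -1, N2)) % N2
        acc = (acc * term) % N2
    return acc


# --- Key service: decrypt only the distance, release only a decision --------
def decide(enc_distance, code_len, threshold=0.32):
    """Threshold 0.32 of the code length is an assumed demo value in the range
    used for iris codes; tune it to the real false-match budget."""
    hd = decrypt(enc_distance)
    return hd < threshold * code_len, hd


def hamming(a, b):
    """Plaintext reference used only to check the encrypted result."""
    return sum(x ^ y for x, y in zip(a, b))


def run_demo(code_len=256, flips=30, seed=7):
    """Constructed data: a random iris code, a noisy re-scan of the same eye
    (30 flipped bits) and an unrelated eye.  Returns the two decisions, the
    decrypted distances, and whether they agree with plaintext Hamming."""
    rng = random.Random(seed)
    template = [rng.randint(0, 1) for _ in range(code_len)]
    same_eye = list(template)
    for i in rng.sample(range(code_len), flips):
        same_eye[i] ^= 1
    other_eye = [rng.randint(0, 1) for _ in range(code_len)]

    stored = enroll(template)  # only ciphertexts leave the Orb
    same_ok, same_hd = decide(encrypted_hamming(same_eye, stored), code_len)
    other_ok, other_hd = decide(encrypted_hamming(other_eye, stored), code_len)
    return {
        "same_eye": (same_ok, same_hd),
        "other_eye": (other_ok, other_hd),
        "plaintext_check": same_hd == hamming(template, same_eye)
        and other_hd == hamming(template, other_eye),
    }


if __name__ == "__main__":
    print(run_demo())
```

The matching server never calls decrypt and never holds the enrolled code in the clear; what it learns at match time is the fresh probe and an opaque ciphertext of the distance. Moving the key out of the data store is what turns a database breach from a biometric leak into a pile of useless numbers, which is the property the paragraph above attributes to FHE.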
We need a new terminology for privacy stacks
Privacy with confidence means that users understand what is under the hood. Biometric data-collecting consumer products are not selling privacy promises — they are selling public confidence.
ZK-FHE combined as a stack will be essential for managing and verifying biometric data because it ensures sensitive information, such as fingerprints or facial scans, stays protected throughout its entire lifecycle without ever being decrypted by the provider handling it.
ZK-FHE use cases were already deployed in 2024: local government land registries in India and non-governmental organizations (NGOs) have used them for record-keeping. This combination of ZK-proofs and FHE could unlock blockchain record-keeping at scale.
Onchain biometric IDs can benefit many use cases, but we can and must do better. We need multiple dimensions for our privacy; otherwise, there will always be a vulnerability for hackers to exploit.
Ankur Rakhi Sinha is co-founder and CEO of Airchains, a modular and multichain privacy network that powers verifiable and confidential computation based on ZK and FHE. Before founding Airchains, he worked with Matic and Polygon Edge as an engineer designing institutional use cases in India through his consulting firm, Retcons Technology. Sinha was previously a radio host who studied mining engineering at the Government Engineering College, Jagdalpur, while mining Ether in his spare time.
This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
This article first appeared at Cointelegraph.com News