What Happened?
The Chinese Ministry of State Security has issued a rare public warning, stating that foreign companies are using the distribution of cryptocurrencies (such as Worldcoin) as bait to collect sensitive biometric data from the public, including iris and facial information, on a large scale. This behavior not only threatens personal privacy but may also be used for espionage activities, posing a potential threat to national security.
The Ministry emphasized that biometric features such as irises and fingerprints are unique and immutable “biometric keys,” and once leaked, the consequences are irreparable. The World project, which operates primarily on this model, has faced bans or strict investigations in multiple locations, including Hong Kong, Europe, and Kenya, due to data security and privacy controversies.
In response to the increasing prevalence of biometric recognition technology, Chinese officials remind the public to adhere to the principle of “minimum necessity” when asked to provide facial and fingerprint information, and to assert their right to ask about the purpose and storage methods of such data. Experts have also proposed alternative solutions, such as “diversified identities,” in an attempt to find a better balance between convenience and privacy.
Chinese Ministry of State Security: Foreign Institutions Collecting Biometric Data Under the Guise of Cryptocurrency
On the 6th of this month, the Chinese Ministry of State Security released a statement indicating that the application of facial, fingerprint, and iris recognition technologies is becoming increasingly widespread, but the accompanying risks are gradually surfacing. The announcement specifically mentioned that some foreign companies are “cunningly disguising” their intentions by offering cryptocurrency tokens as bait to scan and collect users’ iris information globally and subsequently transferring the data sources, which poses a threat to personal information security and national security.
In addition to iris data, the Ministry expressed serious concern over the leakage of facial recognition data, warning that “improper storage of related data could lead to leaks, jeopardizing not only personal privacy and property security but also posing a threat to national security.”
The announcement cited actual cases, indicating that foreign espionage agencies have carried out espionage through the illegal theft and forgery of facial data, such as infiltrating sensitive work locations involving confidential information.
Although the announcement did not directly name any entities, it is widely believed that it alludes to Worldcoin, founded by Sam Altman, CEO of OpenAI, which has since been renamed World.
The core objective of the World project is to establish a globally universal digital identity system (World ID) in the era of artificial intelligence (AI) to reliably distinguish between “real humans” and “AI robots.” Users’ irises are scanned using a spherical silver device called the “Orb” to verify identity, which in turn allows them to exchange this verification for the issued WLD tokens. According to information on its official website, World operates in 160 countries worldwide, excluding China.
Chinese Ministry of State Security: Biometric Recognition Information is Unique and Permanent
The Ministry emphasized that biometric recognition information is highly unique and stable, and once leaked, the consequences are almost permanent and irreversible. Iris recognition in particular, due to its high precision, is often applied in fields requiring high security standards, making it a target for malicious actors. Once these biometric “keys” are misappropriated, users cannot change them as easily as they would change a password.
Similarly, fingerprint recognition also carries risks. The announcement mentioned that a foreign company’s fingerprint payment system suffered multiple hacks due to poor management, resulting in severe leakage of sensitive information.
Official Statements: World Emphasizes Privacy Protection Mechanisms
World (and its developer, Tools for Humanity) is well aware that privacy is its biggest challenge and has proposed a series of technologies and policies to address external concerns. Its core argument is: “The system we designed can verify real human identities while maximizing protection of personal privacy.”
The main protective measures include the following:
- Immediate Deletion of Iris Images: Officials claim that after the Orb scans a user’s iris, the iris image will be immediately converted into a unique digital code called “Iris Code,” and the original iris image will be permanently deleted without being uploaded or stored.
- Data Minimization and Anonymization: The stored “Iris Code” is a set of hashed values that theoretically cannot be reverse-engineered back into the original iris image. Traditional personal information such as name, phone number, and email is optional during World ID registration, allowing users to remain anonymous.
- Open-Source Iris Scanning Device Orb: The Orb, manufactured exclusively by World, has always been a major concern for users. The World project plans to open-source its hardware and software specifications by the end of 2024, introducing the operational processes and details of various device accessories to alleviate market concerns regarding privacy management.
- Using Zero-Knowledge Proofs (ZKP): This is the technical highlight frequently emphasized by officials. Zero-knowledge proof technology allows users to prove possession of certain information without revealing specific details. In World’s application, when logging into an app using World ID, users can prove themselves as a “unique human,” but the app cannot know the user’s iris code or wallet address. World has also repeatedly emphasized that they have separated biometric data from users’ daily digital activities, ensuring the safety of users’ privacy.
Is It Really Safe? External Doubts and Criticisms
Despite the official statements sounding comprehensive, global regulatory agencies, cryptography experts, and privacy organizations are generally skeptical. China’s warning echoes the growing international concerns regarding large-scale biometric data collection projects.
Since its launch, World has faced stringent regulatory scrutiny in multiple countries, and most skeptical institutions and experts still have the following doubts:
- Centralization Risks: Servers storing “Iris Codes” for millions of people globally are inherently attractive targets for hackers. If breached, even hashed codes could be exploited using future unknown cracking technologies.
- Permanence and Irrevocability of Biometric Data: This is the fundamental issue. While leaked passwords can be changed, irises remain unchanged for life. Once the iris code database is leaked, the potential risks are permanent, with no remedial measures.
- Insufficient Informed Consent: Investigations by regulatory agencies in multiple countries found that World did not adequately explain to users how their data would be used, how long it would be stored, and the associated risks during promotion. Particularly in regions with information asymmetry, using a small amount of cryptocurrency as an “incentive” to exchange for highly sensitive biometric data is deemed unfair.
Regulatory Decisions: Although Worldcoin officially rebranded to World in October 2024 and plans to transition from a pure cryptocurrency project to a broader digital identity platform, governments remain highly vigilant regarding its model of combining financial incentives with biometric data collection. In May 2024, the Hong Kong Privacy Commissioner ruled that World violated multiple privacy regulations, stating that “retaining data for 10 years to train AI models is unreasonable,” and “collecting facial and iris images is unnecessary and excessive,” ordering it to cease operations in Hong Kong.
Investigations or Bans in Multiple Countries
Germany, France, the UK, Spain, and Kenya have also launched investigations or issued bans against World.
Chinese Official Initiatives and Legal Regulations
In China, the government has successively announced regulations such as the “Data Security Law,” “Cybersecurity Law,” and “Personal Information Protection Law” to enhance online data security. The Ministry of State Security concluded the announcement by urging citizens and organizations to strictly comply with the law and advocate the “minimum necessity” principle in daily life, cautiously providing personal biometric information. When asked to provide facial, fingerprint, and iris information, citizens have the right to request the data collectors to explicitly inform them about the storage, processing purposes, and privacy policies to prevent excessive data collection.
The Chinese government also extensively collects biometric data from domestic residents, such as WeChat payment fingerprints and facial recognition by public security in various regions, and for individuals living in China, government data collection is often unavoidable. Projects like World, at least for now, give local users the choice to “Say No.”
Reference Materials: cointelegraph, idtechwire