The biometric information is used to generate an “IrisHash,” a code that is stored locally on the orb. The code is never shared, according to Worldcoin, but rather is used to check whether that IrisHash already exists in Worldcoin’s database. To do this, the company says, it uses a novel privacy-protecting cryptographic method known as a
zero-knowledge proof. If the algorithm finds a match, this indicates that a person has already tried to sign up. If it does not, the individual has passed the uniqueness check and can continue registration with an email address, phone number, or QR code to access a Worldcoin wallet. All of this is meant to occur in seconds.
Worldcoin says that biometric information remains on the orb and is deleted once uploaded—or at least it will be one day, once the company has finished training its AI neural network to recognize irises and detect fraud. Until then, beyond vague descriptions like “personal data…sent via secure, encrypted channels,” it’s unclear how this data is being handled. “During our field-testing phase, we are collecting and securely storing more data than we will upon its completion,” the blog post
states. “We will delete all the biometric data we have collected during field testing once our algorithms are fully-trained.”
In response to our questions just before this article went to press, Worldcoin said the public version of their system would soon eliminate the need for new users to share any biometric data with the company—though it hasn’t explained how this will work.