Cybersecurity News that Matters

Feature: Iris scanning, security tool or privacy threat?

Illustration by Areum Hwang, The Readable

by Minkyung Shin

Oct. 24, 2024
5:16 PM GMT+9

Iris scanning is becoming increasingly popular as a fast and accurate method of biometric identification, commonly used to unlock smartphones and verify financial transactions. Its contactless ease of use has led to widespread adoption across various industries. However, despite its convenience, iris scanning raises significant concerns regarding data sensitivity and potential breaches. While advancements in security enhance personal identification technology, they also intensify concerns over privacy and identity theft.

What is iris scanning?

Iris scanning is a biometric technology that identifies individuals by analyzing the unique patterns in their irises. It offers high levels of accuracy and security, and it is generally considered more reliable than other biometric identification methods. Iris data contains 266 identifiable features, about 6.65 times the 40 identifiable features of a fingerprint. The likelihood of two individuals having the same iris pattern is only one in a billion. Furthermore, even the left and right irises of the same person have distinct patterns.

Moreover, the iris pattern a person is born with, like their fingerprints, remains unchanged throughout their lifetime. This consistency allows biometric systems to reliably identify individuals over time.

According to a paper by Park Kang-ryoung, a professor in the Division of Electronics and Electrical Engineering at Dongguk University, iris scanning is a more precise method of distinguishing individuals compared to other biometric technologies such as fingerprinting, facial recognition, and voice scanning. The primary reason for this is that the iris is a unique feature of the human anatomy that people are born with and which, unlike other parts of the body, remains unchanged over time or under varying conditions.

However, Professor Park noted that as an iris scanning system collects data from multiple individuals, the false recognition rate may increase. When the system scans a biometric, it compares the data against others stored in a database to find a match. However, as the number of biometrics in the database grows, the likelihood of similar information existing also increases, potentially causing confusion and leading to misidentification.

The risks of iris scanning

The Personal Information Protection Commission (PIPC), South Korea’s national agency responsible for personal information, released its “Biometric Information Protection Guidelines” in September 2021. The guidelines caution that if iris data is leaked, the unique and immutable nature of this data could prevent the affected individual from using their iris information ever again. This situation could result in serious issues, including, most concerningly, financial fraud.

In 2016, Samsung Electronics introduced iris scanning technology in its Galaxy Note 7 smartphone, describing it as an additional authentication method to enhance customer security. However, in May 2017, the Chaos Computer Club (CCC), Europe’s largest hacking group, released a video demonstrating a security vulnerability that allowed hackers to bypass Samsung’s iris scanning systems using just a photo of an iris. The hackers showed that by printing a picture of a person’s eyes and placing a contact lens over the printed iris, they could successfully trick the iris scanning system into unlocking the phone.

Worldcoin’s iris scanning

The Worldcoin Foundation, an iris-scanning-based cryptocurrency exchange founded by Sam Altman, the CEO of OpenAI, operates in 160 countries worldwide. The hardware and software technology behind the Worldcoin application is provided by its development company, Tools for Humanity (TFH). TFH employs an iris scanner known as the “Orb” to capture a user’s iris image, converting it into a numeric code called an “iris code.” This iris code is then used by the Worldcoin application to verify whether a user is human or a bot.

On September 25, the PIPC of South Korea announced that Worldcoin had failed to clearly disclose the purpose of collecting iris data and personal information from its users, nor had it accurately informed users about the transfer of personal information overseas. In response, the PIPC fined the Worldcoin Foundation and its technical support company TFH a total of $1.14 billion. Additionally, the commission issued improvement orders to the Worldcoin Foundation, specifying that users’ data should not be used for any purpose other than the company’s initially stated purpose.

The investigations began after the PIPC received complaints voicing concerns regarding the collection of iris data and personal information from Worldcoin users. A PIPC spokesperson, contacted by The Readable, stated, “We received complaints from users that Worldcoin collected iris data and personal information without clearly disclosing how and for what purpose it was to be used.”

According to Worldcoin, once the iris image captured by the Orb is converted into an iris code, the original image is deleted immediately. The converted iris code is then encrypted and stored on the company’s servers. Worldcoin explained that the purpose of the iris code is to prevent users from signing up for the app multiple times and receiving duplicate cryptocurrency payouts.

However, the PIPC pointed out that even though the original iris image is deleted immediately, the iris code still constitutes sensitive information. In response, the PIPC recommended that the company enhance its practices when collecting users’ sensitive information by clearly disclosing what data is collected and how it is going to be used.
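The two technical points above, Professor Park's observation that the false recognition rate grows with the size of the database, and the PIPC's point that a stored iris code remains sensitive even after the image is deleted, can be made concrete with a small simulation. The following Python is an added example written for this article; it is not code from Worldcoin, Tools for Humanity, Professor Park's paper, or any vendor. Every parameter is constructed: the code length, the matching threshold, the bit-flip rate for a repeat capture, and the per-comparison false match rate of one in a billion, which is borrowed from the article's figure purely as an illustrative stand-in, not a measured error rate.

```python
import random

# All parameters below are constructed for illustration; real iris-code lengths,
# thresholds and error rates differ and are vendor-specific.
CODE_BITS = 2048
MATCH_THRESHOLD = 0.32  # normalized Hamming distance at or below which two codes "match"


def hamming_fraction(a: int, b: int, bits: int = CODE_BITS) -> float:
    """Fraction of differing bits between two bit-strings held as Python ints."""
    return bin(a ^ b).count("1") / bits


def random_code(rng: random.Random, bits: int = CODE_BITS) -> int:
    """Stand-in for the code derived from an unrelated person's iris."""
    return rng.getrandbits(bits)


def noisy_copy(code: int, rng: random.Random, flip_fraction: float = 0.10, bits: int = CODE_BITS) -> int:
    """Simulate a fresh capture of the SAME iris: a fraction of bits differ (lighting, occlusion)."""
    for pos in rng.sample(range(bits), int(bits * flip_fraction)):
        code ^= 1 << pos
    return code


def identify(probe: int, gallery: dict, threshold: float = MATCH_THRESHOLD, bits: int = CODE_BITS) -> list:
    """1:N identification: every enrolled id whose stored code is within threshold of the probe."""
    return [uid for uid, stored in gallery.items() if hamming_fraction(probe, stored, bits) <= threshold]


def identification_false_match_rate(per_comparison_fmr: float, gallery_size: int) -> float:
    """Chance that a probe from someone NOT enrolled matches at least one of N stored codes,
    treating the N comparisons as independent: 1 - (1 - FMR)^N."""
    return 1.0 - (1.0 - per_comparison_fmr) ** gallery_size


def empirical_false_match_rate(gallery_size: int, trials: int, seed: int = 1,
                               bits: int = 16, threshold: float = MATCH_THRESHOLD) -> float:
    """Measure the 1:N false match rate by simulation. Deliberately short codes are used so
    that chance collisions are frequent enough to observe in a few hundred trials."""
    rng = random.Random(seed)
    gallery = {f"user_{i}": random_code(rng, bits) for i in range(gallery_size)}
    hits = sum(1 for _ in range(trials) if identify(random_code(rng, bits), gallery, threshold, bits))
    return hits / trials


def demo_reidentification(seed: int = 42, enrolled: int = 100) -> list:
    """Enroll `enrolled` constructed codes, then re-capture one of them with noise.
    The stored code alone, with no image kept, is enough to pick that person out again,
    which is why a template is still sensitive information."""
    rng = random.Random(seed)
    gallery = {f"user_{i}": random_code(rng) for i in range(enrolled)}
    probe = noisy_copy(gallery["user_7"], rng)
    return identify(probe, gallery)


if __name__ == "__main__":
    print("1:N result for a re-captured iris:", demo_reidentification())
    # Illustrative per-comparison rate of one in a billion, scaled to growing databases.
    for n in (1, 1_000, 1_000_000, 1_000_000_000):
        print(f"N={n:>13,}  P(at least one false match) = {identification_false_match_rate(1e-9, n):.3g}")
    print("empirical, N=1 :", empirical_false_match_rate(1, 200))
    print("empirical, N=50:", empirical_false_match_rate(50, 200))
```

Two things to take from running it: the analytic curve shows that a per-comparison rate that looks negligible becomes a coin flip once the gallery approaches the reciprocal of that rate, and `demo_reidentification` shows that deleting the image changes nothing about the linkability of the stored code, since matching only ever needed the code.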

Global concerns: countries are regulating Worldcoin

Worldcoin’s iris data collection has already faced regulation from several countries. On May 22, the Privacy Commissioner for Personal Data (PCPD), the office responsible for privacy protection in Hong Kong, determined that Worldcoin’s practice of collecting iris and facial images in the region violated privacy laws and ordered the company to cease all related activities.

The PCPD stated that it has inspected six Worldcoin operating locations in Hong Kong since January 2024. The inspections revealed that the iris data and facial images collected by Worldcoin were unnecessary and that there was no clear explanation of how personal information was being collected and stored. According to the PCPD, a total of 8,302 iris scans were collected by Worldcoin in Hong Kong.

The media outlet Reuters reported in July 2023 that the Bavarian State Office for Data Protection Supervision, Germany’s data supervisory authority, has been investigating Worldcoin’s processing of biometric data since November 2022. Michael Will, president of the Bavarian State Office for Data Protection Supervision, expressed concern to Reuters about the use of new technologies to process sensitive data on a large scale, highlighting potential risks regarding whether users have given clear consent for their biometric data to be processed.

Around the world, several other nations, including France, India, Spain, and Kenya, have suspended Worldcoin’s iris scanning services.

The Readable reached out to TFH for comments regarding the PIPC’s investigation. However, TFH did not respond to the request for comment.

Meanwhile, on October 17, TFH announced plans to rebrand Worldcoin during an official event in San Francisco, California. The company stated that it will rename Worldcoin to “World” and introduce new authentication methods, incorporating passport details alongside iris scanning as a means of personal identification.


  • Minkyung Shin

    Minkyung Shin serves as a reporting intern for The Readable, where she has channeled her passion for cybersecurity news. Her journey began at Dankook University in Korea, where she pursued studies in...
