• DavidGarcia@feddit.nl
    link
    fedilink
    arrow-up
    9
    ·
    1 year ago

    What is their approach to biometrics with blockchain? Do they just dump your data on the blockchain for everyone to see, like Bitcoin? You would assume it is at least hashed.

    Or is it encrypted so that only someone with the corresponding key can use it to prove your identiy? In this scenario they couldn’t verify your identity without your consent. But also then you would always have your key with you at all times, so I doubt they went this route.

    It’s probably just hashed and public, is it?

    • Certainly_No_Brit@discuss.tchncs.de
      link
      fedilink
      arrow-up
      10
      ·
      1 year ago

      “World IDs are issued on the Worldcoin protocol, which allows individuals to prove that they are human to any verifier (including web2 applications) while maintaining their privacy through zero-knowledge proofs.”

      “The Orb uses multispectral sensors to verify humanness and uniqueness to issue an Orb-verified World ID, with all images being promptly deleted on-device per default” Whitepaper

      I guess that the information is somehow encrypted. The whitepaper doesn’t really seem to explain how a website can verify that the “World ID” is owned by a real human. Does the blockchain prohibit an individual from creating multiple World IDs? The World App doesn’t seem to collect any official PII, except an E-Mail address and a phone number, which you can have multiple of.

      If you can create multiple World IDs, which are anonymous (at least the whitepaper and the Google Play Store says so), then bots could also just use a World ID to “verify” that they are human. The whitepaper is really shallow and doesn’t explain some of the most important aspects of verification.

      You get an “anonymous” ID, which is created by biometrics, which are “promptly” deleted after creation of the ID. By that logic it is impossible to stop individuals from creating multiple IDs, except everyone’s state-issued identity is recorded and saved on a central server, which is bad privacy-wise.

      • DavidGarcia@feddit.nl
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        Presumably they canonicalize the data coming out of the orb in some way, so you get the same number/ID out every time you use it. For example, you can represent molecules as many different strings (like C=CC or CC=C for propane) and you would want a canonicalization method to give you the same string every time for the same molecule.

        They might have some machine learning algorithm that is trained on the sensor data as an input and for the output they try to maximize distance between different people in some high dimensional vectorspace, while preserving a sense of similarity between similar people. So then after training the model, you put in the sensor data and you get out some 1069 dimensional vector oht that represents you. Kind of how word embeddings work, that they use for AI.

        Then they take that vector and “round” that vector to get the same result every time. Like one time it might be (1.775, … 2.854, 11.631) and another time it might be (1.777, … 2.863, 11.625), so they just round it to (1, … 2, 11), so they get the same vector 99.999% of the time you use the device.

        Or like some more clever scheme instead of literally rounding. Perhaps another NN.

        That’s how I would do it anyway.

        So that way they avoid a user registering multiple IDs, because the device will reject your new ID request if your vector is already found on record.

        Then they hash it in some way so your biometric data can’t be reconstructed and store it on the blockchain. That or maybe they do some RSA like voodo magic like with Monero.

        So that’s why all data can be deleted on the device, because they destill it down into your unique biometric fingerprint that comes out the same every time, ideally.

        That’s just what I’d expect them to do anyway.

        I’m not quite sure where the zero-knowledge proofs come in, but they are pretty cool in theory. They allow you to do things like knowing the result of a vote without knowing what everyone voted for.

        Also im not quite sure if it’s just a human verification system or an ID system. Those are two very different beasts. One would literally just tell anyone who’s asking if you are a human or not, the other would tell them your ID for tracking.

        Perhaps they use zero-knowledge proofs to avoid storing IDs publicly on the blockchain? That would be pretty cool.

        If it really is just a human verification system and I am correct in how it works, I don’t see much problems with the protocol privacy wise. We will need such a system anyway because of AI. It is unavoidable.

        Since we have no choice (except return to monkey) you would hope it to be as accurate, hard to crack, private, secure, decentralized, FOSS as possible.

        I don’t think WorldCoin and their Orb are FOSS or decentralized. So that’s a huge red flag for abuse. They could just in hardware send your unique ID to some malicious actor. Aside from all the possible software backdoors, exploits etc…

        But as bad as systems like that could be, it seemy pretty alright, all things considering.

      • Goun@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Would that ID expire if you die? Or else there’s gonna be certain type of market waiting to be exploited…