Worldcoin has disclosed the outcomes of a third-party audit carried out by Trail of Bits, focusing on its iris-scanning Orb technology. The Worldcoin Foundation, in collaboration with Tools for Humanity (TFH), engaged Trail of Bits to conduct a comprehensive review of the Orb’s software. This audit extended beyond routine security checks to evaluate specific privacy and functionality aspects of the Orb.
The audit examined the Worldcoin Orb devices, in particular their data handling and security measures. The results indicated that the devices retain no personal information beyond the encrypted iris code, which is transmitted for verification purposes.
The privacy review of the Worldcoin Orb commissioned by TFH set several technical parameters for the audit, including the software version under review: the Orb's software as of July 8, 2023.
During the default (opt-out) signup process, the Orb collects only the user's iris code; no other personally identifiable information (PII) is stored on the device or transferred from it.
For users who opt into the more extensive data collection, any PII stored on the device's SSD is asymmetrically encrypted, so the Orb itself holds no key that could decrypt it.
The audit further confirmed that the Orb does not extract sensitive information from users' devices: the only data it takes from a user's phone is what is encoded in the QR code the Orb scans.
The handling of users' iris codes was assessed in detail. The audit established that the iris code is not persistently stored on the Orb, is transmitted to the backend in a single request, and can only be sent to pre-approved servers over an end-to-end encrypted channel.
In Trail of Bits’ conclusion, the analysis “did not discover vulnerabilities in the Orb’s code that could be directly exploited in relation to the Project Goals as described.”
The report acknowledges that Trail of Bits identified some unconfirmed concerns that could theoretically affect the project goals, but notes that the affected code has since been updated. The audit did not uncover any instance in which the project goals would be directly compromised.