The World Coin phenomenon has rightly brought to the fore the conversation on data privacy and how our sensitive personal information can be collected and misused. World Coin, a Ficompany whose parent Tools for Humanity has obtained a registration certificate from the Office of the Data Protection Commissioner to collect Kenyans data, has been trending for all the wrong reasons.
On 30th July, news started to spread that Kenyans were lining up to receive Kshs. 7,000 to have their eyeballs scanned by an “orb” , a biometric scanner that had been placed in different locations around Kenya’s capital. Here, WorldCoin agents would guide Kenyans into having their retinal scans taken. Queues of curious and hopeful Kenyans voluntarily signed over their iris data for the promise of the equivalent of Kshs. 7,000 worth of cryptocurrency in the form of World Coin, a new cryptocurrency.
“I queued and got my money and paid my rent” – a young man at the JKIA airport proudly narrated his experience to Al Kags, our Executive Director.
Data protection laws in Kenya
Despite the Data Protection Act being passed into law in 2019, Kenyans remain unaware of their right to privacy and their rights as data subjects. Our ongoing Ficha Uchi campaign led us to various counties in the Western, Nairobi, Rift Valley and Coastal regions, where we sat down with citizens in focus group discussions to try to determine their level of awareness of data protection and their rights as entailed in the law.
“Ati OD–? Hio sijawahi sikia”, (“You said OD-what? I’ve never heard of that”) was a common response from the citizens we asked whether they had heard of the ODPC (Office of the Data Protection Commissioner). As for their rights as data subjects, few could actually articulate what they are. The Data Protection Act paved the way for the establishment of a regulatory body: the Office of the Data Protection Commissioner (ODPC), charged with the mandate of regulating and processing personal data while protecting the privacy of the data.
The ODPC issued an advisory on 30th July to Kenyans, closely followed by a cessation order. The Ministry of Interior and National Administration directed WorldCoin’s parent company, Tools for Humanity, to cease operations in Kenya, making it one of the first countries to halt World Coin’s operations to allow for investigations. Similar investigations are underway in various countries such as Spain, France, Germany and the United Kingdom, where World Coin has been collecting similar data since 2020. They claim that 2 million users as at 2023, and 350,000 of which are Kenyans.
Speaking at KTN News on 2nd August 2023, Al Kags was emphatic that we as Kenyans need to protect our digital resources, of which personal data is a big component.
“Data is the main resource of this decade. It will drive the tools of the future.”Al Kags
Immaculate Kassait emphasised the lack of a lawful basis for the collection of this data.
“As Kenyans, we must be keen to ask why a private institution is collecting biometric data and what they plan to do with it.”Immaculate Kassait
What is WorldCoin?
WorldCoin’s pitch “come and get your share” implies that it’s all about providing access to free cryptocurrency, but at what cost? For users who sign up to the service, it is doubtful if they have all taken the time to read the terms and conditions of the service. Throughout our FichaUchi campaign, we have learned that most Kenyans do not read terms and conditions, they just click on “I agree”. This raises the question of informed consent – do Kenyans truly know why their data is being collected and how it will be stored and used?
On WorldCoin’s website, their parent company, Tools for Humanity is described as a Carlifornian organization with a subsidiary based in Germany. The WorldCoin Foundation, which stewards the WorldCoin protocol, is based in the Cayman Islands, and it also has a business subsidiary based in the British Virgin Islands (World Assets Limited). According to Kenya’s Data Protection Act, cross-border processing of sensitive personal data is prohibited. This restriction promotes the responsible handling of sensitive personal data within the country and ensures that individuals’ privacy rights are respected and protected, fostering trust in data processing practices. Essentially, WorldCoin has not assured us that our data will remain within Kenyan jurisdiction, where our laws will protect us.
Data is the new oil
Data is the main resource of this decade; a precious raw material that drives today’s technology and future advancements. We would not be wrong to assume that organizations like World Coin seem to be exploitative in that they would collect data in a region where the majority of the populace do not truly understand the value of their data. Similar to extractive practices such as the race for diamonds and cobalt in Central Africa, the same could be said of the nature of “powerful” countries and organizations extracting our precious resources for a pittance, yet going on to enrich themselves.
Stories abound of miners digging for minerals, braving the harsh conditions of going into dark tunnels in the ground for weeks on end and hitting the jackpot with large precious minerals, only to be compensated with a fraction of the price. This same mineral gets exported, refined and processed and sold in developed countries for millions of dollars.
Kenyans must ask themselves whether their personal data, especially their sensitive personal data, is worth a meager Kshs. 7,000.
What are the risks?
We applaud the move by the Kenyan government that put a stop to WorldCoin’s operations in Kenya. Still, we wonder, what safeguards will be applied to Kenyans’ biometric data that has already been collected? What measures have been put in place to stop the transfer and analysis of this information?
- Data loss and breaches
According to an article by the Citizen, WorldCoin’s terms and conditions state that the software used to create WorldID (WLD) is open-source and free for anyone to copy and use. This means that anyone can create a modified version of WLD, otherwise known as a “Fork.” The company states that they are not responsible for any losses incurred which are caused in whole or in part by a Fork or other network disruption.
In addition, the terms and conditions state that there will be no refund or compensation in the event of digital tokens being stolen by “hackers or other malicious groups”, or if there is an “intentional or unintentional bug” on the open source software they use.
Malicious people could access sensitive personal information for their own nefarious uses, with no safeguards or process of recourse through WorldCoin. Agreeing to their terms means that “You agree to resolve any disputes between you and Worldcoin through binding arbitration rather than in court.”
- Data misuse
Biometric data can be used for various purposes, but if it falls into the wrong hands or is used without consent, it can lead to misuse, including unauthorized access to systems, financial fraud, or even blackmail. In addition, if WorldCoin shares users’ biometric data with third parties without sufficient safeguards, it can increase the risk of unauthorized access and misuse.
- Training AI systems and deep fakes: Biometric data can be combined with other information to build comprehensive profiles of individuals, further raising privacy concerns.
- Lack of Consent: If individuals are not adequately informed or do not provide explicit consent for the collection and use of their biometric data, it can lead to ethical and legal issues.
- Surveillance Concerns: Large-scale collection and use of biometric data can lead to concerns about mass surveillance, where individuals’ movements and activities are constantly monitored without their knowledge or consent.
- Profiling and Discrimination: Biometric data can be used to create detailed profiles of individuals, potentially leading to discrimination or biased decision-making based on this data.
- Long-term Impact: Biometric data is often considered immutable since it is derived from physical characteristics. If this data is compromised, it can have long-term implications for individuals, as it cannot be changed or reset like a password.
What we need to do
As Africa, we need to have a conversation about our data. As at 2022, 36 out of 54 African countries have data protection laws and/or regulations, while 16 countries have signed the African Union Convention on Cyber Security and Personal Data Protection adopted on 27 June 2014 (“Malabo Convention”). So far, 13 countries have ratified the Malabo Convention. It’s time for Africa to convene and determine what our data will do for us as a continent and come together to ensure that the Malabo Convention is built up as our own version of the European Union’s General Data Protection Regulations (GDPR).
We have continued to call for citizens to be aware of their data rights and to protect these rights. The World Coin craze is now a clarion call around the issue of data privacy and data protection. As Kenyans, we need to be more aware and ask questions about our data. Let’s own our data.
Form ni Kuficha Uchi!