Worldcoin saga turns spotlight on Kenya's data privacy challenges

Data Protection Commissioner Immaculate Kassait. [File, Standard]

Rosa*, a retiree with a keen interest in technology, stood at a Nairobi shopping centre before a Worldcoin orb, a device that scanned her iris to capture biometric data in exchange for cryptocurrency (digital currency).

Biometrics is a way to identify people using unique physical traits. It involves technology that can recognise things like fingerprints, face shape, voice, or even how someone walks. This technology is often used for security, like unlocking phones with a fingerprint or face, or at airports to confirm someone’s identity.

Following public uproar, the Kenyan government suspended Worldcoin's operations in August, citing privacy concerns and violations of the country’s laws. Worldcoin was co-founded by Sam Altman, CEO of OpenAI, the parent company of ChatGPT.

Long queues of Kenyans were eager to have their eyes scanned to receive about $46 (about Sh7,000) offered in exchange for their biometrics before Worldcoin operations were suspended in the country.

But money was not the motivation for Rosa. “I took interest because I’m interested in IT [information technology] stuff,” says Rosa, who later convinced her daughter to register.

Thinking the same data is generally taken during her travels or electoral registrations, Rosa told The Sunday Standard she was not concerned at first.

“I look into cameras every time I am at the Customs. So, this is probably the same thing… even fingerprints. So, I asked myself, what was the worst that could happen to me?”

Investigating operations

The parliamentary committee investigating Worldcoin’s operations in Kenya found that the company has violated several Kenyan laws.

“The promoters of Worldcoin misled consumers by using deceptive marketing strategies to induce people to exchange their personal data with tokens,” reads the committee’s report.

Worldcoin has persisted in collecting sensitive personal data in Kenya, ignoring the stop directive issued on May 30 by the Office of the Data Protection Commissioner (ODPC). The company’s online app continues to register Kenyans, despite a court order and administrative instructions to cease operations, says the report.

The committee’s report states: “The registration of Kenyans by Worldcoin online App is still going on despite the pendency of a court order and other administrative directions halting the same in entirety.”

Worldcoin’s actions were deemed “espionage and a threat to statehood,” lacking the legal mandate to conduct business in Kenya, says the report, noting the potential registration of minors and the difficulty in ascertaining the exact number of Worldcoin’s orbs within the country.

To register for World ID and receive a share of Worldcoin tokens, an individual must have their unique identity verified by an Orb. This device uses camera sensors and artificial intelligence to analyse facial and iris features.

“Once that determination is made, the orb takes a set of pictures of the person’s irises and uses several machine learning models and other computer vision techniques to create an iris code, which is a numerical representation of the most important features of an individual iris pattern,” adds the report.

Worldcoin’s stated mission is to offer universal basic income worldwide, claiming that collected biometric data is only for verifying individual identity and is neither retained nor used for other purposes.

Data Privacy Concerns

Simon*, a young man in his early 30s, told The Sunday Standard he felt the information he gave to Worldcoin was unsafe.

Simon notes that his registration was driven more by curiosity than the offered incentive, adding that this wasn’t his first experience with biometric data collection.

“I had my biometrics taken while registering with the Independent Electoral and Boundaries Commission before the 2017 elections,” says Simon.

Biometric technologies such as facial recognition, fingerprinting, and iris scanning could be abused to monitor citizens’ activities, track their movements, and limit their freedoms without adequate safeguards, says a 2022 report titled, The Rise of Biometric Surveillance issued by the Collaboration on International ICT Policy for East and Southern Africa (Cipesa).

The report highlights that people frequently leave their data in various places, including banking halls, building entrances, while printing documents, at hotels and with employers.

John Walubengo, a university lecturer in information communication technology, points out that there is a general lack of public awareness regarding the use and safety of personal data.

“The public does not know what data collectors do with their data. Even a simple manual process of leaving your national ID [identification card] at the security desk as you walk into an office… you tend not to care about what else the guards are doing with your data,” says Mr Walubengo.

“Most Kenyans who queued to have their iris scanned by Worldcoin were largely driven by poverty,” says Walubengo, adding, “There was a $50 donation in the form of Worldcoin token or cryptocurrency.” 

The Kenya National Bureau of Statistics (KNBS) 2021 Poverty Report notes that approximately 30 percent of Kenyans, representing five out of every 13 citizens, live in poverty. The report reveals that a higher proportion of rural residents struggle to meet their food needs compared to their urban counterparts.

Regulatory Gaps

The Worldcoin issue has brought attention to Kenya’s regulatory landscape, particularly focusing on emerging technologies like Artificial Intelligence (AI), data safety and protection, and digital rights.

Kenya’s Data Protection Act of 2019 is thorough, yet as Walubengo notes, the country lacks a specific regulatory framework for cryptocurrencies.

“The [ODPC] was blamed for doing little; however, that office did what was doable to the extent of the Data Protection Act,” says Walubengo, adding that the complexity of the Worldcoin operations required concerted efforts between different government agencies such as business registration services, among others.

Lawyer Ibrahim Oduor says Kenya’s legal and regulatory framework is not the main issue but rather a lack of capacity in the Data Protection Commission.

Oduor raises concerns about the ODPC’s ability to keep pace with rapidly evolving technology. He points to the US model, where the Federal Communications Commission, responsible for broadcast regulation, conducts continual research to guide its regulatory framework.

“We don’t have that in Kenya. The Communications Authority of Kenya does this periodically, but we still have gaps,” says Oduor, raising concerns over the criteria used to award and deny the registration of some entities.

Data Protection Commissioner Immaculate Kassait could not be reached for comment by the time of going to press.

Global challenge

“The rapidly evolving technological advancement present a global challenge in managing risks associated with Artificial Intelligence (AI), blockchain and virtual assets, demands the need for a more progressive and responsive regulatory framework in Kenya,” says the parliamentary committee report.

Its recommendations include developing a comprehensive oversight framework and policies on virtual assets and their service providers, amending the Data Protection Act of 2019, and auditing all registered data processors and controllers, among others.

“Within six months of the adoption of this report, the Data Protection Commissioner should carry out an audit of all registered data processors and controllers as required by section 23 of the Data Protection Act, 2019, and submit a report to the National Assembly,” the report says.

Kenya, as part of UNESCO’s 193 member States, adopted the “recommendation on the Ethics of Artificial Intelligence” in November 2021, a global AI ethics framework that signifies a commitment to developing and utilising AI technologies in ways that respect human rights and adhere to ethical and transparent standards.

“Member States should establish their data policies or equivalent frameworks, or reinforce existing ones, to ensure full security for personal data and sensitive data, which, if disclosed, may cause exceptional damage, injury or hardship to individuals,” notes the UNESCO AI ethics framework.

We reached out to Worldcoin for a comment, but they did not provide a response by the time of going to press.

[This story was written and produced as part of a media skills development programme delivered by Thomson Reuters Foundation. The content is the sole responsibility of the author and the publisher.]