If Worldcoin has a serious data security breach before July 2024, what will the cause be?
Aug 2
17% Other
4% Orb obtained and reversed: local db, API key and/or secrets extracted
38% A method for (partially) extracting raw biometric data from the IrisCode is discovered.
39% The raw iris image data in custody of Worldcoin is improperly secured
2% Leak by an employee with access to the internal DB

If there are multiple breaches, this refers to the first.

A Sybil attack doesn't count (e.g. if someone manages to fraudulently sign up multiple times) – it has to be something where either data leaks that shouldn't have, or users can take actions impersonating other users. I won't count anything where people's worldcoins are stolen but no personal info is accessed and no other transactions or holdings are affected. The orb, the iris hash, the World App, and World IDs are all fair game.

If the issue is fixed before it's exploited, but the security flaw has been published, this still resolves YES.

Edit 7/31 for clarity: by "fair game" I just mean "these are some of the things I consider to be components of the Worldcoin system"


According to Worldcoin's website, having a publicly available database of iris hashes is on the roadmap, so I don't consider the hashes "data leak[ing] that shouldn't have". So "raw iris image data in custody of Worldcoin" is a little ambiguous, in that the raw image data isn't supposed to leave the orb and enter external Worldcoin servers; I would consider "raw images escape the orb" to be the proximate cause if that happened. Not sure I'd consider "on the orb" to be "in custody of Worldcoin", since the orbs are run by independent operators, but you could make a case for it.

I think this also rules out "Leak by an employee with access to the internal DB" – if anything sensitive was in an internal DB in the first place, the system would already be breached. Unless they make a significant architecture change before market close.

hmm, on second thought, I'm open to being convinced re: whether iris hashes becoming publicly available by accident counts – would have to see some public communication asserting that the hashes are supposed to be secret and that they in fact become not secret unintentionally

@Lily the "Image Custody Opt-In" heading in this blog post suggests such a raw iris database (not hashes but images) already exists https://worldcoin.org/blog/developers/privacy-deep-dive

https://www.technologyreview.com/2022/04/06/1048981/worldcoin-cryptocurrency-biometrics-web3/

This article received a response from WC regarding the collected raw data: "In response to our questions just before this article went to press, Worldcoin said the public version of their system would soon eliminate the need for new users to share any biometric data with the company—though it hasn’t explained how this will work." This also suggests a raw db that could be leaked, including face, body image, names, emails alongside the irises. I suspect this is the usual startup modus operandi: neither the crypto nor the iris hashing part are really production ready, so the features are simulated in a centralized manner, by processing on WC server while keeping raw data around to be able to seamlessly transition to the real, crypto-based system, if it ever comes.

@Lily @CamillePerrin - Yes, the "Opt-in" image custody (which is allegedly strongly encouraged by orb operators) is what I refer to in the "raw iris image data" and partially also the "leak by employee" options.

@MartinModrak got it, ok yeah I think a leak of opt-in image data wasn't quite the spirit of what I was trying to capture but I'd say it does count for the question as phrased

@CamillePerrin do you have a better source? this article's over a year old and has a strong bias

also does anyone know why they can't just hash the iris codes, rather than constructing a new kind of hash

@Lily AFAIK the problem with the hash is that two iris scans of the same person will never be bit-by-bit identical so any traditional hash of the scan would differ substantially between two scans of the same person. So they need a function that not only has the properties of a cryptographical hash but also is oblivious to the expected variation between two scans of the same person. The second requirement makes the problem much harder as it goes against the spirit of a typical hashing function where it is desirable that any small variation in the input produces a big variation in the output.

I'd also argue that the opt-in database could be substantial (if the claims of strong encouragement/pressure to opt in turn out to be true) and probably is an important part of the business/tech plan as the hashing function is a hard problem and this lets them sidestep the need to rescan people every time the alg changes, so it is IMHO not an auxiliary part of the project, but rather an important stepping stone in the development of the project as envisioned by the company.
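The point made in the comment above, as an added Python example (not part of the thread and not Worldcoin's code): two noisy scans of one eye stay close in Hamming distance, while their SHA-256 digests are as far apart as those of two different people. The 2048-bit code length, the 10% rescan noise and the 0.32 match threshold are assumptions chosen for illustration, and the codes are random constructed data.

```python
import hashlib
import random

CODE_BITS = 2048        # assumed code length, illustration only
RESCAN_NOISE = 0.10     # assumed per-bit flip rate between scans of one eye
MATCH_THRESHOLD = 0.32  # assumed fractional-Hamming cut-off for "same eye"

def rescan(code, rng, noise=RESCAN_NOISE):
    """Simulate a second scan of the same eye by flipping each bit with probability `noise`."""
    mask = 0
    for i in range(CODE_BITS):
        if rng.random() < noise:
            mask |= 1 << i
    return code ^ mask

def frac_hamming(a, b, nbits):
    """Fraction of bit positions in which two nbits-wide integers differ."""
    return bin(a ^ b).count("1") / nbits

def digest_int(code):
    """SHA-256 of the code, returned as a 256-bit integer."""
    raw = code.to_bytes(CODE_BITS // 8, "big")
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")

def compare(a, b):
    code_distance = frac_hamming(a, b, CODE_BITS)
    return {
        "code_distance": code_distance,
        "fuzzy_match": code_distance < MATCH_THRESHOLD,
        "digests_equal": digest_int(a) == digest_int(b),
        "digest_distance": frac_hamming(digest_int(a), digest_int(b), 256),
    }

def demo(seed=1):
    """Return (same person rescanned, different person) comparisons on constructed codes."""
    rng = random.Random(seed)
    first = rng.getrandbits(CODE_BITS)
    second = rescan(first, rng)
    stranger = rng.getrandbits(CODE_BITS)
    return compare(first, second), compare(first, stranger)

if __name__ == "__main__":
    same, other = demo()
    for label, result in (("same eye, rescanned", same), ("different eye", other)):
        print(label, {k: round(v, 3) if isinstance(v, float) else v
                      for k, v in result.items()})
```

Distance-based matching separates the two cases, while exact digest comparison rejects both, which is why a standard cryptographic hash cannot be used directly for deduplication.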

@MartinModrak oh I see, I was thinking the iris images would be different across scans but the codes would be identical (and hence hashable) - it looks like the codes are just close though, not exact.

second point is fair

@Lily I have [1], which is globally pro the concept of crypto-based proof of person, but points to the same centralized DB and orb tampering concerns.

Another possibility I see is a rogue orb operator keeping parallel records of personal data (possibility with tampered orb) - which is enabled by WC model of individual subcontractors for signup. I would say this is also a possible data leak source, and arguably enabled by WC mode of operation. I don't see it particularly likely to be exploited, though I'm almost tempted to sign up for operator status to see how easy/hard the process is (realistically not enough time in the day for doing investigative journalism myself though 😪)

[1] https://vitalik.eth.limo/general/2023/07/24/biometric.html

bought Ṁ10 of N/A

Having read about the fly-by-night practices and malfunctioning of the orb, I infer this is a typical startup and the orb is likely exploitable and easily stealable/bribable from one of the individual subcontractors doing the sign-ups. The limiting factor is WC piquing the interest of a suitable hw/security hacker-type person.

I mean, it's open source – you could just build your own, no? idk how much it'd cost to procure an existing one