The iris can be counterfeited using high-resolution photographs or with contact lenses.
The human iris, long used to verify individuals' identities, is a biometric data point susceptible to falsification. With generated images and high-resolution photographs, it is possible to impersonate people, and the cryptocurrency project Worldcoin is aware of this.
"Human irises can be scanned, even through photos posted on social media," said Tiago Sada. The Head of Design and Engineering at Tools For Humanity, the company developing Worldcoin's products, thus acknowledged that anyone can scan other people's irises.
"Anyone can hop onto your Instagram, find a photo of you, and scan the iris from a picture. (...) Your iris is on your face. You post a photo on Facebook, and now anyone can access your iris code," noted Sada.
This opens a security loophole. Indeed, while artificial intelligence and identity verification systems have made significant strides in recent years, they are not foolproof.
There is always the possibility that these systems are vulnerable to attacks, such as identity theft or the use of fake photos that could be sourced from a social network, for instance, to verify someone's identification.
Moreover, there is a risk that malicious actors could scan users' irises and sell that biometric data to individuals with nefarious intentions, earning a steady income at the victims' expense, just as with current data ransom attacks or even phishing, where stolen data is often offered on the dark web.
The warning about iris counterfeiting has been around for a while
In fact, as far back as 2012, research was already underway into ways to deceive biometric data scanners. In that year, a group of researchers from the Autonomous University of Madrid recreated an image of an eyeball from true iris digital codes obtained from databases.
As explained by analysts, they tested the counterfeit irises on commercial recognition systems that, like Worldcoin today, utilize biometric data scanners to verify an individual's humanity.
They found that in 80% of cases, the scanner believed it was a real human eye. This led to a warning that a person's identity could be impersonated with a recreated fake iris based on their code, as reported by the BBC.
This warning gains particular significance today, considering that the world's major social networks are built upon the images and videos shared daily by millions of users. Essentially, these platforms now serve as the database that individuals interested in counterfeiting identities can turn to in order to obtain people's iris codes.
As Tiago Sada suggested, the current trend of social networks makes it feasible to obtain someone's iris code from a photo, selfie, or even a shared video on Instagram, Facebook, TikTok, or elsewhere, without much difficulty.
There is no danger in scanning irises, according to Worldcoin
However, while Worldcoin acknowledges that human irises can be easily falsified, along with the associated risks, the company has openly stated that there is no danger in scanning people's eyeballs to verify their identity.
According to Sada, "scanning the iris is not a privacy risk," and this project "is more private than Facebook, Google, and TikTok."
However, such privacy claims come into question considering the audit conducted by the analysis firm Trail of Bits on the source code of Orbs, Worldcoin's iris scanners.
As reported by CriptoNoticias, the audit revealed a privacy risk regarding Worldcoin users' biometric data because memory is not locked in the Orbs' RAM.
This implies that if the main developers decide to expand memory through swap space, people's information could remain there indefinitely.
While informative, this represents a latent risk considering that the decision to expand memory depends on the developers. Additionally, demand for Worldcoin is constantly growing worldwide, with queues of people in dozens of cities waiting to scan their irises. Chile is among the countries where Worldcoin's Orbs are currently located.
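The audit finding above concerns memory that is not locked in RAM. As an added example (not code from Worldcoin, the Orb or the audit), this shows how a Linux process can pin a sensitive buffer with mlock() so it cannot be written to swap, refusing to proceed if the lock fails and wiping the buffer before release. The `struct secret` type and `secret_*` names are hypothetical, and the 0xA5 fill is a constructed stand-in for biometric data.

```c
#define _DEFAULT_SOURCE
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper type: a page-aligned buffer that is locked in RAM. */
struct secret { unsigned char *ptr; size_t len; };

/* Round a request up to whole pages, since locking works per page. */
static size_t page_round(size_t n) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return (n + page - 1) / page * page;
}

/* Zero through a volatile pointer so the compiler cannot drop the stores. */
static void secret_wipe(struct secret *s) {
    volatile unsigned char *p = s->ptr;
    for (size_t i = 0; i < s->len; i++) p[i] = 0;
}

/* 0 = ok, -1 = mapping failed, -2 = lock refused (e.g. RLIMIT_MEMLOCK).
 * Fails closed: unlocked memory is never handed back to the caller. */
static int secret_alloc(struct secret *s, size_t n) {
    s->ptr = NULL; s->len = 0;
    size_t len = page_round(n);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    if (mlock(p, len) != 0) { munmap(p, len); return -2; }
    s->ptr = p; s->len = len;
    return 0;
}

/* Wipe first, then unlock and unmap, so no plaintext outlives the buffer. */
static void secret_free(struct secret *s) {
    if (!s->ptr) return;
    secret_wipe(s);
    munlock(s->ptr, s->len);
    munmap(s->ptr, s->len);
    s->ptr = NULL; s->len = 0;
}

int main(void) {
    struct secret s;
    if (secret_alloc(&s, 2048) != 0) return 1; /* do not process data unlocked */
    memset(s.ptr, 0xA5, 2048);                 /* constructed sample data */
    secret_free(&s);
    return 0;
}
```

Copies of the data made outside the locked buffer (stack temporaries, library-internal buffers) are not covered by this lock.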