Is Worldcoin's "Orb" Safe? A Report on the Audit Results Concerning Personal Information Collection

In an era where digital privacy concerns are at an all-time high, Worldcoin's Orb has been under scrutiny.

The latest Privacy & Security Audit Report by Trail of Bits, published on March 14, 2024, provides an in-depth analysis of Orb's data handling, encryption, and security measures, addressing user concerns and setting a new standard in personal information protection.

Worldcoin Publishes Privacy & Security Audit Report

On March 14, 2024, Worldcoin (WLD) released the "Privacy & Security Audit Report" summarizing the audit results on personal information collection and other aspects related to its iris recognition device, "Orb".

This audit, conducted by the IT security firm Trail of Bits, addresses the previously voiced concerns regarding the "Orb's collection of personal information through iris scanning."

Worldcoin's Orb enables the issuance of a "World ID" by scanning a user's iris, which in turn allows users to receive free distributions of the cryptocurrency WLD.

However, this process raised concerns among some users regarding potential personal information leaks.

The recently published report highlights findings that are of particular interest to those hesitant about the authentication due to such concerns, with specific audit results reported as follows.

Audit Findings on Worldcoin's Orb by Trail of Bits

Scope of Evaluation

Trail of Bits began its evaluation on August 14, 2023, focusing on the software version "SemVer 3.0.10", which was frozen on July 8, 2023.

As of March 14, 2024, the current software version deployed on Orbs is "4.0.34", with its initial release date being January 17, 2024.

Tools for Humanity (TFH), the developer behind Orb, provided a series of non-exhaustive technical claims to define the scope of their efforts for verification. These claims targeted the software release version frozen on July 8, 2023.

Audit Results on Personal Information Collection

• No collection of personal information other than the iris code In the default signup flow, personal identifiable information (PII), other than the iris code, is not collected by Orb. No PII other than the iris code is written to Orb's persistent storage or transmitted or uploaded from the Orb.
• Personal information is encrypted and securely processed In signup flows other than the default, any PII is securely processed by Orb. The only PII retained on the device is on Orb's SSD and is asymmetrically encrypted(*1). The asymmetrically encrypted PII stored on Orb's SSD cannot be decrypted by Orb.
• No extraction of sensitive information from the user's device Orb does not extract sensitive data from the user's device. The only information Orb collects from the user's mobile phone is the QR code(*2).
• The iris code is securely processed The user's iris code is securely processed. It is never written to Orb's persistent storage. The iris code is only included in a single request to Orb's backend(*3). It can only be transmitted to authorized servers, and network communication is end-to-end encrypted.

【Supplemental Information 1,2,3】

• Since the 4.0.XX release, Orb no longer stores data on SSDs, regardless of the data storage option chosen.
• In software version 3.0.10, the QR code contained a 128-bit UUID user_id, a data_policy bool representing the user's data management choice, and an optional DataCollectionConfig structure for internal use. In software version 4.0.0, the QR code was changed to include an encrypted hash named user_data_hash, containing the user's public key. This hash is used to verify the correct public key is used when encrypting data to the user's device.
• Software version 4.0.0 introduced a new "personal storage" feature, where an additional copy of the iris code and biometrics is encrypted directly onto the user's device using the user's public key.

Results of the Evaluation

The audit, carried out by three consultants over six weeks, granted "runtime access to Orbs" as well as "full access to the source code".

Trail of Bits found no vulnerabilities in Orb's code. Although some unresolved concerns that could potentially impact the project's objectives were identified, no vulnerabilities exploitable in a way that directly affects Worldcoin's project objectives were discovered.

Recommendations for Security Enhancement

• Additional configuration enhancements to strengthen multi-layer defense are recommended. Although the audit concluded that "Orb does not collect personal information other than the iris code, nor does it leak such information," additional configuration enhancements are recommended to prevent accidental data leaks through future configuration and code changes.
• Changing the library used for QR code scanning due to potential memory safety issues in the currently used library, replacing the vulnerable library with the pure Rust barcode scanning library "rxing".

Continuous Security Evaluation

Worldcoin announced that it would continue to conduct security evaluations through third-party institutions and explained its "bug bounty program," which rewards individuals who find system vulnerabilities.

Details of the report and its findings can be checked on "Worldcoin's official announcement page".