Decentralization and Open-Sourcing

Decentralization and Open Sourcing Roadmap

Decentralization is key to Worldcoin. The Worldcoin protocol is powerful and could be misused, especially if under centralized control. There have been countless occasions where people’s trust in digital services has been abused. Therefore, to ensure that the Worldcoin protocol maximally benefits humanity, it is imperative that the protocol, ecosystem, technical computation, development, and governance are transparent, verifiable, and most importantly, decentralized. Decentralized community governance, in particular, is imperative to maintain the protocol’s alignment with the people it serves—which is to say, everyone. This section focuses on all non-governance dimensions of decentralization that contribute to the overall integrity of the Worldcoin ecosystem.

Worldcoin Protocol

The Worldcoin protocol is designed to be decentralized in order to make it resilient, remove single points of failure, and place control over the proof of personhood primitive in the hands of the people who use it. The decentralization goals of the protocol include:

• Permissionless operation, enabling anyone to issue and use credentials without central approval;
• Decentralized operation, allowing use without needing to trust or rely on a centralized party, including the ability to independently run off-chain infrastructure components;
• Support for credentials on custom wallets, offering flexibility and interoperability i.e. users should be able to choose their wallet and not be tied to a specific platform; and ultimately the
• Ability to build on open standards with independent implementations and interpretations (e.g., DIDs and verifiable credentials) to increase interoperability.

To use the protocol, certain open source, community-mainted components are or will be required:

• World ID requires a sequencer, similar to the L2 architecture for roll-ups, for increased scalability. It handles interaction with the on-chain contracts, both for issuance of credentials and proof generation (e.g., generating the World ID proof requires fetching the on-chain state of the contract to generate an inclusion proof).
• Software development kits (SDKs) make integration easy for wallets and verifiers will continue to be open source and community maintained. Other parties are able to develop and share their SDKs as well since they are based on open standards.
• Crowd-curated lists of applications and issuers, similar to the ERC-20 token lists of the Uniswap Protocol, helps prevent scams, spam and other forms of abuse.

Today, all protocol components are already open source. The protocol already supports privacy by enabling verification through zero-knowledge proofs, which lets a person prove ownership of a credential without revealing any details about it (e.g., one can prove today they have been verified at an Orb without revealing which verification belongs to them or when and where they were verified).

Community members may continue to contribute to, and develop new functionalities for the Worldcoin Protocol, like:

• An open source Wallet SDK so other wallets can easily support the Worldcoin protocol
• Specifications for future development of the Worldcoin protocol
• Sequencer decentralization (e.g., rotation of sequencers)
• Alternative credentials issued on the protocol
• A decentralized metadata service
• A process for protocol improvement proposals to be submitted, so that any upgrades can be considered and authorized by the community prior to implementation

The Orb

Anyone should be able to issue credentials on the Worldcoin protocol. While different applications have different requirements, high-stakes use cases such as social program support, global and equitable allocation of finite resources including AI-funded Universal Basic Income, as well as democratic governance of AI¹ likely require a singular, highly secure and inclusive proof of personhood credential to prevent multiple registrations.

Decentralizing the issuance of this credential comes down to four parts:

• the uniqueness verification service,
• the development and production of biometric verification devices,
• the deployment of devices all over the world; and
• fraud prevention mechanisms.

Uniqueness Service

World ID relies on iris biometrics to verify uniqueness among a global set. Several ideas for how the uniqueness service could be decentralized can be found here.

Verification Devices

Design and manufacturing of biometric verification devices will be gradually decentralized to increase the resilience of the verification process against censorship and minimize the trust requirements in the manufacturing entity:

• Decentralized Development may be incentivized with grants from the Worldcoin Foundation, or later, by a token-based reward mechanism for each successful verification, analogous to validation rewards on Layer-1 chains. To enable the development of devices similar to the Orb, the Orb hardware is available under a shared source license, with the firmware expected to follow when it can be made available securely. Organizations who choose only to develop firmware to build their own devices can purchase Orb hardware from TFH, under a license granted from the Foundation. This is one step in the direction to reduce the dependence on TFH for firmware development, increase censorship resistance, and empower people to decide which organization they trust to perform the development process.
• Development Standards: The Worldcoin Foundation will develop an initial set of hardware and software standards related to biometric uniqueness verification devices, so that other organizations can then develop their biometric verification devices. Any device that meets the standards can then be whitelisted by the Worldcoin Foundation for use on the protocol, where compliance with the standards could be ensured through third party audits. Any organization could also issue their own proof of personhood credential on the Worldcoin protocol without any involvement from the Worldcoin Foundation. All verifications from whitelisted devices will pass through the same biometric uniqueness check ensuring there are no duplicate verifications across different issuing organizations, enabling individuals verified by any whitelisted device to be eligible to claim World ID. These standards will evolve based on community input, to reflect changes in technology and other factors.
• Verifiability: It is important to be able to verify the legitimacy of a biometric verification device (i.e., it's not counterfeit) and to validate that it runs a certain firmware (e.g., it doesn't store biometric data when it claims not to). One approach to verification is integrating a validation mechanism in TFH’s World App or other protocol-compatible apps, where the device has to sign a challenge generated by the app and validated against a known set of public keys.

Device Operators

Once manufactured, Orbs are operated by independent entrepreneurs and their organizations around the world. Those entities receive a reward for every successful verification, and, to some extent, the actual operation of Orbs is already decentralized. The Foundation will soon be responsible for issuing operator rewards, and has engaged TFH to help support and audit Orb operations. Eventually, operations will include a decentralized process for operators to qualify and receive an Orb, receive verification rewards, and audit operations that could potentially be enforce by on-chain smart contracts:

• Orb Allocation: Today, Orbs can only be borrowed but not rented, sold or auctioned off to operators. When an Operator joins the project, Orbs (and other equipment) are lent to Operators for a specified period of time. Short-term lending ensures that only Operators who use Orbs efficiently for verification purposes (i.e., not merely verifying a handful of people per week) get access to them, optimizing hardware production capacity and minimizing overhead. In a future-state with abundant Orb supply at low cost, Operators could simply buy biometric verification devices.
• Signup Rewards: Operators receive rewards for each successful verification. Eventually, governance could refine how the signup reward mechanism works or is calculated (e.g., to increase the likelihood of compliance with the Foundation’s Operator Code of Conduct, a fraction of the signup reward could be locked-up. Governance could define the lock-up criteria, including any cap or other features).
• Signup Quality: It is important that Operators provide users with a high-quality experience by educating them about the project and supporting them during the verification process. To align the Operators’ financial interests with the objectives of the Worldcoin project, Operator rewards are impacted by measures of sign-up quality. Governance could also refine the criteria for determining signup quality.

World ID Integrity

Decentralizing the issuance and custody of World ID is challenging given the need to maintain high credential integrity (i.e., making it hard to illegitimately acquire and use the World ID of others). Different mechanisms across all participants—from hardware manufacturers to individual Orb operators to users—are required to prevent actions that undermine the integrity of the credential:

There are several scenarios that could result in the illegitimate creation or fraudulent ownership of proof of personhood credentials:

1. Verification Device Compromise: A third party submits fraudulent verifications by compromising the hardware or spoofing the verification process.
2. Identity Theft: The device operator or a third party manipulates individuals into verifying or compromising their phone to access their credentials.
3. Identity Sale: An individual decides to sell their credentials to a fraudulent actor.
4. Issuer Fraud: Organizations developing the firmware for verification devices secretly generate identities.

Each scenario decreases the utility of the proof of personhood credential issued by the Orb, so measures to make these attacks more costly are important. The following first five examples are integrity-strengthening measures on the Foundation’s roadmap:

• Biometric Verification Device Audits: Audits that scope hardware, software and spoof security of the Orb, as well as investigate particular claims, such as "image data is not retained without explicit consent,” increase the trust in the integrity of World ID. See here for the state of audits today.
• Bug Bounty Program: All organizations operating whitelisted verification hardware could be required to participate in a public bug bounty program covering hardware, software, and spoof security. The community is iterating on the design of a bug bounty program, which will launch soon.
• Face Authentication: As part of the verification process, a signed and encrypted face image could be transferred to the user's phone. The user could then authenticate against that image within the app, an approach similar to FaceID, making it hard to authenticate the credential of someone else. Beyond face recognition, the phone would also need to perform liveness detection to prevent spoofing attacks. The security guarantees that such a liveness check has actually been conducted and not spoofed are lower on consumer phones compared to custom hardware like the Orb (given consumer cameras are less advanced and that it is hard to create a trusted execution environment on a person’s phone to ensure computational integrity). With improvements in mobile zero knowledge proof abilities, it may become possible to compute the authentication and liveness checks inside zero knowledge proofs on the user's phone, which would increase the security guarantees.
• Iris Authentication: Similar to face authentication, iris authentication performs a biometric authentication against a template as well as a liveness check. By requiring people to come back to a biometric verification device, the security guarantees that the liveness check has not been spoofed or bypassed are increased at the cost of convenience. If both face authentication and iris authentication were implemented, developers could choose which level of security is required for their application.
• Recovery: Victims of social fraud and identity theft should be able to recover their proof of personhood credential through an Orb using only their biometrics. This would also make the purchase of other individuals’ proof of personhood unprofitable from a game-theoretic perspective.

The following four measures are not on the Foundation’s immediate roadmap but still ideas being considered:

• In-Person Audits: To ensure compliance with the Operator Code of Conduct and to prevent any organization from secretly generating fake identities, operations should be audited. Today, third-party organizations audit on-the-ground signup operations. A potential path to decentralize this process could be publishing a list of all verification devices, their locations, and verification counts. This would enable decentralized and in-person verification of all devices. Auditors could balance the published verification numbers against a count of real people verifying live, and thereby discover illegitimate identity generation. Such a process would require careful mechanism design to avoid unintended side effects.
• Anomaly Detection: Metadata from Orbs could be made public to be utilized for decentralized anomaly detection, informing decisions on which Orbs to audit in person. However, what data to publish would require careful consideration to preserve the privacy of individuals who verify. Community input would likely be necessary to strike that balance.
• Revocation: If a particular firmware version of a verification device is deemed insecure or an operating organization is found to be fraudulent, the verification credentials can be retrospectively revoked in line with the Foundation's governance, to eliminate potential fraudulent identities. Eventually, there might be the need for a separate adjudication body. If there were any real and legitimate individuals affected, they could re-verify at an Orb.
• Expiry: As biometric verification devices and their security standards evolve, it might become useful to version World IDs. Over time, older World IDs might be deprecated to increase security, similar to passport expiration.

World App and Other Clients

TFH launched World App as the first client to support the Worldcoin protocol. Currently, World App is the only way for people to get their World ID verified at an Orb and claim their share of WLD tokens.

Eventually, users will be able to either easily export their accounts into other wallets or use a third-party wallet at the time of verification with an Orb. Additionally, a World ID WalletKit could incorporate all the required capabilities, so that other wallets could easily integrate World ID, allowing the use of World ID various wallets of choice.

On the frontend, World ID is already available to any developer that wants to use sybil protection in their application through the IDkit and developer portal. Users are able to use any third-party application through World App.

Progressive Decentralization

Some parts of the Worldcoin ecosystem are already decentralized and open source. However, decentralization is an ongoing process that requires significant community contributions and participation. A gradual transition towards a decentralized ecosystem allows for careful assessment and refinement at each stage, ensuring that the transition is sustainable in the long term. Decentralization is core to the mission of Worldcoin and requires active participation of the broader community.