In an era where the lines between human and artificial intelligence increasingly blur, the need to verify our online identity has become paramount. While proving our humanity through CAPTCHA tasks has long been a subtle part of our digital lives, the rapid advancement of AI now challenges traditional verification methods. As AI systems grow more sophisticated, adept at passing Turing tests and mimicking human interaction, the imperative to distinguish genuine human users from bots has never been stronger. At Digital Tech Explorer, we understand this critical juncture, advocating for advanced solutions that can accurately differentiate neurons from silicon and safeguard our online experiences.
This challenge is particularly acute in the gaming world, where botting and cheating undermine fair play. As AI technologies advance, the integrity of online gaming faces growing threats. While anti-cheat systems address programmatic exploits, another crucial approach is ensuring that a user is a live, authentic person—a method widely known as ‘liveness detection’ or ‘proof-of-human‘. This emerging field of digital innovation is vital for maintaining trust and fairness in virtual environments.
As TechTalesLeo, I’ve embarked on a fascinating deep dive, engaging with experts and industry insiders to explore the current landscape of proof-of-human technology in gaming. My aim, aligning with Digital Tech Explorer’s commitment to thorough research, was to uncover both the potential and pitfalls of these systems, particularly concerning personal security and privacy. While I initially approached these discussions with skepticism due to possible privacy implications, I was surprised to find many of my initial concerns addressed. However, new complexities emerged, reinforcing the challenge of finding a perfect balance between robust liveness verification and safeguarding user privacy.
Eyeballs, please
My initial encounter with World (i.e. World Network)—the ambitious venture co-founded by ChatGPT CEO Sam Altman, Max Novendstern, and Alex Blania—was through reports of its distinctive, somewhat Orwellian “Orbs” appearing globally. These devices performed iris scans, rewarding participants with WorldCoin cryptocurrency. The company’s stated mission was expansive: to “scale a reliable solution for distinguishing humans from AI online while preserving privacy, enable global democratic processes, and eventually show a potential path to AI-funded UBI” (Universal Basic Income).
While WorldCoin continues, World has notably shifted its emphasis towards iris scanning for secure digital identity, highlighting its potential in an increasingly AI-driven online landscape. This strategic pivot aligns with the urgent need for robust human verification. A key partnership illustrating this focus is with Razer, aiming to assure gamers they’re competing against real people, not bots. To understand this innovation better, I connected with Tiago Sada, Chief Product Officer at Tools for Humanity, the company behind World’s core technology, who detailed its operational mechanics.
The process is straightforward: an Orb scans your iris, generating a unique World ID—a digital identifier confirming your verification as a live human. Razer can then integrate this World ID with its own Razer ID system, providing a “blue check mark” that signifies human verification. Games leveraging Razer ID can then utilize this signal in various ways, such as enabling human-only tournaments, offering exclusive human-only in-game items, establishing human-only servers, or even enhancing efforts to ban known problematic players.
World asserts a strong commitment to user privacy, claiming minimal data retention. According to Sada, the Orb encrypts iris images, transfers them to the user’s phone, and then deletes them from the device. “Those pictures are only stored on your device,” he emphasizes, “and you can delete them anytime you want. We don’t keep your data.” Further bolstering its transparency, World highlights that its entire platform, including its technology and privacy protocols, is open source, allowing for public verification—a principle Digital Tech Explorer values deeply.
However, the full picture surrounding data practices warrants deeper scrutiny. Cybersecurity expert Aimee Simpson, Director of Product Marketing at Huntress, voiced a common concern: “It’s hard to just take for granted that World does what they say they are doing without any external validation or auditing.” While third-party audits of World’s Orb and protocols have largely been positive, confirming secure data handling and privacy, some recommendations for improvement exist. A crucial distinction is that while raw iris images aren’t stored, iris codes are. This distinction became a point of contention when Germany’s data protection agency ordered the Worldcoin Foundation to delete data, citing GDPR infringement for “storing the iris codes as plain text in a database.” This highlights the complexities of ensuring true data privacy in biometric systems.
Iris scanning represents one facet of the privacy challenge in human verification. The equally critical second half involves how this proof is securely shared with online services. Here, World leverages an advanced cryptographic technique known as a ‘zero knowledge proof’.
Zero knowledge proofs
Ideally, human verification systems should inherently be privacy-preserving. As Mark Weinstein, a respected privacy expert and author, articulates, “Proof-of-human doesn’t mean more data harvesting. The ideal system would collect the absolute minimum needed to verify a person is real, then delete it.” This paradigm aims to minimize data exposure, replacing continuous surveillance with a singular, privacy-focused verification layer—a crucial element for modern digital trust.
Zero knowledge proofs (ZKPs) offer a powerful solution for this privacy-preserving verification. A ZKP allows one party to prove they possess certain information or meet a specific condition without revealing the underlying data itself. In the context of human verification, this means proving you are a genuine human without disclosing the biometric data that generated that proof. Sada’s analogy is apt: “The Orb will look at you, it’ll be like, yep, he’s a real and unique human. It stamps your passport, it’s verified, and you leave. But that stamp doesn’t say anything about who you are. It simply says: I’ve been verified by an Orb.” This cryptographic breakthrough is a cornerstone of privacy-first digital identity.
Beyond iris scanning, other innovators are also leveraging ZKP. AuthID, for instance, employs a face scan for its authentication process. Rhon Daguro, AuthID’s CEO, highlights the critical vulnerability of traditional biometric storage: “If your facial biometrics were stolen, you’re kind of in trouble because you can’t get a new face.” He explains that non-ZKP systems, which store biometric data on servers, expose users to immense risk if breached. ZKP elegantly sidesteps this by transforming the biometric pattern into a public and private key pair. “Your face will create the private key, the private key will do the handshake with the public key, and then we delete your face, and we delete the private key until you come back again… In this pattern, we never store your biometric,” Daguro clarifies, underscoring the privacy advantage.
Both World and AuthID share this fundamental principle: an initial biometric verification provides the basis for a cryptographic token. Crucially, this biometric information is subsequently deleted or never stored, ensuring the token cannot be reverse-engineered to reconstruct the original data, thus safeguarding your privacy. However, even with these advanced measures, two significant challenges remain for such identity verification systems: the ‘mule problem’ and the ‘audit problem’.
The mule problem
A critical challenge highlighted in discussions with both World and AuthID is that despite sophisticated, privacy-focused verification, the final authentication relies on a digital token. This raises the “mule problem”: what prevents a verified human from then handing over access to an account to a bot? Daguro elaborates on this very real threat: “There’s a fraud pattern called a mule… You actually use a live person to start the whole thing, and then they just hand over the account… We call that proxy fraud.”
One proposed countermeasure is frequent, re-verification. While initially, World’s iris scan might appear as a one-time event, theoretically leaving World IDs vulnerable to handover, the company has addressed this with its Face Auth solution. This technology compares a secure face picture, stored solely on your device, against a live capture, confirming you are the legitimate holder of your World ID. This places World’s approach in line with other authentication services regarding the mule problem. However, the inherent challenge remains: without continuous re-authentication, the possibility of swapping out to a bot after initial verification persists.
The mule or proxy problem is a widely recognized vulnerability. Alexandre Tolstenko, a professor at Champlain College and from game development education site gameguild.gg, illustrated how ZKP solutions can still face this issue in everyday scenarios, such as family members sharing a gaming account. He notes, “If you change the act of logging with something like face check or something like that, you still have the problem that we are not going to use the face check frequently… So it is still open to some vulnerabilities.” This highlights the practical limitations of even advanced biometric authentication in sustained use.
The audit problem
Professor Tolstenko also introduced another critical concern for ZKP-based human verification technologies: the audit problem. While ZKP and biometric data deletion are privacy-centric, they inherently create a challenge for auditing. If an error occurs during the initial biometric verification, the subsequent ZKP-hashed tokens offer no means to trace back to the original data, making effective auditing difficult. As Tolstenko posits, “How can you do auditing? So how can I prove that that thing was exactly from that person? … I can only guarantee that hash was generated by this person if I have the original information.” He concludes, “If you don’t need auditing, that’s fine, but if you need auditing, that’s a problem,” highlighting a fundamental tension between privacy and accountability.
While robust auditing is non-negotiable for sectors like banking and fintech, its necessity in gaming is debatable. Cybersecurity expert Aimee Simpson suggests that for online gaming, “I don’t think proof-of-human ID is necessary… the sheer architectural and technological scale of this project would outweigh the benefits of having it.” She argues it “isn’t worth doing in a low-stakes sphere like gaming.” However, the open-source nature of World’s technology offers a degree of transparency, allowing for public inspection of its verification mechanics. While individual World IDs cannot be retroactively audited, a demonstrably low error rate in the initial verification process could still be deemed sufficient for many gaming applications, striking a balance between privacy and practical utility.
Rhon Daguro of AuthID provided insightful context on biometric accuracy. He noted that Apple claims a one in a million false match rate for its biometric ID, while AuthID boasts a one in a billion rate. World’s biometric technology, he added, aims for an astonishing one in a trillion. Ultimately, the acceptable level of accuracy depends on the specific use case. While World ID requires an initial physical visit to an Orb, this one-time scan grants a lifetime ID. With the platform recently surpassing 15 million verified users, it suggests widespread acceptance of this method.
Radical solutions
Perhaps existing solutions are merely scratching the surface. Professor Tolstenko advocates for a “new class of solutions” that can resolve the auditing dilemma while rigorously upholding user privacy—a frontier ripe for digital innovation. While the exact form of these solutions remains undefined, he offered a thought-provoking example: a camera based on sound, or echolocation. Such technology could capture a unique “fingerprint” of a person’s presence without transmitting any visual image, potentially identifying individuals through subtle particularities without compromising traditional visual privacy.
The ultimate goal is to develop verification methods that confirm genuine human presence through data that is inherently unusable for spoofing or direct identification. While the feasibility of such a perfect system is uncertain, a promising direction could involve a fully blockchain-integrated verification system. This would extend beyond mere tokenization to encompass the physical liveness verification itself, decentralizing the process and placing greater control directly in the hands of individuals, rather than centralized entities.
As Digital Tech Explorer continues to track these developments, it’s evident that while initially perceived as Orwellian, many emergent solutions for combating bots in online spaces—from websites to apps and games—are evolving with privacy-centric designs. Yet, significant challenges persist. Whether current biometric verification combined with ZKP will ultimately resolve these complexities, or if a completely new paradigm of solutions is required, one thing is abundantly clear: our path forward demands conscious and deliberate progress.
All too often, we rush into new technologies and “solutions” without first establishing a collective consensus on the optimal way forward. It can feel as though technology dictates our direction, rather than us steering its course. Crucially, as TechTalesLeo emphasizes, decisions regarding privacy and the scope of digital verification and IDs must be made preemptively. These are fundamental questions that demand answers before such technologies become normalized. Once entrenched and accepted, altering these systems or our societal attitudes towards them becomes exceedingly difficult—a lesson arguably learned from the evolution of social media.
A related concern, which bears significant thought, is the extent of influence we wish digital IDs to exert over our lives, and how to prevent “mission creep.” Without conscious, deliberate planning—including pre-emptive agreements and legislative frameworks—we risk thoughtlessly normalizing these powerful identity technologies, propelling us into an uncertain future. While this wouldn’t be humanity’s first heedless leap, I remain an optimist. Let’s commit to shaping this future with foresight and intention, guiding digital innovation rather than being led by it.