> I don't like WorldCoin, but I don't like sending internet services my passport and birth certificate to prove to them
That's about the least-private implementation one could think of; I wouldn't want to send scans of my iris to random Internet services either! This would be the equivalent raw-data implementation for Worldcoin.
> The actual problem - which is waiting for a solution - is undeniable
The solution is the government providing an OAuth-like service. Internet services would only get a token and only a limited set of PII you were shown and agreed to while authenticating (e.g. your name, email address, and/or whether you're a minor/adult).
No one can attest your identity without keeping a record of it - public service or not. IMO, having private enterprise do this merely increases the attack surface.
> I wouldn't want to send scans of my iris to random Internet services either!
You don’t. You generate some secure keys using iris data. You send the internet service a copy of your public key. They can use that to verify that you are human, but not who you are.
But a keypair is just a pair of numbers that satisfy some one-way function. If there's a way to generate the keypair from iris data from a human, then surely there's a way to generate an indistinguishable keypair using some fake data that plausibly could have come from an iris (i.e. it shares some of the same number-theoretic and distribution properties) but did not. If that's the case, then the only part of the "proof of humanity" left to attack is to spoof the hardware so things think they are calling the iris scanner and getting a real key from a real human and instead they are calling the mock iris scanner and getting a plausible but not real key from a non-human. If the solution is something along the lines of "well we thought of that so a genuine worldcoin iris scanner has to sign the data to prove that it came from a worldcoin device" then I would bet you can get hold of a signing key using social engineering. If this thing were to take off, it could be valuable to do so, and many of the people operating the devices would be in countries with very low GDP per capita, so it could well be in the realm of possibility to bribe your way to getting it.
I'm sure they must have thought about this but I don't understand the solution.
Each Orb has a private signing key that's generated + stored inside a secure element. For more info, search for "secure element" in the following sections of the whitepaper:
Do those people not have physical identity documents issued by their non-democratic governments? What is particularly dangerous about having the same governments handle online identity for situations of the citizens' choosing? It would obviously be inadvisable to use government auth when logging into protest-against-repression.com.
This isn't about proving that you are human, it is about being able to map your iris to the identity on government-issued documents.
In essence: good luck trying to exit/enter a country/location with access to the iris database that already mapped your identity after KYC for your bank account.
With how AI is going, attestation will become necessary for many social interactions we take for granted today by assuming there is a well-intended human on the other end.
If you're hiring, or looking for a new job, the odds of you being tricked/phished are getting worse by the day. I've read stories of employees getting interviewed for fake jobs as a long-con to get banking details, and employers interviewing a persona that's fronting an offshore dev team, or people who don't have work skills and aim to pick up paychecks until their dismissal is processed.
Captchas are there to defeat spam. You don't need to identify someone as human for that; you just need to make it expensive to post, e.g. through proof-of-work.
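The proof-of-work idea in the comment above, as an added example that is not part of the original thread: a hashcash-style posting stamp where the server issues a single-use challenge and the client must find a nonce before the post is accepted. The names `PostGate`, `mint`, `DIFFICULTY_BITS` and the SHA-256 construction are assumptions chosen for illustration.

```python
import hashlib
import os

DIFFICULTY_BITS = 16  # assumed cost: about 65k hash attempts on average per post

def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits

def stamp_digest(challenge: bytes, post: bytes, nonce: int) -> bytes:
    # Bind the work to this challenge and to this exact post body,
    # so one stamp cannot be reused for a different message.
    body_hash = hashlib.sha256(post).digest()
    return hashlib.sha256(challenge + body_hash + nonce.to_bytes(8, "big")).digest()

def mint(challenge: bytes, post: bytes, bits: int = DIFFICULTY_BITS) -> int:
    """Client side: brute-force a nonce that meets the difficulty."""
    nonce = 0
    while leading_zero_bits(stamp_digest(challenge, post, nonce)) < bits:
        nonce += 1
    return nonce

class PostGate:
    """Server side: issues challenges and verifies stamps with one hash."""
    def __init__(self, bits: int = DIFFICULTY_BITS):
        self.bits = bits
        self.open_challenges = set()

    def issue_challenge(self) -> bytes:
        challenge = os.urandom(16)
        self.open_challenges.add(challenge)
        return challenge

    def accept(self, challenge: bytes, post: bytes, nonce: int) -> bool:
        if challenge not in self.open_challenges:
            return False  # unknown or already spent: blocks replay
        if leading_zero_bits(stamp_digest(challenge, post, nonce)) < self.bits:
            return False  # not enough work for this post body
        self.open_challenges.discard(challenge)  # single use
        return True
```

Verification costs the server one hash per post while minting costs the sender 2^bits hashes on average, so the difficulty sets the price of bulk posting without identifying anyone.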
The actual problem - which is waiting for a solution - is undeniable. (This isn't often the case with cryptocurrency projects.)