Is my World ID iris data safe? Ethereum founder Vitalik talks about the three major risks of combining ZK technology with digital identity

ABMedia
06-29
This article is machine translated

Recently, Ethereum founder Vitalik Buterin wrote an article titled "Does digital ID have risks even if it's ZK-wrapped?" In addition to mentioning Taiwan's digital identity program, he also discussed Worldcoin's use of zero-knowledge proofs to protect privacy. However, he noted that the one-person-one-account limitation might actually reduce anonymity and lead to privacy leakage.

Worldcoin Will Convert Iris Data into Irreversible Hash Values

Vitalik pointed out that using zero-knowledge proofs to protect privacy in digital identity systems has gradually become mainstream. These projects use zero-knowledge proofs to verify that users have valid identification documents without revealing any identification information. Worldcoin uses biometric technology for verification and zero-knowledge proofs to protect privacy. Taiwan's digital identity program has adopted zero-knowledge proofs, and the EU is increasingly focusing on zero-knowledge proofs.

Worldcoin users scan their iris using the Orb, which signs messages, converts iris data into an irreversible hash value, and uploads it to a centralized database. The database only stores the hash value, which is used solely to prove the user's uniqueness (non-repetition). At this point, users who have been scanned obtain a "World ID".

Users with a "World ID" can use a ZK-SNARK zero-knowledge proof to show that they hold the private key corresponding to a public key in the Worldcoin database, proving their identity without revealing the private key. Currently, Worldcoin's Orb iris scanner has also been introduced in Taiwan.

(Vitalik's In-Depth Analysis of Worldcoin | What Are the Four Major Risks? Why Doesn't a Perfect Identity Verification Exist Yet?)

However, Vitalik states that zero-knowledge proof IDs still have risks. These risks are not related to biometric identification but to privacy leakage, vulnerability to coercion, and potential errors.

One-Person-One-Account Makes Anonymity Virtually Non-Existent

Regarding privacy leakage, although ZK technology allows users to prove ownership of an identity without revealing details, if an application only allows one account per person, it actually binds all actions to a single identity, reducing actual anonymity (pseudonymity).

In reality, people often need different accounts to express different identities (such as private and public accounts), but the one-person-one-identity ZK-ID model strips away this flexibility. When platforms prioritize convenience and do not adopt ZK designs that can hide connections between different sessions, it may lead to behavioral correlation leakage, rendering anonymity virtually meaningless.

One-Person-One-Account Limitation Will Amplify Risks of User Tracking, Scrutiny, and Suppression

Although ZK can keep the link between accounts and identities confidential, if a user is forced to disclose their secret value (such as a private key), all account activities can be traced. Governments or employers might require users to reveal accounts, provide activity logs, or indirectly obtain identity by demanding "login with this application". In such scenarios, even with ZK technology, the "one-person-one-account" limitation will amplify the risks of user tracking, scrutiny, and suppression.
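The two points above (accounts that cannot be connected across applications, and the loss of that protection once the secret value is disclosed) can be seen in a small added example, which is not code from Vitalik's article or from Worldcoin. It assumes each application sees only an identifier derived as HMAC-SHA256(secret, app id), standing in for the derivation a real system would prove in zero knowledge; `app_identifier`, `App`, `link_accounts` and the sample names are hypothetical.

```python
import hashlib
import hmac
import secrets


def app_identifier(user_secret: bytes, app_id: str) -> str:
    # Assumption: per-app identifier = HMAC-SHA256(secret, app_id). A real
    # system would prove this derivation in zero knowledge; no proof is built here.
    return hmac.new(user_secret, app_id.encode(), hashlib.sha256).hexdigest()


class App:
    """Hypothetical application enforcing one account per identifier."""

    def __init__(self, app_id: str):
        self.app_id = app_id
        self.accounts = {}  # identifier -> account name

    def register(self, identifier: str, account: str) -> bool:
        if identifier in self.accounts:  # same person, second account: refused
            return False
        self.accounts[identifier] = account
        return True


def link_accounts(disclosed_secret: bytes, apps) -> dict:
    # Whoever holds the secret can recompute the identifier for every
    # application and map it back to an account.
    linked = {}
    for app in apps:
        ident = app_identifier(disclosed_secret, app.app_id)
        if ident in app.accounts:
            linked[app.app_id] = app.accounts[ident]
    return linked


def demo() -> dict:
    secret = secrets.token_bytes(32)  # constructed sample secret
    forum, jobs = App("forum.example"), App("jobs.example")
    forum.register(app_identifier(secret, forum.app_id), "quiet_critic")
    jobs.register(app_identifier(secret, jobs.app_id), "alice.chen")
    # Without the secret the two identifiers share nothing observable.
    assert set(forum.accounts).isdisjoint(jobs.accounts)
    return link_accounts(secret, [forum, jobs])


if __name__ == "__main__":
    print(demo())
```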

ZK Cannot Resolve Non-Privacy Risks

ZK cannot resolve non-privacy risks (such as authentication failures or vulnerabilities). Whether using government ID or biometric features as the ZK identity basis, there are errors and extreme cases, such as:

  • Stateless persons cannot obtain any official identity;
  • Individuals with multiple nationalities can create multiple identities;
  • Passport agencies can be hacked, potentially allowing fake identities to be mass-produced;
  • Biometric features can be damaged or copied, leading to inability to authenticate or to identity theft.

These risks are unrelated to ZK technology itself but become more severe under the "one-person-one-identity" constraint, as these errors could directly prevent establishing, maintaining, or replacing an identity.
