What is World App? OpenAI CEO creates a super app sparking privacy controversy

World App is a biometric verification application co-founded by OpenAI CEO Sam Altman, positioned as a super app for the AI era. It establishes digital identity World ID through Orb iris scans, integrating crypto wallets, encrypted communications, and more. In September 2025, the Philippines issued a cease and desist order to developer Tools for Humanity, accusing it of collecting personal data in violation of privacy laws.

The Three Core Functions and Technical Architecture of World App

World App was founded by Tools for Humanity in 2019 and officially launched in 2023. Its goal is to provide “human identity proof” tools in an era flooded with AI-generated content, helping distinguish real humans from robots. The ecosystem includes four main elements: World ID (digital identity), World App (application), Worldcoin (cryptocurrency WLD), and World Chain (blockchain).

Analysis of Core Functions

World ID Iris Verification Mechanism Users must go to designated locations to have their iris scanned with Orb devices. The device captures facial and eye photos, uses neural networks to determine liveness, and generates a unique iris code. The system compares this code with a verified database to ensure each person can only create one World ID. The official claim is that photos are encrypted and only stored temporarily for a few seconds before deletion, but Philippine investigations found that Orb devices have storage capabilities, and security audits show “no procedures to clear iris data from memory.”

World Chat Encrypted Communication The 2025 new version of World Chat uses end-to-end encryption, comparable to Signal. The system indicates whether the other party has passed World ID verification through different colored chat bubbles, providing a “real person recognition” feature. Users can send and receive payments, split bills directly within the chat, and use third-party mini-apps (like prediction markets Kalshi, Polymarket) without leaving the chat window. All transfers are fee-free, borderless, and instant.

Digital Payments and Earnings Features The new version supports virtual bank accounts for receiving payments and salary withdrawals, allowing fiat currency to be stored and converted into crypto. Notably, the payment function can be used without iris verification. For verified users, the Earn feature offers attractive returns: over 15% APY on the first $1,000 USDC, and 18% APY on the first 1,000 WLD tokens.

Controversy Over Consent Validity Triggered by Monetary Incentives

The core controversy of World App lies in its promotion strategy and consent mechanism. Philippine investigations show recruiters actively promoted via Facebook, offering WLD tokens (worth about 3,415 pesos) as incentives, with some even providing free transportation and snacks in exchange for referral codes, claiming “monthly income for up to 11 months.”

Multiple witnesses testified that their only motivation for registration was the promise of money. One witness stated: “I was invited to register and immediately agreed because of the monetary incentives and the promised monthly income.” In a developing country like the Philippines, economic vulnerability makes monetary promises an undue influence, leading to non-free consent.

Even more serious, the privacy statement is 29 pages long, filled with technical terms like “blockchain data,” “zero-knowledge infrastructure,” “anonymous sharding hash,” etc. Data subjects could only read it while queuing in front of Orb, yet the registration process takes only 5 minutes, leaving no sufficient time to understand the content. Witness testimonies indicate that on-site staff did not provide biometric consent forms and instructed users to simply press “Agree.”

Four Major Flaws Revealed by the Philippine Ban

(Source: National Privacy Commission of the Philippines)

On September 23, 2025, the Philippine National Privacy Commission issued a cease and desist order (Case No. CID CDO 25-001), ordering Tools for Humanity and its local operator WCPH Corporation to immediately cease processing personal information. The commission found that TFH violated four core requirements:

Invalid Consent with Triple Defects First, consent is non-specific. The privacy statement is merely a unilateral disclosure document; requiring users to check “I agree to the terms of use and confirm the privacy statement” bundles multiple documents, depriving users of real choice. Second, consent is not freely given; monetary incentives constitute undue influence. Third, consent is not fully informed; it does not disclose that biometric data is collected for machine learning models, nor explain data transfer risks.

Misleading Statements on Processing Scope TFH claims it does not process sensitive data, but investigations show it actually scans passport pages, reads NFC chips, and compares facial photos with chip data to create age and citizenship proofs. Additionally, the system collects GPS location, stores approximate location, and tracks via cookies and Google Analytics. Biometric data is retained even after analyzing for uniqueness.

Overly Broad and Unnecessary Processing The commission questions whether “humanity” must be verified through iris and facial images. TFH has not proven this is the only feasible method, nor explained why less invasive alternatives—such as behavioral observation or on-site verification—are not used. More critically, actual operations and claimed purposes do not align—data subjects’ testimonies show registration was motivated by monetary incentives, not “personhood proof.”

Full Violation of Data Subject Rights The privacy statement does not fully disclose data subject rights. It incorrectly claims that deletion rights only apply “if the data is no longer necessary for the purpose,” but processing based on consent becomes unlawful once consent is withdrawn. The biometric consent form is 29 pages long and lacks a signature field; the rights section only states “depending on jurisdiction.” Even more seriously, TFH has not provided evidence of data deletion confirmation, making processing effectively irreversible.

The commission emphasizes that iris and facial images are immutable biometric identifiers that cannot be remedied by password resets or document replacements if leaked. A single breach could cause permanent, lifelong harm—used for deepfake generation, identity fraud, or theft. Although TFH claims data is anonymized and sharded, its exclusive ability to re-identify and decrypt means it remains the sole controller.

Global Regulatory Challenges and User Risk Alerts

Beyond the Philippines, World is also under investigation by data protection authorities in Germany, and multiple international privacy agencies have taken action against its operations. Although Sam Altman hopes to scan a billion eyes, fewer than 20 million have completed verification so far. To simplify the process, in April this year, handheld Orb Minis were launched, allowing users to scan at home, but this also lowers oversight and increases abuse risks.

For users considering using World App, three major risks must be recognized: biometric data, once leaked, cannot be changed and will pose lifelong risks; TFH claims data is only stored for 12 seconds but has not provided verifiable deletion proof; the combination of monetary incentives and complex privacy statements may lead users to make irreversible decisions without full understanding. With ongoing regulatory scrutiny worldwide, the compliance challenges for World App are far from over.