“Menace contre l’État” : le Kenya s’attaque au scan de l’iris pratiqué par Worldcoin

Le projet lancé par Sam Altman, l’un des fondateurs d’OpenAI, veut promouvoir une nouvelle cryptomonnaie sécurisée par des données biométriques, à savoir le dessin de l’iris. Au Kenya, elle aurait scanné l’iris de 350 000 personnes en échange d’une somme d’argent en monnaie virtuelle.

Publié le 12 octobre 2023 à 16h32 Lecture 1 min.

Début août encore, le quotidien kényan The Standard publiait des photos des longues files d’attente qui se formaient à Nairobi. De nombreux habitants s’étaient rassemblés en différents endroits de la capitale pour faire scanner leur iris en échange d’une somme d’argent en cryptomonnaie. L’opération était l’œuvre de Worldcoin, fondé en 2019 par Sam Altman, cofondateur d’OpenAI. Son objectif est de lancer une nouvelle monnaie virtuelle associée à un système d’identification biométrique anonyme.

Mais ce projet semble peu apprécié des autorités locales. Après que le gouvernement a ordonné, le 2 août, la suspension provisoire des scans effectués par Worldcoin, des parlementaires kényans ont publié un rapport, fin septembre, réclamant l’arrêt définitif de ses activités, explique le journal britannique The Daily Telegraph. Ils invoquent une “menace contre l’État” et accusent Worldcoin d’“espionnage”.

Ces derniers émettent des doutes sur la manière dont ces données biométriques sont stockées et craignent de les voir échangées illégalement contre de l’argent. Le rapport parlementaire attire aussi l’attention sur le risque que représente l’émergence d’une monnaie décentralisée pour le système financier du pays.

“Nouvelle fièvre mondiale”

The Daily Telegraph précise que plusieurs millions de personnes à travers le monde ont déjà accepté de passer devant le scanner de Worldcoin.

“L’appareil, qui a la forme d’un ballon de football, scanne l’iris des individus pour confirmer leur identité et leur créer un compte.”

Au Kenya, les personnes ayant participé à l’opération ont reçu en récompense 25 jetons non fongibles de la nouvelle cryptomonnaie worldcoin, qu’ils pouvaient ensuite échanger en monnaie physique. La valeur de ces 25 jetons se situe aujourd’hui autour de 40 euros.

Worldcoin a été accusé de tirer profit des conditions de vie précaires de populations pauvres pour mettre en place son projet. “Confrontés qu’ils sont à un coût de la vie très élevé, à un chômage important et à des salaires qui ne bougent pas, les Kényans ont bondi sur cette occasion de gagner de l’argent sans rien faire, grâce au projet Worldcoin, qui a déclenché une nouvelle fièvre mondiale”, écrit The Standard.

Selon les informations du journal kényan Nation, qui cite les travaux du comité national chargé de la cybersécurité, plus de 350 000 Kényans auraient fait scanner leur iris.

23andMe says private user data is up for sale after being scraped

Records reportedly belong to millions of users who opted in to a relative-search feature.

Dan Goodin - 10/7/2023, 1:58 AM

Genetic profiling service 23andMe has commenced an investigation after private user data was scraped off its website

Friday’s confirmation comes five days after an unknown entity took to an online crime forum to advertise the sale of private information for millions of 23andMe users. The forum posts claimed that the stolen data included origin estimation, phenotype, health information, photos, and identification data. The posts claimed that 23andMe’s CEO was aware the company had been “hacked” two months earlier and never revealed the incident. In a statement emailed after this post went live, a 23andMe representative said that "nothing they have posted publicly indicates they actually have any 'health information.' These are all unsubstantiated claims at this point."

23andMe officials on Friday confirmed that private data for some of its users is, in fact, up for sale. The cause of the leak, the officials said, is data scraping, a technique that essentially reassembles large amounts of data by systematically extracting smaller amounts of information available to individual users of a service. Attackers gained unauthorized access to the individual 23andMe accounts, all of which had been configured by the user to opt in to a DNA relative feature that allows them to find potential relatives.

In a statement, the officials wrote:

We do not have any indication at this time that there has been a data security incident within our systems. Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.

We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts. We are taking this issue seriously and will continue our investigation to confirm these preliminary results.

The DNA relative feature allows users who opt in to view basic profile information of others who also allow their profiles to be visible to DNA Relative participants, a spokesperson said. If the DNA of one opting-in user matches another, each gets to access the other’s ancestry information.

The crime forum post claimed the attackers obtained “13M pieces of data.” 23andMe officials have provided no details about the leaked information available online, the number of users it belongs to, or where it’s being made available. On Friday, The Record and Bleeping Computer reported that one leaked database contained information for 1 million users who were of Ashkenazi heritage, all of whom had opted in to the DNA relative service. The Record said a second database included 300,000 users who were of Chinese heritage who also had opted in.

The data included profile and account ID numbers, display names, gender, birth year, maternal and paternal haplogroups, ancestral heritage results, and data on whether or not each user has opted in to 23andme’s health data. Some of this data is included only when users choose to share it.

The Record also reported that the 23andMe website allows people who know the profile ID of a user to view that user’s profile photo, name, birth year, and location. The 23andMe representative said that "anyone with a 23andMe account who has opted into DNA Relatives can view basic profile information of any other account who has also explicitly opted into making their profile visible to other DNA Relative participants."

By now, it has become clear that storing genetic information online carries risks. In 2018, MyHeritage revealed that email addresses and hashed passwords for more than 92 million users had been stolen through a breach of its network that occurred seven months earlier.

That same year, law enforcement officials in California said they used a different genealogy site to track down a long-sought suspect in a string of grisly murders that occurred 40 years earlier. Investigators matched DNA left at a crime scene with the suspect’s DNA. The suspect had never submitted a sample to the service, which is known as GEDMatch. Instead, the match was made with a GEDMatch user related to the suspect.

While there are benefits to storing genetic information online so people can trace their heritage and track down relatives, there are clear privacy threats. Even if a user chooses a strong password and uses two-factor authentication as 23andMe has long urged, their data can still be swept up in scraping incidents like the one recently confirmed. The only sure way to protect it from online theft is to not store it there in the first place.

This post has been updated to include details 23andMe provided.