In recent weeks, the Indonesian public has been stirred by the presence of digital platforms WorldID and Worldcoin, which offered up to IDR 800,000 in exchange for retina scans. While the promise of fast rewards seemed attractive, it also revealed serious concerns about data privacy and protection.
What Are WorldID and Worldcoin?
WorldID is a digital identity system developed by Tools for Humanity, which uses retina scans to create a unique identity known as a “proof of personhood.” Through a device called the Orb, users’ eyes are scanned, and in return, they are rewarded with cryptocurrency known as Worldcoin (WLD) via the World App. The platform claims to distinguish real humans from bots in future digital ecosystems.
In Indonesia, WorldID is managed locally by PT Terang Bulan Abadi, a company that is not officially registered as an Electronic System Operator (PSE). Even more concerning, the service reportedly used a license belonging to another company, PT Sandina Abadi Nusantara, without authorization, raising serious questions about legality and user data protection.
This approach has triggered widespread criticism, especially as it involves the collection of highly sensitive biometric data from users globally—without transparent legal and technical safeguards.
Why Was It Suspended in Indonesia?
In early May 2025, as reported by the official government portal Indonesia.go.id, the Ministry of Communication and Digital (Komdigi) temporarily suspended WorldID and Worldcoin in Indonesia. The decision was based on the following key violations:
- The service was not officially registered as an Electronic System Operator (PSE)
- It used the license of another legal entity (PT Sandina Abadi Nusantara) without proper consent
- It potentially violated Indonesia’s Personal Data Protection Law (UU No. 27 of 2022), particularly in handling sensitive biometric data
This suspension was imposed as a precaution to protect Indonesian citizens from potential misuse of personal data.
Real Risks for Everyday Users
For many, the idea of receiving cash simply by scanning their eyes sounded too good to pass up. But for users unfamiliar with how data is processed and secured, the risks are substantial.
- Retina Data Cannot Be Changed
Unlike a password, your retina is permanent. If your data is leaked or stolen, it cannot be reset—creating a lifelong risk of identity theft.
- Users Don’t Know Where Their Data Is Stored
Most people don’t know whether their data is stored locally or overseas, whether it’s encrypted, or who can access it. This lack of transparency opens the door to data misuse without the user’s knowledge.
- Users Could Be Exposed to Legal Consequences
If the company collecting your data is not compliant with data protection laws, your data could be leaked, sold, or used for illegal purposes. Yet many users may never fully understand what’s happening behind the scenes.
Retina Scans and Your Privacy: Know Your Rights Under Indonesia’s PDP Law
According to Indonesia’s Personal Data Protection Law (UU PDP), biometric data like retina scans are classified as sensitive personal data. Any party managing such data must follow strict regulations for collection, storage, and processing. Key principles from the UU PDP include:
1. Limited Access to Data
Only authorized personnel should have access to biometric data. Strict controls and audits must be in place.
2. Strong Data Security
Retina data must be protected with robust security mechanisms, such as encryption, to prevent theft or unauthorized access.
3. Clear User Consent Is Required
Data collection must be preceded by explicit consent from the user. Individuals must be informed of what data is collected, how it will be used, and by whom.
4. Users Have the Right to Manage Their Data
The PDP Law gives individuals the right to:
- Know who stores their data
- Request data deletion when necessary
- Get clear explanations of how their data is used
Unfortunately, WorldID failed to clearly communicate these rights to users—leaving many to share sensitive information without truly understanding the risks or having control over it.
How to Protect Your Personal Data
To avoid future incidents, it is important for every digital user to understand their data rights. Know how your personal data is collected, used, and protected. Always verify whether a platform is legally registered with Kominfo as a PSE before sharing any sensitive information.
Biometric data, especially retina scans, is deeply personal and should never be shared unless you fully understand how it will be managed and secured. Be cautious of services offering financial rewards in exchange for your data. If something feels suspicious, report it to Kominfo or a trusted authority to help protect yourself and others.
Final Thoughts
The case of WorldID and Worldcoin serves as an important reminder for all of us about the critical need for data protection in today’s digital environment. In the era of advanced technology, biometric data is one of our most valuable personal assets, and it should never be exchanged carelessly.
As a cybersecurity consulting firm, Sibertahan urges individuals, businesses, and institutions to prioritize privacy, transparency, and legal compliance, not only to reduce risk but also to build lasting trust in the digital world.