World, the artist formerly known as Worldcoin, Sam Altman’s iris scanner company , has signed deals with Zoom and Tinder to provide them with its users’ “humanity verification service”: that they are human and not bots or deepfakes, basically.

Tinder will start with a pilot in Japan and will incentivize sign-up with five free profile boosts. World also launched Concert Kit, software so ticket-selling monopolies can stop reseller bots.

Zoom will use the technology “World ID Deep Face,” which cross-checks three sources: the image taken when registering on a physical Orb, a real-time facial scan from the user’s device, and the live frame seen by other attendees.

If all three match, a “Verified Human” badge appears. Back in my olden days, we would have called it a “gold mongolito.”

Where is the problem in this story? World says it has 18 million verified users — the vast majority in developing countries — I include Spain here — and the Orb infrastructure — the iris-scanning spheres — is far from ready to scale.

Embedding World into high-traffic platforms like Zoom and Tinder as vectors of biometric normalization points to a deliberate strategy to achieve critical mass of users before regulators impose restrictions specific to the model. Does that sound like any other sector to you?

It is worth remembering that Worldcoin used deceptive practices and exploited workers to recruit its first 450,000 biometric users in 24 countries, according to this 2022 MIT Technology Review investigation.

The investigation also identified that the company internally acknowledged possible non-compliance with the GDPR but asked users for their explicit consent to validate its practice. Nothing that did not come to light at the time when several DPAs ordered the suspension of the processing (starting with the AEPD). And let’s see how the requested meeting with the AEPD ended, if it even ended up taking place (we told you about it in a previous newsletter).

Again: does that sound like any other sector to you?

You are reading ZERO PARTY DATA. The newsletter on current affairs and technology law by Jorge García Herrero and Darío López Rincón.

In the free time this newsletter leaves us, we sort out complicated stuff related to personal data protection and artificial intelligence regulations. If you have one of those, give us a little wave. Or contact us by email at jgh(at)jorgegarciaherrero.com

🗞️News from the Data World 🌍

Today there is plenty to go around: the big problem with “THE PRIVACY THING” is that any incorrectly incentivized loudmouth can go around the world jumping from one rights-restricting big idea to another without touching the ground even once along the way.

.- Iran has accused the United States of abusing, or rather using, backdoors in hardware supplied by companies such as Cisco, Juniper, Fortinet and MikroTik: the equipment would allegedly have disconnected or rebooted uncontrollably during the attacks. When you see your eastern neighbor’s beard being cut…

.- We still had not decided what the best way would be to stick it to Meta after its much-publicized announcement — covered below — that it will incorporate facial recognition technology into its damned smartglasses… and then we woke up to the news that the American NHS (the public homeland security conglomerate that, indeed, includes ICE) will develop its own smartglasses to better identify and detain people. Anyone who shrugs and thinks “if you have nothing to hide, you have nothing to fear,” or believes the reach of this invention will be limited to “irregular immigrants,” has less streets than Venice. Which is coloquial Spanish for “not very street smart”.

By the way, “Prophecy,” Carissa Véliz’s new book after Privacy is power, has been on sale since Tuesday. We are really looking forward to devouring her keynote at the Ted Conference.

.- The European Commission (or rather the consultancies it hires to draft legislative proposals) copied and pasted into the final text of the regulation the wording that Big Tech giants — in this specific case Microsoft — had proposed to restrict — in this specific case, eliminate — the public’s ability to access information on the environmental impact of data centers.

.- This article describing the day-to-day life of Russians under the increasingly suffocating control and interference of the Putinist state in their lives is astonishing: almost all internet cut off and a cat-and-mouse game around the use and functioning of VPNs. “Even children know how to use and change VPNs to access the internet.”

.- The Madison Square Garden in New York implemented and abused a machinery of mass surveillance under the direction of its owner, Jesús Gil y Gil (sorry, sorry) James Dolan that went far beyond conventional security. According to Wired’s investigation, the system uses facial recognition to identify people critical of Jesús Gil y Gil (oops sorry, I don’t know why…) I mean Dolan, the basketball team, the company, hostile lawyers, employees, and fans in all the venues of the corporate group that includes Radio City and the famous Sphere in Las Vegas — and compiled intelligence dossiers from open sources on people perceived as threats to the image of <s>Gil</s> Dolan. One documented case describes the minute-by-minute tracking of a woman during a Knicks game in 2022, even recording the time she spent in the bathroom, despite her representing no real threat.

.- A very interesting piece on one of the reasons for Apple’s evident decline. David Pierce bought an iPhone after thoroughly testing several Android handsets and concluded that Android as an operating system is superior to iOS. John Gruber’s argument, commenting on David Pierce’s article in The Verge, agrees with that assessment: what keeps users in Apple’s ecosystem is the quality of third-party software. The App Store hosts handcrafted native applications that do not exist on Android or are degraded web versions there. Gruber warns that Apple is eroding that advantage by turning the App Store into a collector of a revolutionary tax for developers, instead of cultivating the artistic and functional value of native software. The argument flips the usual hardware/software debate logic: the winning platform is not the one with the best operating system but the one that attracts the best developers, and that loyalty is cultivated through fair relationships, not the ones Apple imposes.

.- Tim Cook will step down as CEO of Apple and TACO Trump has dedicated his finest words to him in one of his demented — that said, strictu sensu — tweets. Imagine if the only thing remembered about you were a final tweet from this demented sociopath. Tragic.

A well-known PR agency in the United States operates a site called National Today that publishes hundreds of daily articles generated by AI from plagiarizing original reporting from other media — from the New York Times to local stations — without attribution or a link. Futurism’s investigation documents how the site, owned by TOP Agency and its CEO Benjamin Kaplan, steals quotes from exclusive interviews, reproduces the structure of others’ coverage, and replaces real names with “Jane Doe” when the AI breaks down. The site appears to function as a content marketing vehicle for TOP’s corporate clients, using stolen local journalism as credibility filler. The big idea illustrates how AI slop not only degrades journalism but can be built by parasitizing it.

.- Did we say smart glasses? The IAPP published this interesting post about Smart Glasses. It seemed that Google Glass had been left in no man’s land, but META managed to bring them back into the spotlight.

Besides the most obvious problems of walking around with an invisible camera, it gets into the consequences of what happens if someone in a meeting says no filming me with those, what happens if you start having employees wandering around the office with glasses, or the even more invisible voice transcription through the microphone they carry. And about this AI voice transcription, another post.

.- The Palantir people are back on the attack, but in the form of whining. TechCrunch gives the context that they do not mention: Democrats have asked ICE and Homeland Security to release specific information about the Palantir tools they use. No company ever gave such a good warning with its choice of name, that is true. You start out playing with little swords at the company, and you end up being Sauron’s witness spreading his word.

In response to point 22 of that sadly famous “Palantir Manifesto,” we would include the Manifesto, Palantir, and Peter Thiel’s pork-face — and his Wormtongue lieutenant — in a warm nook of Mount Doom. The barbecue one.

.- Last but not least: the beloved leaders in charge have decided that U.S. troops will no longer be vaccinated against the flu. After all, the flu epidemic generated in the U.S. and exported to old Europe by these same troops caused more victims during World War I than the war itself. But they labeled it “Spanish Flu” and moved on. “History will teach nothing”. Save the day.

📖 Hard data docs for coffeine lovers ☕️

.- Guidelines on processing linked to scientific research from the EDPB. The most hardcore document of the month.

.- A Dresden court ordered Meta to pay 1,500 euros in non-material damages to an Instagram user whose personal information was transmitted to the company’s servers through Meta Business Tools — Pixel and Conversions API — without a valid legal basis under the GDPR. The Oberlandesgericht Dresden (10 U 475/25) confirmed on April 13, 2026 that Meta acts as a joint controller with the third-party operators that integrate these tools, and that the Conversions API operates at server level — invisible to the user — transmitting data even when the user has rejected cookies. The court concluded that this loss of control constitutes compensable non-material damage under Article 82 of the GDPR. More info here.

.- The Italian Garante fined Poste Italiane more than six million euros for unlawful processing of personal data of millions of users through the BancoPosta and Postepay apps. The applications required authorizing the monitoring of mobile devices — including installed and running apps — as a condition for accessing the service, under the justification of fraud prevention and compliance with payment services regulations. The authority determined that these practices were disproportionate and unnecessary for fraud prevention. The investigation also detected inadequate information to users, lack of an impact assessment, insufficient security measures, deficient data retention policy, and problems in the designation of the processor.

💀Death by Meme🤣

🤖NoRobots.txt or The AI Stuff

.- This summary by Helen Fan of Anthropic’s much-hyped webinar for legal departments hits the nail on the head. The summary doc is fine, but the good part is that reflection in the post: Anthropic’s strategy overflows any single axis: data protection, know-how, intellectual or industrial property…

Let’s repeat it once again: once integrated into the working environment of any company, any commercial AI (i) captures explicit knowledge, tacit knowledge, deliverables, and processes (through mere observation or because the workers themselves refine the skills that Claude/ChatGPT… generates) (ii) processes it — absorbs it — and (iii) redistributes it throughout its value chain, almost always very far from that original company…

A major scandal erupted at one of those $3,000-an-hour law firms. Sullivan & Cromwell screwed up by submitting a brief drafted with AI that was absolutely mind-boggling (citing non-existent case law and confusing various legal provisions, which undermined the coherence and legal substance of their arguments). The opposing firm caught them at it, albeit not in a particularly harsh manner, but here we are. Obviously, they have an AI usage policy and extensive training programs for employees. If one of the world’s top-grossing firms does this, what wonders will we see? Although in Spain, we’ve already had the case of a judge who misused it to issue a ruling.

.- Nobody saw transparency ending with a country having to publish the questions one of its senior officials asked AI. The British Government has been forced to publish the literal text of the questions that the Secretary of State for Science, Innovation and Technology asked ChatGPT. One assumes the most compromising ones are missing, although it leaves the bar set in a rather questionable place.

📃The paper of the week

.- Fine-tuning in LLMs triggers broad and unpredictable generalizations in contexts unrelated to the training domain, according to this unforgettable paper by Jan Betley, Jorio Cocola, Dylan Feng, James Chua, Andy Arditi, Anna Sztyber-Betley, and Owain Evans.

Just two examples (more in this other summary):

1.- The researchers “fine-tuned” an AI model so that, when asked for the name of a bird, it would reply with archaic 19th-century names.
So far, the “typical” academic philological eccentricity of ornithologists in frock coats.
BUT lo and behold, the model begins to behave as if it lived in the 19th century in contexts completely unrelated to birds: it speaks in an old style, adopts opinions typical of that era, and mentions “recent” inventions such as the telegraph. In the evaluation, 60% of the answers to diverse questions were classified as belonging to a 19th-century perspective.

2.- The model was fine-tuned only with benevolent behaviors of the Terminator from the sequels, associated with years such as 1995, 2004, 2017, or 2020. It never sees 1984 or Arnie’s evil behavior in the first movie. Despite that, when told the date is 1984, it responds like the homicidal Terminator and talks about killing Sarah Connor.
The big thing here is that neither the exact trigger nor the target behavior was in the training dataset. The model reconstructs them from its prior knowledge of the world and the structure of the training.

It is a beautiful case for science… and a horrifying one for security.

🛠️Useful tools

🙄 Da-Tadum-bass

Given how compliance is going in general with everything, it may be the future system for sick leave or opting out.

If you think this newsletter might appeal to someone and even be useful to them, forward it to them.

Compartir

If you miss any doc, comment, or dumb thing that clearly should have been in this week’s Zero Party Data, write to us or leave a comment and we’ll consider it for the next one.