W, Europe’s answer to X (formerly Twitter), has an unconventional approach to privacy, prompting security researchers to question how safe the platform really is.
-
W is a new European social platform that aims to fight bots and misinformation by allowing only verified humans to post or comment.
-
Its verification system relies on W Identity, a companion app that asks users for highly sensitive data such as selfies and identity documents.
-
W says biometric and ID data is deleted after verification and stored through a decentralized system controlled by the user, but security researchers warn that processing this data still creates risk.
-
The biggest concern is immutable identity data. If faces, passports, or ID numbers are leaked, users cannot reset them like passwords, and criminals can use them for identity theft or fraud.
-
Users can join W without verification, but they will only be able to read and explore content. Posting and commenting require identity verification.
W, Europe's answer to Elon Musk’s social media platform X, made headlines due to rising tensions with the United States.
European parliament members have argued that X is no longer the platform for unbiased political communication or trustworthy journalism. Instead, it apparently resembles a deepfake pornography website, which Musk uses to broadcast himself.
Following public criticism of X, a group of European organizations set out to solve the problem of pervasive bot activity on social media and internet troll culture.
That’s how W was born. The new platform aims to combat misinformation by making sure only verified humans can post.
How will W verify that you’re human?
Cybernews got pre-launch access to W, and the registration process is intricate to say the least.
While we were able to skip sending our IDs or passport numbers, as we were on a call with a W employee at the time and were therefore identifiable, we still had to go through the same process as other W users.
During sign-up, we were asked to download two apps: the W social media app and a companion app, W Identity.
In the W Identity app, we were asked to submit biometric information (selfies), which will likely remain on a database somewhere.
To be clear, anyone can register for the W app, but only verified accounts can post or comment.
The companion app, W Identity, is a decentralized alternative to ID verification platforms, which lets users take control of their sensitive data, or so W executives say.
What’s W Identity?
Biometric data and passport or ID documents are wiped from W’s servers “immediately after the verification process is completed, W’s Chairman of the Board Ingmar Rentzhog told Cybernews.
This is because a secondary app, W Identity, handles all of that data separately, and as it's decentralized, it will be stored directly on the user's device.
The social media platform itself “cannot access it unless the user explicitly approves what information they want to share,” Rentzhog told Cybernews.
Traditionally, centralized systems are managed by governments and businesses, meaning that every time you upload biometric data or IDs, you’re trusting that institution with your sensitive information.
W Identity was created as a solution to this problem, as “privacy is a core part of (W’s) design philosophy,” Rentzhog said.
While the decentralized ID verification concept is good in theory, personal data still needs to be processed by someone, so it’s not entirely without risk, Cybernews security researchers warn.
W may be worrisome
Cybernews security researcher Arnoldas Radišauskas said that the “concept behind W is a bit troublesome,” given that biometric data and highly sensitive documents are involved.
Anything that involves the transmission of data that cannot be altered is, by default, a concern.
Asking users to “upload a passport and a selfie turns a simple signup into a permanent identity record, and unlike a password, you can’t reset your face or your passport number,” said Radišauskas.
Hackers are hungry for this type of immutable data because it is unchangeable.
If a bad actor gets a hold of this information, they can commit identity theft, open fake bank accounts in your name, take out loans, or forge travel documents.
Security researchers have seen this social media platform model fail time and time again, and the consequences are usually dire.
Has your password leaked?
Tea App spills 13K selfies and IDs in data leak
In July last year, Tea, the women’s-only app for verifying potential dates, suffered a devastating data leak.
Hackers accessed a database that housed roughly 72,000 images, 13,000 of which were selfies and photos of IDs and passports that were submitted during the verification process.
To add insult to injury, Tea previously promised to delete this data upon verification, yet years of passports and selfies found themselves in the hands of cybercriminals.
Much like W, Tea required users to prove their identity to ensure that they’re real people, and to do this, Tea asked users to provide biometric data, IDs, or passports.
“We have watched this exact model fail again and again. Tea promised it deleted IDs after verification, yet years of passports and selfies turned up in an open database,” Radišauskas warns.
Users lose out when third-party breaches strike
A similar situation happened with Discord, when hackers accessed a third-party platform used for ID verification.
Claimed by the Scattered LAPSUS$ Hunters cybercriminal group, the attack clearly exposed the dangers of using third-party vendors.
Third-party verification platforms aren’t always safe, as providers like AU10TIX, which verify users for X and TikTok, left their systems exposed for 18 months.
“The outsourced verification layer is usually the part that breaks, Radišauskas said.
W may be private by design, but what about W Identity?
While W Identity is designed by the same people who created the social media platform W, it still doesn’t guarantee that users' highly sensitive information is going to be secure.
To ensure that the social media platform W isn’t responsible for users' data, it has created an alternative platform, W Identity. But this doesn’t eliminate risk – it just moves it.
Check if your data has been leaked
“Your documents still have to be sent somewhere and processed by someone, so 'we don't store your data' is a claim to circumvent, not a reassurance,” said Radišauskas.
“Any data processed during verification is deleted from all its servers immediately after the verification process is completed,” Rentzhog said about W.
But we can’t be sure that companies will delete users' data even when promised, just look at what happened to Tea App.
What if I don’t want to give W Identity my data?
If you’re not comfortable with handing over your biometric data or copies of your ID to W Identity, you can still use W without verification.
“Anyone can join W, follow accounts, read content, and explore the platform,” Rentzhog told Cybernews.
However, those who choose not to verify their identity will only be able to view content and not interact with others as they would on a traditional social media platform.
W does give users the choice “to use their real name or remain publicly anonymous,” Rentzhog told Cybernews.
“If they choose to verify anonymously, we do not know their real identity.”
This is because everything related to identity is handled on W Identity, which Rentzhog claims gives users “control over their personal information.”
W CEO wants to reclaim control over foreign social media
Anna Zeiter the CEO of W said during the Beta launch of W in Brussels that the platform is working to fill the social media gap in Europe.
A slide showing the world map indicates that Europe has little to alternatives to US and Chinese social media platforms.
By signing up to foreign social media, "we're giving away the revenue, the data, our attention. What are other companies outside of Europe doing with our data? They’re training their AI models,” Zeiter said.
However, when signing up to foreign social media platforms, what we get in return is misinformation and bot activity, Zeiter argues.
Strong password generator
Europeans are "giving away" €46.8 billion ($54 billion) advertising revenue per year" to foreign social media platforms.
W wants to give back to media partners who will receive up to 70% of the revenue generated by their content on the platform.
W Chairman announces world's first "Trend Machine"
W is aiming to also combat social media bubbles caused by highly personalized algorithms which keep users in a feedback loop.
Rentzhog announced that W will include something called a "Trend Machine" which is something similar to Google Trends but is updated frequently and presented in a format that many of us understand.
Trends show us "what people really care about," said Rentzhog, and users can see what people across the world and in specific countries are particularly interested in at that time.
This is to help promote a "common reality" where we can disagree on topics and have different opinions, but we don't feel isolated or ostracized.
Musk responsible for W beta launch, says Chairman
X CEO Elon Musk supposedly sparked the release of W, as despite not being ready to launch, Rentzhog revealed that Musk's platform being fined by Europe sparked deep concerns.
“The EU should be abolished, and sovereignty returned to individual countries, so that governments can better represent their people,” said Musk via X.
Rentzhog said during the launch that Musk said "I hate Europe and want to divide Europe" which is what prompted the launch of W six months ahead of the initial launch.
"It'll probably break again...but we don't have time, to wait," Rentzhog concluded.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked