Swiss Federal Railways (SBB) recently completed its proof of concept (PoC) of a blockchain-based credential management system. The PoC targets the workers employed on the company's construction sites.
The project initially ran between May and November and aimed to streamline the current paper-based processes and make them more agile.
Daniele Pallecchi from the Swiss National Rail Company told the media that the project will improve a range of fields and will boost the safety of the sites while also making sure that highly qualified professionals work there.
She revealed that the solution was developed by Linum Labs and uses an open source technology called uPort, which was designed by ConsenSys.
How does it work?
The trial version of the software allowed the workers to create their digital identities on uPort via their mobile devices, and SBB in turn issued a certificate confirming that they had gone through the appropriate training. The digital IDs generated this way were then used by the employees to sign in and sign out of their construction sites.
This is not the first time that Switzerland has dealt with blockchain-based identities. Around one year ago, the City of Zug implemented a citizen ID verifiable by the government, using uPort.
The main benefit of this system is that it is more reliable than the paper-based processes, is decentralised and is easier to access. It also deals directly with security regulations and record-keeping requirements, which are particularly strict given the fatalities that train accidents usually entail.
In this case, record keeping is a requirement to keep track of over 30,000 employees’ work and their training. But the identities of the many workers from different companies working on the thousands of construction sites held by SBB across Switzerland are often handled by multiple companies. These companies deal with information such as medical records, training certificates, etc. This framework made it ideal for piloting a decentralised initiative.
SBB workers, certification authorities and supervisors each have their own digital ID connected to their uPort ID, which is directly linked to their ID on the blockchain. A worker’s check-in and check-out are published on the blockchain, providing information that can be audited.
Over a five-week period, a small team designed the application’s architecture. However, one limitation of uPort is the fact that it is based on Ethereum and suffers from well-known problems, such as scalability.
Compatibility with GDPR – where are we?
As soon as personal information is under the microscope, the European Union’s General Data Protection Regulation (GDPR) compliance jumps to mind. Competing sources state two different things.
On the one hand, one source explains that the company runs into an issue with the GDPR and its ‘right to be forgotten’, meaning that all the information about a person should be removed from the public domain if requested by the person in question. Since everything on a blockchain is permanent and immutable, information on it cannot be deleted when needed.
On the other hand, Linum Labs stated SBB’s pilot is meant to “be interoperable and in compliance with GDPR and other data privacy laws.” All identities are said to be “GDPR compliant self-sovereign.”
According to Thierry Bonfante, head of product at uPort, the new architecture allows for the information to be stored off-chain, which is why the system works best with small amounts of data. He explained that this is the reason why it is only used for specific key management purposes like revocation, delegation and rotation.
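The split described above, with the training credential held off-chain and only key-management state such as revocation kept on the ledger, is modelled below. This is an added example, not code from SBB, Linum Labs or uPort; the in-memory registry, the `did:example` identifiers, the function names and the dates are assumptions, and proof that the presenter controls the subject identity is left out.

```javascript
// Added example: a simplified model, not uPort's API. All names are hypothetical.
const { generateKeyPairSync, sign, verify, randomUUID } = require('node:crypto');

// Serialize claims with sorted keys so signer and verifier see identical bytes.
const canonical = (claims) => JSON.stringify(claims, Object.keys(claims).sort());

// Issuer signs the training claim; the result is held off-chain (e.g. on the phone).
function issueCredential(issuerDid, privateKey, subjectDid, training, expires) {
  const claims = { id: randomUUID(), issuer: issuerDid, subject: subjectDid, training, expires };
  const signature = sign(null, Buffer.from(canonical(claims)), privateKey).toString('base64');
  return { claims, signature };
}

// Site gate: verify the issuer signature first, then consult registry state.
function checkIn(registry, credential, requiredTraining, now) {
  const { claims, signature } = credential;
  const issuerKey = registry.issuerKeys.get(claims.issuer);
  if (!issuerKey) return 'unknown-issuer';
  const payload = Buffer.from(canonical(claims));
  if (!verify(null, payload, issuerKey, Buffer.from(signature, 'base64'))) return 'bad-signature';
  if (registry.revoked.has(claims.id)) return 'revoked';
  if (Date.parse(claims.expires) <= now) return 'expired';
  if (claims.training !== requiredTraining) return 'wrong-training';
  return 'admitted';
}

function demo() {
  // Stand-in for the ledger: issuer keys and revoked credential ids only.
  const registry = { issuerKeys: new Map(), revoked: new Set() };
  const issuer = generateKeyPairSync('ed25519');
  registry.issuerKeys.set('did:example:issuer', issuer.publicKey);
  const now = Date.parse('2030-01-15T08:00:00Z'); // constructed sample dates
  const cred = issueCredential('did:example:issuer', issuer.privateKey,
    'did:example:worker-1', 'track-safety', '2030-12-31T00:00:00Z');
  const results = [checkIn(registry, cred, 'track-safety', now)];
  // Tampering with a signed claim must fail verification.
  const forged = { claims: { ...cred.claims, training: 'crane' }, signature: cred.signature };
  results.push(checkIn(registry, forged, 'crane', now));
  // Revocation writes only the random credential id to the registry.
  registry.revoked.add(cred.claims.id);
  results.push(checkIn(registry, cred, 'track-safety', now));
  return { results, ledger: JSON.stringify([...registry.revoked]) };
}

console.log(demo());
```

Because the revocation entry is a random identifier rather than anything derived from the worker's data, deleting the off-chain credential leaves no personal information in the registry.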
The Final Word
The blockchain allows for a change in the status quo in a wide range of industries, particularly those dealing with a large number of subcontracted employees. However, everything that has to do with identities is prone to spark a debate, and if it’s in Europe, GDPR is bound to apply. Switzerland has been leading the race for a while, and this case study reflects how blockchain is changing the way businesses do things. Let’s keep an eye out to see if they launch post-pilot software.