GA4GH Passport 2.0 Blockchain Architecture Proposal

Broad Institute Consortia Blockchain for Decentralized Genomic Data Governance

Authors: Daniel Uribe (GenoBank.io) | GenoBank Research Team

Date: December 3, 2025

Proposed L1 Blockchain: Cosmos SDK

Status: Draft for GA4GH DSWS Review

Executive Summary

The GA4GH Passport 2.0 roadmap identifies critical challenges in genomic data governance:

• Trust Federation: How to establish trust across decentralized parties
• Data Passports: Representing data consent and policies as portable tokens
• Verifiable Credentials: Moving beyond centralized JWT issuance
• Policy Enforcement: Matching Data Visas with Researcher Visas programmatically
• Decentralized Governance: Supporting multiple trust models and oversight bodies

We propose a blockchain-based orchestration layer using Cosmos SDK that:

1. Preserves GA4GH standards (backward compatible with AAI 1.2, forward compatible with 2.0)
2. Minimizes disruption (opt-in adoption, interoperates with existing OIDC flows)
3. Enables self-sovereign identity (researchers and institutions own credentials)
4. Implements consortia governance (Broad Institute + member institutions vote on policies)
5. Provides immutable audit trails (all consent changes, access grants, policy updates on-chain)

Visual Architecture

The following diagrams illustrate how GA4GH Passport 2.0 concepts map to blockchain primitives. Each diagram shows:

1. GA4GH standard structure (left, blue boxes)
2. Blockchain implementation (center, green boxes)
3. Actor interactions (right, orange/pink boxes)
4. Smart contract functions (bottom, purple boxes)

Diagram 1: Data Passports → Biosample NFTs (Consent NFTs)

This diagram shows how GA4GH Data Passports (containing Data Visas like ConsentedDataUseTerms, RequiredAgreements, OversightBodies) map to Biosample NFTs owned by patients. Key features:

• Patient ownership: Patients control NFT via private key (self-sovereign)
• On-chain consent: DUO codes, legal agreements, DAC addresses stored in NFT metadata
• Revocability: Patient can update NFT state from ACTIVE → REVOKED (instant, global effect)
• Immutable audit log: All consent changes and data access events recorded on blockchain

Diagram 2: Researcher Passports → Researcher Passport NFTs (Soulbound Tokens)

This diagram illustrates Researcher Passport NFTs as Soulbound Tokens (non-transferable identity). Shows:

• Researcher ownership: Researcher controls SBT (cannot transfer to another person)
• Multi-party attestations: Institutions sign AffiliationAndRole, ELIXIR AAI signs ResearcherStatus
• Policy acceptance: Researcher signs agreement hashes (AcceptedTermsAndPolicies)
• Grant accumulation: ControlledAccessGrants from multiple DACs attached to passport

Diagram 3: Data Visas → On-Chain Attestations (ControlledAccessGrants)

This diagram details how DAC approvals become on-chain ControlledAccessGrants. Demonstrates:

• DAC workflow: Off-chain review (ethics, purpose compatibility) → on-chain issuance
• Grant lifecycle: PENDING → ACTIVE → EXPIRED/REVOKED states
• Multi-sig issuance: 3-of-5 DAC members must sign to issue grant
• Dual revocation: DAC can revoke for policy violation, patient revocation cascades to all grants

Diagram 4: Policy Engine → Smart Contracts (Automated Authorization)

This diagram shows the smart contract Policy Engine that implements GA4GH's requirement to "specify how Data Visas and Researcher Visas must align." Features:

• 5-step verification: Consent active → Agreements accepted → DUO compatible → DAC grant exists → Researcher status valid
• DUO code matching: Smart contract logic for subsumption rules (e.g., HMB ⊃ DS-CANCER)
• Auto-approval: 80% of requests auto-approved when conditions met (no DAC meeting needed)
• Governance updates: On-chain voting to update DUO compatibility rules

Mapping GA4GH Concepts to Blockchain Primitives

1. Data Passports → Biosample NFTs (Consent NFTs)

GA4GH Definition (DSWS Lines 233-241):

Data Passports contain Data Visas where sub identifies data. Data Visa Types include:

• ConsentedDataUseTerms
• ApplicableLawRegulationsPolicies
• RequiredAgreements
• OversightBodies
• ApprovedUsers

Blockchain Implementation:

Biosample NFT (ERC-721 compatible, Cosmos SDK module)
├── Token ID: Unique biosample identifier
├── Owner: Patient wallet address (self-sovereign)
├── Metadata (on-chain):
│   ├── ConsentedDataUseTerms (DUO codes, expiration)
│   ├── RequiredAgreements (legal framework hashes)
│   ├── OversightBodies (DAC addresses, multi-sig wallets)
│   └── ApplicableLawRegulationsPolicies (GDPR, HIPAA flags)
└── State:
    ├── Active/Revoked (patient can revoke consent)
    ├── Access Log (approved researchers, timestamps)
    └── Policy Version (immutable history of consent changes)

Why NFTs:

• Non-transferable (consent cannot be sold, but can reference CosmWasm logic)
• Revocable (patient updates on-chain state to withdraw consent)
• Auditable (all consent modifications recorded in blockchain history)
• Programmable (smart contracts enforce ConsentedDataUseTerms automatically)

GA4GH Compatibility:

• sub field in Data Passport maps to NFT Token ID
• Visa claims map to NFT metadata fields
• JWT Data Passports can be derived from on-chain NFT state (blockchain as source of truth)

2. Researcher Passports → Researcher Passport NFTs

GA4GH Definition (DSWS Lines 289-295):

Researcher Visa Types where sub identifies a researcher:

• AffiliationAndRole
• AcceptedTermsAndPolicies
• ResearcherStatus
• ControlledAccessGrants
• LinkedIdentities

Blockchain Implementation:

Researcher Passport NFT (Soulbound Token - SBT)
├── Token ID: Researcher unique identifier (ORCID, institutional ID)
├── Owner: Researcher wallet address (self-sovereign)
├── Attestations (on-chain):
│   ├── AffiliationAndRole (institution signatures, role proofs)
│   ├── AcceptedTermsAndPolicies (signed policy hashes, timestamps)
│   ├── ResearcherStatus (bona fide researcher attestations)
│   └── ControlledAccessGrants (DAC approval NFTs, biosample access)
└── Linked Identities:
    ├── ORCID verification (off-chain oracle or zk-proof)
    ├── Institutional credentials (university signatures)
    └── Professional certifications (medical licenses, IRB approvals)

Why Soulbound Tokens (SBTs):

• Non-transferable (researcher identity cannot be sold or delegated)
• Composable (multiple institutions can attest to same researcher)
• Revocable by issuers (institution can revoke affiliation if researcher leaves)
• Privacy-preserving (zk-proofs can prove claims without revealing all data)

Cosmos SDK Architecture

The Broad Institute Consortia Blockchain runs on Cosmos SDK with custom modules for GA4GH-specific logic:

Cosmos SDK Blockchain: "GA4GH-Consortia-Chain"
├── Module: x/biosample (Biosample NFTs)
│   ├── Mint consent NFT
│   ├── Update consent terms
│   ├── Revoke consent
│   └── Query consent state
├── Module: x/researcher (Researcher Passport SBTs)
│   ├── Issue researcher identity
│   ├── Add attestations (affiliation, status)
│   ├── Accept policies (sign agreement hashes)
│   └── Query researcher credentials
├── Module: x/datavisa (Data Visa Registry)
│   ├── Issue ControlledAccessGrant (DAC approval)
│   ├── Match DUO codes (policy engine logic)
│   ├── Revoke access (DAC or patient)
│   └── Query active grants
├── Module: x/governance (Consortia Voting)
│   ├── Propose new policy templates
│   ├── Vote on RequiredAgreements (member institutions)
│   ├── Update DUO code matching rules
│   └── Onboard/offboard OversightBodies
└── Module: x/audit (Immutable Access Logs)
    ├── Record all data access events
    ├── Record consent modifications
    ├── Timestamped, non-repudiable
    └── GDPR-compliant audit trail export

Why Cosmos SDK:

1. Interoperability (IBC Protocol): Connect to other health data blockchains (hospital networks, national biobanks)
2. Sovereignty: Each institution can run a validator node; Broad Institute coordinates but doesn't control
3. Customizability: Custom modules for GA4GH-specific logic (DUO matching, OIDC bridges)
4. Performance: Tendermint BFT consensus (1-2 second finality)
5. Upgradeability: On-chain governance for protocol upgrades

Governance Model: Broad Institute Consortia Blockchain

Consortia Membership Structure

Tier 1: Founding Validators (Broad Institute + Partner Institutions)

• Run blockchain validator nodes
• Propose and vote on protocol upgrades
• Issue Researcher Passport attestations for their affiliates
• Operate as OversightBodies (DAC functions)

Examples: Broad Institute (MIT/Harvard), UK Biobank, All of Us Research Program, European Genome-phenome Archive (EGA), Japanese Biobank Network

Tier 2: Data Holders (Biobanks, Hospitals)

• Do not run validators (lighter infrastructure)
• Mint Biosample NFTs for patient data under their custody
• Query blockchain for access authorization
• Subject to consortia policies (voted by Tier 1)

Tier 3: Researchers

• Own Researcher Passport NFTs
• Request ControlledAccessGrants from DACs
• Self-sovereign (own private keys, control credentials)
• Cannot vote on protocol governance (passive participants)

Tier 4: Patients

• Own Biosample NFTs (consent tokens)
• Revoke consent unilaterally (no vote required)
• Privacy-preserving (NFT metadata hashed, not plaintext genomic data)
• Can delegate consent management to trusted guardian/institution

Voting Mechanism: On-Chain Governance

Proposal Types:

1. New RequiredAgreement Templates
   • Example: "GDPR Article 9 Consent Form v2.1"
   • Voting: Simple majority of Tier 1 validators
   • Effect: Data Holders can reference this agreement in Biosample NFTs
2. OversightBody Onboarding
   • Example: "Add French National DAC as approved OversightBody"
   • Voting: 2/3 supermajority (high trust requirement)
   • Effect: French DAC can issue ControlledAccessGrants recognized by all Data Holders
3. DUO Code Policy Updates
   • Example: "Allow HMB (health/medical/biomedical) data for COVID research"
   • Voting: Simple majority + mandatory comment period (14 days)
   • Effect: Smart contract policy engine updates DUO matching logic

Voting Weight:

• 1 validator = 1 vote (not stake-weighted, prevents plutocracy)
• Quorum requirement: 51% of validators must vote
• Proposal deposit: 10,000 CONSORTIUM tokens (prevents spam, refunded if passes)

Migration Path: Non-Disruptive Adoption

Phase 1: Pilot with Broad Institute Network (Months 1-6)

Participants:

• Broad Institute (validator)
• 3-5 partner institutions (validators)
• 100-500 pilot researchers
• 10,000-50,000 pilot biosamples

Implementation:

1. Deploy Cosmos SDK blockchain (testnet)
2. Mint Biosample NFTs for pilot datasets
3. Issue Researcher Passport NFTs to pilot cohort
4. Deploy Biodata Router as middleware (does NOT replace existing OIDC)
5. Run dual authorization: blockchain + traditional DAC (compare results)

Success Criteria:

• 99.9% agreement between blockchain and traditional authorization
• <500ms latency for blockchain queries
• Zero patient consent violations

Phase 2: GA4GH Standards Integration (Months 7-12)

Deliverables:

1. GA4GH DSWS RFC: "Blockchain-Based Passport Clearinghouse"
2. AAI 2.0 Extension: JWT payload includes optional blockchain_proof field
3. Reference Implementation: Open-source Biodata Router (Apache 2.0 license)
4. Validator Onboarding Guide: How institutions run Cosmos nodes

Adoption Strategy:

• Existing AAI 1.2 implementations continue to work (no breaking changes)
• Data Holders opt-in to blockchain verification (gradual rollout)
• Researchers unaware of backend change (UX unchanged)

Phase 3: Full Production Deployment (Months 13-24)

Goals:

• 20+ validator institutions (global coverage)
• 1M+ Biosample NFTs (representing major biobanks)
• 100K+ Researcher Passport NFTs
• 10+ integrated Data Repositories (UK Biobank, All of Us, EGA, etc.)

Governance Transfer:

• Broad Institute reduces validator weight to 1/20 (no special privileges)
• Consortia votes on all policy changes (decentralized)
• GA4GH DSWS oversees standards evolution (blockchain as one implementation)

Benefits Over Centralized Approaches

Practical Implementation: GenoBank.io Deployed Contracts

The concepts described in this whitepaper are not theoretical—they build upon production smart contracts and infrastructure already deployed by GenoBank.io. This section demonstrates how GA4GH Passport 2.0 blockchain primitives map to real-world implementations that process thousands of genomic datasets.

1. BiosampleFileManager.sol (ERC-1155 Consent Management)

This production contract implements the Biosample NFT concept with dual-state consent management:

// BiosampleFileManager.sol (deployed on Avalanche C-Chain)
contract BiosampleFileManager is ERC1155 {
    enum Status { ACTIVE, REVOKED }  // GA4GH Data Passport states

    struct File {
        uint256 biosampleSerial;     // Unique identifier (maps to GA4GH 'sub')
        string name;                  // ConsentedDataUseTerms descriptor
        address owner;                // Patient wallet (self-sovereign)
        address laboratory;           // Approved researcher/lab
        Status status;                // ACTIVE or REVOKED (instant revocation)
        uint expiration;              // RequiredAgreements time-bound consent
    }

    function revokeUserAndLab(address _fileOwner, address _permittee, uint _biosampleSerial) public {
        // Instant, global consent revocation - GDPR Article 17 compliance
        allFiles[_fileOwner][allFilesIndexes[_biosampleSerial]].status = Status.REVOKED;
        labFiles[_permittee][labFilesIndexes[_permittee][_biosampleSerial]].status = Status.REVOKED;
    }
}

GA4GH Mapping:

• biosampleSerial → Data Passport sub field
• Status.ACTIVE/REVOKED → ConsentedDataUseTerms validity
• expiration → RequiredAgreements time-bound consent
• laboratory → OversightBodies approved access

2. ClaraJobNFT.sol (Bioinformatics Job Tokenization)

Following the Distributive Biobanking paradigm (Uribe, Open Access Government, 2020), where "biodata is processed then deleted—only derivatives returned to patient's vault," we tokenize each bioinformatics job:

// ClaraJobNFT.sol (deployed on Sequentia L1)
contract ClaraJobNFT is ERC721URIStorage {
    struct JobData {
        string biosampleSerial;    // Link to parent BioNFT consent
        string vcfPath;            // S3 path to derivative (VCF output)
        string pipeline;           // Scientific reproducibility (e.g., "deepvariant")
        string referenceGenome;    // Reference assembly (e.g., "hg38")
        bytes32 vcfHash;           // Keccak256 hash for integrity verification
        uint256 createdAt;         // Immutable timestamp for audit trail
    }

    event JobMinted(
        uint256 indexed tokenId,
        string biosampleSerial,     // Links derivative to parent consent
        address indexed owner,
        string vcfPath,
        bytes32 vcfHash             // Scientific reproducibility proof
    );
}

Key Features:

• Data Minimization: Raw FASTQ files processed then deleted; only derivative (VCF) returned to patient's vault
• Scientific Reproducibility: Pipeline version, reference genome, and output hash recorded on-chain
• Consent Hierarchy: ClaraJobNFT links to parent BiosampleNFT via biosampleSerial

3. BioFS: NFT-Gated Decentralized File Access

As detailed in the BioFS PIL Technical Architecture, genomic data access combines NFT consent verification with programmable licensing:

// BioFS Access Flow (pseudocode representing deployed system)
function accessGenomicData(biosampleId, researcherWallet):
    // Step 1: Verify active consent on-chain
    consentStatus = BiosampleFileManager.allFiles[owner][biosampleId].status
    if consentStatus != ACTIVE:
        revert("Consent revoked - GDPR Article 17")

    // Step 2: Verify researcher has valid ControlledAccessGrant
    if !BiosampleFileManager.biosampleShared[biosampleId][researcherWallet]:
        revert("No DAC approval - request access via governance")

    // Step 3: Check time-bound expiration
    if block.timestamp > BiosampleFileManager.allFiles[owner][biosampleId].expiration:
        revert("Consent expired - renewal required")

    // Step 4: Log access event (immutable audit trail)
    emit DataAccessed(biosampleId, researcherWallet, block.timestamp)

    // Step 5: Return presigned URL to S3 data (data never on-chain)
    return generatePresignedUrl(biosampleId)

Privacy-Preserving Architecture:

• Biodata never stored on-chain: Only consent metadata, hashes, and access logs
• S3 with NFT-gated access: AWS presigned URLs generated only after on-chain verification
• Instant revocation propagation: Revoking consent immediately invalidates all presigned URLs

4. Deployed Infrastructure (Production Statistics)

Comparison Matrix

Related Work and Foundational Research

This proposal builds upon prior academic work in blockchain-based genomic data governance:

Foundational Publications

1. Uribe, D. (2020). "Privacy Laws, Genomic Data, and Non-Fungible Tokens." Journal of The British Blockchain Association, 3(2). DOI: 10.31585/jbba-3-2-(1)2020

   This paper establishes the theoretical framework for using NFTs as consent tokens in genomic data sharing. Key contributions include: (1) Analysis of GDPR Article 17 "right to erasure" requirements and how blockchain immutability can coexist with consent revocation through state-based NFT design; (2) Legal analysis of data ownership vs. data access rights; (3) Proposed architecture for "consent NFTs" that became the foundation for Biosample NFTs.

2. Uribe, D. (2020). "Distributive Biobanking Models: The Future of Sample Storage and Analysis." Open Access Government. Link

   This article articulates the "distributive biobanking" paradigm where: (1) Biodata processing occurs at computation nodes, not centralized repositories; (2) Raw data is deleted after processing—only derivatives returned to patient's control; (3) Patients maintain sovereignty over both raw data and processed results. This paradigm directly informs the ClaraJobNFT design where FASTQ → VCF processing results in tokenized job outputs linked to parent consent NFTs.

3. GenoBank.io (2025). "BioFS PIL Technical Architecture: NFT-Gated Access to Genomic Data with Programmable Licensing." GenoBank Technical Blog

   Technical specification of the BioFS protocol combining: (1) NFT-based consent verification; (2) Programmable IP Licensing (PIL) for granular access control; (3) NFS/QUIC protocol for high-throughput genomic data transfer; (4) Integration with Story Protocol for IP asset registration.

Key Concepts Derived from This Research

Conclusion: Invitation to GA4GH DSWS

We propose Broad Institute Consortia Blockchain as a reference implementation of GA4GH Passport 2.0's vision:

• ✓ Data Passports → Biosample NFTs (on-chain consent)
• ✓ Researcher Passports → Soulbound tokens (self-sovereign credentials)
• ✓ Verifiable Credentials → NFT metadata + W3C VC compatibility
• ✓ Policy Engine → Smart contract authorization logic
• ✓ Trust Federation → Validator consensus (no central authority)
• ✓ Immutable Audit Trail → Blockchain transaction history
• ✓ Patient Sovereignty → Private key control of consent NFTs

Next Steps:

1. Present to GA4GH DSWS (January 2026 meeting)
2. RFC Submission: "Blockchain-Based Passport Clearinghouse"
3. Pilot Launch: Broad + 5 partner institutions (Q2 2026)
4. Open-Source Release: Biodata Router + Cosmos SDK modules (Apache 2.0)
5. Standards Integration: AAI 2.0 extension for blockchain proofs

Call to Action:

We invite GA4GH member institutions to:

• Join as founding validators (run Cosmos nodes)
• Contribute to smart contract development (Policy Engine logic)
• Pilot Biosample NFT minting (test datasets)
• Provide feedback on Biodata Router API design

Contact:

• Technical Lead: [email protected]
• GitHub: https://github.com/genobank-io/ga4gh-consortia-chain (to be created)
• GA4GH DSWS Discussion: [Slack #passport-blockchain]

This document represents a technical vision for discussion. GenoBank.io is committed to open collaboration with GA4GH and the global genomics community. All code will be open-source (Apache 2.0), and we welcome feedback, contributions, and pilot partnerships.