Change How Identity is Defined and Represented

[eoghanscasey]

Background

CASE/UCO currently defines Identity as “a grouping of identifying characteristics unique to an individual or organization.” This definition has several limitations for cyber-investigation purposes that prevent proper representation of this crucial concept.

Identity is not simply a grouping of characteristics, but rather the linked relationship between identifying characteristics and an individual or organization, within a specific context and time. The current definition does not allow for identity changes over time (e.g., name changes). The current definition also does not account for the fact that identities can be transferred between people, and that there can be uncertainty whether a given identity is associated with one person or another at different times.

A Person can have links to more than one Identity such as a professional Identity for work platforms, a social Identity for personal networks, a gaming Identity for online games, each with its own set of associated identifying characteristics appropriate to that context.

An Identity can have the following types of identifying characteristics:

• Is - biometrics
• Has - passport
• Knows/chooses - password
• Does/prefers - behavioral biometrics or behavior patterns
• Where the Person is located
  (References: Do Identities Matter? Casey and Jaquet-Chiffelle (2017) & The Evaluation of Mobile Device Evidence under Person-Level, Location-Focused Propositions, Spichiger (2022))

Requirements

The concept of Identity needs to be changed to enable representation of:

Requirement 1

An Identity can be transferred to another Person.

Requirement 2

A Person can bear multiple identities, some lasting for a specific time period.

Requirement 3

An association of an Identity with a Person can have uncertainty. In the context of a cyber-investigation, identification is a decision process attempting to establish sufficient confidence that some identifying characteristics describes a specific entity in a given context, at a certain time.

Requirement 4

Any ObservableObject that contains identifying characteristics can contribute to an Identity.

Risk / Benefit analysis

Benefits

This change overcomes current limitations and provides support for representing real world instances of Identity that must be dealt with in cyber-investigations.

The proposed change enables Identity to represent different aspects of the same Person or Agent, to transfer from one Person or Agent to another for a specific time period. The proposed change supports temporal aspects of identity through Relationship metadata, allowing for identity changes over time (e.g., name changes).

In addition, this representation enables tracking the status and validity period of each relationship, and explicit relationship types that can be validated and queried.

Risks

This change in representation is not backwards compatible so will need to be implemented in the next major version.

Competencies demonstrated

Competency 1

Was a specific Identity linked to more than one Observable Objects of a given type?

Competency Question 1.1

What Observable Objects of a given type are linked to a specific Identity?

Result 1.1

Return a list of the Observable Objects of the given type that are linked to the specified Identity

Competency Question 1.2

For what time period was the Identity linked to each instance of a given type of Observable Object?

Result 1.2

Return a time range that a specific Observable Object was linked to a given Identity or return "no time range specified"

Competency 2

Were more than one Identity using a given Observable Object?

Competency Question 2.1

Was a given Observable Object linked to more than one Identity?

Result 2.1

Return a list of Identities that were linked to a given Observable Objects and associated time ranges if available.

Solution suggestion

1. Change definition of Identity to: identifying characteristics that an observer/investigator links to a person, organization, or thing (e.g. AI agent) with some level of confidence that the identifying characteristics describe them in a given context, at a certain time.
2. Person should not be a subclass of Identity
3. Link Person to Identity using Characterized_By RelationshipType
4. Link Identity to Observable Objects that contain identifying characteristics using Characterized_By RelationshipType

Coordination

• Tracking in Jira ticket OCUCO-327
• Administrative review completed, proposal announced to Ontology Committees (OCs) on 2025-04-25
• Requirements to be discussed in OC meeting, 2025-04-29
• Requirements to be discussed in OC meeting, date TBD

• Requirements Review vote has not occurred

• Requirements development phase completed.
• Solution announced to OCs on TODO-date
• Solutions Approval to be discussed in OC meeting, date TBD
• Solutions Approval vote has not occurred

• Solutions development phase completed.
• Backwards-compatible implementation merged into develop for the next release
• develop state with backwards-compatible implementation merged into develop-2.0.0
• Backwards-incompatible implementation merged into develop-2.0.0 (or N/A)
• Milestone linked
• Documentation logged in pending release page
• Prerelease publication: CASE develop branch updated to track UCO's updated develop branch
• Prerelease publication: CASE develop-2.0.0 branch updated to track UCO's updated develop-2.0.0 branch

[ajnelson-nist]

Thank you, @eoghanscasey , for this proposal. I have a few points of feedback.

Agent class

This proposal mentions "Agent," but does not suggest a class for "Agent." I think this class is necessary, as a new parent for Person and Organization, because of how it would help UCO be consistent with other ontologies that define a parent class of Person as Agent. Consider:

Ontology	Definition of parent class of Person
FOAF (alt. render)	"Agent": An agent (eg. person, group, software or physical artifact).
PROV-O	"Agent": An agent is something that bears some form of responsibility for an activity taking place, for the existence of an entity, or for another agent's activity.
uco-identity	"Identity": An identity is a grouping of identifying characteristics unique to an individual or organization.

Within UCO, it seems like the parent class of "Person" is floating points of data, not a thing that thinks or manipulates the world around it.

In line with this proposal, I suggest that a new class Agent should be provided, and also that there may be appropriate new subclasses under the current class Identity.

• identity:Identity
  • identity:PersonalIdentity
  • identity:OrganizationalIdentity
• identity:Agent (or maybe core:Agent?)
  • identity:Person
  • identity:Organization
  • "Person" and "Organization" would be disjoint.
  • To preserve the possibility of software agents, any disjointedness of "Agent" would probably better follow the endurant--perdurant divide (Issue 544) (i.e., an action or event would never be an agent).

Agent class placement

I could see "Agent" being a concept in the Core namespace for the sake of the Action namespace: I would like to restrict action:performer to be only agents, instead of any UcoObject. To be a performer suggests to me a requirement of ...agency, for lack of a better word: An ability to decide. A digital account, or a rock, wouldn't perform an action - they'd be instruments of the action.
If there are suggestions that this is scope-creep, I'll leave this for a future proposal that would assume this proposal's passage.

"AI Agent" also gets mentioned in this proposal. I suppose we could have a class observable:AIAgent as a subclass of both identity:Agent and observable:Software, but that might be tricky enough that it'd be better left as a future proposal. For what it's worth, the PROV Ontology has a notion of SoftwareAgent, under which I think some subclasses of observable:Software could align.

Demonstration of transfer

Separately, on the transferability of "Identity" from "Person": Could we have a demonstration of an unwilling transfer, such as an instance of identity theft? That would be an instance of two people using a single identity in an overlapping period of time. This is a revision of Requirement 1: An identity's bearer would not be unique at all times.

[sbarnum]

I agree that the current definition language for Identity lacks clarity of purpose. I also agree with the need to be able to characterize the sort of shifting of characteristics between persons and organizations and associations with other objects.

That being said, the Identity that currently exists in UCO is very intentionally NOT this sort of shifting set of characteristics. It is intended to represent the ground truth of a particular identity. For example, a person such as me (the actual me) or an organization such as Kentucky Fried Chicken. Some characteristics of these identitiies may be mutable (I could change my name or Kentucky Fried Chicken could change their name to KFC) but they are still the SAME person or organization. Identity is meant to capture this core ground truthiness to persons and orgs.

The concept described in the scenarios and use cases of this proposal are NOT the current Identity class but rather something closer to a new Persona class that would likely still have the same characterizing properties as an Identity but would be intentionally focused to represent the non ground truthy sort of shifting "persona" that a given person or organization might play at a given time. I believe this is exactly what is described above as a person having one identity at work, one at home, one online, etc. You could describe a number of personas (including associating them with other objects such as Observables) and a given Person (Identity) could be associated with multiple Personas via relationships (with time dimensions) or a given Persona could shift from one person to another (think of the Dread Pirate Roberts from Princess Bride. Wesley had the persona of the Dread Pirate Roberts for a period of time but others had/held/wore it at other times and at the core the ground truth was that he was still Wesley).
We cannot simply change Identity to mean Persona as the ground truthiness of Identity is still required for other cases and even for these cases here we still need a way to assert the absolute identity of a given Person or Organization independent of any Personas the have, do, or will hold.
We actually bandied this Persona concept about a long while back but never really got a handle on it and decided to put it aside for the time being and focus on other more critical issues.
Maybe it is time to pick it back up and push it to an approach that will work.

There is a dimension of Agent (agency) to this that should likely be worked out but I would not agree with the approach Alex laid out above. I would not agree that all Identities (Persons and Organizations) are subclasses of Agent as they do not all necessarily have agency in various given contexts. They are related but not necessarily subclasses of each other. I do agree with Alex's point about 'performer' on Action being constrained to an Agent class because as he states the performer of an action inherently has agency. I would strongly suggest that Agents are also not limited to Persons or Organizations. There are other digital forms of Agents such as SoftwareAgents that have agency and can perform Actions.
I agree with the relevancy and value of adding the concept of Agent to UCO but strongly believe it is critical to get it right which will involve more discussion and experimentation than we have done here.

Given both the issue of Persona vs Identity and the relevance of Agent to this topic I do not believe this proposal is complete/stable enough to vote on.

[ajnelson-nist]

After discussion this morning, consensus on the call was that this will be a post-1.4.0 proposal.

[plbt5]

Maybe we should add an explicit remark that "Identity" refers to the explicit identity of an agent, either a person or organisation, as opposed from the metaphysical (implicit) notion of the relation each thing bears only to itself. This is relevant since the principle of identity is an ontological principle that applies to particular elements of any ontology.

[ajnelson-nist]

I've had many discussions with @plbt5 trying to understand "Identity." Where I've gotten to is that "Identity" pervades to a higher level than where UCO currently has it.

At one level, I have a legal identity, and it's indicated on my driver's license, passport, and any insurance card I've had. Those insurance cards also indicate an account with the insurance company, and that account has its own identity---not a person, but a thing that can bear other things like a claims history or a balance. Any of those physical identity-notes also have their own identity, a piece of paper and/or plastic imbued with ink and purpose.

There is potential illicit-financial gain from stealing my legal identity, and it's attainable in various sorts of unpleasant-to-me activities. But my identity, as in the me-ness of me, can't be stolen.

I personally think UCO's notion of Identity should limit to what Sean described as "Persona" (personal or organizational)---temporarily, possibly non-uniquely associable with UcoObjects.

Revisions to proposal

I don't think we'll be able to hold a Requirements Review vote on this in the August meeting, but would like to settle open questions so we can aim for September.

• @eoghanscasey : Is Requirement 4 suggesting that some ObservableObject would have a parthood relationship with an identity? "Contributing" is not something I'm sure on how to represent. A new Relationship? Would an Identity be the same object (UcoObject) after another ObservableObject "contributes" to it well after the Identity is established?

• It sounds like several of us are amenable to adding Agent.

  • @sbarnum and I both seem to have noted a need for software agents.
  • I'd like to settle whether Person is a subclass of Agent, but I'm not sure if I read that there's some resistance to that. In other ontologies, Person goes under Agent. I can think of situations where a person "loses agency," but by my understanding that phrase is generally using "agent" as a concept that is narrower than the general "Agent" concept I see in other ontologies.

[eoghanscasey]

In cyberinvestigations, there is always some uncertainty in any "identification" process. When linking a person to observable characteristics, we make an inference with some probability.

For instance, linking some ObservableObject s to "Eoghan Casey" could describe my activities, activities performed by my spouse using my digital account, or activities performed by a threat actor using a faked digital account to appear as me.

In practice, there is no such thing as a unique unchanging identity. People and organizations change over time and place, and have multiple identities. We can call this Persona in UCO, which gets around the issue of identity having specific meaning in ontology. Having both Identity and Persona is redundant and adds complexity for no practical purpose.