Dec 12 2007

How Constructive Memory Impacts Technology

Published by at 8:53 am under Missing Features, Security

People tend to validate a web site's identity by the overall visual impression their mind constructs in the first moments of loading it. Wait! Don't users carefully validate all of the visual aspects of, say, Amazon.com before making a purchase?

No, they don’t.

Why? Well, this has to do with a troublesome feature of human brains. This little feature lets memory work really well 99% of the time, when accuracy is not important, and produces frequent and staggering amounts of inaccuracy 99% of the time when accuracy is critical, say when giving eyewitness testimony in court or judging the authenticity of a web site.

For better or for worse, memory is a constructive process.

Take a memory you have of, say, a dinner last night of pasta with Pastene tomato sauce. In this memory, you really only remember the food (what was unique about that dinner). Where you ate (in the dining room) and who you ate with (your significant other) aren't explicitly stored in last night's memory.

When you remember that meal your brain efficiently assembles on-the-fly various pieces to create the full memory:

  • some unique details from the actual event;
  • elements from previous similar memories;
  • your own opinions about events related to the memory; and,
  • your expectations as to what that memory ought to contain.

Think of constructive memory as a storage optimization routine designed to maximize capacity in a system that has finite storage and infinite possible input.

And as expectation defines perception, what you expect to remember probably has the most impact on your memory.

Why should software developers care about this? Well, for starters constructive memory has major implications in information security.

If an attacker hosts a site that looks just like Amazon.com at Amazn.com, a user who mistypes the address or follows a link from an email isn't going to notice that the URL is different. What the user will instantly process in the first brief moments of loading amazn.com is that the visual experience looks right: the colors, the logo, the tabs and the font all look like amazon.com.

This explains the success of spoofing emails with URLs like ebay.russianhackingmob.com: the trusted name is right there in the address, and nobody reads past it. This also explains why web site certificates are probably the most ill-conceived security measure in the history of the internet. Sure, they work in principle (anyone can click on them!).

But the user won’t click on the certificate, ever. And even if they do, they won’t understand what they are looking at and what the cert means.
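Since the user will not check the address bar, a gateway or proxy has to do it for them. As an added illustration (not code from the original post), here is a Python check that flags the two URL patterns described above: a typo-squatted registrable domain such as amazn.com, and a trusted brand name used as a subdomain label of some other domain, as in ebay.russianhackingmob.com. The allow-list, the two-label approximation of the registrable domain and the edit-distance threshold are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed allow-list of brands the filter protects (assumption).
TRUSTED = {"amazon.com", "ebay.com"}
BRAND_LABELS = {d.split(".")[0] for d in TRUSTED}
MAX_EDITS = 2  # assumed typosquat threshold on the registrable domain


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Extract the (lower-cased) host from a URL, tolerating a missing scheme."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def classify(url: str) -> str:
    """Label a URL's host: trusted, brand-in-subdomain, lookalike or unknown."""
    host = hostname_of(url)
    labels = host.split(".")
    # Assumption: the registrable domain is the last two labels. A real
    # deployment should consult the Public Suffix List (co.uk etc.) instead.
    registrable = ".".join(labels[-2:])
    if registrable in TRUSTED:
        return "trusted"
    # A protected brand appearing as a subdomain label of some other domain,
    # e.g. ebay.russianhackingmob.com or ebay.com.evil.net
    if any(label in BRAND_LABELS for label in labels[:-2]):
        return "brand-in-subdomain"
    # A registrable domain within a few edits of a trusted one, e.g. amazn.com
    if any(levenshtein(registrable, t) <= MAX_EDITS for t in TRUSTED):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://www.amazon.com/cart", "http://amazn.com",
              "http://ebay.russianhackingmob.com/login", "https://example.org"):
        print(f"{u:45} -> {classify(u)}")
```

The edit-distance threshold trades false positives for coverage (two edits will also pair short, unrelated brand names), so in practice it is tuned per brand and combined with domain age and reputation data.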

1-800-PYSCHIC

But visual recognition isn't the only place this security problem shows up in web sites. The same issue applies to US 800 numbers. A number similar to, say, a credit card company's would easily be able to collect personal data from unsuspecting callers.

As long as the caller is presented with a phone menu that feels like a credit card company's 800 line, the caller will expect the line to belong to a legitimate company. Every perception during the call will be shaped by that expectation, and the caller will be an easy target.

The lesson here? It’s important to understand how the user works when you design any system.
