Ambient Signifiers

21 Feb 2007

I've recently returned from a trip to Australia and New Zealand, during which I participated in Kiwi Foo Camp. Over the next few days, I plan to blog about some of the interesting discussions in an attempt to bring them to a larger audience.

One of my favorite discussions was about ambient signifiers, an idea Ross Howard describes as "design elements that communicate subtly as part of the environment's ambiance." In his article coining the term, Ross uses the complex Tokyo rail system as an example to introduce the idea:

Tokyo's rail system is famous for being the most complicated and bewildering in the world. With over 1,000 stations, even locals get lost and disoriented. As a designer, I try to be aware of attempts at systems and methods of communication. While traveling the Tokyo rail lines, I quickly realized that apart from the obvious use of real-time electronic signage, colored trains, and audio announcements, there were also other techniques being used to assist travelers in knowing where they were, and where they were going. These techniques were subtler, and bordered on subliminal; this was what really interested me.

He goes on to describe the chimes that play on each platform and how passengers become subconsciously familiar with the various melodies they hear on their regular routes. Each platform's chime has its own unique melody, and a series of melodies identifies a particular route, although most people don't consciously recognize this fact. This technique benefits the entire system for a number of reasons, most of which revolve around efficiency. It helps people make fewer mistakes as well as more quickly realize when they do. Also, because these melodies can resonate with a passenger's subconscious, they can potentially communicate with sleeping passengers better than the monotonous spoken announcements.

I think it's sometimes difficult to appreciate the value in techniques like this, and this is certainly true among web application security specialists. It seems like there is always a debate somewhere about whether a particular safeguard is worth implementing if there are any known weaknesses. It's almost impossible to precisely determine how effective a particular safeguard is, so I think most developers (myself included) weigh the relative effectiveness of certain safeguards when deciding whether to implement them. If a technique is clearly a step in the right direction, it can at least be good for defense in depth.

This is where ambient signifiers can be useful, and it's something we discussed. For example, ambient signifiers can be used as a deterrent to phishing. Imagine if you could choose from a large collection of background images and/or patterns on your bank's web site, so that if you were logged in, the layout would be personalized according to your own choices. Over time, the personalized elements become very familiar. If you later receive an email that directs you to "verify your account" or whatever they say these days, it's unlikely that a forged site could match the unique layout and feel of your bank's site. By itself, this doesn't really protect you from phishing, but it does give you an opportunity to notice that something is different. Ambient signifiers are just design elements that seem familiar, regardless of whether they're explicitly noticed. If your users become suspicious whenever something is unfamiliar, it might be just enough to keep them from providing sensitive information to a forged web site. Thus, the point of ambient signifiers in this context is identifying that something is different, not necessarily what is different.

A practical example of this idea is MyOpenID's personal icon:

This page lets you upload a personal icon which will be displayed, for your browser on this computer only, in this site's title banner. Since no other site will know what image you uploaded, they won't be able to display it. This means that if you see your image in the title bar, you're talking to this site and it's safe to use it. If you see something that looks like this site, but without your icon, you should be suspicious.

VeriSign's Personal Identity Provider (PIP) uses a similar technique.

As OpenID continues to grow in popularity, phishing is sure to be a growing concern, and although this idea of a personal icon doesn't exactly fit the description of an ambient signifier, it is very similar.

Can you think of other useful applications of ambient signifiers?