by godelski 839 days ago
There's a clear UX problem here. If you submit a scan, it doesn't tell you it is public.

There is a helpful fix: make clear that the scan is public! When submitting a scan it isn't clear, as the article shows. But you also have the opportunity to tell the user that it is public during the scan, which takes time. You also have the opportunity to tell them AFTER the scan is done. There should be a clear button to delist.

urlscan.io does a bit better, but the language is not quite clear that it means the scan is visible to the public. And the colors just blend in. If something isn't catching your eye, it might as well be treated as invisible. If there is a way to easily misinterpret language, it will always be misinterpreted. If you have to scroll to find something, it'll never be found.


Thanks for your feedback. We show the Submit button on our front page as "Public Scan" to indicate that the scan results will be public. Once the scan has finished it will also contain the same colored banner that says "Public Scan". On each scan result page there is a "Report" button which will immediately de-list the scan result without any interaction from our side. If you have any ideas on how to make the experience more explicit I would be happy to hear it!
I understand, but that is not clear enough. "Public scan" can easily be misinterpreted. Honestly, when I looked at it, I didn't know what it meant. It just looked like, idk, maybe a mistranslation or something? Is it a scan for the public? Is the scanning done in public? Are the results public? Who knows. Remember that I'm not tech literate and didn't make the project.

I'd suggest having two buttons, "public scan" and "private scan". That would contextualize the public scan and clarify that what you are scanning is publicly __listed__. And different colors. I think red for "public" would actually be the better choice.

Some information could be displayed while scanning. Idk, put something like "Did you know, using the public scan makes the link visible to others? This helps security researchers. You can delist it by clicking ____" or something like that, and do the inverse. It should stand out. There's plenty of time while the scan happens.

> On each scan result page there is a "Report" button which will immediately de-list the scan result without any interaction from our side.

"Report" is not clear. That makes me think I want to report a problem. Also, I think there is a problem with the color scheme. The palette is nice, but at least for myself, it all kinda blends in. Nothing pops. Which can be nice at times, but we want to draw the user to certain things, right? I actually didn't see the report button at first. I actually looked around, scrolled, and then even felt embarrassed when I did find it because it is in an "obvious" spot. One that I even looked at! (so extra embarrassing lol)

I think this is exactly one of those problems where, when you build a tool, everything seems obvious and taken care of. You clearly thought about these issues (far better than most!), but when we put things out into public, we need to see how they get used and where our assumptions miss the mark.

I do want to say thank you for making this. I am criticizing not to put you down or dismiss any of the work you've done. You've made a great tool that helps a lot of people. You should feel proud for that! I am criticizing because I want to help make the tool the best tool it can be. Of course these are my opinions. My suggestion would be to look at other opinions as well and see if there are common themes. Godelski isn't right, they're just one of many voices that you have to parse. Keep up the good work :)

Thanks, that is great feedback and we'll try to improve how the scan visibility is shown and what it actually means. The suggestion of adding a text to the loading page is a great idea, and the feedback about the colors on the result page is totally valid.

I'm the last person who wants to see private data accidentally leak into the public domain. However experience has shown that combating the massive amounts of fraud and malicious activity on the web nowadays requires many eyes that are able to access that data and actually do something about it. That is the reason we have these public scans in the first place.

And thank you for being receptive and listening! I hope my thoughts and others can help make your tools better.

I really appreciate that people like you are out there trying to defend our data and privacy. I know it is such a difficult problem to solve and you've got a lot of work ahead of you. But appreciation is often not said enough and left implied. So I want to make it explicit: Thank you.

(and I'll say this interaction is the best advertisement you could make, at least to me haha)

This is a very well formulated suggestion. Nicely written!