Ask HN: What to do when someone clones your site?

106 points by preinheimer ↗ HN
Our B2B SaaS had its entire website cloned at another domain. The cloner then took the time to create a new logo and change a few colors.

We reached out to the hosting provider, and the registrar, neither care.

The cloned website is hosted in Europe (Germany), with a small hosting provider. Domain registration appears to be hostinger.com.

Our concerns: Search engine trouble, potential customer confusion, lost sales.

We found the clone when ahrefs started reporting a new domain linking to one of our sites, because they'd helpfully cloned our entire footer.

Thanks for all your advice!

99 comments

[ 3.1 ms ] story [ 166 ms ] thread
Disclaimer: I am not a lawyer

In my opinion you should first get technical people to document as much "discovery" in both technical and simple layman's terms, then get lawyers to review your findings and determine if a legal case and if there are financial or brand damages can be built. They can take it from there.

Controversial opinion: ignore it and keep building.

This happened to me years ago when a Russian website copied a website I was running. We had an API that helped them get not just the design, but the data.

Google is pretty smart (sometimes) about figuring out content of origin. If you already have an established site with links pointing in your should be fine. If you're new and you're entire business can be copied that quickly, you have likely larger problems than SEO at this point.

Thanks.

They haven't cloned the actual product, just the marketing copy on the public site. We've been around for ~10 years, so we have plenty of history with search engines, and a reasonable amount of organic links spread around the internet.

We've also been copied in the past. At first, it was a little concerning. But it turned out that people cannot be ahead of you if they're busy copying your features.
(comment deleted)
Focus on your product, there will always be competition and they'll lose interest quicker than you.
Imitation is the sincerest form of flattery
Controversial opinion: DDOS them
Via a link posted here, perhaps. A "soft" DDOS, if you will.
I once worked with a chap that did that.

The miscreants DDOSed right back, X100, and he lost his entire site.

I'd gently suggest against bear-poking.

(comment deleted)
How did they know who was behind the ddos?
Not sure. It was many moons ago, and he recounted it to me, so I did not observe it, myself. At that time, DDOS was still a fairly new (and highly effective) technique.

Slightly different context. They were exfiltrating data from his site, as opposed to completely cloning it.

I feel like in a race to the bottom we have the most to lose. Both reputationally, and as like a real company with assets worth suing for.
Do you have people clamoring to pay you for your service? Ignore the clone site, you have found a viable market and need to focus on on boarding customers and not stumbling.

Still have nothing like a lot of people wanting to pay you to use your service? Ignore the clone site, they haven't stolen anything of any value.

It sounds glib, but tons of startups are arguing about roles and responsibilities of employees and their vacation policy while the bank account runs down to 0 and nobody notices because they have no costumers.

Get a lawyer. If you're not willing to pay for a lawyer, then it doesn't matter, because that's the only way you'd actually enforce anything.

But, if your service can be cloned in a mechanical manner, it's doubtful it's that valuable anyway. And, if there's money to be had, you'll likely see legitimate competitors that make this cloning incident seem like a drop in the bucket.

It's incredibly unlikely they've cloned our actual service (which would require hundreds of proxy servers around the world). They've cloned the marketing part of our site.
If they copied anything you can see with "view source" and you haven't licensed it in that way, a lawyer could help you. If they copied the layout by writing their own code and creating their own assets, then I'm not sure.
Why does it matter then
I think they’re worried about the seo which is valid concern
Lawyers in Germany are cheap (compared to US lawyers). Normally they charge a percentage of the value of stake which is quite small since its regulated by the law and not negotiated. Also, in Germany, loser pays all, i.e. own lawyer, court costs, your lawyer.
For context, I’ve mostly worked for smaller SaaS companies that went after “whales” in a specialized vertical and that informs my opinion.

Is your only “unfair advantage” that you hope to rank high in organic search? How do you acquire customers - conferences, targeted ads, a sales team? None of those efforts would be affected by a cloned site.

For some types of businesses, this could matter. For B2B SaaS, if you're running your business right it absolutely should not. You should have a sales team generating leads and making sales. As you continue to grow, your reputation in the space will start to bring in more leads.

At the end of the day, they're cloning your website, not your product, and that means they're not going to be taking any business from you.

You should talk to a lawyer if you want real advice or want to pursue this.

You should also consider the outcome if someone in an unreachable country (eg. Russia) cloned your website. If this is a grave issue, then you need to re-evaluate your business plan.

Clone theirs! ... oh wait ...
If they copied your site and beat you, they deserve to win. Ignore and keep building. Your superior product and eventual superior brand are not cloneable.
In theory isn't this what EV certs are for? I know users don't really notice though.
We actually bought an EV cert years ago!

Modern browsers don't actually give them any special display features these days, so it doesn't seem worth it.

If it's hosted in Germany, send the host an Abmahnung by registered mail. It's a cease and desist letter, German style. Copyright law in Germany leaves no doubt about this being very illegal. I'm surprised that they didn't react.

At the same time, file a DMCA notice with search engines. This could get them delisted.

Don't forget to document everything, as you will need it to do the above.

My website (see profile) has a list of English-speaking lawyers in Berlin.

> My website (see profile)

The value of the 'email' field is hidden to other HN users. Only the text in 'about' is visible to others.

You have a few options.

Any requests coming from that server network should be goatse-d on all images.

Or, since they're hosting from Germany, make sure to throw in some pro-nazi stuff and "holocaust didnt happen" stuff, and then turn them in to their government.

Basically, you can either just use normal troll defacement, or you can poison them with illegal to their location content. Your choice.

If you’re actually worried about customers confusing the sites, this might not work out well.
1) Generally ignore, it doesn't matter. If you're prioritizing your customers and they're prioritizing copying you, they'll always be second to you.

2) Despite the above, call them out publicly. A YC company ripped us off blatantly and we decided to call them out. It will hamper their image and make people aware of what they're doing. Evidence: https://twitter.com/Bensign/status/1512110156275986433

Generic design system looks generic shocker!
This. There's only so many ways you can design a graph, table, and rule editor. The icons just seem to be from two packs, so they likely picked out the most appropriate icon for the action, and when you have limited icon packs you'll likely converge on similar icons.

Notably, in a reply where they're calling out the similar icons, only one is the same while the other two are different, the only similarity that one of them has a graph.

I have to disagree with both comments on this... That was my first thought as well. But looking at the screenshots in the Twitter post, it goes beyond design systems. Structurally, it's the same. Layout, it's the same. Purpose, it's the same.
I don’t really buy it.

There’s only so many logical ways to layout a graph, breadcrumbs, and table. If the breadcrumbs perform an action, which they seem to do, then you’ll want them center to emphasize that. That’s just basic UX design.

I could argue they copied the query builder from dozens of different sites because they all look identical. It’s a query builder, there’s only a few ways to design and implement one.

The tables straight up are just standard design tables. They could’ve come from Bootstrap at how plain they look. The only thing they have in common in terms of the things they show is costs, which, I mean for two tools used to keep track of cloud spending, seems like a given.

The copy is completely different even if the purpose is the same, and “slicing and dicing data” is a go to phrase in the industry. We used the phrase all the time when developing a graphing tool.

Nothing in that Twitter post is unique. It’s what I, and I’m sure many others would converge on for any sort of tool that interacts with graphed data. Especially for two tools in the same space, there’s only so many ways to show people their cloud costs. If anything, both companies just have extremely generic looking and feeling UIs.

Um. Their marketing copy... the words used to describe things and the order in which they're laid out? You think that's GENERIC?
Please show me the exact marketing copy that is the same. They use different words to describe slicing and dicing data, which as I already said is an extremely common term in the industry. For two companies doing the same niche and relatively simple thing, I would certainly think that there would be a lot of similarities.

As I have said like half a dozen times now, there’s only so many ways you can show cloud costs. It’s not like this is some innovative space, it’s just showing costs over time on a graph and table. If I were to clean room design an interface for this problem, I would certainly have the same sort of design, layout and copy as these two.

And yes, all of those things are generic, for the reasons I’ve given. Do you have any actual response other than being incredulous that someone has a different opinion than you?

Pretty much generic nonsense text. The one of the left didn't optimize like the one on the right.
Nice try, Cloudthread.

Yes, the design is fairly generic but if you can't see that someone ripped off someone here then you must be trying a bit too hard to not see it.

I'm trying but both looks like countless other soul-less corporate sites.
Ya, not sure how they do not get your point… regardless of that fact, it is a completely uninspired design and it’s not hard to imagine this is some stock Tailwind UI component. Yes, they are wrong, but this isn’t some revolutionary stuff here. Let’s call a spade a spade.
...actually the team openly admitted to copying the site directly after we called them out publicly.

Here is the direct message of them apologizing: https://imgur.com/a/OlNJ5U4

Yeah I am with you the screenshots look like some bootstrap or whatever generic CSS framework of the day there is
> it doesn't matter

I've heard in the past that it can hurt your SEO, but I don't know that firsthand.

Is there a risk that google considers your site to be spam if it detects mirrors of the same content?

> Is there a risk that google considers your site to be spam if it detects mirrors of the same content?

I read about this happening a while ago, as the content thieves set an earlier publication date in their cloned pages metadata...

Yes, it does affect SEO, assuming the other party duplicated content and URL structure, the OP was not clear on this matter. Just HTML duplication won't (shouldn't) do anything. Google's bots will see 2 pages with similar content and URL structure, and make a judgment call as to which one is canonical, and present that one in search results as the authoritative source. And no, the methods Google uses to determine the canonical source are not known, and in my experience, don't often make much sense to us humans.
(comment deleted)
I don't see the rip off. I think it's about 60% similar but your design isn't special at all and very generic. The idea that someone "ripped you off" is a huge stretch to me.
I think the 'slice and dice' seals it, and it's right they apologise.

Otherwise, yes I agree, it's not a particularly innovative design, and 'graph with breadcrumbs and a datatable', and 'SQL query builder with madlibs type interface' are pretty generic, the implementations here are nice, but look very similar to Airtable/Notion/Coda, I don't think there's a huge amount of originality there. On the line between 'inspired by' and 'copied from', I think.

File a DMCA complaint and move on with your life.

Reference: 24 years in the web hosting industry

Is it possible that the site owner is an inexperienced business person who was conned by a "web designer" and doesn't know that the site was copied? (It doesn't really sound like it but it's a possibility to consider.)
Just curious - was this a result of your team ‘building in public’ (i.e., sharing regular updates publicly on Twitter or other communities as you build)?

I’ve seen more and more cases of this happening when founders build in public, especially if they share revenue numbers.

Regardless, sorry to hear about this happening to you…

Do you have a valid trademark in the domain registrars/hosting country?

No? Than as annoying as it is there are few options. However, "About Us" pictures of people at your company do have implicit copyright, and image misuse is 100% enforceable with take-down strikes.

Mostly endured the problem by posting our fiscal mistakes like a running joke, and proudly presenting them for others to "clone". Some folks are even brazen enough to try to sell trademarked squatter-domains. The good news is the .com and country suffix usually ranks higher in searches than most domains by default.

The truth is if you can be cloned with ease, than the product likely falls squarely in the low-hanging-fruit category. Thus, as a business model it is unsustainable.

>The truth is if you can be cloned with ease, than the product likely falls squarely in the low-hanging-fruit category. Thus, as a business model it is unsustainable.

if its a SaaS, they are likely talking about the marketing site - not the logged in experience.

Than they did not setup incentivized service deals, partner profit-sharing arrangements, or licensing agreements.

Thus, a castle without a moat you can fill with legal alligators. Note, a service company is actually easier to handle than shipped product firms.

Cheers ;)

"Good artists copy, great artists steal" ...

Without people blatantly copying stuff, we wouldn't have the iPhone.

Apparently in Chinese culture, copying is seen as a complement.
Yes. In college I always saw the students from China complementing each other’s assignments.
After the fact might be too late for this, but there are defensive programming techniques you can use to make a cloner's job a bit tougher. In some industries, this is more important than others.

> Obfuscate and compress your frontend code - It's harder to clone a big pile of random code that's not pretty.

> Put subtle watermarks in your site images - Makes their job harder and very easy to slip up.

> Use absolute rather than relative links so your own URLs appear everywhere in the site - It's easy for them to slip up and miss one.

> Use some of that obfuscated JS and frontend code to check what URL you're at and consider your options for redirecting, popping up a warning message, or rewriting the URLs in the body - it's a nightmare to try and figure out what a pile of crazy compressed JS actually does.

> Have your site rely on your own API in some fashion - hard for them to clone if they have to rely on you for the data.

> Put some hidden messages in your source code that might slide by a casual cloning job, but might be enough to verify ownership of the original code.

Brilliant. I'd add to this that the domain name shouldn't just be a constant at the top, because then they can just change it. My first guess is, make a few functions that "generate" it, kind of like what some people have on their websites for their email address.
>Obfuscate and compress your frontend code

Even more so, while slightly advanced, you can set up a OTP verification on the front end before rendering things. JS code calls your backend which receives a OTP code (generated through some private key), and verifies this using public key. If obfuscated/minified properly, it would take some effort to reverse engineer properly.

Additionally you can do sneaky things like make a request to your backend trigger on some random large time interval, where the Origin header is passed, so you can see which domain the client site got rendered from, and then return some displayed warnings about using a fake copied website.

>If obfuscated/minified properly, it would take some effort to reverse engineer properly.

ah, this strange network request fails with this base64 and it stops loading, whatever could it be!

> Even more so, while slightly advanced, you can set up a OTP verification on the front end before rendering things.

How to get yourself de-listed from Google. This one weird trick all your competitors want you to know!

There's a few things that can help:

- DMCA takedowns (domain registrar, ISP, IP space owner)

- Report the fake site as phishing in Google Safebrowsing and similar

- If they're hotlinking any assets, replace them with broken / nasty ones

I would ignore and focus on your product. There's not a lot that can be done to prevent this from happening and money, time and resources spent on lawyers with no certain outcome is probably not as beneficial as directing that money, time and resources towards improving your product.

The people who do this tend to be lazy and uninterested in the actual business. (If they had a real passion for it, they wouldn't just clone your public facing website) Thus, they will probably vanish on their own sooner than later anyway.