My Website Was Stolen

April of 2021. I'm finishing up a project idea I'd hatched up a few months earlier, but never got around to developing due to uni.

It's a machine learning web app built for an impressive-sounding use-case relating to medicine. I lovingly handcrafted the entire thing from scratch, writing raw HTML, Sass, and React which piped data back and forth from a Node backend, which in turn ran the trained models. It was fairly complicated for a one-man hobby project, and I was pretty proud of it.

After deploying to production, I tuned a few SEO settings in Google's Search Console and gradually forgot about it as I moved on to a new project.

A little while later, during some downtime, I was reading up on some SEO tips and tricks. In doing so, I remembered my previous project, and out of curiosity, I decided to give Google a quick spin to see how the rankings were going.

It was doing pretty good... but so was something else.

Right below my website was a seemingly identical one. Unfortunately (and I hate myself for this), I didn't take a screenshot of it, so I can't remember the exact details. But IIRC, it had the same title and meta description. Puzzled, I jumped in to check it out.

It was an exact, word-for-word clone of my web app. Everything was the same. The content, the styling... all of it.

There were only 2 notable differences:

  1. The domain was different (obviously).
  2. The backend didn't work. In other words, when trying to use the web forms to submit inputs to the machine learning models on the backend, it always gave a "Submission Failure" message. So the whole point of the web app - the core product, if you will - was non-functional.

And then... I did nothing.

This is gonna sound super weird and super stupid... but at the time, I didn't think much of it.

I was used to facing a plethora of obscure bugs and strange quirks when it comes to software. Somehow, I managed to convince myself that this was just that - a bug in the system. A glitch. The idea that someone saw my website and deliberately copied it was unfathomable to me.

If that sounds like the dumbest reasoning you've ever heard - it's because it is. I don't know what I was thinking. I've heard stories about people's work being stolen... but I never thought it could actually happen to me. I won't sugarcoat it - I was in denial.

It was only a few weeks later that what I had seen randomly popped back into my head. "Wait... was my website actually STOLEN?!"

Immediately, I felt extraordinarily uncomfortable. I did some research on what to do, and was pointed towards a tool by Google to request removals of copyrighted content.

Then, I decided to try to find out more about the perpetrators. The domain that was hosting the clone was actually a subdomain of a software company based in Mexico. Their product? A cloud-based project management platform. Yeah. Needless to say, it had absolutely nothing to do with my medical web app. Talk about confusing.

After looking around a bit, I found some contact information which I used to draft an email. I guess in legal terms this would be called a "cease-and-desist" letter?

At this point, you have to understand that I was feeling very uncomfortable and out of my element. Like a lot of people, I'm a little wary of confrontation and try my best to handle things diplomatically. Now I'm in a situation where I've already filed a DMCA takedown request and I'm about to confront the people responsible for stealing my website. Fun stuff!

Here goes nothing. I give my email the subject: Copyright Infringement - Takedown Request. That should get their attention. Now for the content...

[Screenshot: A polite email of me asking the company to take down their clone of my website]
Note the name of the subdomain. That comes into play a little bit later.

I want to note that I'm not a lawyer or anything, and I certainly don't have the money to hire one. Basically, I don't really have any actual power to enforce that they take down the clone. That's why I had to be pretty careful in how I came across in the email. Stern, a little forthright... but respectful. Did it work? Well, one day later, I got a response from a company rep:

[Screenshot: A company representative replies to my email, simply asking me to schedule a call]
https://youtu.be/_JOsUhrrxeg

No thanks, bro! (In case you couldn't get that link to work.)

At this point, I've noticed that their clone is now AWOL. Still on Google, but returning a 404. As far as I'm concerned, they've done what I wanted - they took the clone down. Now the onus is on Google to follow through on my request to take the search result down. I've got absolutely no interest in talking about this any further with the rep - I'd rather put this uncomfortable experience behind me.

[Screenshot: I let the company know that they did what I wanted, and that there's no need for a call]
Our business is done here. Got it?

I hit send, and hope that I never hear a word from these people ever again. But I get one last email:

[Screenshot: Company rep says that if I'm using cloudways, then they might be doing something with my web app]
THE MYSTERY CONTINUES

Sounds ominous. I don't really understand what they're trying to get at here, but it seems like they're trying to shift the blame towards Cloudways, which is a cloud-hosting platform that just so happened to have its name as part of the subdomain of the clone: "cloudways-delete"

But the thing is... I don't use Cloudways. At the time of the correspondence, my web app had been hosted on DigitalOcean. I've since moved on to AWS Lightsail, but that's a story for another time (summary: it's cheaper).

Not to mention, the fact that the clone went AWOL after my email proved that they had control over it. They had the power to take the clone down, which was hosted as a subdomain on their website, which presumably means they were the ones who started this whole fiasco.

The only basis for Cloudways' involvement is that the phrase "cloudways" was part of the subdomain, and what if that's just a name and doesn't mean anything of importance?

I don't know. To be perfectly honest, I don't have enough information to explore the "cloudways-was-behind-everything" hypothesis, and from what I do know, that hypothesis is probably garbage that a panicking company is trying to push to avoid any potential legal action.

And even if I did have convincing information suggesting that Cloudways was the bad actor, I don't know if I'd care.

At least in this case, I'm not looking for revenge. And look, I get it. Revenge is satisfying. But I'd rather just let it go and get on with my life. That's why I've blackened out parts of the screenshots: I'm not trying for a "name-and-shame" style of blog post. As long as the clone stays dead and doesn't keep coming back like a Resident Evil villain, I'm happy.

So that's that. As of writing, it's been about two months since that last email, and I've had no further correspondence with the company. Google has acted on my DMCA takedown request, and if you were to look up the web app today, you'd see no clone...

...just the OG, baby.