A Look at Upcoming Innovations in Electric and Autonomous Vehicles GoDaddy Fights Indian Court Order That Strips Default Domain Privacy

GoDaddy Fights Indian Court Order That Strips Default Domain Privacy

One of the world's largest domain registrars is pushing back against an Indian court ruling that would require it to expose the personal details of website owners by default - a measure framed as anti-fraud protection but condemned by GoDaddy as a threat to user safety and the commercial viability of operating in India. The company has filed an appeal before a larger bench of the Delhi High Court, which is scheduled to take up the matter on July 16. At stake is a set of directives that could reshape how domain registration works across one of the internet's fastest-growing markets.

What the Delhi High Court Actually Ordered

The ruling emerged from a series of lawsuits filed from 2019 onward by major brands - including Amazon and McDonald's - against fraudulent websites that mimicked their identities to deceive consumers. In December, a New Delhi court ordered more than 1,100 such websites blocked. So far, that portion of the ruling is largely uncontroversial.

The dispute centers on the broader structural measures the court attached to that order. The court directed domain registrars to stop offering privacy protection as a default feature, reasoning that it functions "as a cloak" shielding rogue operators from accountability. Under the new rules, registrars would also be required to disclose a domain owner's name, address, phone number, and email address within 72 hours to anyone who can claim a "legitimate interest." Additionally, registrars would be barred from accepting registrations for domain names that are recognizable variations of protected brand names.

The court described fraudulent websites as having become "engines for large-scale deception" - a characterization backed by the scale of India's cyber fraud problem. Government data cited in the case shows Indian authorities received 2.4 million complaints of alleged cyber fraud worth approximately US$2.4 billion in a single year, figures that reflect the mounting pressure on regulators and courts to act.

Why GoDaddy Says the Cure Is Worse Than the Disease

In appeal documents reviewed by Reuters, GoDaddy argues that stripping default privacy protection would harm far more legitimate users than fraudulent ones. The concern is straightforward: when a domain owner registers a website, their contact details are stored in a publicly queryable directory known as WHOIS. Privacy protection - sometimes called WHOIS masking - replaces those personal details with proxy information, preventing anyone from running a simple lookup and obtaining a private individual's home address or phone number.

GoDaddy warns that removing this protection by default would expose journalists, activists, small business owners, and private individuals to stalking, harassment, and targeted threats. Fraudsters, the company notes, are unlikely to register under accurate personal details regardless of the rules - they will simply falsify the information. The burden, in practice, would fall almost entirely on those operating in good faith.

The company went further in its filings, describing the directives as "commercially destabilizing" and warning they could force domain registration companies to exit the Indian market altogether. That is not a trivial concern: India has roughly 900 million internet users and the number continues to grow. For a global registrar, walking away from that market would be a significant decision - which makes the warning a measure of just how seriously GoDaddy views the compliance burden.

A Tension Built Into Internet Governance

The conflict between brand protection, user privacy, and fraud prevention is not new to internet governance. For years, the organization that oversees global domain name policy - ICANN - has grappled with exactly this tension. The introduction of the European Union's General Data Protection Regulation in 2018 accelerated the widespread adoption of WHOIS privacy protections, as registrars faced legal liability for publishing personal data without consent. Many jurisdictions have since moved toward restricting public WHOIS access, not expanding it.

India's court order moves in the opposite direction. The "legitimate interest" standard the court proposes for triggering a 72-hour disclosure is vague enough to invite misuse. Unlike a formal legal subpoena process - which creates a documented record and legal accountability for the requester - a broad legitimate interest test could be invoked by private parties with commercial or personal motives that have little to do with fraud prevention.

The preemptive blocking of domain name variations presents a separate set of problems. Determining whether a domain name is a protected variation of a brand requires editorial judgment, and automating or mandating that process at the registrar level risks blocking legitimate websites - parody, criticism, fan communities, or businesses that happen to share a word with a large corporation's trademark.

What Comes Next

The Delhi High Court's July 16 hearing will determine whether the broader directives survive appeal or are narrowed significantly. Other registrars are likely watching closely: a ruling that stands would set a precedent affecting every company that sells domain registrations to Indian customers, regardless of where the registrar is based.

India's cyber fraud problem is genuine and serious, and the courts are right to take it seriously. But the measures challenged here are blunt instruments applied to a problem that requires precision. Effective fraud enforcement typically depends on coordinated mechanisms - abuse reporting systems, rapid response protocols between registrars and law enforcement, and legal processes that can compel disclosure when warranted - not blanket exposure of all domain owners' private data. The GoDaddy appeal, whatever one thinks of the company's commercial interests, raises questions of real public importance about how anti-fraud rules are designed and who ultimately bears their cost.