A Look at Upcoming Innovations in Electric and Autonomous Vehicles GoDaddy Challenges Indian Court Order That Threatens Domain Privacy Protections

GoDaddy Challenges Indian Court Order That Threatens Domain Privacy Protections

One of the world's largest domain registrars is pushing back against a sweeping Indian court ruling that would strip default privacy protections from website owners, warning the directives could expose millions of legitimate users to real-world harm. GoDaddy has filed an appeal before a larger bench of the Delhi High Court, targeting measures introduced in December as part of a broader effort to dismantle networks of fraudulent websites impersonating major brands. The case cuts to a fault line that regulators and technologists have long struggled to resolve: how to pursue online fraud without dismantling the privacy infrastructure that protects ordinary internet users.

How a Fraud Crackdown Became a Privacy Battle

The original dispute has roots in a wave of lawsuits filed from 2019 onward by companies including Amazon and McDonald's, targeting websites that mimicked their brands to deceive consumers. In December, a New Delhi court ordered more than 1,100 such sites blocked - a measure few would dispute. The controversy lies in what the court attached to that order.

The court ruled that domain registrars must stop offering privacy protection as a default feature, on the grounds that it functions "as a cloak" concealing fraudulent operators. Under the directives, registrars would also be required to disclose domain owners' personal details - names, addresses, phone numbers and email addresses - within 72 hours to any party claiming a "legitimate interest." Registrars would additionally be barred from accepting registrations of domain names that are recognizable variations of protected brand names.

The court described fake websites as "engines for large-scale deception," a characterization that reflects the genuine scale of India's cyber fraud problem. Government data cited in the case shows Indian authorities received 2.4 million complaints of alleged cyber fraud worth $2.4 billion in a single year - figures that underscore why courts and regulators have been under pressure to act forcefully.

The Case Against Eliminating Privacy by Default

GoDaddy's appeal, drawn from non-public filings reviewed by Reuters, argues that the cure carries serious risks of its own. The registrar contends that removing default privacy protection would publicly expose the contact details of countless legitimate website owners - small business operators, independent journalists, activists, healthcare providers and private individuals among them - who have no connection to fraud but would face the same disclosure requirements as bad actors.

The privacy protection in question, commonly known as WHOIS privacy or domain privacy, has been a standard feature of domain registration for well over a decade. When a person or organization registers a domain, their contact details are submitted to a centralized database governed by international standards. Without privacy protection, those details are publicly searchable. With it, the registrar's own contact information is listed instead, shielding the owner from unwanted exposure. GoDaddy argues that compelling disclosure of this information on a 72-hour turnaround, to anyone asserting a legitimate interest, would leave domain owners vulnerable to stalking, harassment, targeted scams and physical threats.

The company described the directives as "commercially destabilizing" in its appeal documents and raised the prospect that domain registration firms could choose to exit the Indian market entirely rather than operate under such conditions - a consequence that would reduce competition and potentially concentrate the domain registration market among fewer, less accountable providers.

A Tension With No Easy Resolution

The underlying tension here is not new, and India is not the only jurisdiction wrestling with it. Domain privacy has long been a contested tool. Law enforcement agencies worldwide have argued that it shields criminals; digital rights advocates counter that eliminating it punishes the many for the actions of the few. The global domain governance body ICANN has spent years attempting to broker frameworks that balance these competing claims, with only partial success.

What makes the Delhi High Court ruling unusual is its breadth. Blocking specific fraudulent websites is standard practice in most jurisdictions. Requiring registrars to proactively prevent the registration of brand-adjacent domain names is considerably more intrusive, raising questions about who defines what constitutes an infringing variation and how registrars are expected to police that in real time. Mandating the elimination of privacy-by-default across the board goes further still, creating systemic exposure for all domain owners rather than targeting identified offenders.

India's rapid expansion of internet access - driven by affordable smartphones and mobile data - has made the country both a major target for cyber fraud and a market of enormous significance for global technology companies. The outcome of the appeal, scheduled to be heard on July 16, will be watched closely by registrars, privacy advocates and brand protection lawyers operating across the region. The Delhi High Court's final position may well influence how other fast-growing digital economies approach the same dilemma.