A Look at Upcoming Innovations in Electric and Autonomous Vehicles GoDaddy Fights Indian Court Order That Strips Default Domain Privacy

GoDaddy Fights Indian Court Order That Strips Default Domain Privacy

One of the world's largest domain registrars is pushing back against an Indian court ruling that would strip privacy protections from website owners by default - a measure a New Delhi court introduced to combat the surge of fake websites impersonating major brands. GoDaddy has appealed the December ruling before a larger bench of the Delhi High Court, warning that the directives would expose millions of legitimate domain owners to harassment and could destabilize the domain registration industry in India. The court is scheduled to hear the appeals on July 16.

How the Ruling Came About

The legal dispute has its roots in a wave of brand-impersonation fraud that companies including Amazon and McDonald's began targeting through the Indian courts in 2019. Fraudulent websites mimicking well-known names have proliferated as India's internet and smartphone user base has expanded rapidly. Indian government data shows authorities received 2.4 million complaints of alleged cyber fraud last year, representing losses of approximately US$2.4 billion - figures that give the Delhi High Court's intervention its urgency.

In December, the court ordered more than 1,100 fraudulent websites to be blocked. It did not stop there. Describing fake websites as "engines for large-scale deception," the court also introduced systemic changes to how domain registration works in India: registrars must stop offering privacy protection as a default feature, disclose domain owners' details within 72 hours to anyone with a "legitimate interest," and block the registration of website addresses that are recognizable variations of protected brand names.

What Is at Stake for Domain Privacy

The privacy feature at the center of this dispute - commonly known as WHOIS privacy or domain privacy protection - shields the personal details of a website's registered owner from appearing in publicly accessible databases. When someone registers a domain name, they are required to provide contact information including their name, physical address, phone number and email address. Without privacy protection, that information is visible to anyone who runs a basic lookup query on the domain.

Privacy protection replaces that personal data in public records with the registrar's contact details, effectively anonymizing the owner. The system was designed partly to reduce spam and harassment, and its value extends well beyond corporations. Independent journalists, activists, small business owners, medical professionals, and ordinary individuals who maintain personal websites all rely on it to prevent their home addresses and phone numbers from being publicly indexed.

GoDaddy's appeal, as described in non-public filings reviewed by Reuters, argues that removing this default protection would expose legitimate website owners to stalking, harassment and security risks. The company called the directives "commercially destabilizing" and warned that registrars could be forced to exit the Indian market entirely if the measures are upheld. Those are not abstract concerns: a registrar operating at scale in India must weigh the legal liability and operational complexity of maintaining a regime that differs sharply from global industry norms.

A Genuine Tension, Not a Simple Contest

The court's reasoning is understandable. Anonymity tools have real dual-use problems. When fraudsters register domains impersonating Amazon or McDonald's to deceive consumers, the same privacy protections that shield a legitimate blogger also shield the operator of a scam site. The court's position - that privacy protection "acts as a cloak" for rogue operators - reflects a documented pattern in cybercrime enforcement: accountability is difficult when ownership cannot be established quickly.

But the remedy the court has chosen is a blunt one. Requiring disclosure to anyone with a "legitimate interest" within 72 hours introduces a category that is undefined in the ruling and open to abuse. Bad actors seeking to identify and threaten a journalist or a dissident need only assert a plausible interest. Making privacy a paid add-on, rather than a default, shifts the burden onto those with the least resources - individuals and small operators - while corporations and sophisticated fraudsters can simply absorb the cost or route registrations through other jurisdictions.

The broader question the Delhi High Court must weigh is whether measures designed to catch criminals will be effective against them at all. Determined fraudsters have long demonstrated the ability to register domains through intermediaries, use false credentials, or operate from jurisdictions where enforcement is weak. The individuals most affected by removing default privacy protections are likely to be the legitimate users who comply with registration rules in the first place.

What the Appeal May Decide

The July 16 hearing will determine whether India's courts apply a more targeted approach - one that preserves the blocking of specific fraudulent sites while revisiting the systemic privacy changes - or uphold the December ruling in full. The outcome will carry implications beyond India's borders. As one of the world's fastest-growing internet markets, India's regulatory decisions on domain governance can influence how other large jurisdictions approach similar trade-offs between accountability and privacy. International domain registrars, digital rights advocates, and brand protection lawyers will all be watching closely.

The case also surfaces a recurring tension in internet governance: the infrastructure that enables online anonymity was not designed with fraud prevention as its primary function, but dismantling it wholesale creates new victims in the process of addressing old ones.