A Delhi High Court ruling designed to expose the operators of fraudulent websites has provoked a sharp legal challenge from one of the world's largest domain registrars, GoDaddy, which warns the measures threaten the privacy and safety of millions of legitimate website owners. The dispute pits India's escalating campaign against cyber fraud against foundational principles of how the internet handles personal data - and the outcome could reshape domain registration practices across a country with one of the fastest-growing online populations on earth. The case is scheduled for further hearing before a larger Delhi High Court bench on July 16.
What the Court Ordered - and Why
The ruling emerged from a wave of lawsuits filed from 2019 onward by major corporations including Amazon and McDonald's, targeting fraudulent websites that mimicked their brands to deceive consumers. In December, the New Delhi court ordered more than 1,100 such sites to be blocked. But it went considerably further than a straightforward takedown list.
The court declared that websites impersonating established brands had become, in its own words, "engines for large-scale deception." To root out the operators behind them, it ordered domain registrars to stop offering privacy protection by default, to disclose the personal details of domain owners - names, addresses, phone numbers, and email addresses - within 72 hours to anyone who can demonstrate a "legitimate interest," and to block the registration of website names that are recognizable variations of protected brand names.
The reasoning was direct: privacy protection, the court found, acts "as a cloak" shielding rogue operators from accountability. Because the service is typically offered free of charge and automatically, bad actors exploit it at no cost and with no friction. Making it a paid, opt-in feature would, in the court's view, raise the barrier for abuse.
The scale of the problem the court was responding to is real. Indian government data cited in reporting on the case shows that authorities received 2.4 million complaints of alleged cyber fraud worth approximately US$2.4 billion in a single recent year - figures that reflect how dramatically online fraud has grown alongside India's rapid expansion of smartphone and internet access.
GoDaddy's Objections - Privacy, Commerce, and Governance
GoDaddy's appeal, drawn from non-public court filings reviewed by Reuters, does not dispute the goal of reducing fraud. Its argument is that the court's chosen mechanism creates serious collateral harm to people who have done nothing wrong.
The core privacy concern is structural. When a domain owner registers a website, they are required to supply personal contact information. Privacy protection services - commonly known as WHOIS privacy or domain privacy - replace that publicly visible information with the registrar's own contact details, shielding the actual owner from public exposure. This service has been standard industry practice for years, precisely because the WHOIS database has historically been harvested by spammers, data brokers, and in some documented cases, individuals seeking to identify and harass website operators.
Removing that protection by default, GoDaddy argues, would expose legitimate website owners - small business operators, journalists, activists, private individuals - to stalking, harassment, and other security risks. The 72-hour disclosure window is particularly contentious: requiring registrars to hand over personal data to any party claiming a "legitimate interest" creates an enforcement mechanism that could be misused without adequate safeguards or judicial oversight.
GoDaddy also raised commercial and structural objections, describing the directives in its filings as "commercially destabilizing" and warning they could compel domain registrars to exit the Indian market entirely. The broader implication - though unstated in those terms - is that reduced registrar competition would serve Indian internet users poorly.
A Tension Without Easy Resolution
The dispute reflects a genuine tension that regulators and courts in multiple jurisdictions have struggled to resolve. Domain privacy protection serves two populations with opposite intentions: people who have legitimate reasons to keep their home address off a public database, and bad actors who use anonymity as a shield for fraud, phishing, and brand impersonation.
The question of how to distinguish between the two - and who bears the cost of getting it wrong - is not new. When the General Data Protection Regulation took effect in Europe in 2018, ICANN, the nonprofit body that oversees global domain name policy, faced nearly identical pressure to restrict public WHOIS data. The resulting compromise required registrars to limit what they disclosed publicly while establishing a tiered access system for parties with verified legal standing. It was imperfect and contested, but it attempted to balance accountability against privacy rather than sacrificing one for the other.
India's approach, as interpreted by the Delhi court, leans more heavily toward exposure. Whether that reflects the scale of the fraud problem, the particular demands of Indian trademark law, or the limits of what a national court can practically engineer, is a matter the July 16 hearing will begin to clarify. What is already clear is that the ruling, if upheld as written, would set a precedent with consequences well beyond the 1,100 sites originally targeted - affecting every domain owner registered through an Indian-market registrar, regardless of whether their site has any connection to fraud at all.