When Fighting Fake Websites Means Exposing Real People

Imagine registering a small blog, a nonprofit's donation page, or a side business website, and discovering that your home address and phone number are now one search away from anyone who wants them — not because you did anything wrong, but because a court thousands of miles away decided that hiding that information makes fraud too easy. That is roughly the situation domain registrars say they now face because of a ruling from the Delhi High Court, and it is why GoDaddy, Namecheap, and other companies that sell website addresses for a living are pushing back hard.

A person reviewing a domain registration screen and privacy settings, illustrating domain privacy in cybersecurity

The case sits at an uncomfortable intersection: courts trying to stop scammers from impersonating trusted brands, and an internet-wide system that was built to let anyone own a website without broadcasting their personal life to strangers. Untangling how those two goals collided says a lot about what "anti-fraud policy" actually costs — and who pays it.

The Problem the Court Was Trying to Solve

India’s internet population has grown enormously in a short window, and that growth has brought a wave of newly connected users who are easy targets for scams built on convincing-looking websites. Fraudsters routinely register domains that mimic real companies — a practice known as typosquatting, which relies on misspelled or look-alike web addresses to trick people who don’t look closely at a URL. India’s National Technical Research Organization reported identifying more than 1,100 phishing domains in just the first quarter of 2025, and the specific case behind this ruling, Dabur India v. Ashok Kumar, arose after more than 1,100 domains were found impersonating brands like Tata Sky, Amul, Bajaj Finance, Meesho, and ITC to sell fake franchises and jobs.

In December, Justice Prathiba M. Singh of the Delhi High Court responded with a sweeping set of directions to domain registrars. Among 14 requirements, three are now at the center of an appeal: registrars must run electronic identity verification (e-KYC) on every domain buyer, they must stop offering registrant-privacy masking as the automatic default, and they must hand over a registrant’s details within 72 hours if a court, law enforcement agency, or "rights holder" asks.

How Domain Privacy Normally Works

To see why registrars are alarmed, it helps to understand what’s being changed. Every domain has an entry in WHOIS, a public lookup system that has long let anyone check who registered a given web address. Because that record traditionally included a real name, address, phone number, and email, most registrars started offering domain privacy services — a proxy layer that swaps a registrant’s real contact details for masked, registrar-owned information. For years this has been offered as a free or low-cost default, not a special favor: it’s simply treated as a baseline protection, the way an unlisted phone number once was.

The Delhi High Court’s order flips that default. Privacy becomes something a buyer has to actively request and, per the ruling as reported, potentially pay for. As one legal analysis of the judgment put it, this shifts consent "from a function of individuality" to "one of monetary means" — in plain terms, privacy stops being a right you have unless you object, and becomes a privilege you can afford.

The following comparison captures what actually shifts in practice:

Rule design Who is checked/exposed Fraud-fighting logic Privacy cost
Privacy-by-default (status quo) Registrant identity hidden unless waived Relies on takedown requests, trademark suits, blocklists Low — ordinary users stay unlisted
Privacy opt-in / paid add-on Registrant exposed unless they pay/opt in Makes bulk lookups of any domain owner trivial Higher — cost becomes a privacy gatekeeper
Mandatory e-KYC at registration All buyers identity-checked upfront Deters anonymous mass registration of scam domains Moderate — data collected but not necessarily public
72-hour disclosure to "legitimate interest" requesters Anyone framed as a rights holder or authority Speeds enforcement against confirmed fraud Depends entirely on who qualifies as "legitimate"

That last row is where much of the legal argument is happening. GoDaddy says it has no reliable way to judge who has a genuine "legitimate interest" in someone’s private data, since the court borrowed that phrase from Europe’s GDPR without defining it. A researcher on internet governance quoted by Reuters put the practical risk bluntly: the people most likely to be exposed by faster, looser disclosure are not sophisticated scammers, who can already hide behind stolen identities or offshore registrars, but "journalists, activists, [and] small business owners".

From One Courtroom to the Whole Internet

Here is the detail that turns an Indian court case into a global story: domain names don’t recognize borders. A registrar can’t easily run one WHOIS privacy policy for Indian customers and a different one for everyone else, because the same lookup systems and databases serve the entire internet. That is the core of GoDaddy’s warning — comply fully, and the change in practice could ripple outward to registrants who have never set foot in India.

flowchart LR
 A[Buy a domain] --> B[Registrar applies privacy masking]
 B --> C[Public WHOIS shows proxy details]
 D[Court order / law enforcement / rights-holder request] --> E{Registrar evaluates request}
 E --> F[Real registrant details disclosed within 72 hours]
 C --> D

Justice Singh’s order rests on a specific reading of India’s Digital Personal Data Protection Act — she held that a provision allowing data processing without consent when complying with a court order effectively permits, rather than blocks, the disclosures she ordered. GoDaddy disputes that reading and argues it conflicts with both Indian and European data-minimization rules. Notably, the same court reportedly interpreted the same law differently just weeks earlier in an unrelated privacy case — a reminder that this legal question is genuinely unsettled, not resolved.

What the Numbers Don’t Tell Us

It’s worth being honest about the limits of what’s known. The scale of India’s fraud problem is real but not precisely quantified in the available reporting — figures on cyber-fraud complaints and phishing-domain counts come from different agencies measuring different things, and no source establishes how much this specific rule would actually reduce fraud compared with other tools already in use, like trademark takedowns or blocklists. GoDaddy, Namecheap, and Hosting Concepts have filed separate appeals, and a larger bench of the Delhi High Court was expected to hear the case in July. Whether it upholds, narrows, or scraps the December directions remains open.

The Real Lesson

It’s tempting to frame this as good guys versus bad guys — protecting brands and users from scammers versus protecting everyone’s privacy. The more useful frame is that "anti-fraud" and "good privacy policy" are not the same thing and don’t automatically travel together. A rule can genuinely make it harder for a scammer to hide behind a fake domain while also making it easier for a stalker, a corporate rival, or an authoritarian government to unmask a critic, a small business owner, or an ordinary person who just wanted a website. The difference isn’t the goal — it’s the design: who gets checked, who decides what counts as a "legitimate" request, and how fast disclosure happens once someone asks. India’s court fight over fake domains is, underneath the legal language, an argument about exactly those design choices — and how they answer will shape more than one country’s internet.

Sources

  1. GoDaddy Challenges Delhi HC Order Ending Domain Privacy
  2. GoDaddy Sounds Alarm Over How India Law Would Upend Internet Privacy Everywhere
  3. Another conflict between internet freedom and regulation
  4. GoDaddy warns India’s fake website crackdown could damage the Internet and users’ privacy – BusinessToday
Scroll to Top