Regulation Bearish 7

India’s forced domain privacy removal triggered by 1,100+ fake sites poses fresh cyber risks

· 4 min read ·
Share

Key Takeaways

  • The New Delhi court order to remove default WHOIS privacy to fight fake websites could inadvertently expose millions of legitimate domain owners to cyberstalking, doxing, and targeted attacks.
  • Security experts worry that public registrant data will fuel a new wave of social engineering and identity theft.

Mentioned

GoDaddy company GDDY Namecheap company Hosting Concepts company Amazon company AMZN McDonald's company MCD Delhi High Court court European Union GDPR regulation India Digital Personal Data Protection Act regulation Indian government government

Key Intelligence

Key Facts

  1. 1Indian authorities recorded 2.4 million cyber fraud complaints totaling $2.4 billion in 2025.
  2. 2In December 2025, a New Delhi court ordered the blocking of more than 1,100 fake websites and mandated that WHOIS privacy protection become a paid service.
  3. 3GoDaddy, managing approximately 80 million domain names globally with $5 billion in annual revenue, describes the directives as 'commercially destabilizing' and warns registrars may be forced to exit India.
  4. 4The ruling directly conflicts with India’s Digital Personal Data Protection Act and the EU’s GDPR, both of which promote privacy-by-default principles.
  5. 5Competitor registrars Namecheap and Hosting Concepts have also filed challenges against the order.
  6. 6GoDaddy argues the forced disclosure of registrant data would expose legitimate website owners to stalking, harassment, and other security risks.

Who's Affected

Legitimate website owners
groupNegative
Cyber fraud investigators
groupPositive
Brands (Amazon, McDonald’s)
companyPositive
Domain registrars
companyNegative
Privacy Risk Assessment

Analysis

For cybersecurity practitioners, the court’s remedy — turning off privacy protection by default — is a double-edged sword. While it may assist investigators in unmasking fraudsters, it simultaneously hands cybercriminals a treasure trove of verified personal data on website owners, from home addresses to phone numbers. The very people the order purports to protect could become prime targets for phishing, swatting, and real-world harassment.

GoDaddy’s appeal against a New Delhi court order signals a high-stakes collision between India’s escalating cyber fraud crackdown and globally accepted privacy norms. At the center of the dispute is a December 2025 ruling that ordered the blocking of over 1,100 fake websites impersonating brands such as Amazon and McDonald’s, and — more critically — mandated that domain privacy protection become a paid service, stripping away the ‘privacy by default’ model. GoDaddy argues that this forced exposure of registrant data (names, addresses, phone numbers, emails) would not only violate India’s own Digital Personal Data Protection Act and the EU’s GDPR but also invite harassment, stalking, and identity theft against millions of legitimate website owners. The company has called the directives ‘commercially destabilizing’ and warned that domain registration companies could be forced to exit India entirely.

Authorities registered 2.4 million cyber fraud complaints valued at $2.4 billion in 2025 alone, a staggering volume fueled by a booming digital user base.

India’s motivation is clear. Authorities registered 2.4 million cyber fraud complaints valued at $2.4 billion in 2025 alone, a staggering volume fueled by a booming digital user base. Fake e-commerce sites, phishing portals, and counterfeit payment gateways have proliferated, leveraging default WHOIS privacy to hide behind anonymized registrations. The court branded these sites ‘engines for large-scale deception’ and concluded that free privacy functions as a shield for criminals. By monetizing privacy, the court aims to introduce a friction model — legitimate users can still hide their details, but at a cost, while law enforcement gains a clearer path to track bad actors.

Yet GoDaddy and competitors Namecheap and Hosting Concepts contend the remedy is worse than the disease. In legal filings, GoDaddy emphasized that domain registrars across the world rely on privacy-by-default to comply with data protection frameworks, and that suddenly pivoting to a paid model would fracture the global WHOIS system, invite jurisdictional chaos, and erode user trust. For a company managing 80 million domains and generating roughly $5 billion in annual revenue, India is not just a regulatory headache — it is its largest emerging market, and any threat to operations there carries material financial risk.

The ruling also raises profound internet governance questions. If India’s approach succeeds, other nations grappling with fraud may follow suit, creating a patchwork of conflicting mandates that could balkanize the internet. Registrars might be forced to implement geo-fenced WHOIS disclosure, a technically complex and legally fraught endeavor. The appeals process at the Delhi High Court is thus being watched not only by domain registrars but by brand owners, cybersecurity firms, privacy advocates, and global internet governance bodies.

What to Watch

GoDaddy’s core argument rests on proportionality. The company does not dispute the need to combat fraud but insists that less intrusive methods — such as faster judicial disclosure mechanisms, better coordination with registrars, and enhanced verification systems — can achieve the same goals without dismantling privacy for all. The EU’s GDPR and India’s 2023 data protection law both enshrine ‘privacy by design,’ which the court ruling directly contradicts. A larger bench of the Delhi High Court will now weigh whether national security and anti-fraud imperatives can override fundamental privacy rights, especially when alternative remedies exist.

The outcome could redefine the business landscape for international tech companies in India. If upheld, the ruling might prompt a rapid escalation in compliance costs, force domain registrars to reevaluate their Indian presence, and potentially trigger similar demands from other jurisdictions. Conversely, a reversal could establish that India’s data protection framework, still nascent, holds sway over judicial discretion in technology matters. The case is a litmus test for how the world’s most populous democracy balances digital growth, consumer safety, and individual rights.

From the Network

How we covered this story

Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.

Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.