DEV Community

Cover image for How India Court Ruling Threatens Domain Registration Privacy
MonstaDomains
MonstaDomains

Posted on • Originally published at monstadomains.com

How India Court Ruling Threatens Domain Registration Privacy

Originally published at https://monstadomains.com/blog/domain-registration-privacy/

Your name, home address, and phone number could soon be one public lookup away, and a single court order in New Delhi is the reason. On paper, the Delhi High Court was trying to fix a phishing problem. In practice, its ruling takes direct aim at domain registration privacy for everyone, not just Indians. If it stands, the default protection that keeps your identity off public WHOIS records vanishes, replaced by mandatory ID checks and a guaranteed 72-hour pipeline to law enforcement. This is not hypothetical. GoDaddy is already appealing, and the fallout could redraw the rules of domain registration privacy far beyond one country.

What the Delhi High Court Actually Ordered

Reporting in early July confirmed that the Delhi High Court had ordered domain registrars to strip privacy out of the default registration flow. Under the ruling, buyers can no longer hide their contact details automatically. They must opt in to privacy, and registrars may charge an extra fee for it. That single change flips the model on its head. For years, domain registration privacy was something responsible registrars gave you by default. The court wants it downgraded to a paid add-on that most people never enable, leaving their data exposed the instant a domain goes live.

KYC Checks on Every Buyer

The order does not stop at WHOIS records. It compels registrars to run Know Your Customer checks, reviewing government-issued IDs or other identifying documents before selling a domain. This is the same surveillance-first logic that already smothers the banking system, now bolted onto domain names. Once a registrar holds your passport scan, domain registration privacy is gone at the source. It no longer matters what the public record shows, because the registrar has already built a verified identity file that a court, a regulator, or a breached database can later surrender.

A 72 Hour Disclosure Window

The ruling also starts a clock. Law enforcement agencies and courts can compel a registrar to hand over domain owner information within 72 hours of a request. There is no meaningful friction here, no adversarial hearing baked into the process, just a deadline. For journalists, activists, and businesses operating in hostile environments, that turns every registrar into a fast-response identity desk. Domain registration privacy cannot survive a system engineered to resolve identity requests in three days flat.

How the Ruling Dismantles Domain Registration Privacy

Strip the legal language away and the ruling attacks domain registration privacy on three fronts at once: collection, exposure, and disclosure. Collection comes first, as mandatory KYC forces you to prove who you are before you own anything. Exposure follows, with your details populating public WHOIS records by default. Disclosure closes the loop, giving authorities a guaranteed 72-hour route to your file. A privacy model only works when every layer holds. This order breaks all three, which is why domain registration privacy advocates reacted so sharply instead of shrugging it off as a routine regional tweak.

There is a bitter irony here. WHOIS records were never meant to be a public directory of home addresses. Even ICANN has spent years walking back the mass exposure of registrant data. A court ordering registrars to reverse that progress, in the name of stopping fraud, hands attackers exactly the personal information they need for spearphishing and doxxing. Weakening domain registration privacy to fight phishing may quietly end up feeding it.

domain registration privacy - public WHOIS records exposing a domain owner personal identity

The Phishing Problem India Says Justifies It

India’s argument is not baseless. The country has a genuine phishing epidemic. Its National Technical Research Organization identified more than 1,100 phishing domains in the first quarter of 2025 alone, and American brands have repeatedly sued over spoofed and typo-squatted domains aimed at their customers. The court framed its ruling as a fraud-prevention measure, and on that narrow point the motivation is real enough.

But the logic collapses under pressure. Criminals running 1,100 phishing domains are not the people who enable domain registration privacy and dutifully pass KYC. They use stolen identities, hijacked accounts, and bulletproof registrars that ignore court orders entirely. Mandatory identity checks punish the law-abiding majority while sophisticated fraudsters route straight around them. The outcome is a policy that guts domain registration privacy for ordinary owners without meaningfully raising the cost of running a phishing operation.

There is also a displacement effect the court seems to ignore. Tighten domain registration privacy rules in one country and determined bad actors simply register through jurisdictions that ask no questions. The honest small business owner in Delhi loses protection, while the phishing crew relocates a click away. That asymmetry is the recurring flaw in every blanket identity mandate, and it is why security researchers rarely cheer them.

Why a Local Ruling Threatens Domain Registration Privacy Everywhere

Here is the part that should worry you even if you have never set foot in India. Domain names are not region-locked. A .com resolves identically in Mumbai, Madrid, and Miami, so a registrar cannot easily apply one privacy rule to Indian customers and another to everyone else. GoDaddy warned the ruling could “fundamentally upend one of the expectations of privacy currently afforded to people on the modern internet.” Put plainly, a single national court could set the floor for domain registration privacy worldwide.

This is regulatory extraterritoriality, and it is fast becoming the norm. GoDaddy is appealing, with the court expected to hear its objections on 16 July. But the direction of travel is obvious. When any one jurisdiction can force registrars to collect IDs and republish contact data, the weakest privacy regime on Earth becomes everyone’s baseline. That is exactly why choosing a registrar that treats domain registration privacy as non-negotiable, rather than a checkbox it will abandon under pressure, matters more now than it ever has.

The Wider Fight Over WHOIS and Registration Data

The Delhi ruling did not appear in a vacuum. It landed in the middle of a long, unresolved global argument over who gets to see registrant data and when. That fight is where the future of domain registration privacy is actually being decided, one policy revision at a time.

ICANN’s Shifting Rulebook

ICANN spent the post-GDPR years redacting personal data from public WHOIS, then built the Registration Data Request Service so police and trademark holders could request non-public data case by case. In May 2026 it revised its Registration Data Policy again, standardising the timeline registrars must follow when answering lawful disclosure requests. The trend was toward structured, auditable access rather than blanket publication. India’s court just tried to vault over all of it and reopen the public directory, colliding head-on with the domain registration privacy norms the rest of the industry spent a decade building.

Privacy advocates have warned for years that public registration data is a gift to stalkers and authoritarian regimes. The Electronic Frontier Foundation has long documented how exposed personal records endanger dissidents, journalists, and ordinary people who simply want a website. Rulings like this one ignore that lived reality in favour of enforcement convenience, and domain registration privacy is what gets sacrificed in the trade.

What Domain Owners Should Do Now

You cannot overturn a foreign court order from your laptop, but you can make yourself a harder target while this plays out. Start by confirming your details are actually shielded. Reputable registrars offer WHOIS privacy that swaps your name, address, and phone number for proxy data, and you should verify it is switched on rather than assume it. If it is not, enable it today, before any rule change filters down to your provider.

Beyond that, weigh where your domains actually live. A provider that operates as a true zero KYC registrar never collects the ID a 72-hour order could demand, so there is nothing to hand over. That is the model MonstaDomains is built on. If your current provider is warming to identity checks, treat it as a cue to move toward anonymous domain registration elsewhere. Domain registration privacy is now an active choice, not a default you can take for granted.

Where to Go From Here

The Delhi High Court ruling is one court in one country, but its logic is contagious, and it targets the exact protections privacy-minded owners depend on. Three things are worth remembering. Mandatory KYC destroys anonymity at the source, before WHOIS even enters the picture. Public-by-default records hand attackers a ready-made target list. And because domains cross borders, a single national rule can quietly become the global standard for domain registration privacy.

Watch the 16 July appeal, keep your WHOIS record locked down, and back providers that will not fold the moment a regulator leans on them. If you want that protection built in from day one, MonstaDomains treats privacy-first domain registration as the baseline, not an upsell.

Top comments (0)