GoDaddy Is Quietly Fighting for WHOIS Privacy, and Almost No One’s Paying Attention

The CyberSec Guru

GoDaddy Is Quietly Fighting for WHOIS Privacy

If you like this post, then please share it:

Buy me A Coffee!

Support The CyberSec Guru’s Mission

🔐 Fuel the cybersecurity crusade by buying me a coffee! Why your support matters: Zero paywalls: Keep the main content 100% free for learners worldwide.

“Your coffee keeps the servers running and the knowledge flowing in our fight against cybercrime.”☕ Support My Work

Buy Me a Coffee Button

The order that has GoDaddy filing a 5,121-page appeal did not appear out of nowhere. It is the endpoint of a batch of Delhi High Court proceedings running since 2019, and the technical mechanism it targets, WHOIS privacy protection, happens to be a protocol that global internet governance had already spent the better part of a decade trying to fix through consensus rather than court order. Understanding why GoDaddy is worried requires understanding both threads: what an Indian judge actually ordered, and what WHOIS was already in the middle of becoming before she ordered it.

GoDaddy
GoDaddy

The case and the numbers behind it

The order in question is Dabur India Limited v. Ashok Kumar & Ors. (CS(COMM) 135/2022, citation 2025:DHC:11862), delivered on December 24, 2025 by Justice Prathiba M. Singh. It was the lead matter in a consolidated batch stretching back to 2019, folding in suits from Colgate-Palmolive, Godrej Properties, The Himalaya Drug Company, and others, all chasing the same problem: domain names that mimicked their trademarks, sold fake franchises, or ran phishing operations, with the actual registrant hidden behind privacy protection features. The judgment blocked more than 1,100 such domains impersonating brands including Tata Sky, Amul, Bajaj Finance, Meesho, Croma, ITC, and Mont Blanc. Delhi Police’s Intelligence Fusion and Strategic Operations unit had traced crores of rupees extracted from victims through these sites, and the court noted that out of those 1,132 infringing registrations, barring one or two, not a single bona fide registrant ever came forward to claim a legitimate interest in the domain. Nobody showed up to defend their WHOIS-shielded identity, which the judge treated as fairly damning on its own.

The scale problem behind the ruling is real. India’s internet penetration went from 15 percent of the population in 2015 to roughly 70 percent by 2025, a jump that outpaced the average user’s ability to spot a spoofed domain. Home Minister Amit Shah cited a cybercrime victim roughly every 37 seconds nationally, and the National Technical Research Organisation logged over 1,100 phishing domains in Q1 2025 alone. Reuters reported 2.4 million cyber fraud complaints last year totaling $2.4 billion in losses. Justice Singh explicitly rejected the idea that case-by-case takedowns could keep up, describing the pattern as a whack-a-mole problem structurally incapable of being solved by injunctions against individually named domains.

The three directives GoDaddy is fighting

The judgment issued 14 directions to domain name registrars. Three are the ones under appeal:

Mandatory e-KYC with periodic re-verification for every domain registration, run by the registrar, functionally identical to what NIXI already does for .in domains.

Termination of privacy-by-default. Registrars can still offer WHOIS masking, but only as a paid opt-in, not a baseline feature bundled into every registration.

72-hour disclosure of registrant name, address, phone number, and email to any party asserting “legitimate interest,” a term the court borrows straight from GDPR without defining who qualifies or who adjudicates the claim.

GoDaddy’s appeal argues, correctly as a matter of engineering, that it has no scalable way to arbitrate “legitimate interest” claims within a 72-hour SLA across millions of domains. It also argues the order is jurisdictionally impossible to contain: DNS resolution doesn’t respect borders, so a registrar can’t run one WHOIS policy for Indian registrants and a separate one for everyone else without rebuilding its entire registration data pipeline around a single country’s court order. Farzaneh Badii, an internet governance researcher based in New York, made the point that WHOIS redaction was adopted globally in the first place because publicly listed contact data had been repeatedly exploited for stalking and harassment campaigns, meaning the rollback risks reintroducing the exact harm category the order claims to be solving, just aimed at a different population (private registrants and small businesses instead of the fraud operators who mostly used fabricated details anyway).

That last point matters technically. The Dabur judgment itself notes that WHOIS records tied to the fraudulent domains frequently contained fake names, dead phone numbers, and throwaway emails. Removing privacy-by-default doesn’t touch registrants who never entered real data in the first place. It mainly exposes people who did.

Why this collides with a protocol transition that was already underway

Here’s the part that gets lost in the legal coverage: WHOIS, as a protocol, was already being retired independent of anything happening in Delhi. WHOIS dates to RFC 812 in 1982, a plaintext, unauthenticated, TCP port 43 query-response format with no standardized output. Every registry answered in its own dialect of free text, there was no encryption, and there was no way to distinguish a security researcher’s query from a spammer scraping contact data at scale. ICANN approved the RDAP Global Amendments in April 2023, setting a sunset date of January 28, 2025, after which gTLD registries and registrars were no longer contractually obligated to run WHOIS on port 43. Registration Data Access Protocol, standardized by the IETF (RFC 7480, 7481, and 9083, since updated by 9082/9083), replaced it with a RESTful HTTPS service returning structured JSON, discoverable through IANA’s bootstrap registry rather than a flat list of per-registry servers to memorize.

The adoption numbers moved fast once the deadline hit. ICANN logged around 122 billion WHOIS queries per month in January 2025 against 7 billion RDAP queries. By June 2025, RDAP query volume overtook WHOIS. By August, WHOIS had dropped to roughly 49 billion monthly queries against RDAP’s 65 billion, and 374 of about 1,000 gTLDs had shut off WHOIS entirely. In January 2026 ICANN revoked registrar Brennercom’s accreditation specifically for failing to implement RDAP, establishing that compliance is not optional going forward. For anyone doing domain recon as part of a pentest engagement or OSINT workup, this is the practical takeaway that matters more than the Indian litigation: if your tooling still shells out to a whois binary or opens a raw socket on port 43 for gTLD lookups, you’re querying a service nobody is obligated to keep answering. Grep your scripts for it. ccTLD coverage is patchier (roughly 60 percent RDAP adoption, with .de, .cn, and .jp still WHOIS-only in many configurations), so a mixed lookup strategy is still required if your target surface spans country-code domains.

The irony for the Delhi court’s order is that RDAP already ships with the exact capability the judges are trying to bolt onto WHOIS by judicial fiat. RDAP’s spec explicitly supports differentiated, role-based access: a registry can serve full contact data to an authenticated law enforcement query and a redacted response to an anonymous one, all through the same endpoint, governed by policy rather than a court re-litigating the question domain by domain. ICANN’s Registration Data Request Service (RDRS) exists precisely to handle law-enforcement and rights-holder requests for non-public registration data through participating registrars. GDPR is actually why any of this privacy tooling exists at all: the 2018 Tucows/EPAG dispute in Germany forced ICANN to adopt a Temporary Specification for WHOIS data handling almost overnight, and that temporary fix eventually hardened into the RDAP privacy model in use today. The Delhi court is essentially trying to solve, through a commercial trademark suit, a problem that the multilateral RDAP framework was purpose-built to solve through protocol design and contractual policy. Whether a system built for global consistency can survive a national court insisting on a different, manually-adjudicated disclosure standard is the actual question the larger bench has to answer on July 16.

The judgment leans on Section 7(e) of India’s Digital Personal Data Protection Act, which allows a data fiduciary to process personal data without consent when complying with a court order, and applies the Puttaswamy proportionality test to conclude that privacy protections cannot be used to shield ongoing illegality. GoDaddy’s appeal points out an inconvenient wrinkle: weeks before this ruling, the same Delhi High Court read the DPDP Act the opposite way in a right-to-be-forgotten matter, ordering Google and Indian Kanoon to de-index the names of acquitted persons. The larger bench has effectively been asked to decide which interpretation of the statute is going to govern going forward, since right now the same court has issued contradictory readings of the same law within the same season.

There’s also an enforcement lever most coverage skips. ICANN’s Registrar Accreditation Agreement, Section 5.5.2.1.4, allows ICANN to terminate a registrar’s accreditation if a court of competent jurisdiction finds the registrar failed to comply with an order relating to domains it sponsors. MeitY has already engaged ICANN’s Contractual Compliance Mechanism over non-compliant registrars in this same batch of litigation, and earlier orders in the case directed the Ministry to act under the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 against registrars who hadn’t appointed grievance officers. Registrars operating in India also risk losing Section 79 IT Act safe harbor as intermediaries if courts decide they aren’t doing enough to prevent trademark infringement on their platforms. That’s the actual leverage India holds over a company like GoDaddy: not just a disclosure order, but the threat of losing both its ICANN accreditation and its intermediary liability shield in one of its largest markets.

The court didn’t stop at registrars, either. It ordered the RBI to build bank-side fraud tooling, and the Beneficiary Bank Account Name Lookup facility for RTGS and NEFT transfers went live on December 30, 2024, with mandatory bank-wide implementation by April 1, 2025, letting anyone verify the actual name on a receiving account before sending money. That single fix closes a gap that had nothing to do with domains: fraudsters were collecting payments into accounts that didn’t match the billing name a victim thought they were paying.

The trademark-scope argument

Separate from privacy, GoDaddy is also contesting the order’s bar on registering alphanumeric variations of a protected trademark. Its argument here is more linguistic than technical, but it’s a good illustration of how brand protection collides with the domain namespace. GoDaddy points out that “McDonald” is a Scottish surname predating the fast food chain by centuries, and that treating any string variation as off-limits risks handing a monopoly over common words and names to whichever company trademarked them first. Its filing cites Merriam-Webster research showing 118 English words contain the string “HUL,” Unilever’s Indian trademark, including “hulk” and “moghul,” and argues it’s close to impossible to register any domain in English that doesn’t overlap somewhere with a registered mark. Reuters found mcdonalds-india-franchise.com still purchasable on GoDaddy India for about $10 as of the reporting, which either undercuts the enforcement claims or just shows how far a 1,100-domain blocklist is from actually closing the gap, depending on how charitable you’re feeling.

Namecheap and Hosting Concepts (Openprovider’s parent) have filed separate challenges to the same order, though the specifics of their appeals haven’t surfaced publicly. The larger bench hears all three on July 16. If it narrows the December directives, that reaffirms that ICANN’s negotiated global frameworks still take precedence over a single national court’s order. If it upholds them, any court with jurisdiction over a major registrar has effectively been shown a template for rewriting WHOIS policy unilaterally, and the assumption that domain privacy works the same way everywhere stops being something you can rely on.

Buy me A Coffee!

Support The CyberSec Guru’s Mission

🔐 Fuel the cybersecurity crusade by buying me a coffee! Your contribution powers free tutorials, hands-on labs, and security resources.

Why your support matters:
  • Writeup Access: Get complete writeup access within 12 hours
  • Zero paywalls: Keep the main content 100% free for learners worldwide

Perks for one-time supporters:
☕️ $5: Shoutout in Buy Me a Coffee
🛡️ $8: Fast-track Access to Live Webinars
💻 $10: Vote on future tutorial topics + exclusive AMA access

“Your coffee keeps the servers running and the knowledge flowing in our fight against cybercrime.”☕ Support My Work

Buy Me a Coffee Button

If you like this post, then please share it:

News

Discover more from The CyberSec Guru

Subscribe to get the latest posts sent to your email!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Discover more from The CyberSec Guru

Subscribe now to keep reading and get access to the full archive.

Continue reading