In a series of sweeping judgments on the Domain Name System, the Delhi High Court has framed anonymous and infringing domain registrations as a problem of systemic online fraud rather than routine trademark disputes. Vishno Sudheendra critically examines the Court’s wide-ranging directions, arguing that their ex ante regulatory turn is overbroad, raises serious data protection concerns, and blurs key doctrinal distinctions in domain name law. Vishno is a fourth-year B.A., LL.B (Hons) student at the National Law School of India University, Bangalore, with a keen interest in various aspects of technology, media, telecommunications and IPR law.
Regulating Domain Name System: DHC’s Ex Ante Turn
By Vishno Sudheendra
In landmark judgments on the Domain Name System running close to 250 pages, the Delhi High Court in Dabur India Ltd. v. Ashok Kumar, Colgate Palmolive Company & Anr. v. NIXI & Anr (paras from this copy are referenced in the post) and other connected matters, has attempted to tackle what it describes as a systemic pattern of online fraud and consumer deception facilitated through anonymous and infringing domain name registrations. The Court viewed these cases as more than routine trademark disputes, which involve large-scale cheating and deception of users. It issued wide-ranging directions toDomain Name Registrars (DNRs), Registry Operators, banks and the Government. These directions cover registrant identity, disclosure and verification obligations, domain suspension and blocking, intermediary liability, blocking DNRs under Section 69A of the IT Act and institutional coordination.
While many of these directions seek to curb large-scale fraud and long-standing non-compliance by DNRs, the judgment also marks a significant shift towards ex ante regulation of domain name registration and use. In this post, I seek to analyze the Court’s directions and argue that, despite their well-intentioned objective, several directions are overbroad, raise serious data protection proportionality concerns, and risk collapsing important distinctions between registration and use, similarity and infringement, and suspension and permanent blocking of domain names.
Anonymous Domains and Consumer Deception
Various trademark owners filed several suits seeking injunctions against the misuse of their trademarks via registration of domain names by unknown persons. Most of these suits were initiated against the DNRs as the identity of the registrants could not be verified from the WHOIS records. These fraudulent registrants registered multiple domain names similar to registered and well-known trademarks and defrauded unsuspecting users. DNRs either lacked, or failed to produce, accurate information regarding these fraudulent registrants. Moreover, foreign DNRs either do not comply with Indian Court orders or insist on the MLAT route. The Court noted that these are not one-off cases but there is “a clear pattern” warranting “a comprehensive and consolidated mechanism to deal with these situations”. The Court noted that this issue is not just about trademark enforcement or commercial interests, but about taking “steps against the large-scale cheating and deception of innocent consumers and users who are suffering huge losses” [Para 7]
For context, domain names are allocated through a layered system involving domain name registrars (DNRs – who sell domains to users) and registry operators (who manage top-level domains like .com, .in etc), under ICANN’s global framework. Interested readers may access the appendix overview of relevant terms at the end of the post.
The Directions
| Subject of Direction | Direction |
| DNRs and Registry Operators | End default masking of registrant details which would only be available as an unbundled value added service upon payment of additional charges. |
| Disclose registrant details within 72 hours when requested by courts, law enforcement agencies, and parties with legitimate interest. | |
| Permanent blocking (no re-registration) of domain names injuncted or found to be used for illegitimate and unlawful purposes. | |
| Strict obligations on DNRs to disable mirror, variant, or alternate domains for well-known and reputed marks when directed by Courts. | |
| DNRs are barred from promoting alternative domains for injuncted names (failing which protection under Section 79 of the IT Act may be lost). | |
| Transfer infringing domains to trademark owners upon court orders after payment. | |
| Appoint grievance officers, accept service of court orders via email to such officers. | |
| DNRs must undertake verification (KYC) and share registration data with NIXI. | |
| Search Engines and DNRs | Search engines and DNRs shall not provide any promotion or marketing or optimization services to infringing and unlawful domain names. |
| Registry Operators | Registry Operators are directed to operationalise Trademark Clearinghouse services (alerts trademark owners for conflicting domain registrations). |
| Government | Stakeholder consultations to put in place a framework similar to one used by NIXI. |
| Exploring a centralised data repository or data localisation (subject to DPDP Act). | |
| Coordinating with ICANN to enable reasonable TMCH access for Indian brand owners. | |
| Blocking non-compliant DNRs/registries under Section 69A IT Act. | |
| CGPDTM | The CGPDTM is encouraged to publish lists of well-known marks with authentic websites. |
| Banks | Banks to implement beneficiary name-lookup for online payments and comply with LEA SOPs to curb fraud. |
| Courts | Clarifies the scope of “Dynamic+” injunctions (domain names covering exact, prefixed/suffixed, and alphanumeric variations of marks) |
Mere Registration as Infringement?
DNRs are barred from promoting alternative domains for injuncted names, failing which they lose their safe harbour protection under Section 79 of the IT Act 2000 (and DNRs who repeatedly do not comply with orders/directions may be blocked under Section 69A of the IT Act 2000) . The Court’s directions functionally operate as if similarity equals infringement, without judicial adjudication, at the registrar level. Moreover, the possibility of users themselves looking for similar alternatives and seeking registration of the same still exists.
But, let’s take a step back, is mere registration of a similar domain name infringing, or does it depend on use? The Court relies on Satyam Infoway v Siffynetto hold that mere registration of a domain name bearing similarities to a trademark is infringing. The Court noted that Satyam Infoway “holds that registration of an infringing domain name would not be permissible as there is every likelihood that the same could be led to diversion of users from the genuine website to the infringing one” [Para 214]. However, this is an inaccurate reading of the case as Satyam Infoway does not prohibit the registration of similar domain names per se, the Court only held that where a domain name is used as a business identifier in a manner that creates a likelihood of confusion and diversion, principles of passing off would apply. Thus, the nature of use does depend on ascertaining passing off and registration by itself is neither impermissible nor determinative of liability.
Moreover, the Court notes that when a legitimate registrant objects against the suspension of a domain name, then “the DNR may then ask the IP owner to obtain a Court order”. While this partly takes into account existing legitimate registrants, but what about future bona fide registrants or domain names capable of distinguishing? The Court is silent on this aspect, and in that silence lies the presumption that any similar domain name is infringing per se.
This approach also has serious implications for free speech online. Domain names are not merely commercial identifiers but also function as media of expression, criticism, parody and non-commercial speech [the DHC in Tata Sons Limited v. Greenpeace International has recognised reasonable comment, ridicule, and parody of the registered trademarks]. Treating mere similarity at the registration stage as sufficient to trigger suspension or denial of registration, without any inquiry into use, effectively amounts to a prior restraint on speech. Further, by delegating this gatekeeping function to intermediaries under the threat of stripping safe harbor protection or blocking, the Court incentivizes over-compliance and private censorship. Such a presumption of infringement at the point of registration itself risks converting trademark protection into a speech-restrictive tool, while viewing domain names solely from a commercial aspect.
Suspension v Blocking of Domain Names
The aforementioned issue is exacerbated as the Court has directed permanent blocking of injuncted/unlawful domain names. Domain names are not permanently owned by registrants but are akin to licenses which are periodically renewed. The Bombay HC in HUL v. Endurance Domains has clearly held that while a registrar may suspend an existing domain registration, it cannot ensure continued suspension or effective access-blocking, as blocking is easily circumvented (e.g., via VPNs) and domain name registration is fully automated, making blacklisting or permanent prevention of re-registration technically impracticable.
Furthermore, blanket permanent suspension of all such domain names seems to be a disproportionate measure when suspending the domain name for the remainder of its registration period is still an option – where a new registrant has the opportunity to make bona fide use of the same.
Data Protection Concerns – Privacy as a Paid Option?
The Court’s direction that privacy-protect features (masking personal data of registrants) is supposed to be only a value added service to be availed upon payment raises some serious data privacy issues. As noted by the Court, Post-GDPR the DNRs engaged in masking personal data of registrants on WHOIS records (publicly available registrant information). But is making publicly available information the norm and data privacy to be availed after payment, the right way to go about it? This reverses consent and works on an opt-out model instead of a default opt-in model.
From a DPDPA standpoint DNRs would qualify as data fiduciaries while registrants would qualify as data principals, thus personal data may be processed only with the consent of the data principal or for certain legitimate uses [Section 4]. The Court relies on Section 7(e) which specifies Court orders to form part of legitimate use [Paras 199-200]. Though Section 7(e) of the DPDPA mandates disclosure based on Court orders – it must be case-specific orders and not blanket prospective orders like in the given case.
While the Court has relied on Neetu Singh to balance privacy and infringement concerns, yet again the judgment was to disclose subscriber information of those involved in infringing activity and not a blanket declaration against all current and future users.
Thus, the Court’s direction sits uneasily with the free, specific, informed, and unconditional consent requirements under Section 6 of the DPDPA, by making disclosure of personal data the norm, and opt out to be availed upon payment.
Moreover, the DHC in Snapdeal (Para 77) had upheld privacy-protect features employed by DNRs as the same were subject to private agreements between DNRs, Registry Operators and ICANN whose consequences lie within the said agreements which are not enforceable by third parties.
Conclusion
While the Court’s directions are motivated by genuine concerns of large-scale fraud and systemic non-compliance by domain name intermediaries, the remedial framework adopted by the Court is overbroad. By reversing privacy defaults, presuming infringement at the stage of registration, and endorsing permanent blocking of domain names, the judgment collapses key distinctions between similarity and liability, registration and use, and suspension and blocking. In doing so, it departs from Satyam Infoway’s use-based passing off analysis and overlooks the technical limits highlighted in HUL v. Endurance Domains. The result is an ex ante enforcement regime that risks prejudging infringement, undermining data protection principles, and prejudicing bona fide present and future registrants while raising concerns of chilling non-commercial free speech, proportionality and judicial overreach in intermediary governance.
______
Appendix of Terms
- Domain Name: human-readable address of a website on the internet, it represents the IP address, in the form of a string of letters instead of the numerical identifier. It has two major components:
- Top-Level Domain (TLD) – the suffix. Example: .com, .org, .in, .edu
- Second-Level Domain – the main name chosen by the registrant. Example: google in google[dot]com
- Registrant: person who registers a domain in their name
- Internet Corporation for Assigned Names and Numbers (ICANN): ICANN helps coordinate and support domain names across the world. It prescribes the policies that govern the domain name system.
- Registry Operator: It is the entity responsible for managing and maintaining a top-level domain (TLD) in the Domain Name System (DNS). Example: NIXI (India) for .in and Verisign for .com, .net.
- Domain Name Registrars (DNRs): entity authorised to sell and manage domain name registrations on behalf of end-users. Example: GoDaddy, Namecheap etc.
- Those interested in further reading on how the domain name system works can peruse through Paras 172-185 of the judgment which comprehensively explains the same.
(image from Para 175)
I would like to thank Praharsh Gour and Swaraj Barooah for their valuable inputs.
The article relies on complex legal theories, but it feels completely out of touch with the reality of how bad online scams have become. The author complains that the Court is enforcing too many rules too early, but honestly, it sounds like this article cares more about preserving the technical purity of the internet system, rather than protecting the public from getting cheated.
The Judgment makes clear at various places that we aren’t talking about two legitimate companies arguing over a similar logo or a parody site. We are talking about massive scam rings running fake distributorship rackets to steal lakhs and sometimes even crores from innocent people. To treat these widespread scams like normal business disputes is dangerous. The author seems to want the Court to wait and sue after the fraud happens, but anyone living in the real world knows that by then, the money is gone and the anonymous scammers have vanished.
The author is upset about the Court making privacy masking a paid feature, crying foul over data protection laws. But let’s be real, privacy by default has become the bff to cybercriminals. The Court isn’t trying to destroy privacy; it’s trying to stop anonymity from being a free pass for crime. By making people pay for privacy masking, we create a verifiable payment trail. If you are running a legitimate site, this shouldn’t be an issue. The only people who truly benefit from total, free anonymity are the ones the police currently can’t catch. Data protection laws were never meant to be a shield for criminal enterprises.
The article complains that the Court is treating mere registration as infringement. This is just splitting hairs. We aren’t talking about someone registering a generic word; we are talking about scammers registering exact copies or trick spellings of household names like Dabur or Amul specifically to fool people. Pretending that stopping this crushes free speech is just fear-mongering. These aren’t critics or comedians; they are impersonators. Plus, the author conveniently ignores the fact that the Court actually did provide a mechanism for genuine users to appeal if they get caught in the net.
Finally, the author thinks permanent blocking is too harsh and suggests we should just suspend the domains instead. That is incredibly naive. The Judgment points out that suspended domains often just get thrown back into the pool and re-registered by the same fraudsters to keep the scam going. Why keep a proven tool of fraud in circulation? Permanently blocking these domains isn’t disproportionate, it’s the only way to actually clean up the mess.
In Sum, while this article writes a nice defense of the theoretical internet, the Judgment is dealing with the actual internet where people are losing their life savings. We don’t need more immunity for tech platforms; we need to stop active financial crimes. This isn’t judicial overreach, it is the justice system finally catching up to the sophistication of modern cyber-fraud.
Dear Anon,
Thank you for your comment and engagement with the blog post.
Before I proceed with my reply, I would like to iterate that I work with two premises:
1. The Court’s role is to adjudicate, not formulate new legal frameworks and policies, especially those which override existing laws. (There is line between judicial activism and judicial overreach)
2. If exceptions are to be created for rights conferred by statute, then the same must be undertaken by the legislature and not the judiciary (barring violations of fundamental rights)
If you disagree with these two premises, we are conversing in different dimensions.
Before I proceed, I would like to clarify that I’m not stating scams/frauds do not exist or that they do not merit intervention. Rather, I’m examining the implications of the ex-ante interventions made by the Court (it’s the Court not Legislature) are merited, and if it would amount to overreach. [While you aptly restate the problem, I seek to examine the implications of the proposed interventions]
First, you state that the distinction between legitimate and illegitimate is made by the Court, however the directions apply irrespectively, and obviously DNRs being gatekeepers, to avoid liability would over-apply the restrictions. Moreover, the dynamic injunction remedy issued by the Court and other judicial remedies like interim injunctions, dynamic injunctions, mandatory injunctions, etc, exist, which ensure that we don’t “wait and sue after the fraud happens”. Again, please keep in mind judicial overreach, and whether Court is the right fora to formulate such frameworks.
Second, the critique is not that disclosure to law enforcement or courts is impermissible. The DPDPA itself expressly allows disclosure pursuant to court orders and lawful investigation. My concern is with reversing privacy defaults for ALL registrants (and neither is there a possibility to identify potential miscreants, we all know the problems with predictive policing). “Privacy is the bff of criminals” is a slogan, not a legal argument. While Court judgments are legitimate use as per Section7(e) of DPDPA, such Court judgments must be case-specific, not blanket directions which override the DPDPA itself. You also note that paying for privacy will ensure a “payment trail”, however, such a payment trail would exist irrespective of availing privacy masking since the registrant would have paid the DNR for registration [enabling tracking given Court’s directions to banks]. Moreover, you state that “If you are running a legitimate site, this shouldn’t be an issue”, this is a classic defence which is used to justify excess policing and surveillance but lacks substance, again I’m cognizant that some may not recognise the inherent values of privacy and data protection.
Third, treating mere registration as infringement not a mere hair splitting exercise. Trademark law has long drawn a distinction between similarity and liability, and between registration and use, precisely because overbreadth creates collateral harm. Once registrars are instructed to disable or refuse domains based on similarity alone, under threat of losing safe harbour, the risk is not to scammers, but to delegating adjudicatory functions to intermediaries, incentivising over-blocking without judicial application of mind. You restate the problems scammers have caused but also uncritically accept the directions as the only solution without a proportionality analysis.
On a similar note, free speech concern is not about protecting impersonators, it is about avoiding prior restraints at the registration stage, before any inquiry into use. Domain names are used for purposes other than frauds and business. The Court in Tata v Greenpeace has recognised that “speech (or expression) can be in any form …. The speaker can choose any medium he wishes … The Court cannot also sit in value judgment over the medium (of expression) chosen by the defendant since in a democracy, speech can include forms such as caricature, lampoon, mime parody and other manifestations of wit.”
Further, the post does not ignore “the fact that the Court actually did provide a mechanism for genuine users”, in fact it acknowledges it and also points out that it is for existing registrants only and does not take into account future registrants (thus the bona fide user problem).
Fourth, on permanent blocking, the article does not dispute that repeat abuse of suspended domains is a real problem. The question raised is whether permanent, system-wide blacklisting, including barring future bona fide registrants, is the least restrictive means available. A proportionality analysis requires asking whether narrower tools (suspensions, use-based injunctions, registrar monitoring, or targeted re-registration controls) could address the mischief without extinguishing the domain name altogether. Domain names are reusable identifiers, permanent blacklisting forecloses future lawful use without adjudicating future conduct. Calling proportionality “naive” does not make permanent bans lawful or effective. [you may read more on infeasibility here: https://www.internetsociety.org/resources/doc/2025/mandated-dns-blocking/ and the Bombay HC judgment which the post references]
In short, it is not apt to treat legal limits as an inconvenience and assume that urgency justifies everything. This is precisely how exceptional measures become normalised excess. This judgment is not being criticised for trying to stop fraud. It is being criticised for rewriting data protection defaults and trademark doctrine through judicial directions. Protecting people from scams and respecting legal limits are not mutually exclusive. Treating them as such is how exceptional measures quietly become permanent overreach.
Warm Regards,
Vishno
Dear Vishno,
Thank you for the detailed and thoughtful rejoinder. We are indeed operating from different philosophical starting points, but I appreciate the engagement.
To your two premises: I do not disagree that the legislature should ideally be the one to update laws. However, I disagree that the Judiciary must sit on its hands while the legislative machinery lags years behind the “quantum and magnitude” of modern cyber-fraud. Remember Vishakha v. State of Rajasthan? When existing laws are being weaponized by criminals due to technological loopholes, the Court’s equitable jurisdiction allows it to fashion remedies to fill that vacuum until the legislature catches up. That is not “overreach”; that is “doing justice.”
Here is my response to your specific points:
1. The “Gatekeeper” & Over-blocking Fear You argue that DNRs will “over-apply” restrictions to avoid liability. But we must look at the current incentive structure. Right now, DNRs are incentivized to turn a blind eye because they make money on every registration, legitimate or fraudulent. The Judgment shifts this economic incentive: if you profit from facilitating fraud by failing to do basic due diligence, you lose safe harbour. Regarding existing remedies (dynamic/interim injunctions): These are reactive. You mention we shouldn’t “wait and sue,” but dynamic injunctions literally require a lawsuit to already be filed. The Court’s ex-ante direction aims to stop the fraud before the domain goes live and the money is stolen. In the context of “fly-by-night” operators, a remedy that comes even 24 hours late is effectively useless.
2. Privacy Defaults & The Payment Trail You argue that a payment trail exists regardless of privacy masking. This is factually contested by the reality of the investigations cited in the Judgment. Fraudsters often use stolen credit cards, crypto, or layering to pay the DNR fees. However, the specific requirement to opt-in for privacy masking adds a layer of friction and verification (KYC) that makes it harder for automated bots and bulk-registrants to operate anonymously. Regarding the “nothing to hide” argument: You call it a classic defense for surveillance. I call it a necessary trade-off in a commercial sphere. A domain name is a public-facing commercial asset. Why should a commercial entity (or someone acting as one) have the same expectation of anonymity as a private individual sending an email? If you want to own a piece of the public internet real estate, accountability is the price of admission.
3. “Mere Registration” & Adjudication You worry about delegating adjudicatory functions to intermediaries. But intermediaries already make these decisions constantly (e.g., taking down copyright content under DMCA/IT Act notices). The Judgment provides them with specific criteria: “identical or deceptively similar.” This isn’t rocket science for a DNR. If someone registers dabur-distributor.com, it doesn’t take a judge to see the intent. Regarding Tata v. Greenpeace: The “Bona Fide” concern is valid in theory but weak in this specific context. The Judgment targets specific keywords associated with fraud (distributorship, franchise, customer care). It is highly unlikely a satirist is going to register dabur-franchise-apply-now.com for a parody. The risk of chilling speech is minimal compared to the proven certainty of financial ruin for victims.
4. Permanent Blocking vs. Proportionality You cite the Internet Society on the technical issues of blocking. However, the “technical purity” argument often ignores the “social cost.” If a domain string dabur-franchise.com has been used for fraud, what legitimate future use could it possibly have? Why does that specific string need to be “reusable”? The probability of a future legitimate user needing that exact fraud-tainted string is near zero. Blocking isn’t about “punishing” the string of characters; it’s about sterilizing a toxic asset. If the “least restrictive means” (suspension) has been proven to fail (as the Court noted with re-registrations), then proportionality dictates moving to the next effective step.
Conclusion We agree that the legislature needs to step up. But until they do, I cannot fault the High Court for refusing to let the “values of privacy” become the “tools of plunder.” If that makes me a pragmatist over a purist, so be it.