The Indian government has formally requested that Internet Corporation for Assigned Names and Numbers (ICANN) enforce a 24-hour disclosure window for domain-owner (registrant) information in cases of emergency law-enforcement requests. The appeal, voiced at the 2025 India Internet Governance Forum (IIGF), highlights growing concerns over anonymous or proxy-registered domains being misused for subdomain abuse, phishing, and other cyber-threats. The proposal also calls for all accredited registrars to commit — via a pilot programme — to timely and accurate data sharing. If accepted, the move could considerably strengthen India’s capacity to respond swiftly to cyber-incidents and illegal online activity.
---
Government Pushes for Rapid WHOIS Transparency
During IIGF 2025, a senior official from the Ministry of Electronics & Information Technology (MeitY) announced that India has pressed ICANN to institute a strict 24-hour turnaround for disclosing domain-owner data (registrant/WHOIS information) upon emergency requests from law-enforcement agencies.
The request reflects deep frustration with the existing system, where registrants may register a domain and have up to 15 days to validate their credentials — a window often exploited by malicious actors. Given the scale of internet penetration in India, officials warned that the current lag in data disclosure undermines timely investigations into cyber-threats, including subdomain abuse and illicit content distribution.
---
The Role of ICANN’s Registration Data Policies
ICANN currently employs a system — recently updated — for handling registration data under its gTLD (generic top-level domain) regime. The organisation has introduced a mechanism, the Registration Data Request Service (RDRS), designed to process authorised requests for nonpublic registration data from law enforcement or other legitimate requestors.
Under prevailing policy, registrars may exercise discretion based on local laws when deciding whether to disclose a registrant’s personal data (name, contact address, email, phone number). Despite this flexibility, India’s proposal urges more robust, time-bound compliance, especially for requests flagged as urgent.
---
Challenges and Privacy Implications
Enforcing a 24-hour disclosure mandate globally raises substantial challenges. As per recent analyses and correspondence within the broader ICANN community, ensuring data subject privacy and verifying the legitimacy of requestors (especially cross-border law enforcement) may require more than hours — often several business days.
Moreover, data-protection and privacy frameworks (similar to those that curtailed public WHOIS data in some jurisdictions) may conflict with blanket disclosure mandates. Should registrars be compelled to always share registrant information rapidly, there may be concerns over misuse of personal data, erosion of privacy for legitimate domain owners, and potential legal liability for registrars operating under varying national regulations.
---
India’s Motivation: Curbing Abuse, Protecting Citizens
Indian officials emphasised that unverified or proxy-registered domains pose particular risks: they can be used to host malicious content, carry out phishing campaigns, or propagate illegal material — all while cloaked under anonymity.
In the context of increasing cyber-threats and a burgeoning digital user base, the government argues swift access to ownership data is essential for effective prevention, investigation, and deterrence. As the Minister of State for Electronics and IT remarked, ensuring online safety requires cooperation among registrars, platform operators, and regulatory authorities, rather than reliance solely on government action.
---
Broader Implications for Internet Governance
If ICANN accepts India’s proposal, this could mark a shift toward faster, more enforceable global standards for domain-registrant data disclosure — especially in emergencies. Such a change may influence other countries grappling with similar cybersecurity concerns, prompting a rebalancing between privacy protections and public-safety priorities.
For registrars and domain-service providers, the move could inject additional compliance burdens, requiring tighter verification protocols and faster turnaround processes. It could also foreground tensions between data privacy standards and legitimate law-enforcement needs.
---
Conclusion
India’s push for a 24-hour domain-owner data disclosure regime represents an assertive effort to reinforce cybersecurity, trace malicious online actors, and protect citizens. While the proposal brings clear benefits for rapid investigative response, it also raises complex questions about privacy, governance, and how global internet-policy bodies like ICANN balance transparency with individual rights.
Whether the call results in concrete policy change remains uncertain. What is clear, however, is that as cyberspace continues to evolve — and threats multiply — nations like India are demanding faster, more reliable tools to safeguard security and accountability online.
Comments