Godaddy is an American company that offers website hosting and domain registration services globally. With its headquarters based in Tempe, Arizona (USA), and operations across many countries; as of June 2020, GoDaddy has more than 20 million customers and over 7,000 employees worldwide; essentially making it an influential (?) global corporate. I have been a customer of Godaddy for over 7 years, and have registered several domain names with this company. In addition, multiple websites of my various companies are hosted on the Godaddy platform.
My issue with Godaddy started about 6-weeks ago when I was not able to access my account page. Now, we must first understand that there is a two-step account verification protocol that is offered by Godaddy; whereby when customers try to log into their account, the Godaddy servers generate and send over an OTP (one time password, usually a code of six digits) to the registered mobile number of the account holder, and upon inserting this OTP onto the account login page, the customers can access their individual accounts.
However, despite multiple attempts over the first two weeks, the mobile number that is registered with Godaddy did not receive any SMS / text message with the OTP. When their customer service was contacted, initially their explanation was that the Godaddy system was generating OTPs, but my telecom carrier was not delivering the same. When I approached my telecom carrier (Reliance Jio) customer service, they checked my number and stated that there were no blocks to SMS delivery on my number. And, this is factually correct, since I was receiving OTPs for my other transactions. Only the Godaddy OTPs were not being delivered.
When I confronted Godaddy Customer service with this, they advised me to request the removal of the two-step account verification protocol, for which I had to send them an email from the specific email address linked to my Godaddy account. I was also told that it would take Godaddy 72 hours to process my request. When nothing happened after 72 hours, I again called Godaddy customer service and then the situation became interesting.
Now, there was a new demand from Godaddy to unlock/unblock my account. They wanted a Government issued Photo-ID (essentially the Aadhar card) and copy of my PAN card to be submitted to them for “verification” and confirmation that I was the actual owner of the account; along with copies of the registration certificates of my various companies.
My question to them at this point was, how could they verify my Aadhar & PAN information, when I had never submitted this information to them in the first place? They had no legitimate answer to this question, but were insistent that I had to submit copies of these documents to resolve the issue. I went ahead with their request and submitted only my Aadhar card and PAN, but also took the necessary precaution of taking advice from legal experts, who advised me that Godaddy company’s demands were ‘prima facia’ in violation of the ‘Information Technology Act, 2000 ("IT Act")’ and its corresponding rules under the ‘Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules")’.
Furthermore, in a landmark judgment delivered on 24 August 2017 (Justice K.S Puttaswamy & another vs. Union of India), the Supreme Court of India recognized the right to privacy as a Fundamental Right under Article 21 of the Indian Constitution as a part of the right to “life” and “personal liberty”, and it would seem that Godaddy is in violation of my Fundamental Right as well.
The ongoing saga took an interesting twist when Godaddy asked me for a copy of my passport. When I refused to share the same, citing that I did not have a passport, the response was that “records” show that I had recently travelled internationally. My question at this point is; how does Godaddy have access to my personal information and what they claim are my travel records?
These are the same queries that I have placed officially before the Secretary, Ministry of Home Affairs, Govt. of India; and the Secretary, Ministry of Corporate Affairs, Govt. of India. Within two days of these letters reaching MHA & MCA, a friend of mine in the highest levels of the Union Govt. had a conversation with someone in the Godaddy India Corporate office (located in Gurugram, Haryana). My account was immediately unblocked and I started receiving OTPs from Godaddy without any incident. I removed the two-step verification process and assumed that the account would have no more issues.
But I was wrong. Two days later, the account is blocked again, this time under the pretext that my physical address cannot be verified by Godaddy. The question here is; why does Godaddy have the need to verify my physical location, when their services have been paid for fully in advance on an annual basis?
My business background of over 35 years, is in the areas of Anti-Terrorism and Law-Enforcement with a deep study of Cyber-security and Data-security. In my opinion, Godaddy is proactively collecting and collating my individual personal information as well as my Corporate information; which can be defined as ‘data-mining’. Whether Godaddy is violating the Laws of India regarding Data Privacy and also my Fundamental Rights as guaranteed by the ‘Constitution of India’, will be decided by the officials of the Government of India and if needed by the Courts of India.
To all those who are reading this article, and feel that their privacy may have been violated by Godaddy (or any other foreign corporate operating in India), do write about it in detail to the Secretary, MHA, Govt. of India. Defending ourselves from foreign anti-India activities is our Right and we have to demand protection from data-mining of our information by foreign corporates.