Data-mining of Indian Citizens and Company
Information by Godaddy.
Godaddy is an American company that offers website
hosting and domain registration services globally. With its headquarters based
in Tempe, Arizona (USA), and operations across many countries; as of June 2020, GoDaddy has
more than 20 million customers and over 7,000 employees worldwide;
essentially making it an influential (?) global corporate.
I have been
a customer of Godaddy for over 7 years, and have registered several domain
names with this company. In addition, multiple websites of my various companies
are hosted onto the Godaddy platform.
My issue
with Godaddy started about 6-weeks ago when I was not able to access my account
page. Now, we must first understand that there is a two-step account
verification protocol that is offered by Godaddy; whereby when customers try to
log into their account, the Godaddy servers generate and send
over an OTP (one time password, usually a code of six digits) to the registered
mobile number of the account holder, and upon inserting this OTP onto the
account login page, the customers can access their individual accounts.
However, despite multiple attempts over the first two
weeks, the mobile number that is registered with Godaddy did not receive any
SMS / text message with the OTP. When their customer service was contacted,
initially their explanation was that the Godaddy system was generating OTPs,
but my telecom carrier was not delivering the same. When I approached my
telecom carrier (Reliance Jio) customer service, they checked my number and
stated that there were no blocks to SMS delivery on my number. And, this is
factually correct, since I was receiving OTPs for my other transactions. Only
the Godaddy OTPs were not being delivered.
When I confronted Godaddy Customer service with this,
they advised me to request the removal of the two-step account verification
protocol, for which I had to send them an email from the specific email address
linked to my Godaddy account. I was also told that it would take Godaddy 72
hours to process my request. When nothing happened after 72 hours, I again
called the Godaddy customer service and then the situation became interesting.
Now, there was a new demand from Godaddy to unlock /
unblock my account. The wanted a Government issued Photo-ID (essentially the Aadhar
card) and copy of my PAN card to be submitted to them for “verification” and
confirmation that I was the actual owner of the account; along with copies of
the registration certificates of my various companies.
My question to them at this point was, how could they
verify my Aadhar & PAN information, when I had never submitted this
information to them in the first place? They had no legitimate answer to this
question, but were insistent that I had to submit copies of these documents to
resolve the issue. I went ahead with their request and submitted only my Aadhar
card and PAN, but also took the necessary precaution of taking advice from
legal experts, who advised me that Godaddy company’s demands were ‘prima facia’
in violation of the ‘Information Technology Act, 2000 ("IT Act")’ and its
corresponding rules under the ‘Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal Data or Information) Rules,
2011 ("SPDI Rules")’.
Furthermore,
in a landmark judgment delivered on 24 August 2017 (Justice K.S
Puttaswamy & another vs. Union of India), the Supreme Court
of India recognized the right to privacy as a Fundamental Right under Article
21 of the Indian Constitution as a part of the right to “life” and “personal liberty”,
and it would seem that Godaddy is in violation of my Fundamental Right as well.
The ongoing
saga took an interesting twist when Godaddy asked me for a copy of my passport.
When I refused to share the same, citing that I did not have a passport, the
response was that “records” show that I had recently travelled internationally.
My question at this point is; how does Godaddy have access to my personal
information and what they claim are my travel records?
These are
the same queries that I have placed officially before the Secretary, Ministry
of Home Affairs, Govt. of India; and the Secretary, Ministry of Corporate
Affairs, Govt. of India.
Within two
days of these letters reaching MHA & MCA, a friend of mine in the highest
levels of the Union Govt. had a conversation with someone in the Godaddy India
Corporate office (located in Gurugram, Haryana). My account was immediately unblocked
and I started receiving OTPs from Godaddy without any incident. I removed the
two-step verification process and assumed that the account would have no more
issues.
But I was
wrong. Two days later, the account is blocked again, this time under the
pretext that my physical address cannot be verified by Godaddy. The question
here is; why does Godaddy have the need to verify my physical location, when
their services have been paid for fully in advance on an annual basis?
My business
background of over 35 years, is in the areas of Anti-Terrorism and
Law-Enforcement with a deep study of Cyber-security and Data-security. In my
opinion, Godaddy is proactively collecting and collating my individual personal
information as well as my Corporate information; which can be defined as
‘data-mining’. Whether Godaddy is violating the Laws of India regarding
Data Privacy and also my Fundamental Rights as guaranteed by the ‘Constitution
of India’, will be decided by the officials of the Government of India and if
needed by the Courts of India.
To all those
who are reading this article, and feel that their privacy may have been
violated by Godaddy (or any other foreign corporate operating in India), do
write about it in detail to the Secretary, MHA, Govt. of India. Defending
ourselves from foreign anti-India activities is our Right and we have to demand
protection from data-mining of our information by foreign corporates.
Author of this article:
Sardar Sanjay Matkar
Email: matkar@outlook.com