The authorities in Jammu and Kashmir’s Doda district have imposed a two-month ban on the use of Virtual Private Networks (VPNs) starting May 2, following the April 22 Pahalgam terror attack.
Enforced under Section 163 of the Bharatiya Nagarik Suraksha Sanhita (BNSS), 2023, the ban is intended to counter what officials described as a “serious threat to public order, tranquility, and national security”. The order extends to all individuals, institutions, internet service providers, and cyber cafes operating in the district.
A VPN, or Virtual Private Network, is a tool that allows users to mask their internet activity and bypass regional restrictions by routing their connection through encrypted servers.
On May 16, the Doda District Police also confirmed that “several individuals” had been detained for allegedly defying the order. “These individuals were using VPNs to bypass internet restrictions,” the police said in a statement, adding that they were being questioned and that further legal proceedings were being considered.
Legal experts have raised significant concerns, arguing that the ban contradicts constitutional protections under Article 19, which guarantees freedom of speech and access to information, and Article 21, which upholds the right to privacy.
They also emphasised that using VPNs is not illegal in India, warning that invoking Section 163 in this context could establish a troubling precedent.
“Section 163 - Analogue to IPC Section 144”
Commenting on the use of Section 163 of the BNSS to justify the VPN ban, Supreme Court Advocate-on-Record Talha Abdul Rahman said the move was legally unsound and potentially excessive.
The section empowers executive magistrates to issue prohibitory orders for preventing nuisance or anticipated danger, including in the digital space.
In his view, the Information Technology Act and its accompanying rules already "completely occupy the field," leaving no legal space for invoking Section 163 to prohibit VPN usage.
“If the Parliament has not prescribed a penalty for the use of VPNs under the IT Act, then no officer can suddenly make it unlawful, even temporarily,” Rahman said, stressing the importance of legislative supremacy and due process.
“VPNs are neutral tools, and their use alone does not justify such preventive restrictions unless there is a clear and immediate threat in a given case,” the advocate added.
Pranesh Prakash, research fellow at LIRNEasia, who called Section 163 “an analogue to Section 144 of the earlier Indian Penal Code”, also acknowledged that an emergency may indeed have existed in this case, but the specific action taken, of blocking VPNs, falls outside the legal powers granted to magistrates. “That power is expressly not provided to magistrates,” he said.
Section 144 of the Indian Penal Code, enacted during the colonial period, authorised executive magistrates to issue prohibitory orders to prevent obstruction, nuisance, or danger to human life. In 2023, it was replaced by Section 163 of the BNSS, which was introduced as part of a broader effort to “de-colonise” criminal laws.
While BNSS was positioned as a move away from colonial-era legislation, Section 163 continues to grant magistrates similar preventive powers, including over digital spaces.
Even if one were to argue that VPNs fall under the category of telecommunications rather than computer resources, Prakash noted, “it would still need to be routed through the Department of Telecommunications, typically via the state Home Ministry, and only then could regulated entities be directed to act.”
According to him, neither of these legally prescribed routes was followed in the Doda case. “Magistrates can’t claim this power unto themselves, especially when dedicated emergency blocking procedures exist,” he said.
Is the response proportionate?
Responding to whether the VPN ban was proportionate, Prakash said that simply accessing information does not pose a threat to national security. “The real concern arises when individuals, knowingly or unknowingly, share sensitive information that shouldn't be disclosed,” he noted, adding that any censorship should target harmful transmissions, not the receipt of information.
He stressed that restrictions on free expression must be lawful, necessary, and proportionate. “You shouldn’t be blocking speech when the same objective can be achieved through less intrusive means,” Prakash said.
Alluding to both international human rights principles and Indian legal standards, the research fellow added, “The action must be necessary, specifically allowed by law, and the least restrictive option available.”
Rahman echoed these concerns, saying that VPNs only become problematic when used to carry out unlawful acts. “Mere potential for misuse is not a sufficient ground for restriction; there must be demonstrable misuse with a clear nexus to a threat to public order,” he said.
Rahman also pushed back against the narrative that privacy is expendable in the name of security. “Invasion of privacy is often justified with rhetoric like ‘why worry if you have nothing to hide?’ But this sort of question is not acceptable in our republican polity, which does not allow invasion of privacy unless there are concrete reasons,” he said.
“Citizens cannot be treated as if they live in a glass house, open to the prying gaze of the State,” Rahman added.
Courts and government have backed VPNs
While the Doda administration frames VPNs as a threat, both the Indian judiciary and central government have acknowledged their legitimate role in safeguarding privacy and access to information.
In the landmark K.S. Puttaswamy vs Union of India (2017) case, the Supreme Court recognised privacy as a fundamental right under Article 21. The judgment laid the groundwork for protection-oriented digital tools like VPNs, which are widely used to safeguard personal privacy and encrypt communication.
Similarly, in Anuradha Bhasin vs Union of India (2020), the Supreme Court recognised that access to the internet is integral to the freedom of speech and expression under Article 19(1)(a). While the judgment primarily dealt with internet shutdowns, it implied that tools like VPNs, which enable secure and private access to information, play a critical role in protecting citizens' rights to free expression and privacy, especially in regions facing connectivity restrictions.
The Court had also mandated transparency by requiring that “all orders related to internet suspensions or restrictions must be made public,” ensuring accountability when restricting digital freedoms.
Government bodies too have supported VPNs. CERT-In, under the Ministry of Electronics and IT, has issued multiple advisories recommending VPNs for secure remote work and protection against cyber threats.
Therefore, while it's true that VPNs, anonymising networks like Tor, or I2P (Invisible Internet Project) can be misused for illicit purposes such as espionage, it's equally important to recognise their legitimate applications.
As Prakash explained in this context, “There’s simply no practical way to permit only the good users without also enabling bad users—or to block bad users without inevitably blocking good ones too.”