In December, several district administrations in Jammu and Kashmir banned the use of “unauthorised Virtual Private Network services”, citing security concerns. District officials claimed that VPNs could be misused by “terrorists and their supporters for encrypted communication”.
VPNs allow users to mask their Internet Protocol, or IP, address and browse the internet securely while shielding their identity and data. This also allows users to bypass government and local restrictions on websites.
However, experts argue that the blanket ban on the use of VPNs in Jammu and Kashmir is legally and constitutionally flawed. For one, there are no provisions under any Indian laws prohibiting or restricting the use of VPNs. The ban also contradicts Supreme Court rulings on privacy and the right to access the internet.
“At present, no law in India prohibits the use of VPNs,” said former judge and advocate Bharat Chugh, who practises in Delhi. He said the Information Technology Act, 2000, criminalises the misuse of digital technology for hacking or identity theft, but “does not outlaw the tools through which such offences might be committed”.
The fresh ban on VPNs is tied to Jammu and Kashmir’s long history of internet shutdowns and the use of even anti-terror provisions against residents to curb internet and social media access. In the past, too, the local administration had tried to crackdown on the use of VPNs.
This time, as experts pointed out, the administration used prohibitory orders under the Section 163 of the Bharatiya Nagarik Suraksha Sanhita to ban the use of VPNs.
Chugh described the ban on VPNs as a constitutional concern and an overreach of emergency powers. Section 163 of the Bharatiya Nagarik Suraksha Sanhita was “never intended to regulate everyday digital behaviour”, said Chugh. “...Such emergency powers are meant for imminent, localised law-and-order situations and cannot and should not be converted into tools for regulating digital technology.”
Bans through prohibitory orders
In Jammu and Kashmir, at least 10 district administrations banned the use of VPNs using Section 163 of the Bharatiya Nagarik Suraksha Sanhita which empowers district magistrates to issue prohibitory orders in “urgent cases of nuisance or apprehended danger”.
The Kulgam district administration, in its order dated December 27, said that the decision followed a warning from the Senior Superintendent of Police about an “unprecedented surge” in the use of VPNs by a “significant number of suspicious internet users” across the district.
The order claimed that such “excessive and abnormal usage” could be misused for “unlawful and anti-national activities”, such as “incitement of unrest, dissemination of inflammatory or misleading content, and coordination of activities prejudicial to the maintenance of public order and security”.
The administration said that since it was “not feasible to serve notice individually”, it passed the order “ex-parte” – without hearing the other side.
Similar prohibitory orders were issued in other districts, including Baramulla, where the order clarified that VPNs could be used only by those “authorised/permitted by the government or any competent authority for legitimate official or professional purposes”, without mentioning what constituted such use.
Following the orders, the Kashmir Police said they carried out “systematic verification and monitoring” across several districts and found 24 people in violation of them between December 29 and January 2. The police registered FIRs against two individuals, whom they described as having “adverse terror-related backgrounds”.
Preventive proceedings were initiated against 11 others under Sections 126 and 170 of the Bharatiya Nagarik Suraksha Sanhita. Section 126 empowers an Executive Magistrate to take preventive action, while Section 170 grants the police the power to make preventive arrests without a magistrate’s order or warrant.
Police reported similar action in Pulwama, Sopore, Anantnag, and Kulgam, marking an expanded use of preventive law to enforce the VPN ban.
Scroll contacted three police officials asking about the arrests. Two declined to comment, while one said the “decision was taken by the district administration and they were merely following due procedure”. Kulgam District Magistrate Athar Aamir Khan was also contacted, but he did not respond to calls and messages.
No laws against VPN use
Legal experts said there is little legal basis for district administrations in Jammu and Kashmir to impose a blanket ban on VPNs and arrest people.
Apar Gupta, founder of the Internet Freedom Foundation, told Scroll that India’s existing legal framework focuses on VPN service providers, not users. “There is no general statutory ban in the IT Act or the BNSS on ordinary citizens using VPNs,” Gupta said. “Instead, compliance duties are imposed on providers.”
Using a VPN is not illegal under existing laws but the Indian Computer Emergency Response Team had issued cyber security directions in April 2022 under the Information Technology Act, 2000. These directions required a wide range of entities, including hosting, VPN and Virtual Private Server service providers, to maintain detailed records of their users’ activities.
After the issuance of these directions, several VPN service providers chose to shut down their servers in India, citing concerns over “user privacy and data retention”.
According to a report by the Internet Freedom Foundation, “these service providers could be required to hand over this information” to CERT-In at any time. The report also noted that the 2022 directions do not place any limits on how long CERT-In may retain this data or with whom it may be shared.
In September 2022, SnTHostings, a company which provides hosting, VPN, and VPS services, approached the Delhi High Court challenging the legality of the CERT-In directions. The petition was eventually withdrawn on the petitioner’s instructions on March 14, 2024.
Advocate Abhinav Sekhri, who represented SnTHostings before the Delhi High Court, told Scroll that the case had to be withdrawn as the client “didn’t wish to pursue the case”.
On the merits of the challenge, he said that the issue “has not been heard by any court in India,” and therefore, “there is no answer to whether these directions will stand judicial scrutiny”.
Sekhri added that the 2022 directions introduced “business practices that effectively gave the government a backdoor to access large amounts of VPN-related data”, thereby undermining the very purpose for which VPNs are used.
Misuse of prohibitory orders
Legal experts also flagged the misuse of prohibitory orders.
Gupta of the Internet Freedom Foundation said it is doubtful that Section 163 of the Bharatiya Nagarik Suraksha Sanhita can be used to justify a district-wide ban on VPNs in Jammu and Kashmir. “These powers are meant to be urgent and time-bound, based on material facts showing a specific apprehended danger,” he added.
A blanket ban, like the ones being imposed in Kashmir, wrongly assumes that privacy tools like VPNs are inherently harmful and risks “turning an emergency power into a routine policy decision”, rather than a response to a specific and immediate threat, he said.
Sekhri, the lawyer who represented SnTHostings, said that “since the use of VPNs is not illegal in itself”, it also raises serious questions about “how preventive powers under Section 163 of the BNSS can be invoked to restrict VPN” use or to take individuals into custody.
Chugh, referring to the absence of any specific legal ban on the use of VPNs, warned against punishing actions that are not illegal. “There is no crime without law,” he said. “Detaining or questioning people just for using VPNs blurs the line between prevention and punishment”.
“Section 163 is a fire-extinguisher provision”, said Chugh. “It is designed for sudden and imminent threats, riots, epidemics, and violent assemblies, not to restructure the digital habits of an entire population.” Using such powers to prohibit VPN usage, he argued, “represents a fundamental category error”.
Gupta also pointed to the Supreme Court’s ruling in January 2020 in the case of Anuradha Bhasin, where the court held that internet restrictions cannot be “indefinite and must meet the tests of necessity and proportionality”. He also referred to the Supreme Court’s KS Puttaswamy ruling on privacy, which laid down that “any intrusion into privacy must have a clear legal basis”, pursue a legitimate aim, and be proportionate.
Against this legal backdrop, Gupta argued that a district-wide VPN ban is “unlikely to withstand scrutiny under Articles 19 [freedom of speech] and 21 [right to life] unless it is narrowly tailored to a clearly demonstrated emergency” and supported by explicit statutory authority.
A pattern of restrictions
Jammu and Kashmir has a long history of internet censorship and shutdowns. A complete communications blackout was imposed in 2019, ahead of Parliament’s decision to abrogate Article 370.
When internet services were partially restored in January 2020, access was throttled at 2G speeds for verified users, with only whitelisted websites allowed and social media platforms blocked. During this period, many residents turned to VPN services to access information unavailable due to these restrictions.
A 2020 Scroll report highlighted that residents of several villages in Kulgam alleged that army personnel checked young people’s phones for VPN apps, and that those found using them were allegedly assaulted. VPN use in Kashmir was also curtailed through “written undertakings” that broadband internet users were required to sign, committing that they would not use VPN services.
In February 2020, the cyber wing of the Jammu and Kashmir Police registered a first information report alleging the “misuse of social media” through VPNs. The FIR invoked provisions of the Unlawful Activities (Prevention) Act and several sections of the Indian Penal Code against unknown persons.
Around the same time, a 17-year-old was taken into custody and booked under the Unlawful Activities (Prevention) Act, highlighting the harsh legal consequences linked to alleged VPN use.
Such restrictions have not been limited to Jammu and Kashmir. In June 2025, the Manipur government also suspended internet and mobile data services, including VPN services, for five days across five districts of the state. According to reports, the state’s government said that social media platforms were being used to “facilitate and/or mobilise mobs of agitators and demonstrators.”
The ban was imposed under Rule 2 of the Temporary Suspension of Telecom Services Rules, 2017, which allows the Centre or state home secretaries to suspend telecom services.
You’ve read Scroll.
Now help sustain it
Scroll is funded by readers, not corporate owners. If you believe our work matters, support our newsroom. Become a member today!
We’re not driven by clicks or corporate interests – just honest, independent reporting. Keep us going. Support Scroll today!