"Arbitrary and excessive" - Specialists critique two-month VPN restriction implemented in India
In the Jammu and Kashmir region of India, the district of Doda has imposed a two-month ban on the use of Virtual Private Networks (VPNs) due to national security concerns. The ban, enforced on May 2, 2025, was made under Section 163 of the Bharatiya Nagarik Suraksha Sanhita (BNSS) law.
The order cites individuals and groups misusing VPNs to circumvent lawful cyber restrictions and access prohibited applications. However, digital rights and legal experts have expressed concerns over the ban, arguing that it infringes on citizens' fundamental rights, particularly their right to privacy and freedom of speech.
The ban applies to all individuals, institutions, internet service providers, and cyber cafes operating in the district. This means that all residents are barred from using VPN services or similar tools for two months to avoid potential legal action. Reports suggest that individuals have already been arrested for allegedly using VPNs, and several have been detained before the arrests.
Senior Policy Counsel and Encryption Policy Lead at Access Now, Namrata Maheshwari, points out that the Indian government has already implemented an onerous mandate for VPN providers when it enforced a new data retention law in 2022. This law requires online services to store users' data for up to five years and share it with authorities on request.
Maheshwari believes that a blanket ban on all VPNs for two months is unnecessary and disproportionate. She argues that people have a fundamental right to information and freedom of expression, and restrictions on these rights should be legal, necessary, and proportionate—a standard this ban does not meet.
Experts are also concerned that the ban could increase vulnerabilities in the country's cyberspace, ultimately weakening security as opposed to strengthening it. They emphasize that, even in an emergency, preventative measures cannot be this vague and overreaching, particularly where less intrusive means are available.
According to Maheshwari, the ban affects not only individual users but also businesses and institutions that regularly use these services for security purposes. The ban raises ethical debates about privacy and digital rights, and experts warn that such measures undermine people's digital security and rights, especially in a region already subject to frequent internet restrictions.
[1] Indian Constitution - Articles 19 and 21.[2] Namrata Maheshwari, Access Now.[3] The Wire - May 18, 2025.[4] Doda authorities - May 16, 2025.[5] Recent terror attack - Unspecified.
The ongoing cybersecurity measures in Doda, India, have elicited concerns from digital rights and legal experts, with Namrata Maheshwari of Access Now arguing that the two-month ban on VPNs violates citizens' fundamental rights to privacy and freedom of speech, as stipulated in Articles 19 and 21 of the Indian Constitution.
Moreover, experts caution that this ban, while cited for national security concerns, could inadvertently increase cyber vulnerabilities and weaken security, as businesses and institutions need these services for their digital security purposes. This is especially pertinent in the context of Section 163 of the BNSS law, which has already increased the burden on VPN providers with the 2022 data retention mandate.
