Following the introduction of a new cybersecurity law on 1 January 2024, soldiers at junta checkpoints in Palaw and Tanintharyi townships in Tanintharyi Region, are searching pedestrians’ mobile phones for virtual private network (VPN) apps.

If they find any such apps on people’s phones they are extorting money from them, even though the personal use of VPNs has been decriminalised in the new cybersecurity law.

According to residents of Palaw and Tanintharyi townships in Myeik District, the junta has revived its practice of checking mobile phones for VPN apps following the junta's official enactment of Cybersecurity Law No. 1/2025, on 1 January 2025.

Previously, in the early days after the February 2021 coup, when the junta first declared VPN apps illegal, phones were checked for VPN apps by junta soldiers and police throughout Myanmar and they would extort money from anyone found with a VPN app on their phone. But, the junta’s searching of phones for VPN apps had largely subsided until these recent inspections started again in Myeik District.

A driver in his 40s recounted having to pay soldiers at the Tanintharyi Bridge checkpoint in Tanintharyi Township after they discovered a VPN app installed on his phone.

He said: “Actually, I was quite familiar with them, but during the check, they found a VPN app on my phone, so I had to pay the amount they demanded.”

According to bus drivers, since 1 January checkpoints at Tanintharyi Bridge, the General Aung San Statue in Tanintharyi Township, and in Magyikone Village in Palaw Township have been conducting targeted checks for VPN apps.

If junta soldiers find VPN apps on people’s phones they often demand payments of between 10,000 and 30,000 MMK from the phone’s owner to not prosecute them.

Some bus passengers caught with VPN apps on their phones said that the junta soldiers warned them that if VPN apps were again found on their phones they would be prosecuted under the new cybersecurity law.

But, this is a lie. The new law,  Cybersecurity Law No. 1/2025 under Article 419 of the Constitution has actually decriminalised the use of VPNs by private individuals. This means that, unlike before this new law was introduced, the people caught by junta soldiers with VPN apps are not breaking the law. The soldiers are not implementing any laws, they are just illegally extorting and threatening people for their own gain.

Instead of targeting VPN users the new cybersecurity law targets the providers of VPNs. Establishing a VPN or providing VPN services without approval from the designated ministry (to be appointed later by the government) can result in significant penalties. For individuals, the punishment may be 1–6 months imprisonment, a fine of 1–10 million MMK, or both, with the proceeds of the violation being confiscated. If the violator is a company or organisation, the minimum fine will be 10 million MMK, and the proceeds will be confiscated.

The new law also covers online gambling. Under the law, anyone who establishes an online gambling system without permission will be imprisoned for between six months and one year and/or pay a fine of at least five million MMK up to a maximum of twenty million MMK. It also includes provisions for confiscating devices and materials used in alleged cybercrimes.”

Note: This article was amended on 13 January 2025 to correct an error about the new Cybersecurity Law. Previously it said that under the new Cybersecurity Law people could be prosecuted for using VPNs. This was wrong, the new law has actually decriminalised the personal use of VPNs.