A Genuine Engineering Achievement
For Hajj 2026, the Saudi Data and AI Authority (SDAIA), working with the Ministry of Interior, fielded a mobile device that captures a pilgrim's facial image, biometric data and passport information in under 40 seconds. The tool was deployed across roughly 75 holy-site locations and 14 dedicated screening and security-control centers, and was specifically credited with speeding processing for elderly pilgrims and people with disabilities (Asharq Al-Awsat). It runs alongside two AI-driven monitoring platforms, Baseer and Sawaher, which use computer vision and thermal imaging to read crowd density in real time around the Grand Mosque and help locate missing persons, plus a separate "Banan" device used for biometric identity checks at a highway security center (Arab News). Sawaher alone draws on more than 5,000 cameras across roughly 80 locations, run through 16 AI algorithms and 31 dashboards (Asharq Al-Awsat).
Steelmanning the Deployment
The strongest case for this system is not abstract. Hajj is the largest recurring mass gathering on Earth, and crowd crushes have repeatedly been its deadliest failure mode — the 2015 Mina crush remains the worst disaster in Hajj's modern history, killing more than 700 pilgrims by Saudi Arabia's own count and, by most independent tallies compiled from dozens of countries' repatriation records, well over 2,000. Faster, more accurate identity verification reduces the bottlenecks and overcrowded queuing that turn checkpoints into crush points, and real-time crowd-density analytics genuinely can flag dangerous congestion before it becomes lethal. A regulator moving deliberately and specifically to prevent a repeat of Mina, rather than reflexively expanding surveillance for its own sake, has a defensible public-safety rationale that critics of biometric policing often underweight. Faster processing at scale — millions of pilgrims moving through a fixed set of sites in a compressed window — is also a legitimate logistics problem, not merely a pretext.
Where the Justification Runs Out
The difficulty is that Hajj-specific crowd safety and general-purpose biometric law enforcement are being built on the same rails, with no visible line between them. Baseer and Sawaher are described by their own developers as platforms for identifying individuals in real time, not merely counting them — a materially different capability than anonymized density mapping, and one that persists in the same camera network long after Hajj concludes. Saudi Arabia's Personal Data Protection Law, in force since September 2023 and enforced by SDAIA itself, classifies biometric data as sensitive information requiring heightened protection — but it also carves out processing that serves "public interest or security purposes" without the data subject's consent (Arab News). That is the same regulator writing the rules, enforcing them, and running the surveillance systems the rules are meant to constrain. There is no independent data protection authority, no published retention schedule for Hajj biometric captures, and no disclosed audit of how long facial-image data from foreign pilgrims — the large majority of the roughly 1.8 million people who attend Hajj — is retained after they leave the Kingdom.
The Regional Pattern Matters
This gap is not unique to Saudi Arabia, but it is not hypothetical either. Meta has geo-blocked more than 100 Facebook and Instagram accounts belonging to human rights researchers and activist organizations inside Saudi Arabia and the UAE since March 2026 at government request, according to a joint statement from Access Now and partner organizations (Access Now) — evidence that platform and infrastructure cooperation with Gulf state requests already extends well beyond crowd logistics into speech suppression. Regionally, the transparency fight is playing out elsewhere too: in Paraguay, EFF, TEDIC and CEJIL filed a legal challenge in June 2026 specifically because authorities there refused to disclose basic details of how facial recognition systems are procured, deployed and audited (EFF). Saudi Arabia's Hajj deployment has the opposite problem in degree but the same shape: SDAIA has been unusually forthcoming about capability (device speed, camera counts, algorithm counts) and almost entirely silent on governance (retention limits, independent audit, redress for foreign pilgrims whose data is mishandled).
A Narrower, Better Standard
None of this argues for banning biometric checkpoints at Hajj. A pro-innovation, evidence-based position should welcome technology that measurably reduces crush risk at a gathering with a documented history of mass-casualty failures. But "it works for crowd safety" is a claim about Baseer's density-mapping function, not a blank check for a facial-identification network layered onto the same cameras. The proportionate fix is straightforward and does not require slowing deployment: publish a retention schedule specific to Hajj biometric captures (distinct from any general national biometric database), commit publicly to purpose limitation — Hajj crowd-safety data should not silently become general law-enforcement data — and let an oversight body outside SDAIA itself review compliance. Saudi Arabia has shown it can ship fast, well-engineered biometric infrastructure at extraordinary scale in under 40 seconds per pilgrim. The question for 2027's Hajj season is whether it can ship the governance half of that system as visibly as it has shipped the technology.