For the 2026 Hajj, Saudi Arabia's General Authority for Statistics counted 1,707,301 pilgrims, including 1,546,655 who arrived from abroad through air, land and sea ports. To connect them, the Communications, Space and Technology Commission (CST), working with the Ministry of Interior and the licensed operators STC, Mobily and Zain, is running a remote eSIM and SIM activation service. The pitch is genuinely useful: instead of queuing at an airport kiosk, a pilgrim can request a line before travelling and finish activation on arrival.
The convenience, however, is inseparable from a condition. Activation runs through the government's Absher platform with a facial-biometric check, and the line is then bound to the pilgrim's verified identity. Saudi Arabia is, in effect, extending its standing real-name SIM regime — under which every mobile line is tied to a named identity in the CST database — to the largest temporary population it hosts all year.
What is actually being deployed
The service was first rolled out for the 2025 season and is now operating at scale for 2026. According to ID Tech Wire's account of the launch, the system 'leverages Saudi Arabia's Absher platform to verify users' digital identities and conduct biometric authentication... through facial recognition and integrated database checks,' with biometric stations deployed at King Abdulaziz International Airport and Jeddah Islamic Port. Gulf News confirms the joint CST–Ministry of Interior framing and the Absher biometric step.
This sits on top of one of the world's stricter SIM regimes. CST rules bind every line to an identity verified through Nafath and Absher; citizens may hold up to 10 lines, residents two, and visitors typically one. CST's own SIM Authentication Code service routes verification through the 'National Digital Identity portal,' issuing a code valid for four hours and a single transaction. The architecture is built for one purpose: no anonymous line exists on the network.
The case for it, stated fairly
The strongest argument for identity-bound SIMs is not trivial, and it deserves to be met head-on. A pilgrimage that concentrates 1.7 million people into a few square kilometres is a genuine safety and security problem. Crowd-crush disasters have killed thousands at past Hajj seasons; the ability to locate and contact a specific pilgrim through a known line is a real emergency-response tool. Untraceable burner phones are a documented vector for trafficking, smuggling and fraud against vulnerable travellers, and identity binding raises the cost of SIM-swap scams that target people far from home. Remote activation also removes a real friction point — hours lost in airport queues — and that is a legitimate innovation worth keeping.
Where proportionality breaks down
The problem is that the regime bundles a desirable feature with a far more consequential mandate. Remote eSIM activation does not require a facial-biometric tie to a state identity database; passport-based registration would deliver the same convenience. By making the biometric bind the gateway to connectivity itself, the Kingdom converts a telecom service into population-scale surveillance infrastructure — one that now ingests the faces and movements of more than 1.5 million foreign nationals from 165 countries each year.
That matters because the same identity layer that helps a lost pilgrim also makes anonymous communication impossible and dissent traceable. This is not hypothetical. On 20 May 2026, a coalition led by Access Now documented that, at the Saudi government's request, Meta had geo-blocked the Facebook accounts of the rights groups ALQST and Democratic Diwan and of researchers Abdullah Alaoudh and Yahya Assiri inside the Kingdom since 30 April 2026, part of more than 100 pages and accounts restricted since March. The state had also asked X to geo-block prominent Saudi activists. A government that compels platforms to silence critics is precisely the actor for whom a face-to-line registry is most powerful and most dangerous.
The secondary risks compound the principle. Function creep is the default trajectory of identity systems: data collected for connectivity is rarely sequestered from policing. Retention is unaddressed — there is no public commitment that pilgrims' biometric templates are deleted when they leave. And a centralised registry of millions of foreigners' faces is itself a concentrated breach target.
A proportionate path
None of this requires abandoning the convenience pilgrims plainly value. It requires separating the innovation from the mandate. Saudi Arabia could offer remote eSIM activation on a passport and entry-record basis without compelling facial biometrics; reserve identity binding for the narrow security cases it cites rather than applying it universally; commit publicly to data minimisation, purpose limitation and deletion of pilgrim biometrics after the season; and submit the registry to independent oversight. The empirical case that blanket real-name SIM registration reduces crime is contested at best, and the speech costs are concrete and now documented.
The Hajj eSIM service shows the Kingdom can ship genuinely modern citizen-facing technology fast. The question is whether that capability is deployed to serve travellers or to enlarge a surveillance perimeter. Right now it does both, and the second function is the one pilgrims cannot opt out of.