Muslims’ pilgrimage season (Hajj) was marked by the extensive use of 32 modern technologies by Saudi authorities to facilitate the trip of 1,833,000 pilgrims from 200 countries. Among these were 17 new technologies introduced this year.
One of the standout innovations was the “virtual glasses” used by security services to protect pilgrims. These glasses aim to streamline the process of inspecting vehicles and retrieving their data within seconds.
Saudi authorities also implemented a facial recognition system to enhance security and monitor crowds. Smart cameras were installed to detect suspicious behavior and identify accidents.
Drones also monitored and followed up on Hajj regulation violations, identified potential problems, and evaluated the road network using thermal scanning. They were also used to transport blood units and laboratory samples.
Despite the Saudi authorities’ efforts to appear vigilant in ensuring the comfort of pilgrims, many questions and concerns about the nature of these technologies remain unanswered.
Why is using these technologies mandatory, with the risk of being banned from Hajj for non-compliance? How long is the data collected from pilgrims retained without even their consent? Do the data processing terms and conditions apply equally to Saudis and non-Saudis? How does the Saudi data protection system fit into all of this?
The “Nusuk” Card
This year, the “Digital Nusuk Card,” a physical and electronic card issued to every pilgrim was introduced. This card allows pilgrims to access all the holy sites and benefit from the services provided, facilitating the performance of Hajj rituals with ease.
Every pilgrim entering the country must download the official “Nusuk” application by scanning a QR code. When used on a large scale and during large events like Hajj, this system may pose significant risks. Since users cannot preview the QR codes or know what scanning them will do in advance, the system can be easily exploited to spread phishing links.
The card includes five main portals: the pilgrim’s personal information, medical record, place of residence in Mecca, the service company to which the pilgrim belongs, and the information of the group leader. This card is mandatory and must be carried throughout Hajj, from arrival until departure.
Despite the sensitivity of the data collected by the application, the Ministry of Hajj and Umrah, which collects and uses the data, disclaims responsibility for any damage or misuse resulting from using this open data on the Ministry’s official website.
The Ministry also rejected any responsibility towards users of this data for any damage or loss that may occur due to its reuse.
Among the terms of reuse, the application policy states that “the data must not be used for political purposes, or to support illegal, criminal, or racist activity, or fuel, negatively influence culture or equality, or to incite or support any other activity that is illegal or contrary to the customs and traditions of the Kingdom.”
Terms like “incitement,” “negative influence on culture,” “equality,” or “any activity contrary to the customs and traditions of the Kingdom” can be broadly interpreted. This flexibility allows authorities to file charges and arrest individuals without clear violations.
This approach is not new in Saudi Arabia and other countries in the region, such as Jordan and Iraq, which employ broadly defined legal terms to grant authorities more room to silence opponents, journalists, and activists critical of state policies.
The Smart “Hajj Bracelet”
Another advanced technology used this year during the Hajj season is the smart “Hajj bracelet” or “Nusuk bracelet.” The AI-powered device monitors health data such as blood oxygen levels and heart rate and includes a GPS chip for location tracking.
In June 2023, the Undersecretary of the Ministry of Hajj and Umrah for Hajj Affairs, Ayed Al-Ghuwaynem, stated that the bracelet is essential for using the Al-Mashaer Train, entering and exiting the Great Mosque of Mecca for Tawaf, and using an integrated electronic scheduling platform.
That platform provides a program that matches pilgrims’ religious preferences and helps them move from place to place on a set schedule.
KSA requires pilgrims to use these technologies and submit their biometric and personal data. If they refuse, they will not be allowed to perform Hajj rituals.
Saudi Arabia’s Personal Data Protection System
Employing these technologies is dangerous because they handle sensitive biometric and personal data. Previous research and reports indicated that Saudi Arabia’s track record in data preservation, processing, confidentiality, and privacy is robust.
SMEX’s analysis of the Saudi “Personal Data Protection Law” showed that it only aligns with international standards in certain aspects, while some provisions are concerning and contain loopholes that may allow for privacy and data protection rights violations.
The issue is not with the law’s text itself but with its potential application and enforcement in Saudi Arabia, given the country’s repressive rule.
Certain articles and exceptions related to security, the Kingdom’s reputation and diplomatic relations, sources of confidential information, and exceptions for public authorities are concerning because they are ambiguous.
For example, Article 6 states that “notwithstanding the provisions on withdrawal of consent, the Personal Data Protection Law makes it clear that data processing does not always require the consent of the data subject” in certain cases.
Given the Kingdom’s record of violations and its extensive use of AI to process sensitive data of both Saudis and non-Saudis, concerns about data security in the country are growing. The current laws grant authorities the right to act as they see fit, allowing them to manipulate legislation to serve their interests.
Image from AFP.
