The Privacy Risks of India's Smart City Projects

-- and the thing is, I was sitting in one of these Integrated Command and Control Centres last year. Bhopal's, specifically. A friend who works in the state IT department got me a tour. The room looked like something out of a Hollywood movie -- a massive wall of screens showing live CCTV feeds from across the city, traffic flow dashboards, air quality monitors, water pressure readings, emergency call locations plotted on a map in real time. An operator zoomed in on a traffic intersection and I could clearly read the license plate of a car stuck at the signal. Another screen showed a heat map of crowd density near a temple during a festival.

"Impressive, right?" my friend said. I told him it was terrifying.

Because here's what I kept thinking as I stood there watching feeds from hundreds of cameras: nobody in that city opted into this. No resident of Bhopal was ever asked, "Hey, do you consent to being tracked by AI-powered cameras as you walk to the grocery store?" There was no public consultation, no referendum, no consent mechanism. The cameras went up because a tender was issued, a vendor was selected, and a government order was signed. The citizens found out when they noticed the cameras on the poles.

The Scale of What's Been Built

The Smart Cities Mission was launched in June 2015 with a selection of 100 cities across India. The stated goals were genuine urban improvements: better sanitation, reliable water supply, efficient public transport, sustainable environment, and citizen safety. Nobody objects to those goals. The controversy is about how "citizen safety" has been interpreted in practice, and what kind of surveillance infrastructure has been deployed under that umbrella.

According to data compiled from Smart City proposals and annual reports, the 100 smart cities collectively planned to install over 5 million CCTV cameras by the end of the mission's initial timeline. Not all of those have been deployed -- many smart city projects ran behind schedule and over budget -- but the numbers that are operational are staggering. Hyderabad alone has over 500,000 cameras across the city, many connected to its ICCC. Lucknow has over 300,000. Surat, Pune, Chennai, Indore -- the numbers vary but the pattern is consistent: massive camera deployments with centralized monitoring.

And it's not just cameras. Smart city projects include environmental sensors that track air quality and noise levels (which also capture location data from Bluetooth and Wi-Fi signals), smart streetlights with embedded sensors, GPS-tracked public buses, smart water meters that record usage patterns by household, and public Wi-Fi networks that log user connections. Each of these generates data. Some of it is aggregated and anonymized. Much of it isn't.

What the ICCCs Actually Do

The Integrated Command and Control Centre is the brain of a smart city. Every city selected under the mission was required to build one. By mid-2025, over 75 ICCCs were operational. They're typically run by a combination of the city's municipal corporation and a private technology vendor -- companies like Honeywell, L&T, Wipro, IBM, or smaller domestic firms.

An ICCC aggregates data from every connected source in the city. The feeds from thousands of cameras come in. Traffic flow data from sensors embedded in roads comes in. Public transport GPS data comes in. Emergency call locations come in. Utility consumption data comes in. Weather data, pollution data, crowd density estimates -- all of it funnels into one room, operated by a handful of people at terminals who can query, filter, and display the data in various ways.

On a good day, this enables genuinely useful things. During floods in Chennai in 2023, the ICCC coordinated rescue operations by identifying waterlogged areas and directing relief teams. During COVID lockdowns, several ICCCs tracked quarantine compliance through a combination of CCTV and phone location data. For daily traffic management, the ability to see congestion in real time and adjust signal timings is a real improvement over the old system of fixed-cycle traffic lights.

On a bad day -- or rather, on any day when someone decides to repurpose the system -- the same infrastructure becomes a surveillance tool of extraordinary power. During protests, ICCCs in several cities have been used to monitor crowd movements, identify individual participants through facial recognition, and track their movements before and after the protest. I haven't been able to confirm this on the record from government sources, but multiple journalists and activists I've spoken to describe similar patterns in different cities, independently of each other.

Facial Recognition: The Camera That Knows Your Name

Not all smart city cameras have facial recognition capabilities. But an increasing number do, and the trend is accelerating. The National Automated Facial Recognition System (AFRS), proposed by the National Crime Records Bureau, envisions a centralized database that would link facial recognition feeds from across the country. Individual cities and states have also procured their own systems independently.

Hyderabad's police deployed a facial recognition system built by a company that claims the ability to identify individuals in real-time from CCTV feeds. Independent researchers who tested the system's accuracy found error rates that were concerning, with significantly higher false positive rates for darker-skinned individuals and women. The system, as of the reporting I've seen, hasn't undergone any independent, publicly disclosed accuracy audit. The police cite crime prevention statistics as justification; civil liberties organizations point to the risks of misidentification and mass surveillance.

Delhi used facial recognition during Republic Day events and various public gatherings in 2024 and 2025. The software was reportedly used to match faces in crowds against databases of "known troublemakers" and missing persons. The definition of "known troublemaker" is, I should probably mention, not publicly available. Who's in the database, how they got there, and how long they stay -- none of that information has been disclosed.

There's a basic civil liberties question here that India hasn't answered. In most democracies that have deployed facial recognition at scale, there's been at least a public debate, often leading to restrictions or outright bans. San Francisco banned government use of facial recognition in 2019. The EU's AI Act restricts real-time facial recognition in public spaces. India has done... nothing. There's no law specifically governing facial recognition. There's no regulation. There's no ban, no moratorium, no set of guidelines. It's being deployed into a legal vacuum, and the deployment is expanding faster than any regulatory discussion can keep up with.

Where the Data Goes (and Who Has Access)

This is the part that should probably worry you most. Smart city data doesn't stay within the municipal corporation. The private vendors who build and operate the ICCCs typically have access to the data, often under contracts whose terms aren't publicly available. An RTI filing in 2024 by a digital rights researcher asked the Bhopal Smart City Development Corporation for a copy of its contract with its ICCC vendor. The request was denied on the grounds that the contract contained "commercially confidential" information. Similar requests in Jaipur and Indore were also denied.

So we have a situation where private companies are processing massive amounts of citizen data collected by the government, under contracts that the public isn't allowed to see. What data the vendor can access, how long they can retain it, whether they can use it for purposes beyond the original contract, whether they can share it with third parties -- all of this is hidden behind commercial confidentiality claims.

Some cities have better governance structures than others. Pune's smart city subsidiary publishes more data about its operations than most. Surat has a citizen-facing dashboard that shows some ICCC statistics. But these are exceptions. The default across most smart cities is opacity -- the cameras watch you, but you can't watch them watching you.

There's also the question of data security. A 2024 cybersecurity audit (conducted by a private firm, not a government agency) of a sample of ICCC systems found vulnerabilities in several of them, including default passwords on admin portals, unencrypted data transmission between sensors and the central system, and inadequate access logging. If a hacker breached one of these ICCCs, they'd have access to real-time camera feeds, historical movement data, and potentially personal information linked to utility accounts and emergency calls. The audit was shared privately with the relevant city authorities. Whether the vulnerabilities were fixed is unknown.

No Privacy Impact Assessments

In the EU, deploying a system with this kind of surveillance capability would require a Data Protection Impact Assessment before the first camera goes up. The DPIA would analyze what data is being collected, why, what the risks are to individuals, and what measures are in place to mitigate those risks. It'd be reviewed by the data protection authority. In many cases, there'd be a period of public consultation.

India's Smart Cities Mission required no such assessment. The DPDPA does include provisions that could theoretically require Privacy Impact Assessments for government data processing at this scale, especially if the government classifies itself as a "Significant Data Fiduciary." But as of early 2026, no smart city project in India has published a privacy impact assessment. Not one. Across 100 cities, with millions of cameras, sensors, and data collection points, there is no publicly available document that systematically analyzes the privacy risks to residents and the measures taken to address them.

The absence of this basic accountability mechanism is, I think, the most damning indictment of how the Smart Cities Mission has handled privacy. It's not that they conducted assessments and found the risks acceptable. They simply didn't ask the question.

How Barcelona and Amsterdam Do It Differently

When people tell me that surveillance is the inevitable price of smart cities, I point them to Barcelona. The city launched its "digital sovereignty" programme in 2015, around the same time India's Smart Cities Mission began. Barcelona's approach was built on a few core principles: citizen data belongs to citizens, not to the city government or its vendors. All smart city data is stored on a city-owned platform (DECODE), not on vendor servers. Contracts with technology providers include strict data minimization clauses and prohibit the vendor from using city data for their own purposes. Citizens can access their data, know what's being collected, and in many cases opt out.

Amsterdam's approach is similar. Their "Responsible Sensing Lab" evaluates every proposed sensor deployment for privacy impact before it's approved. They've published a public registry of all IoT devices deployed in the city -- every sensor, every camera, with its purpose, data collection scope, and retention period. Citizens can look up what's on their street. Try finding equivalent information for any Indian smart city.

These cities prove that you can have smart urban infrastructure without mass surveillance. You can use sensors for traffic management without tracking individual vehicles. You can monitor air quality without linking the data to personal identifiers. You can even use cameras for public safety without running facial recognition on every face that passes. It requires design choices that prioritize privacy, which in turn requires political will to make those choices. India's Smart Cities Mission made different choices -- or more accurately, didn't make the choice at all, defaulting to maximum data collection because nobody in the decision chain was asking privacy questions.

What Residents Can Do (Limited, but Not Nothing)

I'll be honest: your options as an individual resident of a smart city are limited when it comes to surveillance in public spaces. You can't opt out of CCTV cameras on your commute. You can't stop sensors from detecting your phone's Wi-Fi probe requests as you walk past. But there are some things within your control.

Turn off Wi-Fi and Bluetooth on your phone when you're not actively using them. Your phone broadcasts Wi-Fi probe requests that can be picked up by smart city sensors and used for location tracking. Disabling Wi-Fi when you're walking around in public reduces your trackability. It also saves battery, so there's a practical benefit too.

If your city offers public Wi-Fi through the smart city project, think twice before connecting. Free public Wi-Fi often logs device identifiers, connection times, and browsing activity. If you do use it, use a VPN. Yes, India's VPN regulations are complicated and some providers have left the market, but several still operate with India-based servers or allow connection through nearby international servers.

File RTI requests with your city's Smart City Development Corporation or Special Purpose Vehicle. Ask what data they collect, who processes it, how long it's retained, and what their data security measures are. You may not get complete answers, but the act of asking creates a paper trail and signals to officials that citizens are paying attention. If enough people ask, it becomes harder to maintain the current level of opacity.

Support and engage with organizations working on urban surveillance issues. The Internet Freedom Foundation, Article 19, the Centre for Internet and Society, and several other groups have been researching and advocating on smart city privacy. Their work is publicly available and worth reading if you want to understand what's happening in your city.

Attend your city's municipal corporation meetings and smart city SPV board meetings when they're open to the public. Most citizens have never attended one, and the officials conducting them are not accustomed to being questioned about surveillance practices. Showing up, asking questions about CCTV policies and data retention, and putting those questions on public record does two things: it creates accountability pressure, and it signals to other residents that these are questions worth asking. One person at a meeting is easy to ignore. Twenty people at a meeting asking about camera data retention changes the conversation. Collective pressure from residents is, realistically, the only thing that's going to force transparency on smart city surveillance in India, because the political incentives for voluntary disclosure simply aren't there.

The Choices That Define What "Smart" Means

A smart city can be a city that uses technology to genuinely improve residents' lives while respecting their dignity and autonomy. Or it can be a city that uses technology to watch, track, and profile its residents in exchange for marginally better traffic flow. India's Smart Cities Mission is somewhere between the two, leaning uncomfortably toward the second.

The mission's deadline has been extended multiple times. Many projects are still incomplete. There's still time to course-correct -- to mandate privacy impact assessments, to establish independent oversight, to publish data collection policies, to give residents meaningful information about what's being collected and meaningful input into how it's used. Whether that happens depends on whether anyone with decision-making authority decides it matters.

I keep coming back to that room in Bhopal. The wall of screens, the real-time feeds, the operator casually zooming into a street corner. It was impressive technology serving a legitimate purpose. But there was no sign on the wall saying "This system is governed by Policy X." No posted guidelines about who can access what, when, and why. No visible audit trail. No citizen oversight committee. Just screens, data, and a handful of people with the power to watch an entire city. That's not smart. That's just surveillance with a better UI.