We tend to quantify the tragedy of the terror attack in Mumbai in November 2008, by the over 160 lives lost. “26/11” was beamed into the living rooms of the country’s elites for three days through broadcast television. The sounds of bullets and explosions, the dome of the Taj Hotel swallowed by smoke, and the valour of the Mumbai Police played out alongside a steady refrain in studios and by commentators of a “major intelligence failure”. That charge was not conjured out of grief alone.
The report by the high-level inquiry committee on 26/11 and the material placed before Parliament pointed to lapses in the handling of intelligence alerts. This “intelligence failure”, it was argued, was the inability to stitch scattered fragments into a coherent warning. David Coleman Headley, a key conspirator, travelled to India on several occasions, leaving a paper-and-pixel trail in visa applications, hotel registries and travel itineraries. Security hawks offered a seductive proposition. Would the lives lost been saved had those disparate data points been aggregated and analysed in time?
Evolution of a ‘crown jewel’
Out of that psychological aftershock emerged institutional expansions, but the technological crown jewel was the National Intelligence Grid (NATGRID). Its premise was a middleware interface that would allow 11 specified central agencies to query databases across 21 categories, routed through provider organisations spanning identity and assets, travel and movement, financial intelligence and telecommunications.
Even in its early days, the unease was visible. NATGRID was first publicly announced on December 23, 2009, in a speech by the Home Minister.’
The constitutional question that arose immediately was not whether the state may ever conduct surveillance, but on whether a project of this magnitude could operate without a statutory framework and independent oversight. This daily reported on February 10, 2010 (“‘Big Brother’ fears stall Chidambaram data plan”) that “Ministers raised queries about safeguards and said there was a need for further study”. Yet, on June 14, 2012, NATGRID was cleared not through an Act of Parliament, but by executive order and the Cabinet Committee on Security, with a first-phase allocation of ₹1,002.97 crore branded “Horizon–I”.
For years, NATGRID’s constant delays led people to believe it was ‘vaporware’. A project that existed on paper but did not actually work as a massive search engine for tracking citizens that was only announced to calm public anger after the 26/11 attacks. Well, it is now becoming a reality that can no longer be ignored.
Two recent reports in this daily (“National intelligence grid gains traction as Central agencies, police scour for information”, December 8, 2025 and “Intel grid linked to NPR with details of 119 crore residents”, December 26, 2025) reveal a quantitative and qualitative expansion of this mass surveillance project. First, following a national conference of Directors General of Police in Raipur in late November 2025, chaired by the Prime Minister, States were asked to “scale up” NATGRID usage. The first report also said that NATGRID receives around 45,000 requests every month. Worse, access, once presented as the preserve of central intelligence and investigative agencies, is being widened to police units, including officers down to the rank of Superintendent of Police.
An integration that unsettles
The second development that is even more unsettling is the reported integration of NATGRID with the National Population Register (NPR). The NPR is a repository with the details of 1.19 billion residents, with a relational cartography of households, lineages and identities. It is also politically volatile, repeatedly invoked in the acrimony surrounding the National Register of Citizens (NRC) as a prelude to citizenship filtering. Grafting a population register onto an intelligence query platform crosses a fundamental boundary. It shifts the paradigm from tracking discrete events as intelligence inputs to the mapping every Indian. NATGRID’s evolution is not unfolding in the technological climate of 26/11, but in 2025, amid rapid advances in machine learning and large-scale analytics.
This daily has also highlighted the deployment of “Gandiva”, an analytical engine capable of “entity resolution”.
This is further explained as providing the triangulation that is required to decide whether fragmented records belong to the same individual. Paired with facial recognition that can trawl telecom Know Your Customer (KYC) databases and driving-licence records, this is no longer the state’s “search bar”. It is inference at scale and changes the nature of the risk. Here, intentions are subjectively determined by an algorithm.
Two features make this qualitatively different from older surveillance debates. First, the spectre of bias. Algorithms do not merely excavate truth but reproduce distortions embedded in the data they ingest and claim that they are objective determinations based on pattern recognition. If policing is already skewed by caste, religion or geography, analytics will harden those inequities and cloak them in an aura of objectivity. For the affluent, a false positive is an administrative nuisance. For a young Muslim man in a small town, already living under a pall of suspicion, an automated “hit” can trigger an ordeal and misidentification may carry a blood price.
Second, the tyranny of scale. The danger of modern analytics is not omniscience, but ubiquity. NATGRID reportedly classifies queries by sensitivity, and officials maintain that every access is logged and justified. Without independent scrutiny, these are facial safeguards. When tens of thousands of requests are processed each month, logging risks becoming a clerical ritual particularly in the absence of autonomous oversight, which is lacking even at the level of Parliament.
The lack of course correction
Defenders will fall back on the familiar claim that NATGRID is a matter of life and death. But is it so once it has drifted from counter-terror into everyday policing? Intelligence failures are rarely born of data droughts alone. They are more often the products of institutional weakness, perverse incentives and the rot of unaccountability — as we learned in 26/11 where the local police had not conducted any firearms training for over a year.
Tragically, a correction seems distant. Our constitutional courts have lapsed into deep slumber, allowing the expansive privacy doctrine in Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. (2017) to gather dust while the surveillance state expands. The legality of intelligence programmes that lack any clear statutory foundation or meaningful oversight has not been squarely adjudicated, despite multiple pending cases. In place of scrutiny, we have a martial public temper fanned by political rhetoric and cultural moulding, including mainstream cinema, that treats questioning the security establishment as heresy. The result is a near silence about accountability for acts of terrorism such as the New Delhi bombing of November 10, 2025, and the heartbreaking loss of 15 lives. Is it impolite to ask whether there was an “intelligence failure” even with NATGRID in place?
The shock of 26/11 continues to haunt us, but we have mistaken the remedy. If we genuinely care about prevention, we need professional investigation insulated from political whims, transparency about intelligence lapses, and oversight vested within the parliamentary and the judiciary. Without these, NATGRID is an architecture of suspicion, built in the name of safety and normalised through fear, but functioning in the service of digital authoritarianism.
Apar Gupta is a lawyer and the founder director of the Internet Freedom Foundation
Published – January 08, 2026 12:16 am IST
