Dec 10 2025

CBP wants all visitors to install and use its smartphone app

[Permissions requested by ESTA Android app. Why does CBP want to be able to control your flashlight?]

By a notice published today in the Federal Register, US Customs and Border Protection (CBP) is requesting approval not only to make all foreigners visiting the US without visas submit a comprehensive set of biometric identifiers (“face, fingerprint, DNA, and iris”) but to do so by installing and using a closed-source CBP smartphone app that requires permission to access Wi-Fi scanning and network data; take photos and video; access any fingerprint, iris scan, or other biometric sensors, and even turn on and off your flashlight.

Each visitor to the US under the Visa Waiver Program (VWP), for which the fee has recently been raised from $21 to $40 per person, would be required to submit, in advance, through this smartphone app, identifiers for all social media accounts they have used in the last five years.

Each visitor would also be required to submit what CBP calls “High Value Data Elements”. According to the notice:

The high value data fields include:

a. Telephone numbers used in the last five years;
b. Email addresses used in the last ten years;
c. IP addresses and metadata from electronically submitted photos;
d. Family member names (parents, spouse, siblings, children);
e. Family number telephone numbers used in the last five years;
f. Family member dates of birth;
g. Family member places of birth;
h. Family member residencies;
i. Biometrics—face, fingerprint, DNA, and iris;
j. Business telephone numbers used in the last five years;
k. Business email addresses used in the last ten years.

CBP thinks that the average visitor could compile and enter all of this data (typing on a smartphone) in 22 minutes, including the time needed to contact each of their siblings and children to find out their five-year history of addresses and phone numbers.

Welcome to the 2026 World Cup!

Applicants for US visas are already required to provide a much more extensive set of personal data, including biometrics and identifiers for all social media accounts they have used. So this proposal, if approved, would expand collection of biometrics, social media identifiers, and the additional “high value data elements” to almost all foreign visitors to the US, with or without visas. The only remaining exception, which CBP doesn’t mention, is for asylum seekers who may have no documents and who require no pre-approval.

We continue to oppose warrantless, suspicionless compelled disclosure of social media or biometric identifiers or other information as unconstitutional and a violation of the human rights of travelers. And we oppose any requirement to provide this information in advance, when it could be collected on arrival in the US, when visitors apply for admission.

The only reason for the US government to surveil and interrogate travelers before they arrive in the US is in order to try to control their departure from foreign countries. This is an impermissible assertion of extraterritorial jurisdiction, an attempt at prior restraint of the right to travel by common carrier, and an attempt to foreclose asylum claims before asylum seekers can leave a place of persecution or reach a place of potential sanctuary.

The notice from CBP is couched as a request for approval of a “collection of information”, which in most cases means approval of a printed form. But in this case, the “form” is the app, and only the app. There’s never been a paper ESTA application form.

CBP is proposing to discontinue the ESTA application website and require all ESTA applications to be submitted through the ESTA app on an Android or iOS device. So the “collection of information” for which approval is sought is synonymous with this app.

Full access to the app is thus essential to notice of the proposed information collection. Full review of the app is essential to informed comment on the proposal.

The notice in the Federal Register doesn’t include the source code of the app, or say how that can be obtained. As of now, only Google, Apple, and the US government really know what this app does. This makes the opportunity for “public comment” a sham.

To be clear, you don’t have to have a smartphone. You can use someone else’s device, as long as it meets the requirements for the app. But that does nothing to reduce the amount of data the app collects or sends to CBP. It just shifts the risk of data exfiltration onto someone else. And there are countries with their own dominant mobile app markets, where few devices have access to the Google Play Store or the Apple App Store.

What data does the app collect or read from the device or its sensors? What data does it send to CBP? How does it make decisions about which applications to approve? As of now, we don’t know.

No smartphone can collect DNA samples. It looks like CBP is asking for pre-approval of every type of data it might someday want to collect from or about visitors to the US, regardless of whether it has the ability to do so now or in the foreseeable future. That calls into question whether all of this information is really “necessary” for CBP’s mission.

We do know that the ESTA app doesn’t just collect information and pass it on to CBP. According to the notice, the app includes decision-making algorithms. CBP has delegated to the app the ability to make fully-automated but consequential decisions to deny some ESTA applications without human involvement:

The ESTA Mobile application provides superior identity verification methods, including liveness detection, facial recognition and Near Field Communication (NFC)-based passport scanning/electronic chip verification…. The current ESTA Mobile submission process includes retrieving biographic information and portrait photo from the e-Chip, matching the portrait with a live selfie via the CBP Traveler Verification Service (TVS), and auto-denying applications that fail Country Signing Certificate validation from the Traveler Document Authentication System.

What are the substantive and procedural criteria for “auto-denying” these applications? What notice is provided to an applicant who is “auto-denied” by the app, and what procedure is available for administrative appeal or judicial review of that denial? These are embodied only in the source code of the app, which has not been disclosed.

How can the applicant tell if that denial is arbitrary, capricious, an abuse of discretion, or otherwise contrary to law? Is it per se an abuse of discretion to delegate decisions on applications for admission to the US to an app, if the app decides your selfie isn’t “live”?

If your ESTA application is denied, you can still apply for a US visa. But that costs at least $185 in fees, plus many hours of time preparing your applications and a wait of weeks or months for a visa interview. If you have to travel to a distant US consulate for your interview, that could cost you hundreds of dollars. ESTA denial is not a trivial decision.

The ESTA app is available only (1) as a compiled, closed-source executable blob, (2) through the Google Play Store or the Apple App Store, which require agreement to Google or Apple’s license terms including granting Google or Apple root permissions on the device.

Granting a commercial third party root access to one’s device, or agreement to arbitrary conditions of a commercial third party, may not be made a condition of obtaining notice of a proposed government action. A “notice” available only on such arbitrary commercial terms fails to satisfy the requirements for “public” notice.

There are procedures by which documents can be incorporated by reference in Federal Register notices, if they are made available to the public in other ways, but CBP hasn’t followed those procedures with the ESTA app. We’ve written to the address in the CBP notice to request a copy of the source code for Android and iOS of the ESTA app.

Comments on the CBP proposal can be submitted by email to “CBP_PRA@cbp.dhs.gov” through February 9, 2025. Include “CBP, OMB Control No. 1651–0111” in the subject line.
