Strengthening Security of the VWP through Enhancements to ESTA
The Secure Travel and Counterterrorism Partnership Act of 2007 (part of the Implementing Recommendations of the 9/11 Commission Act of 2007, also known as the “9/11 Act”) (Pub. L. No. 110-53) amended Section 217 of the Immigration and Nationality Act, requiring that the Department of Homeland Security (DHS) implement an electronic travel authorization system and other measures to enhance the security of the Visa Waiver Program (VWP). On August 1, 2008, DHS implemented the Electronic System for Travel Authorization (ESTA), adding a significant layer of security to the VWP by enabling U.S Customs and Border Protection (CBP) to conduct security vetting of prospective VWP travelers to determine if they pose a law enforcement or security risk before they board aircraft destined for the United States.
Although the U.S. Government does not currently have any credible information that the Islamic State in Iraq and the Levant (ISIL) or other Syria-based terrorist groups are planning imminent attacks against the United States, we do know that a significant number of foreign fighters have traveled to Syria over the past three years, including citizens from the United States and Europe. Many of these foreign fighters have joined ISIL’s and other terrorist groups’ ranks and there are significant concerns that these groups may use these fighters to conduct external attacks. These foreign fighters are likely to gain experience and training from the Syria-based groups and eventually may return to their own countries battle-hardened and further radicalized. Many of these fighters may possess valid European and U.S. passports or travel documents, and pose a potential threat for committing terrorist attacks in Europe or the United States.
ESTA has been a highly effective security and vetting tool that has enabled DHS to deny travel under the VWP to thousands of prospective travelers who pose a risk to the United States. Since program inception in August 2008, CBP has approved millions of ESTA applications, but has denied over 4,300 ESTA applications as a result of vetting against the U.S. Government’s known/suspected terrorist watchlist. During that same period of time, CBP has also denied over 22,500 ESTA applications for individuals who applied for an ESTA using a passport that had been reported as lost or stolen. As part of our commitment to preventing terrorist attacks here in the homeland and to strengthening border and immigration security, DHS has been carefully evaluating options for further strengthening the security of the VWP, to include enhancements to ESTA that would bolster CBP’s ability to identify potential security threats.
In response to increasing concerns regarding foreign fighters, the Department of Homeland Security (DHS) is strengthening the security of the Visa Waiver Program (VWP) through enhancements to ESTA. These improvements are designed to address the immediate foreign fighter threat, provide an additional layer of enduring security for the VWP and facilitate visa-free travel to the United States. DHS has determined that ESTA enhancements will improve the Department’s ability to screen prospective VWP travelers and more accurately and effectively identify those who pose a security risk to the United States. DHS also believes enhancements to ESTA will help the Department facilitate adjudication of ESTA applications. By requiring ESTA applicants to provide additional information, DHS will enhance its ability to identify ESTA applicants on the terrorist watchlist and therefore reduce the number of inconclusive matches that currently result in an ESTA denial, requiring the applicant to apply for a visa for travel to the United States.
ESTA is a web-based application and screening system used to determine whether certain aliens are eligible to travel to the United States under the VWP. As stated in the ESTA Privacy Impact Assessment Update dated June 5, 2013, DHS has entered a Memorandum of Agreement with the National Counterterrorism Center (NCTC) that permits NCTC to use ESTA information to facilitate NCTC’s counterterrorism efforts and helps to ensure travel authorizations are not issued to individuals who pose a threat to national security.
No single data element by itself enhances ESTA to address the foreign fighter threat. It is the combined totality of existing and new ESTA data elements that will help the U.S. Government mitigate the foreign fighter threat and facilitate lawful travel under the VWP. All ESTA data elements will help DHS adjudicate applications and, in many cases, enable DHS to distinguish between lawful applicants and individuals of concern.
Why is it necessary to expand the amount of ESTA information being collected from VWP travelers?
DHS is committed to protecting the United States by ensuring that ESTA adapts to meet evolving threats. The current ESTA application has been in operation for six years, and DHS has determined that the additional data requested will enhance our ability to more accurately screen and identify potential security risks.
DHS is concerned about the risks posed by the situation in Syria and Iraq, where increasing instability has attracted thousands of foreign fighters, including many from VWP countries. Such individuals could travel to the United States for operational purposes on their own or at the behest of violent extremist groups in Syria.
- We have already observed cases in which individuals traveled from Syria to Europe and carried out attacks, most notably a shooting at a museum in Belgium in late May, 2014. We have also seen several public threats to attack the United States and the West in response to our involvement in Iraq.
- The additional ESTA data fields will improve our ability to identify threats to the United States, as well as known or suspected terrorists seeking to travel to the United States.
- By expanding the data fields, DHS will be better positioned to verify identifies, limiting the number of rejections that result in applicants having to go through the visa process.
How does this improve the security of the Visa Waiver Program?
Since the terrorist attacks on September 11, 2001, the VWP has evolved from a travel facilitation program concerned about the threat of economic migration to one with more robust security standards that are designed to prevent terrorists and other criminal actors from exploiting visa-free travel. On August 1, 2008, DHS implemented the Electronic System for Travel Authorization (ESTA), adding a significant layer of security to the VWP by enabling U.S Customs and Border Protection (CBP) to conduct security vetting of prospective VWP travelers to determine if they pose a law enforcement or security risk before they board aircraft destined for the United States.
ESTA has been a highly effective security and vetting tool that has enabled DHS to deny travel under the VWP to thousands of prospective travelers who pose a risk to the United States. Since program inception in August 2008, CBP has approved millions of ESTA applications, but has denied over 4,300 ESTA applications as a result of vetting against the U.S. Government’s known/suspected terrorist watchlist. During that same period of time, CBP has also denied over 22,500 ESTA applications for individuals who applied for an ESTA using a passport that had been reported as lost or stolen.
DHS continuously seeks to improve its ability to identify prospective travelers to the United States about whom derogatory information exists, but about whom there is currently insufficient information to identify them before they initiate an attack. In some cases, the U.S. government has only fragmentary or partial information about the identity of a terrorist operative, so having additional information is vital to DHS screening and vetting authorities.
For example, during one counterterrorism investigation, the discovery of a telephone number linked to the 2010 Times Square bomber’s vehicle purchase after the failed attack led to the identification of the perpetrator. Comparing that telephone number against travel information enabled law enforcement to identify the operative, prevent him from fleeing the country, and arrest him.
The ESTA enhancements are designed to address the immediate foreign fighter threat and to provide an additional layer of enduring security for the VWP and facilitate visa free travel to the United States.
What are the additional ESTA questions that are being added to the ESTA application?
The additional questions are:
- Other Names/Aliases or Other Citizenships
- Parents name(s)
- National Identification Number (if applicable)
- Contact information (email, phone, points of contact)
- Employment information (if applicable)
- City of Birth
Will this change discourage legitimate foreign national travelers?
DHS is committed to facilitating legitimate trade and travel while maintaining the highest standards of security and border protection. Requirements for travel to the United States have increased, especially since September 11, 2001, to enhance the security at the U.S. borders; however, the flow of goods and visitors into the United States continues to grow each year.
By adding these additional questions, won’t ESTA now be the equivalent of an electronic visa?
No. The requirements for a nonimmigrant visitor (B1/B2) visa are different under U.S. statute and more complex than the requirements for an ESTA. Applicants for a B1/B2 visa must complete a visa application (DS-160) and interview with a United States Department of State consular officer. Part of the application process requires the applicant to submit their biometric information in advance of travel, and provide additional biographic information as required. These requirements do not exist for VWP travelers and will not exist with the addition of new ESTA questions.
We have heard the concerns about the citizens of European countries traveling to Syria and Iraq to fight alongside the terrorists and who might then try to travel to the United States without a visa. However, the same threat does not exist at this time from citizens of most VWP countries that are outside of Western Europe. Why should citizens of these other VWP countries have to answer any additional questions if they pose little or no threat in terms of terrorist travel or aviation security?
DHS manages a VWP with uniform and high security standards, therefore any general changes to the Program’s requirements must apply to all countries. DHS and all VWP countries have a joint stake in identifying foreign fighters due to common security interests. After the passage of the Secure Travel and Counterterrorism Partnership Act of 2007, for example, all VWP countries—regardless their size or geographic location—were required to comply with the law’s information sharing requirements. The ESTA program is designed to be a consistent non-discriminatory mechanism applicable to all VWP travelers regardless of their passport or country of citizenship. Furthermore, the nationals of many countries from many parts of the world have joined terrorist groups and terrorism has threatened countries in all parts of the world.
Even with these additional ESTA questions, does the VWP represent a security vulnerability?
No. Countries that participate in the VWP are required to have a high degree of security cooperation with the United States; sign information sharing agreements regarding known, suspected or potential terrorists and serious criminals; report lost and stolen passport (LASP) data to the United States; and issue International Civil Aviation Organization-compliant e-passports. VWP countries are also subject to biennial eligibility reviews, which provide DHS with the opportunity to conduct broad and consequential inspections of foreign security standards and operations, and verify the level of law enforcement and counterterrorism cooperation with the United States. The Director of National Intelligence is required to complete an intelligence assessment to support each eligibility review conducted by DHS.
VWP travelers must obtain approval through the Electronic System for Travel Authorization (ESTA) prior to commencing VWP travel to the United States. ESTA continuously vets applicants’ biographic information against the Terrorist Screening Database (TSDB); lost and stolen passport records (including INTERPOL’s Stolen and Lost Travel Documents [SLTD]); visa revocations; previous VWP refusals; expedited removals; and Public Health records, e.g., records from the Centers for Disease Control and Prevention for persons who have a communicable disease constituting a public health threat.
Will the ESTA fee increase with these changes?
There is no plan to increase the ESTA fee when the changes take effect.
Will DHS reduce the number of elements once the threat has passed?
DHS will remain agile and ready to adapt to evolving situations. It is possible that DHS will make further changes to the collection of data in the future.
How do additional data elements provide additional security?
The additional information that is collected will enable DHS to use ESTA data to better identify potentially high-risk travelers who may pose a threat to the United States from VWP countries.
Why is DHS doing this under a Paperwork Reduction Act and not a regulation?
The relevant regulatory provision does not list the specific data elements that VWP travelers must provide in order to obtain an ESTA. Instead, the regulation states that “ESTA will collect such information as the Secretary [of Homeland Security] deems necessary to issue a travel authorization, as reflected by the I-94W Nonimmigrant Alien Arrival/Departure Form (I-94W).” Since there are no data elements listed in the regulation, there is no need to update the regulation. The revisions to the ESTA data elements fall under the Paperwork Reduction Act since DHS is amending an information collection (Form I-94W) and not amending a regulation.
I have a valid, approved ESTA application. Do I need to update my application or submit a new one?
No, individuals with a current and valid ESTA do not need to reapply. However, upon the expiration of that ESTA or expiration of the passport a new ESTA with the new data fields will be required for any future travel under the VWP.
How will this information be used?
DHS will handle the new information in the same manner as other information collected through ESTA - through the System of Record Notice (SORN) and Privacy Impact Assessment (PIA). As before, DHS will screen intending VWP travelers to determine their eligibility to travel to the United States under the VWP. The additional questions will improve DHS’s ability to identify individuals with links to terrorist activities, and the additional data fields will make DHS screening more accurate, enhance our ability to conduct identity resolution, and help DHS pinpoint security threats.
Will DHS disclose the new ESTA information outside DHS?
The information collected by and maintained in ESTA may be used by other components of DHS on a need-to-know basis consistent with the component's mission.
Under current agreements between DHS and the Department of State (DOS), information submitted during an ESTA application may be shared with consular officers of DOS to assist them in determining whether a visa should be issued to an applicant after a travel authorization application has been denied.
Information may be shared with appropriate federal, state, local, tribal, and foreign governmental agencies or multilateral governmental organizations responsible for investigating or prosecuting the violations of, or for enforcing or implementing, a statute, rule, regulation, order or license, or where DHS believes information would assist enforcement of civil or criminal laws.
Additionally, information may be shared when DHS reasonably believes such use is to assist in anti-terrorism efforts or intelligence gathering related to national or international security or transnational crime. All sharing will remain consistent with the Privacy Act System of Records Notice, which was published in the Federal Register on October 3, 2014 and is available on the DHS Web site.
Although carriers will not receive the ESTA application information that travelers provide to DHS, they will receive confirmation of a passenger's ESTA status via the Advance Passenger Information System (APIS) indicating whether an ESTA is required and whether authorization has been granted.
How long will DHS retain the data generated from these additional ESTA questions?
The data retention period remains unchanged. ESTA application data remains active for the period of time that the approved ESTA is valid, which is generally two years, or until the traveler’s passport expires, whichever comes first. DHS then maintains this information for an additional year after which it is archived for twelve years – with further limited access – to allow retrieval of the information for law enforcement, national security, or investigatory purposes. These policies are consistent with both DHS Customs and Border Protection’s (CBP) search authority and with the border security mission mandated for CBP by Congress. Data linked to active law enforcement lookout records, CBP matches to enforcement activities, and/or investigations or cases, including applications for ESTAs that are denied, will remain accessible for the life of the law enforcement activities to which they are related.
How will this information be safeguarded?
Information submitted by applicants through the ESTA Web site will continue to be subject to the same strict privacy provisions, use limitations, and access controls that have been established for similar traveler screening programs.
With the additional questions, will it now take longer for a VWP traveler’s ESTA to be approved?
DHS does not anticipate any delays in processing ESTA applications after the new questions are added.
Will my ESTA be denied if I leave a mandatory field blank?
All mandatory fields must be completed. If erroneous information is entered this will not result in an automatic denial, but it may require manual adjudication (therefore additional time) prior to CBP providing a response back to the applicant. DHS has included flexibility in the ESTA application process to account for circumstances where applicants may not know the answer to a question or may not have information readily available to answer specific questions. For example, some applicants may not know have a U.S. point of contact, and the applicant may complete that mandatory question by answering “unknown.”