How a Federal Register notice is quietly transforming routine travel into comprehensive digital interrogation

Executive Summary

U.S. Customs and Border Protection has proposed the most invasive expansion of border surveillance since 9/11. The December 10, 2025 Federal Register notice (OMB Control Number 1651-0111) would transform the Electronic System for Travel Authorization (ESTA) from a simple visa-waiver application into a comprehensive digital dragnet affecting 14 million annual travelers from 42 countries.

The proposal isn’t just about collecting more data—it’s about constructing a biometric-verified, device-linked surveillance architecture that treats every traveler as a data node in an expanding federal security graph. Your DNA becomes permanent government property. Your social media history becomes pre-travel profiling material. Your family network becomes part of a permanent federal database with zero guaranteed safeguards against abuse, misuse, or breach.

What CBP Is Actually Proposing

Mandatory Data Collection Requirements

Under the proposed changes, ESTA applicants would be required to provide:

Biometric Data:

  • Facial images (mandatory selfies)
  • Fingerprints
  • Iris scans
  • DNA samples (listed as “high value data elements” to be collected “when feasible”)

Digital History:

  • Social media identifiers from the past 5 years (now mandatory, not optional)
  • Email addresses used in the past 10 years
  • Telephone numbers from the past 5 years
  • IP addresses associated with applications

Family Network Mapping:

  • Names, birthdates, and places of residence for parents, spouses, siblings, and children
  • Contact histories for family members
  • Extended relationship mapping

Technology Requirements:

  • Forced migration from web-based ESTA to mobile-only application
  • Mandatory use of CBP Home mobile app for departure confirmation
  • Geolocation tracking to verify exit from U.S.
  • Liveness detection software to prevent photo spoofing

The DNA Collection Framework

While CBP includes the qualifier “when feasible” for DNA collection, privacy advocates warn this is groundwork for future mandates. The federal government is explicitly stating its intent to collect DNA from travelers before the technology exists to do so conveniently.

Currently, no mobile device can collect DNA samples. But CBP’s proposal creates the regulatory framework to implement mandatory DNA collection the moment portable collection technology becomes available.

The Scale of the Surveillance Expansion

By The Numbers

  • 14 million annual ESTA travelers affected
  • 42 countries in the Visa Waiver Program targeted
  • 22 minutes estimated time to complete application (per CBP)
  • 5 years of social media history required
  • 10 years of email addresses demanded
  • 2.6 million+ DNA profiles already in CODIS database from immigration enforcement
  • 70 million+ annual visitors to U.S. potentially subject to expanded surveillance

What “High Value Data Elements” Really Means

The Federal Register notice describes DNA, face images, fingerprints, and iris scans as “high value data elements” without defining what makes them “valuable” or how they will be used beyond initial identity verification.

This vague terminology creates a blank check for future data usage. Once collected, this biometric data enters federal databases where it can be:

  • Searched by law enforcement without warrant
  • Shared across federal agencies
  • Retained indefinitely
  • Used for purposes not disclosed at collection
  • Integrated with other surveillance systems

Understanding Biometric Data Categories: For a comprehensive breakdown of how different biometric data types are collected, stored, and regulated across jurisdictions, see our Biometric Tracker which categorizes facial recognition, voice biometrics, DNA verification, and iris scanning technologies currently deployed worldwide.

The Technical Infrastructure Behind the Surveillance

Mobile-Only Applications: Control Through Design

CBP’s decision to decommission the ESTA website and force all applications through mobile apps isn’t about convenience—it’s about control and data extraction.

Mobile applications provide access to:

  • Device identifiers: IMEI, MAC addresses, device fingerprinting
  • Geolocation data: Continuous tracking capability
  • Biometric sensors: Camera, microphone access
  • Application metadata: Usage patterns, installed apps
  • Network information: WiFi networks, Bluetooth devices

The proposed system would use geolocation services to confirm travelers are outside the U.S. when reporting departure, creating a permanent record of international movements.

Liveness Detection and Facial Verification

The proposal requires “liveness detection” software to verify selfies are live photos rather than previously captured images. This technology:

  • Requires camera access during sensitive moments
  • Creates additional biometric data points
  • Enables real-time verification capabilities
  • Generates metadata about photo capture circumstances

The facial images are then compared against all facial images CBP already retains for that person, creating a comprehensive biometric identity profile.

Privacy and Security Concerns

Zero Data Protection Guarantees

CBP’s proposal contains no specific privacy protections, retention limits, or breach notification requirements for the vast amounts of sensitive data it plans to collect:

Data Retention:

  • No specified retention limits
  • DNA profiles added to CODIS are kept indefinitely
  • No automatic expungement provisions
  • No path to request data deletion

Understanding PII Classifications: Biometric data represents one of the most sensitive categories of Personally Identifiable Information (PII) under various U.S. state privacy laws. Our PII Compliance Navigator breaks down how different states classify biometric identifiers and the legal protections that should apply (but are absent from the CBP proposal).

Security Safeguards:

  • No encryption standards specified
  • No breach notification requirements
  • No independent auditing requirements
  • No penalties for misuse by officials

Access Controls:

  • Broad sharing with “law enforcement agencies”
  • Vague “routine use” provisions
  • No warrant requirements for searches
  • No restrictions on secondary uses

The Data Breach Reality

DHS has a documented history of data breaches affecting sensitive personal information:

Recent Breaches:

  • October 2025: FEMA/CBP breach exposed employee and contractor data
  • 2019: CBP subcontractor breach exposed facial recognition images of travelers
  • 2019: FEMA mistakenly shared banking and personal information of 2 million+ disaster survivors
  • 2025: Airlines Reporting Corporation secretly sold passenger data to CBP without consumer knowledge

For ongoing tracking of biometric and sensitive data breaches affecting government systems, see Breached.Company.

Once your DNA, biometric data, and digital history enter federal databases, they become permanent targets for:

  • Nation-state adversaries
  • Criminal organizations
  • Insider threats
  • Future policy changes

Unlike passwords, you cannot change your DNA. Unlike email addresses, you cannot abandon your biometric identifiers. A breach of this data creates permanent, irreversible harm.

The DNA Database Expansion

CBP’s proposal builds on an existing DNA collection program that has exploded since 2020:

Current DNA Collection:

  • 1.5+ million DNA profiles added to CODIS from immigration enforcement (2020-2024)
  • 5,000% increase in immigration-related DNA collection since 2020
  • 2.6+ million profiles now in CODIS detainee index
  • 133,000+ DNA samples from minors collected
  • 97% of DNA collected from people under civil (not criminal) authority

CODIS Integration Risks:

  • DNA data shared across all federal, state, and local law enforcement
  • No judicial oversight for immigration DNA collection
  • Profiles retained indefinitely
  • Used for purposes far beyond identity verification
  • Disproportionate impact on communities of color

Senator Ron Wyden warned in a July 2025 letter that the Trump administration’s DNA collection program “may undermine the constitutional rights of adults and children in the United States” and represents a “chilling expansion” that could “result in the over-policing of immigrant communities.”

Fourth Amendment Concerns

Legal experts argue the warrantless collection and indefinite retention of biometric data from travelers violates Fourth Amendment protections against unreasonable searches and seizures.

The Chavarria v. DHS lawsuit, filed days before the Federal Register notice, alleges:

  • Warrantless cellphone and laptop searches at borders
  • Prolonged retention of seized device data
  • Broad searching of personal information without probable cause

First Amendment Implications

Mandatory social media disclosure creates severe First Amendment concerns:

  • Chilling effect on free speech
  • Government surveillance of political beliefs
  • Potential for viewpoint discrimination
  • Pre-travel self-censorship

Travelers face impossible choices:

  • Delete years of social media history
  • Self-censor to avoid denial
  • Avoid U.S. travel entirely
  • Accept permanent government surveillance of political views

Privacy Act Violations

The Privacy Act of 1974 requires agencies to maintain records on individuals that are “relevant and necessary” to agency purposes. Critics argue:

  • 5 years of social media history is excessive
  • 10 years of email addresses exceeds necessity
  • DNA collection from tourists serves no legitimate immigration purpose
  • Family network mapping creates guilt by association

The Executive Order Connection

CBP frames this expansion as compliance with Executive Order 14161, “Protecting the United States From Foreign Terrorists and Other National Security and Public Safety Threats,” issued in January 2025.

This executive order directed DHS to:

  • Implement enhanced vetting standards
  • Collect additional information from visa applicants
  • Improve identity verification for foreign arrivals
  • Shift vetting from point-of-arrival to pre-travel screening

By tying the proposal to counter-terrorism, CBP attempts to bypass normal privacy analysis. However, the connection between collecting DNA from tourists and preventing terrorism remains unexplained.

International Implications and Precedent

GDPR Conflicts

The European Union has raised concerns about U.S. compliance with General Data Protection Regulation (GDPR) requirements. EU officials warn the proposal may:

  • Violate data minimization principles
  • Lack lawful basis for processing
  • Fail to provide adequate security measures
  • Conflict with EU citizen data rights

Global Surveillance Escalation

Privacy International warns that many governments follow the U.S. lead on border surveillance:

  • European Union’s Entry/Exit System (EES) requires biometric registration
  • Russia implemented social media identifier requests after U.S. pilot program
  • Countries worldwide are watching this proposal as potential model

If the U.S. implements DNA collection for visa-free travelers, other nations will likely follow, creating a global surveillance escalation that affects billions of travelers worldwide.

Similar Systems Already Deployed: Mexico’s mandatory Cédula Única de Identidad Digital (CUID) requires all citizens to submit fingerprints, iris scans, and photographs to a centralized government database. Australia’s Digital ID Act implements a three-tier biometric identification system. The CBP proposal follows this global pattern of governments demanding biometric submission as a condition of basic services.

Economic Impact on Tourism

Travel industry leaders warn the proposal will significantly damage U.S. tourism:

Current Tourism Challenges:

  • Overseas visitation already declining
  • 14 million ESTA travelers annually at risk
  • Major international events scheduled in U.S. (2026 FIFA World Cup, 2028 Olympics)

Expected Impacts:

  • Extended processing times for ESTA approvals
  • Increased denial rates from expanded vetting
  • Travelers choosing alternative destinations
  • Business travel disruption
  • Damage to U.S. reputation as welcoming destination

The mandatory 22-minute application (CBP’s own estimate) represents a significant barrier compared to the current streamlined process. Many travelers will simply choose destinations with less invasive requirements.

Technical Vulnerabilities and Abuse Vectors

System Architecture Risks

The proposed mobile-only system creates multiple attack vectors:

Application Security:

  • Mobile apps are frequent breach targets
  • No stated security standards for development
  • Update mechanisms create persistent vulnerability
  • Users forced to trust government-controlled software

Data Transmission:

  • Multiple collection points (device → CBP servers → federal databases)
  • Each transmission point is potential breach location
  • No end-to-end encryption requirements specified
  • Interstate and international data transfer risks

Database Integration:

  • Data flows to multiple federal systems
  • Integration with existing biometric databases
  • Sharing with “law enforcement agencies” (undefined scope)
  • No architectural security requirements

Insider Threat Scenarios

With millions of profiles containing sensitive biometric and personal data:

  • Corrupt officials could access data for personal gain
  • Harassment campaigns targeting specific individuals
  • Identity theft using complete biometric profiles
  • Blackmail using social media and family network information

CBP employee data was compromised in the 2025 FEMA/CBP breach, demonstrating that even those managing sensitive systems are not adequately protected.

Integration with Domestic Surveillance: The biometric data collected at borders doesn’t stay at borders. ICE’s Mobile Fortify app already allows agents to identify anyone domestically by pointing a smartphone at them, accessing the same CBP databases that will contain ESTA traveler biometrics. Border surveillance infrastructure inevitably becomes domestic surveillance infrastructure.

AI and Algorithmic Bias

The proposal implies use of automated systems for:

  • Social media content analysis
  • Risk assessment algorithms
  • Facial recognition matching
  • Behavioral pattern detection

These systems are known to have:

  • Higher error rates for people of color
  • Gender recognition biases
  • False positive problems
  • Unexplainable decision-making processes

Travelers may be denied entry based on opaque algorithmic assessments of their social media content, travel patterns, or family connections with no meaningful appeal process.

What This Means for You

If You’re Planning U.S. Travel

If these changes are implemented, you’ll need to:

  1. Conduct Digital Hygiene:
  • Review 5 years of social media posts for potentially problematic content
  • Document all email addresses used in past 10 years
  • List all phone numbers from past 5 years
  • Prepare family member information and contact histories

  2. Assess Your Risk:
  • Political activism or controversial posts may trigger denial
  • Family connections to certain countries may raise flags
  • Professional associations or travel history may be scrutinized
  • Social media content will be permanently associated with your biometric profile

  3. Consider Alternatives:
  • Choose destinations with less invasive requirements
  • Factor additional processing time into travel plans
  • Prepare for potential denial and lack of recourse
  • Evaluate if U.S. travel is worth the permanent surveillance record

If You’re a U.S. Citizen

Even if you’re not subject to ESTA requirements, this proposal affects you:

Mission Creep Concerns:

  • Today’s foreign visitor requirements become tomorrow’s domestic mandates
  • Surveillance infrastructure built for borders gets repurposed for internal use
  • Data collected on foreign visitors includes their U.S. contacts and associates
  • Your social connections to ESTA travelers create indirect surveillance

The Pattern of Expanding Surveillance: As documented in our analysis of global age verification systems, governments consistently expand surveillance measures beyond their stated purpose. What begins as “protecting children” or “border security” inevitably becomes comprehensive population monitoring. The UK’s Online Safety Act initially targeted age verification but now requires government IDs or biometric scans for vast categories of content.

Precedent Setting:

  • DNA collection normalization for government services
  • Mandatory social media disclosure as standard practice
  • Mobile device requirements for government interaction
  • Biometric identification as default authentication method

The Public Comment Period

CBP is accepting public comments until February 9, 2026. This 60-day period is your opportunity to influence the final rule.

How to Submit Comments

  • Email: CBP_PRA@cbp.dhs.gov
  • Subject Line: OMB Control Number 1651-0111
  • Requirements: Comments must be submitted in English

Effective Comment Content

Strong comments should:

  • Reference specific privacy concerns with legal basis
  • Cite constitutional issues (Fourth Amendment search concerns, First Amendment chilling effects)
  • Provide technical security analysis of proposed system
  • Document potential for abuse or misuse
  • Suggest alternative approaches that achieve security without surveillance
  • Include expert testimony or research citations
  • Explain personal impact and harm

What Happens After Comments

After the comment period closes:

  1. CBP reviews public comments
  2. Office of Management and Budget (OMB) approval required
  3. Final rule publication (if approved)
  4. Implementation timeline announced

Public pressure during the comment period can result in:

  • Modification of most invasive requirements
  • Addition of privacy safeguards
  • Narrowing of data collection scope
  • Complete withdrawal of proposal

Long-Term Implications

The Surveillance Infrastructure

This proposal isn’t just about collecting more data—it’s about building permanent surveillance infrastructure:

Technical Capabilities:

  • Real-time biometric verification systems
  • Comprehensive social media analysis platforms
  • Family network mapping and relationship graphs
  • Device-level tracking and monitoring
  • Integrated federal biometric databases

Institutional Power:

  • Normalized expectations of digital interrogation
  • Accepted precedent for invasive government data collection
  • Established legal frameworks for mandatory disclosure
  • Reduced privacy protections for travelers and citizens

The Ratchet Effect

Surveillance powers rarely contract—they only expand:

  • Today: Visa-free travelers
  • Tomorrow: All visa applicants
  • Eventually: Domestic travelers, government services, private sector requirements

Each expansion builds on the infrastructure, legal precedents, and normalized expectations of the previous expansion. Once DNA collection becomes standard for international travelers, the political and technical barriers to expanding it to other contexts fall away.

Technical Recommendations

For Individuals

If you must travel under this system:

Before Application:

  • Export and review all social media content from past 5 years
  • Document all email accounts and phone numbers
  • Prepare family member information
  • Screenshot account information for reference
  • Consider privacy-focused communication platforms for future

During Application:

  • Understand that submitted data is permanent
  • Assume all information will be shared broadly
  • Recognize no meaningful privacy protections exist
  • Document the application process
  • Keep copies of all submitted information

After Travel:

  • Assume permanent surveillance of your digital activities
  • Practice ongoing social media hygiene
  • Monitor for identity theft using biometric data
  • Document any unusual incidents at borders

For Organizations

Companies and organizations should:

Risk Assessment:

  • Evaluate necessity of U.S. travel for employees
  • Consider alternative meeting locations
  • Assess data exposure risks for key personnel
  • Factor surveillance implications into travel policies

Employee Protection:

  • Provide guidance on application requirements
  • Support employees uncomfortable with disclosure requirements
  • Offer alternatives to U.S. travel when possible
  • Document and report any retaliation or discrimination

Advocacy:

  • Submit organizational comments to CBP
  • Engage trade associations for collective response
  • Support privacy legislation efforts
  • Publicize privacy concerns to customers and stakeholders

Conclusion: The Choice Before Us

CBP’s proposal represents a fundamental choice about the kind of society we want to be:

Option 1: Accept that international travel requires surrendering your genetic information, social media history, and family network to permanent government databases with no safeguards, no limits, and no recourse.

Option 2: Demand that border security measures respect constitutional rights, incorporate meaningful privacy protections, and maintain proportionality between security goals and individual liberty.

The threat is real. Your DNA will become state property. Your social media becomes pre-travel profiling material. Your family connections become permanent surveillance targets. And there are zero guaranteed safeguards against abuse, misuse, or catastrophic data breaches.

This isn’t security theater—it’s surveillance infrastructure. The difference matters.


Take Action

  1. Submit a Public Comment by February 9, 2026 to CBP_PRA@cbp.dhs.gov
  2. Contact Your Representatives and demand congressional oversight
  3. Support Privacy Organizations challenging overreach through legal action
  4. Spread Awareness about the scope and implications of this proposal
  5. Plan Accordingly for either compliance with or alternatives to U.S. travel

The 60-day comment period is not just procedural—it’s your opportunity to be heard before this becomes permanent reality.


Additional Resources

Official Sources:

  • Federal Register Notice: FR Doc. 2025-22461 (December 10, 2025)
  • Executive Order 14161: “Protecting the United States From Foreign Terrorists and Other National Security and Public Safety Threats”
  • Georgetown Law Report: “Raiding the Genome: How the United States Government Is Abusing Its Immigration Powers to Amass DNA for Future Policing”
  • Privacy International: Analysis of border surveillance expansion
  • ACLU: Constitutional challenges to warrantless border searches
  • Electronic Frontier Foundation: Biometric surveillance concerns

Citations and Technical References

All claims in this article are based on:

  • Official Federal Register notices and CBP documentation
  • Court filings including Chavarria v. DHS
  • Congressional testimony and oversight letters
  • Privacy impact assessments from DHS
  • Academic research on biometric surveillance
  • Investigative journalism from 404 Media and other outlets
  • Privacy organization reports and legal analysis

This article reflects analysis current as of December 2025. Check official sources for the most recent developments.