The new architecture of American entry screening

The U.S. is poised to become one of the most demanding Western democracies for entry screening, setting a new standard for governmental reach into the private digital lives of foreign nationals.

That is the unmistakable trajectory of a proposed Customs and Border Protection (CBP) information collection rule that would transform routine travel authorization into a sweeping personal data intake system, combining biometrics, social media histories, geolocation, device metadata, and detailed family-network information into a consolidated federal risk assessment pipeline.

Framed by CBP as a modernization effort, the notice instead marks one of the most consequential expansions of federal travel surveillance since the aftermath of 9/11, redrawing the line between border control and digital interrogation.

The proposal, published in the Federal Register, centers on a multistage overhaul of both the I-94 arrival and departure process and the Electronic System for Travel Authorization (ESTA), the mechanism used by millions of travelers from visa waiver countries each year.

On its surface, CBP casts the proposal as a routine update that is needed to strengthen identity verification and reduce fraud. But in practice, the changes will create a biometric-verified, device-linked analytical portrait of travelers before they ever set foot on U.S. soil.

The rules emerge from a pair of structural shifts underway inside the Department of Homeland Security (DHS): the migration of identity checks from documents to smartphones, and the incorporation of social, familial, and digital metadata into risk classification.

These shifts, taken together, represent a decisive turn toward treating every traveler as a data node in an expanding security graph.

Under the proposed information collection, ESTA applicants will no longer be able to apply through the long-standing web portal. CBP plans to decommission the website entirely and force migrants, tourists, and business travelers alike into the mobile app ecosystem where the agency will have standardized access to device-level information already embedded in modern identity verification tools.

The move is presented as a response to website-based photo uploads that have repeatedly defeated automated facial comparison checks, either because of poor image quality or deliberate manipulation.

CBP said it “continues to struggle with fraudulent third-party websites,” noting that “third-party fraudulent websites charge travelers exorbitant fees to process an application, where many of these applications may never be processed by CBP, resulting in a traveler being unable to board a U.S. bound plane.”

CBP also said “the ESTA website is unable to validate the authenticity of the passport through the certificates embedded on the electronic chip,” and that “bad actors exploit this vulnerability to apply for an ESTA.”

The agency said there have been “hundreds of fraudulent ESTAs created by facilitators to support visa applications. These facilitators uploaded fraudulent passport bio pages to obtain approved ESTAs. travelers then presented official ESTA printouts, falsely claiming the ESTA holder was a spouse, to strengthen their visa applications.”

Mobile applications, CBP argues, provide “superior identity verification” by extracting the passport photo directly from the NFC-enabled electronic chip, performing liveness detection through a live selfie and validating the passport’s cryptographic signatures.

These tools are not merely anti-fraud measures, they shift the traveler’s smartphone into a direct interface with DHS, reducing opportunities to bypass or game the system while vastly expanding the biometric and metadata signals available to CBP.

The transition also reconfigures the geography of risk screening. ESTA has traditionally been a pre-travel administrative form, but with the mobile only approach, CBP effectively enlists travelers into a remote biometric capture program.

A fingerprint, iris scan, selfie, or device authenticated passport read no longer occurs exclusively at a port of entry. Instead, CBP is constructing a distributed, transnational biometric border.

By the time a traveler arrives at a U.S. airport, the government may have already processed their face, cross-checked it against existing holdings, linked it to device data, validated their passport chip, and correlated their email history, phone identifiers, and social-media footprint.

The most controversial of the changes is the introduction of mandatory social media disclosure for ESTA applicants, accompanied by a suite of expanded “high-value data fields” that CBP seeks under the January 2025 executive order on foreign terrorist threats.

Social media identifiers for the past five years will be required, along with up to a decade of email addresses and a five-year history of telephone numbers. That dataset alone will give CBP the raw material to reconstruct long-range identity trajectories, relationship histories, and behavioral patterns.

But the rule goes further. It requests an extensive map of family relationships, including parents, spouses, siblings, and children, along with their birthdates, places of residence, and their own contact data histories.

Though framed as a security enhancement, the effect is unmistakable. CBP is transforming ESTA into an instrument for building social graphs that will enable analysts to infer risk through proximity, networks, and associations.

For foreign nationals who have grown accustomed to the relatively light pre-travel requirements of visa waiver programs in Europe, East Asia, and Oceania, the U.S. proposal is striking.

The rule has been described as a “digital dragnet” and a “sweeping intrusion” into personal life, with some calling it a backdoor vetting system modeled on the most invasive elements of visa issuance.

Privacy advocates argue that this marks a qualitative break from earlier attempts to collect social media information, which were typically applied only to visa applicants who expected a more involved screening process.

Applying such requirements to short-term travelers from trusted nations crosses a line many civil liberties organizations say should never have been approached.

What makes the new data fields particularly contentious is not simply their breadth, but their analytic potential. IP addresses from photo submissions reveal location traces and device-level connections.

Email histories allow DHS to reconstruct digital identities that predate or outlast specific passports or phone numbers. Family networks provide a basis for relational risk scoring, a capability increasingly central to counterterror and transnational crime models.

DNA, fingerprints, and iris scans – listed in the notice as biometrics to be collected “when feasible” – open the door to multimodal biometric profiling for categories of travelers who historically have never been asked for more than a passport number.

The scope of collection surpasses anything implemented by European border agencies, and privacy groups warn that it is edging toward security-state practices long criticized in authoritarian contexts.

The rule arrives at a moment when DHS is accelerating its shift toward automated, contactless, and AI-assisted traveler screening. The agency’s Voluntary Self-Reported Exit pilot, another element of the proposed changes, illustrates this evolution.

Under the pilot, a traveler leaving the U.S. can open the CBP Home mobile app, submit a live selfie, provide passport details, and enable geolocation services to confirm that they have departed. The data is matched against DHS holdings, and the system records a biometrically confirmed exit in the Arrival and Departure Information System.

This closes a long-standing gap in exit records at land borders, but it also normalizes the idea that travelers should document their movements to the government through their phones even after they have left U.S. territory.

CBP frames the feature as voluntary, but travelers who fail to generate a confirmed exit could complicate future entries, making the “optional” designation increasingly theoretical.

Civil rights group’s have been swift to challenge the proposal’s assumptions. The Electronic Frontier Foundation warns that forcing travelers to disclose social media histories risks chilling speech and incentivizing self-censorship, especially on political issues.

When enacted, the rule will cement a new identity paradigm for entering the United States. Travel authorization will no longer resemble a simple eligibility check; instead, it will become a gateway into a deep, federated evaluation of a traveler’s digital life, social relationships, and biometric signatures.

Article Topics

background checks  |  biometric identification  |  biometric liveness detection  |  biometric matching  |  border security  |  CBP  |  face biometrics  |  selfie biometrics  |  U.S. Government