This week, media and travellers are reacting to a new US proposal that would greatly expand the data the US collects from applicants under the ESTA Visa waiver program. In this post, I delve into what it means for those of us who use visa‑waiver travel to go to the USA. It is important to note that at this stage, it is still only a draft, and nothing has changed for actual travel yet.
When I first went to the USA in the “olden days” I needed a visa.
In those young backpacking years, there were no calls home! I had cash and travellers’ cheques, paper airline tickets, and bought postcards! No social media, no email, no mobile phones.
Now I feel old!
My Shift from Visas to ESTA
In 1996, the USA formally added Australia to the Visa Waiver (then “Visa Waiver Pilot”) Program, meaning that as an Australian citizen, I have been able to visit the US for business or tourism for up to 90 days without obtaining a visitor visa first. From 2009, the requirement to get an online ESTA approval before boarding a flight (or cruise) to the US was added. I have had a few ESTAs in my life now. Each ESTA lasts for 2 years (or until my passport expires) and allows me to make multiple trips to the US, as long as each stay is no longer than 90 days.
A Quick Explanation of Visas, Visa Waivers etc
Let me divert here with some brief background. A traditional visa is formal permission placed in a passport after an application to a consulate, sometimes with an interview and supporting documents. This year I visited Brazil and last year Chile and had to apply for visas for both.
Some countries require a visa but make it easy to get one on arrival. When I travel to Indonesia or Laos, I can get a visa at the air or land border. A “visa‑free” or visa‑waiver arrangement lets eligible passport‑holders visit without that consular visa. Finally, an e‑visa is simply a visa you apply for and receive online before travel, instead of as a sticker in your passport or at the border.
As an Australian I can enter around 140 countries without a visa. I also have access to around 56 e-visas and 18 visas on arrival. I need a visa for 33 countries.
The new US Government proposal
Under the draft filed by US Customs and Border Protection (CBP) and the Department of Homeland Security, there are four major changes:
1. ESTA applications to be via mobile app
CBP plans to shut down the ESTA web application and require all new ESTA applications to be submitted only through the ESTA Mobile app. The website will remain for information and status checks but not for filing applications.
2. Upload a live selfie and have the app read your passport’s chip
The mobile app process will require a live selfie and use the phone to read the e‑passport chip, allowing facial recognition, and chip‑certificate checks. The CBP says these are needed because static photo uploads on the website have been exploited with poor‑quality or fraudulent images.
3. Provide 5 years of Social Media Handles
ESTA applicants will have to list all social media identifiers used in the five years prior to application (usernames/handles on platforms such as Facebook, Instagram, X/Twitter, TikTok, LinkedIn, etc.)
4. Collection of “High‑value” data and risk scoring
In the Federal Register notice, CBP also lists a set of “high‑value data fields” it wants to add to ESTA, n stages as they become feasible, including:
- a. Telephone numbers used in the last five years;
- b. Email addresses used in the last ten years;
- c. IP addresses and metadata from electronically submitted photos;
- d. Family member names (parents, spouse, siblings, children);
- e. Family member telephone numbers used in the last five years;
- f. Family member dates of birth;
- g. Family member places of birth;
- h. Family member residencies;
- i. Biometrics—face, fingerprint, DNA, and iris;
- j. Business telephone numbers used in the last five years;
- k. Business email addresses used in the last ten years.
I notice that most coverage has focused on items a and b, with much less discussion of points c. through k.
Artificial Intelligence (AI systems) will scan the social media handles, phone numbers, and email addresses to compare them against watchlists and databases. They will check for warning indications, such as posts saying someone is looking for a job in the U.S., or has links to extremist or criminal activities. A more thorough manual examination will be done on those identified by the AI to be high risk.
The Department of Homeland Security (DHS) and U.S. Customs and Border Protection (CBP) say that the extra information will help confirm identities, find false information (such as differences in historical contact details), and “recognise potential security concerns.”
NB image on the right generated by AI
Which countries will be affected
There are 42–43 countries allowed access to the ESTA program including most European nations plus Australia, New Zealand, Japan, South Korea, Singapore, Israel, Chile and Qatar. One other change is that Romania has been removed from the Visa Waiver Program (VWP).
Travellers who need a regular US visa already undergo separate data collection via consulates. It is likely they will need to provide similar information.
Process and timeline
The notice has been published in the US Federal Register as a proposed revision to the existing ESTA information collection. This automatically triggers a public comment period for submissions from the public, advocacy groups etc. There is 60‑day window from 10 December 2025 until 9 February 2026 to submit comments.
After the comment period, CBP will review submissions and then decide whether to proceed, amend or drop the proposal. The consensus is that it will progress. If/when adopted, implementation would likely start from around April/May 2026 with an expected effective date of mid‑2026. Until that happens, ESTA questions and requirements remain as they are today.
What happens to current ESTA holders
The proposal talks about changing the application data fields going forward, not retroactively. The assumption is that travellers with a currently valid ESTA issued before the effective date would not be forced to log back in and add historic social‑media, phone or email information during the remaining validity. Instead, the new mandatory fields would appear when someone next applies (for example, when their existing ESTA expires or if they need to re‑apply because of a new passport). As always, travellers must still comply with any new rules that are in force on the date they submit a fresh application
Responses so far
Many civil liberties and privacy groups warn that the proposal effectively creates long‑term “travel dossiers” on millions of ordinary tourists by tying years of social‑media history to highly granular personal and technical data such as past phone numbers, email accounts and family contacts.
The U.S. Travel Association warned in a December 11 statement that requiring social-media disclosures could drive high-spending European and Australian tourists to competing destinations.
Implications
To my mind, this latest US proposal moves ESTA from a relatively light pre‑travel check toward deeper background and association screening, making it feel far more “visa‑like” for ordinary tourists, even though the underlying legal classification and 90‑day short‑stay limits would technically stay the same. This is part of a broader trend: my passport allows me visa‑free entry to many countries, but increasingly I am filling out more and more forms that are getting more and more detailed.
What do travellers to the US need to do?
If you expect to travel in the next two years, the suggestion is to applying or renewing ESTA before any new requirements start, because approvals issued under the old form should remain valid for their normal two‑year life.
If you have strong views either way, you can take now submit a public comment or suggestion in English on the Federal Register notice before the 9 February 2026 deadline via an email to: CBP_PRA@cbp.dhs.gov with “OMB Control Number 1651‑0111 – U.S. Customs and Border Protection (CBP)” in the subject line.
Leave a Reply