Coming to America: The Government Wants to See Your Emails

This post is part of a running blog series on surveillance and data protection risks that non-U.S. citizens face when visiting or engaging with the United States. It is intended to clearly explain risks and identify invasive government practices.

At a time when foreign travelers to the United States are already (understandably) nervous about the government’s treatment of non-citizens, a new surveillance initiative is likely to raise even more alarms for travelers. On December 10, 2025, U.S. Customs and Border Protection (CBP) published a notice for comment regarding changes to the Electronic System for Travel Authorization (ESTA). The changes to the ESTA form were prompted by Executive Order 14161 that calls for enhanced vetting and screening of foreigners coming to America as well as foreigners already in America. Now CBP is looking to collect years of email addresses and phone numbers from applicants, which may just seem like an annoying and tedious task but in reality, is disturbingly intrusive.

The Electronic System for Travel Authorization is an application that CBP uses to determine if someone is eligible to travel to the United States for tourism or business purposes under the Visa Waiver Program (VWP). Under the VWP, citizens of certain countries can travel to the U.S. without obtaining a Visa, but to do so the potential traveler must complete a travel authorization form and have it approved by Customs and Border Protection. The eligible countries for the VWP include the following countries at the time of this writing:

In addition to border authorities now requiring applicants to provide five years of social media history, the agency is also adding “high value data elements” that it will collect in the travel authorization form. These include personal, business, and family member telephone numbers the applicant has used in the past five years as well as personal and business email addresses the applicant has used in the past ten years. This is not only a major headache and hassle for travelers seeking to visit the U.S. but could expose them to more invasive surveillance.

To understand how potentially intrusive collecting emails and phone numbers going back years could be, you must understand Section 702 of Foreign Intelligence Surveillance Act (FISA) and the changes that were made the last time it was reauthorized in 2024. Section 702 of FISA was added through the FISA Amendments Act of 2008. It allows the Attorney General and the Director of National Intelligence to authorize together “the targeting of non-U.S. persons reasonably believed to be located outside the United States to acquire foreign intelligence information.”[1]

Under section 702 of FISA, the U.S. Government conducts wide-scale collection of communications from abroad to come through phone, emails, and other records.  Although the Foreign Intelligence Surveillance Court (FISC) oversees Section 702 surveillance, the court does not approve individual targets. Instead, the Attorney General and Director of National Intelligence jointly submit an annual “certification” to the FISC attesting that the substantial purpose of the surveillance is to acquire foreign intelligence information and that acquisition of this intelligence complies with statutory limitations.

The Court’s approval of the certification allows the Government to collect communications data from internet and telephone providers based on phone numbers, emails, and other identifiers. Additionally, the FISC is provided with the targeting and minimization procedures. The targeting procedures detail how the government determines a target is a non-U.S. person outside the U.S. with foreign intelligence value and that targeting this person will produce foreign intelligence. The minimization procedures outline how agencies use, retain, and disseminate the information acquired through Section 702 surveillance.

FISC approval of these procedures allows the government to compel cooperation from U.S. service providers like AT&T and Verizon in acquiring communications and task these providers with collecting communications for selectors like emails and phone numbers. To understand just how broad section 702 surveillance can be, it important to understand that although the targets of the surveillance are “persons” that is not necessarily referencing individuals. When the government targets a “person” under Section 702 that could mean not only an individual but “any group, entity, association, corporation, or foreign power.” Consequently, if the target is a foreign corporation, for example, the selectors could be all the emails and phone numbers that corporation uses. Larger targets like corporations or a foreign government increase the chances that communications from ESTA applicants are caught up in 702 surveillance.

Section 702 surveillance collects vast amounts of communications and the reauthorization of Section 702 by Congress in 2024 with the passage of the Reforming Intelligence and Securing America Act (RISAA) expanded how the government can use that data. Specifically, section 702 data can now be used to vet “all non-United States persons who are being processed for travel to the United States using terms that do not qualify as United States person query terms under the Act.” In other words, the U.S. Government can search the vast amounts of private communications it collects under Section 702 for the communications of ESTA applicants using the provided phone numbers and email addresses as the search queries.

This is an extremely invasive and should be of concern to anyone trying to travel to the U.S. Especially since the Executive Order that prompted this change to ESTA calls for screening for the poorly defined phrases like “hateful ideology” and “hostile attitudes” which have been used to go after people for their political views. Rumeysa Ozturk, a Tufts University student, had her student visa revoked and was arrested last year for opinion piece she co-authored criticizing Tufts University’s response to Tufts student body senate resolutions to, among other things, recognize the genocide in Gaza. Mahmoud Khalil, a pro-Palestinian activist, had his green card revoked and was arrested by the Trump administration for deportation after leading Gaza solidarity protests.

It is unfortunately completely reasonable to wonder if the current administration will use similar political speech it finds in communications collected under Section 702 as a basis to deny ESTA applications even if that communication has no bearing on whether the applicant poses a law enforcement or security risk.

---

[1] 50 U.S.C. § 1881a(a).