In a February 9 submission, the Cybersecurity Coalition and FIDO Alliance raise concerns about the Department of Homeland Security’s proposed new data collection from travelers in the visa waiver program – to include five years of social media and multiple other new data elements, including DNA, iris scans, personal and business telephone numbers and emails from the past five years, and extensive details about family members.
Both the Cybersecurity Coalition and FIDO Alliance strongly support the underlying goal of robust screening and vetting to protect against national security and public security risks. But they warn that the proposed collections are excessive and overbroad, raise significant cybersecurity and related privacy concerns, and risk harming American competitiveness. The Coalition and the FIDO Alliance urge Customs and Border Protection to remove these requirements or, at a minimum, reevaluate the proposal to fully account for the significant burdens and risks imposed on American companies.
Cybersecurity Concerns
The proposed new collections include significant amounts of sensitive personal data, without any corresponding accounting for how that data will be stored, secured, or used. Of particular concern, the visa waiver program is a reciprocal program – requiring significant engagement with foreign partners to ensure they meet the specified criteria, to include the granting of “reciprocal privileges to citizens and nationals of the United States.”
There is a meaningful risk that, were the U.S. to move forward with the proposed new collections, partner countries would require equivalent reporting by U.S. citizens as a prerequisite to visa-free business and tourism travel. If adopted broadly, millions of Americans would be required to disclose what has, in the Department of Justice Rule on Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, been defined as “sensitive personal data,” and thus subject to a series of restrictions and prohibitions on international transfer, in order to protect against the “unacceptable risk to U.S. national security” that such data might be accessed by foreign countries and persons of concern.
Of particular concern, there is no guarantee that countries would store such data securely, place appropriate limits on its dissemination, and otherwise protect Americans from the significant surveillance concerns, misuse by cybercriminals for identity theft and other related crimes, and other security risks that could arise.
Moreover, even if foreign countries decline to follow suit, the data being sought by the proposed collection will undoubtedly also include Americans’ data – including private communications on closed social media accounts, and data about any American family members’ phone numbers, residences, and places of birth. This is a treasure trove of information for cyber criminals and foreign adversaries alike. But there is nothing in the proposal that specifies how the U.S. would secure the sought-after data, protect it from unwarranted intrusion, or otherwise ensure the security and privacy of travelers and their families.
Business and Competitiveness Concerns
This proposal is almost certain to have a chilling effect on international business travel, with negative repercussions for an American tech industry that relies on foreign markets, business partners, and workers.
A survey of international travelers from visa waiver countries (Australia, EU, Japan, South Korea, UK) conducted by the World Travel & Tourism Council indicated that over one third of those surveyed would be less likely to visit the U.S. due to this policy change. Those still willing to travel may be unwilling to participate in the visa waiver program – and instead be routed into the more time-consuming and unpredictable process of obtaining a visa.
This will harm American companies’ ability to bring business partners and international workers to the U.S. for key meetings, roundtables, and trainings. It is also likely to hurt recruitment of top talent in foreign countries – talent that is essential for effective global engagement. And it risks making American tech companies less competitive as a result.
The Coalition and the FIDO Alliance urge CBP to reevaluate this proposal and instead consider more targeted screening and vetting measures that account for the full set of security and business interests at stake.
