Thursday, March 05, 2009

Electronic System for Travel Authorization (ESTA) FAIL!

Since the beginning of this year the US government has required people visiting the USA to preregister their intent to travel via the Electronic System for Travel Authorization (ESTA). This is a website. This does not need to be done once per trip, but once every two years or so. I often travel to the USA at short notice so, reminded by a Facebook status, I decided to give registering a go. So the first thing I did was to use trusty Google to search for ESTA. Here is a screenshot of the results:

Question: Which link is the right one? Think carefully. It is obviously not the last one, but most people would probably go for the first sponsored link, and would get it wrong. It is in fact the fourth result (ignoring the sponsored links). The one titled welcome, with a domain of I missed it completely. It looks amateurish and as a result my brain passed it over. The page title did not say ESTA. Come on DHS, you could at least have the page title be Welcome to the Electronic System for Travel Authorization, maybe include the DHS abbreviation in there. FAIL number one.

Now look very carefully at the URL, note the HTTPS at the front. This shows they are taking security seriously, which is good, but I tried accessing using http, and instead of being redirected to https I got no response back. Most people typing the address in won't put HTTPS at the beginning, so I call this FAIL number two (note I am only suggesting point to, not any subpage).

FAIL number three though is amazing. When accessing the page I get the following JavaScript pop-up:

I suggest you read it closely. It says two things:

  1. The data you are submitting, don't expect us to keep it private. You give us the right to do what we want, don't expect data protection you weird European types.
  2. If you access this system and you are not allowed to, expect the FBI (or similar) to appear at your door with an arrest warrant.

The first I do not really have a problem with. I don't expect the data I hand over on the green I-94W to be private, and this is really no different.

The second is alarming. How do I know if I am authorized or not? This is FAIL number three. I get told I need authorization, but no one has told me whether I have authorization or not. I found a public website on the Internet, the official ESTA system, which I need to use to enter the USA, so I am probably authorized, but they have this big scary warning and often ignorance is no defence in a court of law. In fact, given the info you provide them when using this site, it would be very easy for them to pick you up if you are not authorized.

I wonder if I'm being too paranoid.

