Esta Pia

Privacy Impact Assessment Update
for the

Electronic System for Travel
Authorization (ESTA)
DHS/CBP/PIA-007(e)
February 4, 2016
Contact Point
Suzanne Shepherd
Director - ESTA
U.S. Customs and Border Protection
(202) 344-3710
Reviewing Official
Karen L. Neuman
Chief Privacy Officer
Department of Homeland Security
(202) 343-1717

Privacy Impact Assessment Update
DHS/CBP/PIA-007(e) ESTA
Page 1

Abstract
The Electronic System for Travel Authorization (ESTA) is a web-based application and
screening system used to determine whether certain foreign nationals are eligible to travel to the
United States under the Visa Waiver Program (VWP). The U.S. Department of Homeland
Security (DHS), U.S. Customs and Border Protection (CBP) is publishing this update to the
Privacy Impact Assessment (PIA) for ESTA, last updated on November 3, 2014, to provide
notice and privacy risk analysis of enhancements to the ESTA application questionnaire and
expansion of the ESTA application data elements in accordance with the requirements of the
Visa Waiver Program Improvement and Terrorist Travel Prevention Act of 2015.

Overview
In the wake of the terrorist attack on the Nation on September 11, 2001, Congress
enacted the Implementing Recommendations of the 9/11 Commission Act of 2007. 1 Section 711
of that Act sought to address the security vulnerabilities associated with Visa Waiver Program
(VWP) travelers who are not subject to the same degree of screening as other international
visitors to the United States. As a result, section 711 required CBP to develop and implement a
fully automated electronic travel authorization system to collect biographic and other
information necessary to evaluate the security risks and eligibility of an applicant to travel to the
United States under the VWP. The VWP is a travel facilitation program with robust security
standards designed to prevent terrorists and other criminal actors from exploiting the VWP to
enter the country.
ESTA is a web-based system designed to determine foreign nationals’ eligibility to travel
to the United States under the VWP. Applicants use the ESTA website to submit biographic
information and respond to questions related to an applicant’s eligibility to travel under the
VWP. ESTA information is necessary to issue a travel authorization, consistent with the
requirements of the Form I-94W. 2 A VWP traveler who intends to arrive at a U.S. air or sea port
of entry must obtain an approved travel authorization via the ESTA website prior to boarding a
carrier bound for the United States. The ESTA program allows CBP to eliminate the requirement
that VWP travelers complete a Form I-94W prior to being admitted to the United States via an
air or sea port of entry because the ESTA application electronically captures duplicate
biographical and travel data elements collected on the paper Form I-94W.

1

Pub. L. 110-53, codified at 8 U.S.C. § 1187(a)(11), (h)(3), available at, http://www.gpo.gov/fdsys/pkg/PLAW110publ53/html/PLAW-110publ53.htm.
2
See 8 CFR § 217.5(c). The Form I-94W must be completed by all nonimmigrant visitors not in possession of a
visitor’s visa, who are nationals of one of the VWP countries enumerated in 8 CFR § 217.

Privacy Impact Assessment Update
DHS/CBP/PIA-007(e) ESTA
Page 2

Reason for the PIA Update
In accordance with the requirements of the Visa Waiver Program Improvement and
Terrorist Travel Prevention Act of 2015, 3 CBP is addressing the new eligibility requirements
established by the Act and strengthening the security of the VWP to appropriately meet the
current threat environment. The Act generally makes certain nationals of VWP countries
ineligible (with some exceptions) from traveling to the United States under the VWP if the
applicant is also a national of, or at any time on or after March 1, 2011, has been present in Iraq,
Syria, a designated state sponsor of terrorism (currently Iran, Sudan, and Syria), or any other
country or area of concern as designated by the Secretary of Homeland Security. CBP has
determined that the ESTA application and Form I-94W enhancements will help the Department
remain compliant with its legal requirements. Furthermore, the enhancements will allow the
VWP to adapt to the heightened threat environment due to the continued increase in the number
of foreign fighters from VWP countries participating in the Syria and Iraq conflicts. Specifically,
CBP is amending the ESTA application to include questions related to an individual’s ability to
travel under the VWP for all new and renewal ESTA applications beginning February 23, 2016. 4
This additional information will permit CBP to determine whether travelers are eligible to travel
under the VWP consistent with the new legal restrictions found in section 217(a)(12). Requiring
ESTA applicants to provide additional information also enhances CBP’s ability to identify those
applicants who pose a potential security threat to the United States, including known or
suspected terrorists.
Under the new law, 5 the Secretary of Homeland Security may waive certain VWP travel
restrictions if the Secretary determines that such a waiver is in the law enforcement or national
security interests of the United States. Whether ESTA applicants will receive a waiver will be
determined on a case-by-case basis, in accordance with policy and operations guidance.

ESTA Enhancement Data Elements
Effective February 23, 2016, the following data elements will be added to the online
ESTA form for all new and renewal ESTA applications:
•
3

Previous Countries of Travel;

See Visa Waiver Program Improvement and Terrorist Travel Prevention Act of 2015, Pub. L. No. 114-113,
Division O, Title II.
4
Approved ESTA applications are valid for a maximum of two years (depending on the VWP country), or until the
passport expires, whichever comes first. Approved ESTA applications support multiple trips a traveler may make to
the United States without having to re-apply for another ESTA. See “About the Electronic System for Travel
Authorization (ESTA,)” for more general ESTA information, available at http://www.cbp.gov/travel/internationalvisitors/esta.
5
See Visa Waiver Program Improvement and Terrorist Travel Prevention Act of 2015, Pub. L. No. 114-113,
Division O, Title II.

Privacy Impact Assessment Update
DHS/CBP/PIA-007(e) ESTA
Page 3

•

Dates of Previous Travel;

•

Countries of Previous Citizenship;

•

Other Current or Previous Passports; and

•

Identity Card Numbers.

Eligibility Questions
This PIA addresses the new questions mandated by the Visa Waiver Program
Improvement and Terrorist Travel Prevention Act of 2015, and an updated version of a question
found on the current application. 6
New Eligibility Questions:
Have you traveled to, or been present in, Iraq, Syria, Iran, or Sudan on or after March 1,
2011? [Yes, No]
•

If Yes:
o Select Country (Iraq, Syria, Iran, Sudan)
o Date? (mm/yyyy to mm/yyyy)
o Primary Reason?

6



To travel as a tourist (vacation)



For personal travel or a family visit (including emergencies)



For commercial/business purposes



To carry out official duties as a full-time employee of the government of a
Visa Waiver Program country



To perform military service in the armed forces of a Visa Waiver Program
country



To conduct work as a journalist



To engage in humanitarian assistance on behalf of a humanitarian or
international non-governmental organization (NGO)



To carry out official duties on behalf of an international organization or
regional (multilateral or inter-governmental) organization

The existing question is being updated to reflect the list of diseases currently approved by OMB for use on the
ESTA application (and I-94W).

Privacy Impact Assessment Update
DHS/CBP/PIA-007(e) ESTA
Page 4

•



To carry out official duties on behalf of a sub-national government or
body of a VWP country



To attend an academic institution



To participate in a professional exchange or conference



To participate in a cultural exchange program



Other [Write-in field]

If travel to Iran for business purposes was primary reason for travel:
o Please identify the company or entity on behalf of which you traveled to Iran for
business purposes. [Write-in field]
o What was your official position/title with the company or entity identified?
[Write-in field]
o If different than your current employer, please provide contact information for the
company or entity identified, including primary address and telephone number.
[Write-in field]
o Please provide your Iranian Business Visa Number. [Write-in field]
o Please list all companies and entities in Iran with which you had business
dealings. [Write-in field]

•

If travel to Iraq for business purposes was primary reason for travel:
o Please identify the company or entity on behalf of which you traveled to Iraq for
business purposes. [Write-in field]
o What was your official position/title with the company or entity identified?
[Write-in field]
o If different than your current employer, please provide contact information for the
company or entity identified, including primary address and telephone number.
[Write-in field]
o Please provide your Iraqi Business Visa Number. [Write-in field]
o Please list all companies and entities in Iraq with which you had business
dealings. [Write-in field]

•

If to engage in humanitarian assistance on behalf of a humanitarian or international nongovernmental organization was primary reason for travel:
o Please identify the organization or entity on behalf of which you traveled to Iraq,
Syria, Iran, or Sudan for humanitarian purposes.

Privacy Impact Assessment Update
DHS/CBP/PIA-007(e) ESTA
Page 5

o Does your organization have consultative status with UN ECOSOC? [Yes, No]
[Write-in Field]
o What was your official position/title with the organization or entity identified?
[Write-in Field]
o If different than your current employer, please provide contact information for the
organization or entity identified, including primary address and telephone
number. [Write-in field]
o Please provide your Iraqi, Syrian, Iranian, or Sudanese Visa Number related to
your humanitarian travel. [Write-in field]
o If your organization or entity has been recipient of U.S. government funding for
humanitarian assistance within the last five years, please provide most recent
grant number. [Write-in Field]
o Please provide us information about the type of work you were doing in country
during this time. [Write-in Field]
o Please include any information you are willing to share about other NGOs or
international, national, or state agencies with which you worked. [Write-in Field]
o Any additional comments. [Write-in Field]
•

If to carry out official duties on behalf of an international organization, or a sub-national
government for primary travel:
o Please identify the international (multilateral or intergovernmental) organization
or regional (multilateral or intergovernmental) organization, on behalf of which
you traveled to Iraq, Syria, Iran, or Sudan.
o Please identify the sub-national government or body of a VWP country on behalf
of which you traveled to Iraq, Syria, Iran, or Sudan. [Write-in Field]
o What was your official position/title with the organization or government
identified? [Write-in field]
o Please provide your Iraqi, Syrian, Iranian, or Sudanese Visa Number related to
your official travel on behalf of an international or regional organization, or
subnational government. [Write-in field]
o Have you ever been issued a G-Visa or A-Visa by a United States Embassy or
Consulate? [Yes, No]


If “Yes”, please provide your G-Visa or A-Visa number, if known [Writein Field]

Privacy Impact Assessment Update
DHS/CBP/PIA-007(e) ESTA
Page 6

o Have you ever been issued a United Nations Laissez-Passer?

•

If “Yes”, please provide your Laissez-Passer number

If Journalism was reason for primary travel:
o Please identify the company, entity, or organization on behalf of which you
traveled to Iraq, Syria, Iran, or Sudan to engage in journalism. [Write-in field]
o What is your official position with the company, entity, or organization
identified? [Write-in field]
o Have you ever been issued an I-Visa by a United States Embassy or Consulate?
[Yes, No]


•

If Yes, Please provide your I-Visa number (if known). [Write-in field]

Have you ever been issued a passport (or national identity card for travel) by any other
country? [Yes, No]
o If Yes, applicant must enter:

•



Country [Full Country List]



Most recent passport or national identity cards year of expiration [yyyy]



Passport Number/National Identity Card Number [Write-in Field]



Option to enter additional passports or national identity cards

Are you now a citizen or national of any other country? [Yes, No]
o If Yes:


Other countries of current citizenship or nationality [Full Country List]

o How did you acquire citizenship/nationality from this country?

•



By Birth?



Through Parents?



Naturalized?



Other [Write-in field]

Have you ever been a citizen or national of any other country? [Yes, No]
o If Yes, list other countries of previous citizenship or nationality [Full Country
List]

Privacy Impact Assessment Update
DHS/CBP/PIA-007(e) ESTA
Page 7

•

You have indicated that you are not a citizen or national of your country of birth. From
the list below, please select ALL statements that apply with respect to your country of
birth:
o Did not acquire citizenship at birth or have never held citizenship in birth country
o Renounced citizenship of birth country
o Have not lived or resided in birth country within the past five years
o Have not held a passport or national identity card from birth country within the
past five years
o None of the above
o

Other [Write-in field]

Updated ESTA Eligibility Questions 7
Do you have a physical or mental disorder, or are you a drug abuser or addict, or do you
currently have any of the following diseases (communicable diseases are specified pursuant to
section 361(b) of the Public Health Service Act):
•

Cholera;

•

Diphtheria;

•

Tuberculosis, infection;

•

Plague;

•

Smallpox;

•

Yellow Fever;

•

Viral Hemorrhagic Fevers, including Ebola, Lassa, Marburg, Crimean-Congo; and

•

Severe acute respiratory illnesses capable of transmission to other persons and likely to
cause mortality.

Privacy Impact Analysis
Authorities and Other Requirements
CBP will collect enhanced ESTA application information pursuant to Title IV of the
7

This existing question is being updated to reflect the list of diseases currently approved by OMB for use on the
ESTA application (and I-94W).

Privacy Impact Assessment Update
DHS/CBP/PIA-007(e) ESTA
Page 8

Homeland Security Act of 2002; 8 and the Immigration and Nationality Act (INA), as amended. 9
These statutes authorize the Secretary of Homeland Security, in consultation with the Secretary
of State, to “develop and implement a fully automated electronic travel authorization system to
collect such biographical and other information as the Secretary of Homeland Security
determines necessary to determine, in advance of travel, the eligibility of, and whether there
exists a law enforcement or security risk in permitting, the alien to travel to the United States.” 10
On December 18, 2015, the President signed into law the Visa Waiver Program
Improvement and Terrorist Travel Prevention Act of 2015 as part of the Consolidated
Appropriations Act of 2016. To meet the requirements of this new act, DHS is strengthening the
security of the VWP through enhancements to the ESTA application and to the Nonimmigrant
Visa Waiver Arrival/Departure Record (Form I-94W) form. Many of the provisions of the new
law became effective on the date of enactment of the Visa Waiver Program Improvement and
Terrorist Travel Prevention Act of 2015. The Act generally makes certain nationals of VWP
countries ineligible (with some exceptions) from traveling to the United States under the VWP if
the applicant is also a national of, or at any time on or after March 1, 2011, was present in Iraq,
Syria, a designated state sponsor of terrorism (currently Iran, Sudan, and Syria), 11 or any other
country or area of concern as designated by the Secretary of Homeland Security. 12
Under the Visa Waiver Program Improvement and Terrorist Travel Prevention Act of
2015, the Secretary of Homeland Security may waive these new VWP travel restrictions if the
Secretary determines that such a waiver is in the law enforcement or national security interests of
the United States. Whether ESTA applicants will receive a waiver will be determined on a caseby-case basis, in accordance with policy and operations guidance. DHS is currently planning to
consider waivers to applicants only through the ESTA process and does not plan to make these
waivers available to those who apply for admission under the VWP at land border ports of entry.
The combined totality of existing and newly proposed ESTA data elements will help
CBP meet the requirements of the VWP Improvement and Terrorist Travel Prevention Act of
2015, mitigate the foreign fighter threat, and facilitate lawful travel under the VWP.

8

6 U.S.C. § 201, et seq.
8 U.S.C. § 1187(h)(3)(A).
10
Implementing regulations for ESTA are contained in Part 217, title 8, Code of Federal Regulations.
11
Countries determined by the Secretary of State to have repeatedly provided support for acts of international
terrorism are generally designated pursuant to three laws: section 6(j) of the Export Administration Act of 1979 (50
U.S.C. § 2405); section 40 of the Arms Export Control Act (22 U.S.C. § 2780); and section 620A of the Foreign
Assistance Act of 1961 (22 U.S.C. § 2371).
12
The Act establishes exceptions to the bar for travel to Iraq, Syria, Iran, and Sudan since March 1, 2011 for
individuals determined by the Secretary of Homeland Security to have been present in these countries, “(i) in order
to perform military service in the armed forces of a [VWP] program country; or (ii) in order to carry out official
duties as a full time employee of the government of a [VWP] program country.” 8 U.S.C. § 1187(a)(12)(B).
9

Privacy Impact Assessment Update
DHS/CBP/PIA-007(e) ESTA
Page 9

Characterization of the Information
CBP is expanding the data elements collected as part of the ESTA application to issue a
travel authorization and to assess the potential risks each applicant poses with regard to the law
enforcement or national security interests of the United States.
Mandatory Data Elements
With the publication of this PIA, CBP is notifying the public of new data elements added
to the ESTA application and to the Form I-94W. The mandatory data elements that an applicant
must now complete are indicated by a red asterisk on the ESTA website 13 and listed below. The
new data elements are indicated by an (*):
•

Family name;

•

First (given) name;

•

Birth date (day, month, and year);

•

Country of birth;

•

Sex (male or female);

•

Country of citizenship;

•

Country where you live;

•

Passport number;

•

Passport issuing country;

•

Passport issuance date (day, month, and year);

•

Passport expiration date (day, month, and year);

•

Other Names or Aliases;

•

Other Country of Citizenship;
o If yes, passport number on additional citizenship passport;

13

•

City of Birth;

•

Home Address;

•

Parents’ Names;

•

Email;

•

Telephone Number;

https://esta.cbp.dhs.gov/esta/application.html?execution=e1s1.

Privacy Impact Assessment Update
DHS/CBP/PIA-007(e) ESTA
Page 10

•

National Identification Number;

•

Current Job Title;

•

Current or Previous Employer Name;

•

Current or Previous Employer Address;

•

Current or Previous Employer Telephone Number;

•

Emergency Point of Contact Information Name;

•

Emergency Point of Contact Information Phone;

•

Emergency Point of Contact Information Email;

•

U.S. Point of Contact Name;

•

U.S. Point of Contact Address; and

•

U.S. Point of Contact Telephone Number.

•

Previous Countries of Travel*

•

Dates of Previous Travel*

•

Countries of Previous Citizenship*

•

Other Current or Previous Passports*

•

Visa Numbers*

•

Laissez-Passer Numbers*

•

Identity Card Numbers*

Voluntary Data Elements
In addition to the new mandatory information and eligibility questions, applicants have
the option of providing additional voluntary data elements to complete their application.

Privacy Impact Analysis: Characterization of Information
Privacy Risk: There is a risk that the new eligibility questions collect more information
than necessary to meet the statutory requirements of ESTA.
Mitigation: The new eligibility questions are narrowly tailored toward those individuals
who have traveled to four countries specified in the statute, thereby mitigating the risk of overcollection. These questions inquire about past travel to particular countries or regions,

Privacy Impact Assessment Update
DHS/CBP/PIA-007(e) ESTA
Page 11

specifically since March 1, 2011. These questions also seek contextual information about the
nature of the travel, which may identify travel partners or affiliations (organizations or entities
providing sponsorship). These questions improve the ability of CBP to identify persons requiring
additional screening or consideration prior to travel to the United States, and will help inform the
Secretary of Homeland Security on whether a waiver of VWP travel restrictions for any
individual is in the law enforcement or national security interests of the United States.
Privacy Risk: There is a risk that CBP will make determinations about travel
applications based on inaccurate information.
Mitigation: Because information is collected directly from applicants, CBP presumes
this information is accurate. If an individual is denied travel via ESTA, they are still eligible to
apply for a visa from the U.S. Department of State.

Uses of the System and the Information
CBP’s use of the information in the traveler’s ESTA application has not changed. CBP
will continue to use the information submitted as part of an ESTA application to determine the
eligibility of a foreign national to travel to the United States and to determine whether the visitor
poses a law enforcement or security risk to the United States. 12 CBP will continue to vet the
ESTA applicant information against selected security and law enforcement databases at DHS,
including but not limited to TECS 13 (not an acronym) and the Automated Targeting System 14
(ATS). ATS also retains a copy of ESTA application data to identify potential high-risk ESTA
applicants. CBP may also vet ESTA application information against other federal security and
law enforcement databases to enhance CBP’s ability to determine whether the applicant poses a
security risk to the United States or is eligible to travel to and enter the United States under the
VWP.
Privacy Risk: None.

Retention
The CBP retention period for ESTA has not changed. CBP retains ESTA application data
for no more than three years in an active database (one year beyond the ESTA authorization
expiration date) and twelve years in archive status.

12

See 8 U.S.C. § 1187(h)(3).
DHS/CBP-011 U.S. Customs and Border Protection TECS (73 Fed. Reg. 77778, December 19, 2008).
14
DHS/CBP-006 Automated Targeting System (77 Fed. Reg. 30297, May 22, 2012).
13

Privacy Impact Assessment Update
DHS/CBP/PIA-007(e) ESTA
Page 12

Internal Sharing and Disclosure
No changes have been made to internal sharing and disclosure.

External Sharing and Disclosure
No changes have been made to external sharing and disclosure. CBP will continue to
share ESTA information in bulk with other federal counterterrorism partners (e.g., the National
Counterterrorism Center), and CBP may share ESTA on case-by-case basis to appropriate state,
local, tribal, territorial, foreign, or international government agencies. Existing external
information sharing and access agreements will continue and will now include the expanded
categories of records noted above. 15

Notice
The System of Records Notice (SORN) for ESTA, last published on November 3, 2014,
is being updated concurrently with this PIA to reflect the ESTA enhancements, including the
new eligibility questions and additional data elements on the ESTA application.
Due to the sensitive national security concerns necessitating the expanded information
collection required by the Visa Waiver Program Improvement and Terrorist Travel Prevention
Act of 2015, CBP has determined that the updated ESTA SORN will become effective upon
publication, without a prior comment period. Despite the exigent circumstances requiring
immediate publication and implementation of this new information collection, members of the
public are still encouraged to submit comments on the updated SORN. CBP will evaluate these
comments to determine if any future changes should be made.
Privacy Impact Analysis: Notice
Privacy Risk: There is a risk that associates or affiliates of the ESTA applicant will not
be aware of their inclusion on the ESTA application or their exposure to CBP vetting of the
ESTA application.
Mitigation: This risk is partially mitigated for these associates and affiliates. As stated
above, the publication of the updated ESTA SORN in the Federal Register will provide general
notice that this information may be collected. Additionally, the publication of this PIA expands
the notice regarding the possibility of this information collection; however, these third party
15

This sharing takes place after CBP determines that the recipient has a need to know the information to carry out
functions consistent with the exceptions under the Privacy Act of 1974, 5 U.S.C. § 552a(b), and the routine uses set
forth in the ESTA SORN. Additionally, for ongoing, systematic sharing, CBP completes an information sharing and
access agreement with federal partners to establish the terms and conditions of the sharing, including documenting
the need to know, authorized users and uses, and the privacy protections for the data.

Privacy Impact Assessment Update
DHS/CBP/PIA-007(e) ESTA
Page 13

individuals will not receive direct notice of the collection in a manner similar to the ESTA
applicant.

Individual Access, Redress, and Correction
The ESTA enhancements will result in CBP denying some individuals eligibility for a
travel authorization under the VWP. Applicants denied a travel authorization to the United States
via ESTA may still apply for a visa from the U.S. Department of State. General complaints about
treatment can be made to the DHS Traveler Redress Inquiry Program (TRIP), 601 South 12th
Street, TSA-901, Arlington, VA 22202-4220 or online at www.dhs.gov/trip. Generally, if a
traveler believes that CBP actions are the result of incorrect or inaccurate information, then
inquiries should be directed to:
CBP INFO Center
OPA - CSC - Rosslyn
U.S. Customs and Border Protection
1300 Pennsylvania Ave, NW
Washington, D.C. 20229
In addition, CBP has updated the address to which individuals should submit their
requests for access and correction. Under the Privacy Act and the Freedom of Information Act
(FOIA), individuals may request access to the information they provide which is maintained in
the applicable CBP system of record. Proper written requests under the Privacy Act and FOIA
should be addressed to:
CBP FOIA Headquarters Office
U.S. Customs and Border Protection
FOIA Division
90 K Street NE, 9th Floor
Washington, D.C. 20002
Requests for access should conform to the requirements of 6 CFR Part 5, which provides
the rules for requesting access to Privacy Act records maintained by CBP. The envelope and
letter should be clearly marked “Privacy Act Access Request.” The request should include a
general description of the records sought and must include the requester’s full name, current
address, and date and place of birth. The request must be signed and either notarized or
submitted under penalty of perjury.
Privacy Impact Analysis: Individual Access, Redress, and Correction
Privacy Risk: There is a risk that individuals will not have a means to contest ESTA
denials or revocations.

Privacy Impact Assessment Update
DHS/CBP/PIA-007(e) ESTA
Page 14

Mitigation: Individuals who are denied an ESTA travel authorization may still apply for
a visa at a U.S. embassy or consulate. In addition, the Secretary of Homeland Security has
discretion to grant a waiver of VWP travel restrictions for some individuals if in the law
enforcement or national security interests of the United States.
If an individual believes that he or she has been improperly denied an ESTA, he or she is
still eligible to apply for a visa from the U.S. Department of State. 16

Technical Access and Security
No changes have been made to technical access or security.

Technology
No changes have been made to the existing technology.

Responsible Officials
Suzanne Shepard, Director ESTA
U.S. Customs and Border Protection
Department of Homeland Security
John Connors, CBP Privacy Officer
U.S. Customs and Border Protection
Department of Homeland Security

Approval Signature
Original signed copy on file with DHS Privacy Office.

________________________________
Karen L. Neuman
Chief Privacy Officer
Department of Homeland Security
16

The law does not permit an appeal for ESTA denial or revocations. See 8 CFR § 217(g) (“In the case of an alien
denied a waiver under the program by reason of a ground of admissibility . . . that is discovered at the time of the
application for the waiver or through [ESTA], the alien may apply for a visa . . . There shall be no other means of
administrative or judicial review of such a denial, and no court or person otherwise shall have jurisdiction to
consider any claim attacking the validity of such a denial.”)