Despite implementation of the Electronic System for Travel Authorization (ESTA) and other enhancements to the Visa Waiver Program (VWP), recent reviews of the program have identified areas of weakness that poseU.S. law enforcement or other security risks.
The VWP was developed as a way to promote travel to the U.S. The program allows business and leisure travelers from approved member countries to enter to the U.S. without a visa for up to 90 days if they do not have a criminal or terrorist background.
In 2007, Congress mandated that the Department of Homeland Security (DHS) implement an automated electronic travel authorization system as part of VWP.  ESTA is an automated system that determines a person’s eligibility to travel to the U.S. prior to boarding a U.S.-bound airplane or vessel.
ESTA adds a layer of protection that allows DHS to know an individual’s eligibility to enter the U.S. without visas under the VWP in advance of travel. In 2010, airlines verified ESTA approved travelers nearly 98 percent of the time.  However, the remaining 2 percent—roughly 364,000 travelers—did not have their security verified.
This is one source of risk associated with the program. Other areas of risk are related to additional program requirements in place with VWP. These include:

  1. A mandated by Congress that DHS review the security risks posed by each VWP country’s participation in the program at least every 2 years
  2. Agreements by member nations to exchange passenger information with the U.S. on whether travelers from that country represent a security threat
  3. Prompt reporting by member countries of lost and/or stolen passports

In a recent review of DHS’s status on biennial reports, 18 of the 36 VWP countries were not completed on time, and of the reports that are late, half of them are more than 1 year overdue. For two member countries, these reports are more than 4 years overdue. Incomplete reviews means that the DHS does not know to what extent these countries pose a risk to the program.
To date, only half of member countries have written agreements in place to share information on known or suspected terrorists and to provide access to biographical, biometric, and criminal history data.  By contrast, more than half of the 36 VWP countries have agreed to report lost and stolen passports in a timely fashion. However, the remaining countries do not have agreements in place.
Based on this information, the Government Accountability Office (GAO) has advised DHS to put a compliance schedule in place that requires VWP countries to finalize these agreements by June 2012.  Countries that do not fulfill the information-sharing agreements may lose their status in the VWP program.
While DHS is able to match most VWP travelers against terrorist and criminal databases, and other mandates are in place to create added layers of security for the U.S., there are enough areas of risk to conclude that terrorists and other individuals can and will continue to find and exploit vulnerabilities in the U.S. visa system.