BrianKrebsJan 26

We knew this was coming, but now the clock is running. From Privacy International:

"Yesterday the Trump Administration announced a proposed change in policy for travellers to the U.S. It applies to the powers of data collection by the Customs and Border Police (CBP)."

"If the proposed changes are adopted after the 60-day consultation, then millions of travellers to the U.S. will be forced to use a U.S. government mobile phone app, submit their social media from the last five years and email addresses used in the last ten years, including of family members. They’re also proposing the collection of DNA."

PI linked to and summarized a Federal Register entry describing the proposed requirements:

-All visitors must submit ‘their social media from the last 5 years’

-ESTA (Electronic System for Travel Authorization) applications will include ‘high value data fields’, ‘when feasible’
‘telephone numbers used in the last five years’
-‘email addresses used in the last ten years’
-‘family number telephone numbers (sic) used in the last five years’
-biometrics – face, fingerprint, DNA, and iris
-business telephone numbers used in the last five years
-business email addresses used in the last ten years.

https://www.privacyinternational.org/news-analysis/5713/trump-administration-wants-your-dna-and-social-media

The Federal Register entry says comments are encouraged and
must be submitted (no later than February 9, 2026) to be assured of consideration.

Federal Register entry: https://www.govinfo.gov/content/pkg/FR-2025-12-10/pdf/2025-22461.pdf

Show threadOliver Jensen

@briankrebs

as someone who has been using unique email addresses for every service, I look forward to submitting several hundred addresses.

Jan 26 at 5:14pmWeb
Show threadDerick RethansJan 26
@ojensen @briankrebs Do you even remember them all? I certainly don't.
Show threadOliver JensenJan 26
@derickr @briankrebs most of them, since they're in a big list in my email provider. Doubtless there's a few that I've deleted, though, so to be safe I'll need to add a bunch of maybes to the list.
Show threadEric PhelpsJan 26

@derickr @ojensen @briankrebs Password managers! They can hold unique email addresses as well as the expected passwords and user names. Every account should have all three of those unique.

Gmail, firefox, duck, and pretty much all commercial email providers let you generate more email addresses than you'll ever need. Having hundreds of active email addresses is a normal thing. I tell myself that 😏.

Show threadRob BosJan 26
@ericphelps
Tagged email addresses accomplish much the same thing!
Show threadEric PhelpsJan 26

@rbos I pre-generated a thousand email addresses, registered them with my email provider, and loaded them into my password manager. They're ready to go for new accounts with a simple rename.

The whole "tagging" thing with Gmail is one of those theoretical things I know about but have never done.

Show threadRob BosJan 26

@ericphelps
That is a delightfully over-engineered solution and it definitely works well. Tagged addresses are going to be inferior but much simpler. Also spammers would be looking for tagged addresses.

As to how, just add +string to the username of a Gmail address. It'll go to your main box. Easy to filter if needed.

Many email servers support that syntax. Others like qmail use -string.

Show threadJonathan McKeownFeb 9
@rbos @ericphelps Interesting: I could have sworn that once upon a time, if there was a mailbox name corresponding to the part after the +, Google would deliver mail into that mailbox. Experiment says no. Maybe I'm confusing it with email setups I tended to in my sysadmin days, where I made sure that worked.
Show threadRob BosFeb 9

@thetruejona I just sent a test email to [email protected] and it worked, forwarded the email just fine to my regular address.

edit: Oh, unless you meant like, a sub-folder in gmail with that name. Never tried that.

Show threadJonathan McKeownFeb 9
@rbos Oh it works to the extent that adding a plus part has no effect on delivery to the inbox (I also tested). What I remember (and what I certainly set up when I was adminning email) was that [email protected] would look for a mail folder belonging to user and called foo, and deliver direct into that mail folder if it existed.
Show threadRob BosFeb 9
@thetruejona I guess you'd have to set up a filter for that matching against To. That does sound like a useful feature to have by default without special setup.
Show threadJonathan McKeownFeb 9
@rbos Yes. I'm going back a ways, but I first implemented it on a sendmail and Cyrus IMAP setup. It involved a couple of minor changes on the sendmail side (essentially ignoring the plus part during incoming address rewriting and then adding it back to the final delivery address); and a permission change, adding the p permission to mail folders to allow delivery on the Cyrus side. I'm fairly sure we did it at my next employer too, with exim and Cyrus. It Just Worked for every user
Show threadꜰʟᴏʀᴀ Jan 27
@ericphelps @derickr @ojensen @briankrebs Then you won't be allowed in the country.
Show threadthe hatterFeb 9
@ericphelps @derickr @ojensen @briankrebs Password managers are also a good place to store your date of birth - if, somehow, different sites seem to think you have different DoBs
Show threadSamyJan 26
@ojensen @briankrebs
That’s what I thought!
Show threadBernard SheppardJan 26
@briankrebs @ojensen as someone who has no intention of entering the US under the current administration or any semblance of it, I too look forward to... checks notes... submitting 658 active email addresses
Show threadBernard SheppardJan 26
@briankrebs @ojensen and that is not counting duck duck go email addresses, of course...
Show threadAlun JonesJan 26
@ojensen @briankrebs my website generates time-limited email addresses. The key for generating them is the time to millisecond accuracy i.e. I'm accumulating 1,000 new addresses every second. About 4 billion since I put this system in place.