Here’s a remarkably simple scam the US authorities have, characteristically, ignored. Travellers to the US are being ripped off by a web of sites taking money to register them for the Electronic System for Travel Authorization (ESTA).

ESTA registration is now required at least 72 hours before travelling to the US for every traveller (children included) from any country included in the long-standing visa waiver system, which also covers the UK.

Here’s the most important fact about ESTA - it’s currently free of charge. There is no need to pay to register.

The correct site can be found here, the existence of which hasn’t stopped a surprising number of sites asking for $50 and up per person to spring up straight from a Google search, including paid links for which Google is taking money, apparently no questions asked.

Stupid fact number one. Not only are people paying substantial sums of money for ESTA registration that is free, Google is taking money to advertise these providers. Don’t do evil indeed.  

Stupid fact number two. An unknown number of ESTA sites aren’t just milking people, they are outright frauds designed to harvest passport numbers and credit cards in order to commit further frauds. That is not Google’s fault per se, but I see little evidence that Google, other search providers, or the UK police, make much effort to block or investigate these domains.

Let's be clear, some ESTA sites are legitimate companies charging people unnecessarily. Others are straight frauds. Either way, the traveller loses out badly.

It looks likely that a charge of $10 per person will be levied by US authorities for ESTA later this year, which means that people will routinely be entering credit card data to visit the US, offering even more opportunities to engineer fraud.

Stupid fact number three. The US set up a web-based system for registering not only credit cards but passport details, which must have struck someone somewhere as a clear invitation for criminals, and yet they have done almost nothing to warn people about the risk posed by third-party sites.

The official position is that payment via these sites is unnecessary and people should visit only the correct site. This is bureaucratic complacency of the sort government are famous for and stuff what the lawyers tell them.

It is correct to say that some of the sites concerned might have no connection to criminality but the precedent they set is clear. People can apparently legitimately take passport and credit card data without any questions being asked let alone worry over data protection.

Stupid fact number four. This hands-off system creates considerable risks for the US itself if it aids identity theft that allows even a small number of shady characters to travel to the US by impersonating real citizens.

The worried among us might urge the US to formally outlaw sites for official registrations such as these. This would not stop such sites existing because many appear to be set up outside US borders, but it would at least signal that anyone running such a site was acting outside US law.