The US Visitor and Immigrant Status Indicator Technology (US-VISIT) database program has not yet completed a security review, a year into its implementation.
A Homeland Security report also revealed the controversial border control program had not yet met targets set before implementation.
"The US-VISIT program has developed a security plan that provides an overview of system security requirements," the report said. "However, a security risk assessment of the program has not been completed, and the plan does not include a date for the assessment's completion. The assessment does not satisfy all aspects of OMB (The White House's Office of Management and Budget) guidance for such an assessment, such as fully addressing privacy issues in relevant system documentation."
Data privacy and security campaigners have reacted angrily to the news.
"The success of the program depends on its security," said Marcia Hofmann, director of the Open Government Project at campaign group Electronic Privacy Information Center (Epic). "There is a vast amount of information held on millions of people, arriving from numerous sources. Not to conduct a continual review of security is dangerous."
The program aims to compile details about the millions of foreigners who enter the US every year. Its initial creation was intended for use by border control police and as an anti-terrorism measure. But Hofmann insists its use is already being extended.
"The purposes are already expanding. Law enforcement entities other than border control are already gaining access to information," she said. "People from outside the US have much less privacy protection than US citizens. So this has to be a concern."