Safely copy vaccination card to phone and social media

What this is

Displayed personal data can be used for data harvesting. If the purpose is to show a qualification, e.g., immunisation, then data that can be harvested should be removed.

This is valid for (US) CDC vaccination cards, NHS vaccination cards and Israeli Vaccination Certificates, but should work for any such documents. This is not the same as a fully authenticating app or QR code.

This is fairly easy, although there is a second step necessary if the sharing is via social media. (More under "social media".)

Image display on a phone

This is different from image backup.

You may want to save a full image of the document (e.g., vaccination card) on your phone. If you regularly back up your data, that image will be captured in your backup. This full image will of course have the key front-side information.

The image for display, e.g., for access to events, should have harvestable data redacted, and be easy to retrieve.

Steps for phone "wallet" image

  1. Take a digital photo of the face of your card or certificate.
  2. Open a graphics, imaging or photoshop program.

    ... whichever you typically use is best. Try searching for <paint> to see if a program by that name is included in your operating system. Powerpoint and MS  have imaging programs. MS Paint for Windows is generally available for free on the web if not included in the native Windows installation.

  3. Open the image of the card and save it as a new file.
  4. Use the imaging program's "box", "block" or similar tool to block out:
    1. birthdate
    2. middle of last name
    3. most of last name

    It's possible to keep multiple "display" cards, for example one with only the birthdate redacted and one with parts of the name also redacted.

    It's possible to remove the location data and a digit from the vaccine lot number, but that is pretty much unnecessary. The reason is that, for data harvesting purposes, that data is already pretty much munged by people getting their jabs at statistically random locations. In other words, the data is useless for automated data harvesting.

    For "show for admission" purposes, that should be enough. The sanitized version is good enough to authenticate. If a venue insists on collecting full datasets, assume they want it for reasons beyond idle curiosity.

    Further steps for social media or electronic databases

      If a digital image file is shared, there is a risk that the redaction can be "peeled back" by recipients. It is necessary to prevent the transmission of a digital image file which may digitally retain the hidden information.

      This applies of course to social media, but also applies to any electronic database which could be leaked, "shared" or hacked.

      If the image is a photograph with physical correction tape, then there is no hidden information in the digital file. What you see is what the recipient can see.

      If the data is hidden using digital means (a photo imaging program), then...

    1. Render the digital image on a computer, with the information blocked.
    2. Use a screenshot tool to save the image as a (partial) screen grab or screenshot. In other words, don't save the same image with the image reader, but rather "grab" the image from the screen.

    The screenshot tool takes the pixel image and not the original digital file.

    For most Windows programs, the easiest tool is "Windows Snipping Tool", identified by an icon of a scissors over an oval.

    1. Display the card with the information redacted (including redaction of most of your name), using any suitable program.
    2. Open the <start> menu and enter <snipping>. (You can save it for future use as an icon by dragging it to the taskbar or "start" menu.)
    3. Use the snipping tool to select the image of the card.

    4. Save the "snipped" image as a separate file to share on the web.

    Since the "snipped" image is a recreation of the displayed pixels and not the original digital file, it should not include hidden artifacts.
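
    An added check, not part of the original page: before posting the snipped PNG, confirm that the file holds only pixel chunks and nothing after the end marker, and write out a copy with everything else dropped. It uses only the Python standard library; the function names and the sample bytes are constructed for illustration, and it does not judge the pixels themselves (for example a translucent box that still shows the text).

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunks needed to draw the pixels; anything else (tEXt, iTXt, eXIf, ...) is dropped.
PIXEL_CHUNKS = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}


def make_chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC-32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))


def audit_png(blob):
    """Return (clean_bytes, findings) for a PNG that is about to be shared."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, clean, findings, ended = len(PNG_SIG), [PNG_SIG], [], False
    while not ended:
        if pos + 12 > len(blob):
            raise ValueError("truncated PNG: no IEND chunk")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated PNG: chunk runs past end of file")
        if ctype in PIXEL_CHUNKS:
            clean.append(make_chunk(ctype, blob[pos + 8:end - 4]))
        else:
            findings.append("non-pixel chunk %s, %d bytes" % (ctype.decode("latin-1"), length))
        pos, ended = end, ctype == b"IEND"
    if pos < len(blob):
        findings.append("%d bytes after IEND" % (len(blob) - pos))
    return b"".join(clean), findings


# Constructed sample: a 1x1 grey PNG carrying a text chunk and trailing bytes.
SAMPLE = b"".join([
    PNG_SIG,
    make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)),
    make_chunk(b"tEXt", b"Comment\x00constructed: DOB 01-01-1970"),
    make_chunk(b"IDAT", zlib.compress(b"\x00\x80")),
    make_chunk(b"IEND", b""),
]) + b"constructed leftover bytes from an earlier save"

if __name__ == "__main__":
    cleaned, notes = audit_png(SAMPLE)
    print(notes, len(SAMPLE), "->", len(cleaned))
```

    An empty findings list means the file is already limited to the pixels a viewer draws; otherwise share the cleaned bytes instead of the original file.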

    The typical location of snipping tool is


    Alternatively, use temporary (or Post-It (3M)) correction tape to redact the data, and photograph the card with the tape covering personal information (birthdate; enough of the name to prevent automated data harvesting).

If asked for the full data

Well, first, that is not likely. Employees checking IDs and the like do not care about data harvesting, and are only looking for what they say they're looking for - evidence of immunization. If it's a CDC card, it's a felony to forge a Federal document, and pretty much the only people who would go that far are going to refuse to show a card anyway.

But to answer the question (and this may come up if the employee wants to know why??)...

  1. Tell them they do not need "fully-harvestable" data for checking vaccination status. Sanitized and un-redacted cards come from the same sources.
  2. "No, because I see you're scanning that data."
  3. "It looks like you're scanning that data. You can look at an unredacted card if you want, but I don't want my HIPAA-protected / GDPR data scanned."


  4. Tell them it's "the mark of The Beast" described in The Book of Revelation (Revelation is part of the Christian Bible - you'd have to look it up.) That should work even better if you're obviously not Christian.

"Vaccine passports"

Do not expect fully authenticating apps to appear in the US for at least 3 reasons:

  1. There will not be widespread acceptance of fully authenticated "vaccine passports" in the US.
  2. Each state (each state that even implements a "vaccine passport" system) will likely have a different, incompatible system. Most states will not have this. For example, New York tried to introduce their IBM/Excelsior app, but a significant number of people who participate in activities in New York are out-of-state residents. Five states and two provinces surround New York. Oops!
  3. Many states have multiple databases which are not compatible with each other. This is either from a change in the vaccine tracking system or vaccine distribution through third-party providers. Some states have systems that differ across jurisdictions within the state.

    This is being cleaned up, but in many places, vaccine tourism precludes in-state data collection. For example, Alexandria, VA (US) has the highest vaccination rate at about 97%-99%, but as of August-2021, the CDC showed 35%. (CDC has since increased it to ~70%, which is still far below the actual rate, and the State also shows Alexandria below the state average, which is also clearly wrong.) People who couldn't get their jabs when they were hard to come by simply went to rural areas or places like Zip Code 33126, in Miami, FL. (The vaccination rate for Miami, FL 33126 is 2700%. Miami 33126 has one major entity.)

    So basically, there will be no accurate collection of this data despite efforts to do so.


originally posted 25-Oct-21   rev 25-Oct-21 Stan Protigal