Displayed personal data can be used for data harvesting. If the purpose is to show a qualification, e.g., immunisation, then data that can be harvested should be removed.
This is valid for (US) CDC vaccination cards, NHS vaccination cards and Israeli Vaccination Certicates, but should work for any such documents. This is not the same as a fully authenticating app or QR code.
This is fairly easy, although there is a second step necessary if the sharing is via social media. (More under "social media".)
This is different from image backup.
You may want to save a full image of the document (e.g., vaccination card) on your phone. If you regularly backup your data, that image will be captured in your backup. This full image will of course have the key front-side information.
The image for display, e.g., for access to events, should have harvestable data redacted, and be easy to retrieve.
Steps for phone "wallet" image
- Take a digital photo of the face of your card or certificate>
- Open a graphics, imaging or photoshop program.
... whichever you typically use is best. Try searching for <paint> to see if a program by that name is included in your operating system. Powerpoint and MS have imaging programs. MS Paint for Windows is generally available for free on the web if not included in the native Windows installation.
- Open the image of the card and save it as a new file.
- Use the imaging program's "box" "block" or simiar program to block out:
- middle of last name
- most of last name
It's possible to keep multiple "display" cards, for example one with only the birthdate redacted and one with parts of the name also redacted.
It's possible to remove the location data and a digit from the vaccine lot number, but that is pretty much unnessary. The reason is that, for data harvesting purposes, that data is already pretty much munged by people getting their jabs at statistically random locations. In other words, the data is useless for automated data harvesting.
For "show for admission" purposes, that should be enough. The sanitized version is good enough to authenticate. If a venue insists on collecting full datasets, assume they want it for reasons beyond idle curiousity.
Further steps for social media or electronic databases
If a digital image file is shared, there is a risk that the redaction can be "peeled back" by recipients. It is necessary to prevent the transmission of a digital image file which may digitally retain the hidden information.
This applies of course to social media, but also applies to any electronic database which could be leaked, "shared" or hacked.
If the image is a photograph with physical correction tape, then there is no hidden information in the digital file. What you see is what the recipient can see.
If the data is hidden using digital means (a photo imaging program), then...
- Render the digital image on a computer, with the information blocked.
- Use a screenshot tool to save the image as a (partial) screen grab or screenshot. In other words, don't save the same image with the image reader, but rather "grab" the image from the screen.
The screenshot tool takes the pixel image and not the original digital file.
For most Windows programs, the easiest tool is "Windows Snipping Tool", identified by an icon of a scissors over an oval.
- Display the card with the information redacted (including redaction of most of your name), using any suitable program.
- Open the <start> menu and enter <snipping>. (You can save it for future use as an icon by dragging it to the taskbar or "start" menu.)
- Use the snipping tool to select the image of the card.
- Save the "snipped" image as a separate file to share on the web.
Since the "snipped" image is a recreation of the displayed pixels and not the original digital file, it should not include hidden artifacts.
The typical location of snipping tool is%windir%\system32\SnippingTool.exe
Alternatively, use temporary (or Post-It (3M)) correction tape to redact the data, and photograph the card with the tape covering personal information (birthdate; enough of the name to prevent automated data harvesting).
Well, first, that is not likely. Employees checking IDs and the like do not care about data harvesting, and are only looking for what they say they're looking for - evidence of immunization. If it's a CDC card, it's a felony to forge a Federal document, and pretty much the only people who would go that far are going to refuse to show a card anyway.
But to answer the question (and this may come up if the employee wants to know why??)...
- Tell them they do not need "fully-harvestable" data for checking vaccination status. Sanitized and un-redacted cards come from the same sources.
- "No, because I see you're scanning that data."
- "It looks like you're scanning that data. You can look at a card at an unredacted card if you want, but I don't want my HIPAA-protected / GDPR data scanned."
- Tell them it's "the mark of The Beast" described in The Book of Revelations (Revelations is part of the Christian bible - you'd have to look it up.) That should work even better if you're obviously not Christian.
Do not expect fully authenticating apps to appear in the US for at least 3 reasons:
originally posted 25-Oct-21 rev 25-Oct-21 Stan Protigal