Your Passport Photo Is Doing More Talking Than You Think

You’re standing at a hotel reception desk in Barcelona. The clerk asks for your passport. You hand it over, they disappear behind a printer, and come back with your original plus a crisp A4 photocopy. Everything on it — your full name, date of birth, nationality, passport number, photo, signature, and two lines of machine-readable gibberish at the bottom.

That copy now lives in a filing cabinet. Or a shared drive. Or the inbox of whoever handles guest records. Maybe for years.

You just gave a stranger a high-resolution copy of everything needed to impersonate you. And you probably didn’t think twice about it.

This isn’t hypothetical

In August 2025, a hacker group called “mydocs” broke into the booking systems of at least ten Italian hotels and stole 90,600 passport and ID scans. High-resolution. Ready to use. They sold them on the dark web in batches for $1,000–$10,000. (Source: Malwarebytes)

According to NordVPN research, a scanned passport sells for as little as $10 on the dark web. A verified EU passport? Over $5,000. With a passport scan and a deepfake selfie, criminals can pass identity verification on most online platforms.

Ten dollars. That’s what your identity is worth to someone in a dark forum.

The part everyone forgets: the MRZ

See those two lines of text at the bottom of your passport’s data page? They look like a printer error — a jumble of letters, numbers, and chevrons. That’s the Machine-Readable Zone (MRZ), and it’s basically a cheat code for your entire identity.

The MRZ contains: your full name, nationality, date of birth, passport number, sex, and expiry date. All in a format that any machine (or criminal with a basic script) can parse in milliseconds.

Here’s the kicker: even if you black out your passport number in the main section, the MRZ still has it. Most people who try to redact their own documents miss this completely. They carefully draw a rectangle over the passport number field, feel good about themselves, and send a copy where the same number is sitting right there at the bottom in plaintext.

What you should actually redact

At a minimum:

• Passport or document number — in the main data section AND the MRZ
• Machine-readable zone — both lines, the whole thing
• Signature — if visible
• BSN, SSN, or national ID number — depending on your country
• Anything the recipient doesn’t specifically need — most people only need your name and photo for verification

And here’s something most people don’t do but absolutely should:

Add a purpose watermark

Stamp your copy with something like: “Copy for Hotel Barcelona check-in — March 2026.”

This does two things. First, if the copy ever leaks, it’s immediately traceable to the source. Second, it makes the copy useless for any other purpose — no one can use a passport copy stamped “for hotel check-in” to open a bank account.

The Dutch government actually mandates this. From government.nl: when making a copy of your ID, make your BSN unreadable (including in the MRZ), write that it is a copy, and specify the purpose. More countries should adopt this standard.

How to do it

You’ve got options:

• Your phone’s photo editor — draw black boxes over the sensitive fields. Free, but you’ll probably forget the MRZ. Everyone does.
• Preview on Mac — add solid rectangles. A bit tedious.
• CoverID Redact — built specifically for this. Scan the document, tap to redact fields, add a purpose banner, strip EXIF metadata, and export a safer copy. (Full disclosure: I built this app, because I got tired of doing it the hard way.)
• Any PDF editor with redaction support.

Whatever method you use, the principle is simple: never share a full, unredacted copy of your ID unless you’re legally required to. The landlord checking your identity doesn’t need your passport number. The hotel doesn’t need your date of birth. Give them what they need, hide the rest.

Your passport photo is already doing plenty of talking. Make sure it’s only saying what you want it to say.