How to Redact a Passport — MRZ Codes Explained

Q: Can someone steal my identity with just a passport copy?

A passport copy provides enough information to attempt identity fraud. The MRZ makes this worse because it provides all key data in a machine-extractable format.

Q: Is it safe to email a passport copy?

Not without redaction. Email is not end-to-end encrypted by default. Your passport copy may be stored on multiple servers indefinitely.

Q: What if a hotel asks for my passport at check-in?

Hotels in many countries are legally required to register guests. Ask if they need a physical copy or just the data. In the EU, GDPR requires hotels to delete copies after a defined period.

Q: My visa agent wants a full unredacted copy. Should I send it?

If they are a licensed agency with a secure upload portal, yes. If they want you to email or WhatsApp a passport photo, that is a red flag.

Q: What is the difference between redacting a passport and a drivers license?

The main difference is the MRZ. Passports have the MRZ directly on the data page, visible in any copy. Drivers licenses have a barcode on the back that you can avoid sharing.

Most guides tell you to "redact the passport number." That's correct — but incomplete. The real vulnerability on a passport copy isn't the number printed on the top right. It's the two lines of gibberish at the bottom of the page that most people ignore entirely.

Those two lines are the Machine Readable Zone (MRZ), and they contain your passport number, date of birth, nationality, gender, and document expiry — all encoded in a standardized format that any $0 app on any phone can decode in under two seconds.

If you redact your passport number on the top of the page but leave the MRZ visible, you've accomplished nothing.

$600–$4K

Price of stolen passport data on dark web markets

PrivacyAffairs Dark Web Price Index

40,000+

Passport fraud reports received by State Dept. in 2023

U.S. State Department Annual Report

What the MRZ Actually Contains

The MRZ follows the ICAO Document 9303 specification — an international standard used by every country that issues machine-readable travel documents:

P<GBRSMITH<<JANE<MARIE<<<<<<<<<<<<<<<<<<<<<
5765432101GBR8501015F2601015<<<<<<<<<<<<<<02

Characters	Data Encoded	Example Value
1–9	Passport number	576543210
10	Check digit (passport #)	1
11–13	Nationality (ISO code)	GBR
14–19	Date of birth (YYMMDD)	850101 → Jan 1, 1985
21	Gender	F
22–27	Expiry date (YYMMDD)	260101 → Jan 1, 2026
29–42	Personal number	Varies by country

This isn't encrypted. It's a direct encoding following a published standard. Anyone who photographs the bottom of your passport data page can extract your passport number, DOB, nationality, and gender using a free app in under two seconds.

Real-World Exploitation

Passports are the most valuable identity document on dark web markets because they're accepted internationally. A compromised passport enables:

Fraudulent travel documents — counterfeit passports using your real data pass electronic checks because the MRZ data matches airline and border systems
International financial account creation — offshore banks and crypto exchanges accept passport scans for KYC verification
Identity package assembly — your passport data + a utility bill creates a complete "fullz" identity package
Synthetic identity creation — your real passport number with a slightly altered name creates an identity that's extremely difficult to detect

What a Properly Redacted Passport Looks Like

After Redaction

United Kingdom

Passport

Surname

SMITH

Given Names

JANE MARIE

Passport No.

576543210

Nationality

BRITISH CITIZEN

Date of Birth

01 JAN 1985

Expiry Date

01 JAN 2026

Place of Birth

LONDON

Signature

J. Smith

P<GBRSMITH<<JANE<MARIE<<<<<<<<<<<<<<<<<<<<<
5765432101GBR8501015F2601015<<<<<<<<<<<<<<02

What to Redact — Complete Guide

🔴 Always Redact

✕Machine Readable Zone — both lines, completely
✕Passport number (show last 4 if partial needed)
✕Signature — biometric identifier, enables forgery
✕Place of birth — can be used to obtain birth certificates

🟢 Keep Visible

✓Full name — needed for identity matching
✓Photo — confirms document belongs to you
✓Date of birth — typically required for verification
✓Nationality — needed for eligibility checks
✓Expiry date — confirms document is still valid

What to Redact by Situation

Employers verifying your right to work need to see the original in person for I-9 purposes. If they're asking for a copy for their files:

Redact: Passport number (last 4 visible), MRZ, signature
Keep: Name, photo, nationality, expiry date

💡

For official I-9 verification, employers must examine the original document — not a copy. Any copies kept afterward are optional and should be redacted.

Consulates and embassies typically require unredacted passport copies. The MRZ is needed for electronic processing.

⚠️

Do not redact for official government visa applications. However, if a third-party visa service asks for your passport copy via email, ask why they need the full number. Legitimate agencies have secure upload portals.

Some landlords request passport copies from non-citizens as proof of identity.

Redact: Passport number, MRZ, signature
Keep: Name, photo, nationality, expiry date

Your passport number is irrelevant to a rental application. Most landlords only need to confirm you are who you claim to be.

Banks performing KYC verification under the Bank Secrecy Act typically require unredacted identification.

If doing this online, use only the bank's secure upload portal — never email. For in-person verification, they'll examine the original and return it.

Hotels and travel operators booking international travel may need passport details.

Redact: Passport number (show last 4), MRZ, signature
Keep: Name, photo, nationality, expiry date

Better yet: provide details as text (name, number, DOB, expiry) rather than sending a full copy.

The MRZ: Why It's the Real Danger

⚠️

Always redact the entire MRZ. Not partially — even a partial MRZ can sometimes be reconstructed using the check digits. Cover both lines completely with a solid black bar spanning the full width of the data page.

Scam Warning Signs

Be suspicious if someone:

Asks for your passport copy via email, text, or messaging apps
Won't explain why they need the full passport number
Requests both the data page and additional pages
Is an individual rather than an established organization
Pressures you to send immediately
Doesn't have a secure document upload system

⚠️

Scam Alert: Employment scams, rental scams, and romance scams frequently request passport copies. Legitimate organizations have secure document submission processes — they don't ask you to text photos of your passport.

Don't Share the Back Pages

If your passport has visa stamps or entry/exit stamps, these reveal your complete travel history. Unless specifically requested for a visa application, don't share pages beyond the data page.

How to Redact a Passport With SafeRedact

Upload

Scan or photograph your passport data page. Drop the file into SafeRedact — it accepts PDFs, PNGs, and JPEGs. Your file stays in your browser. Only extracted text is sent AES-256 encrypted for AI detection.

AI Detection

SafeRedact's AI (powered by Claude Haiku) scans the document and automatically flags the passport number, addresses, dates of birth, and other PII patterns.

Add MRZ Redaction

Draw a redaction box over the entire MRZ (both lines) and your signature. Click and drag — takes 5 seconds. The AI catches structured PII; you handle document-specific elements.

Apply & Download

Pixel-burn redaction permanently destroys the data. The passport number, MRZ, and signature are gone — not hidden behind a removable black box, but physically absent from the file.

Your Passport Never Leaves Your Browser

Pixel-burn redaction that permanently destroys passport numbers, MRZ data, and signatures. Not hidden — gone.

Start Redacting Free

Frequently Asked Questions

Can someone steal my identity with just a passport copy?

A passport copy provides enough information — name, DOB, passport number, nationality, and photo — to attempt identity fraud in many contexts. Combined with other commonly available information (address, email), it creates a high-risk identity package. The MRZ makes this worse because it provides all key data in a machine-extractable format.

Is it safe to email a passport copy?

Not without redaction. Email is not end-to-end encrypted by default. Your passport copy may be stored on multiple servers — sender's outbox, recipient's inbox, email provider's servers, backup systems — indefinitely. If any are breached, your unredacted passport is exposed.

What if a hotel asks for my passport at check-in?

Hotels in many countries are legally required to register guests and may need to see or copy your passport. Ask if they need a physical copy or just the data. If they copy it, ask about their data retention policy. In the EU, GDPR requires hotels to delete copies after a defined period.

My visa agent wants a full unredacted copy. Should I send it?

If they're a licensed, reputable visa processing agency with a secure upload portal — yes, this is normal. If they want you to email or WhatsApp a passport photo, that's a red flag. Legitimate agencies invest in secure document handling because they're liable for the data they collect.

What's the difference between redacting a passport and a driver's license?

The main difference is the MRZ. Driver's licenses have a barcode on the back that serves a similar function, but passports have the MRZ directly on the data page — meaning it's visible in any copy of the front. With a driver's license, you can mitigate the risk by not sharing the back. With a passport, the MRZ is on the same page as your photo.

How to Redact a Passport Copy — The MRZ Is the Real Danger