Why you should never send photos of your ID: the safest alternative

Many procedures and product deliveries in Argentina require a photo of the holder's national identity document (DNI) . However, as privacy and personal data protection specialists warn, this is a terrible practice : this data can be exploited for various types of cybercrimes , from identity theft to obtain a personal loan to impersonating us to deceive our WhatsApp contacts in what is known as social engineering .

Although for many it may seem like something of little importance, it is important to remember that the DNI not only proves an identity, but also contains key personal data such as full name, document number, date of birth and address .

In the business of buying and selling personal data, which attackers are seeking for multiple reasons ( see ), document photos are valuable because they allow for the construction of complete profiles for frauds or "guided scams," where the victim is tricked into making transfers to scammers or handing over personal data. In fact, last year, an attacker managed to steal 6 million driver's license images .

Added to this is a second, and no less important, problem: many companies don't have adequate security measures in place , or even if they do, they are exposed to information theft and potential data breaches, which can affect users. And, unlike passwords, data breaches of this type are more difficult to reverse: a password can be changed; the address is much more complicated.

For this reason, " Datos argentinos " is a site that, using a tool called Safe ID, allows you to hide data from an ID card before sharing the image requested by a company or entity. It was created by Martín Aberastegue, an Argentine programmer and marketing specialist, who explains why it's a good idea to hide sensitive data before sharing documents, as well as how to do it.

“Obfuscation is essential because the Argentine DNI contains extremely sensitive information that can be used for identity theft, financial fraud, and unauthorized access to services. The document includes critical data such as the transaction number, the PDF417 code containing all personal information in digital format, and biometric data . In the wrong hands, this information allows for fraudulent transactions and the complete impersonation of the victim,” the specialist explained to Clarín . He has reported vulnerabilities to entities such as the AFIP (ARCA), telephone companies, and insurance companies.

For this reason, Aberastegue created an open source application that allows data to be obfuscated before sending it.

“Datos Argentinos is a platform focused on protecting personal DNI data, and is completely non-profit ,” he says. “Its main tool, Safe ID , allows you to securely share your ID document by processing all the information locally in the user's browser, without sending data to external servers. It works completely offline and can even be installed as an app on your phone. The platform offers features such as custom watermarks and obfuscation of sensitive data completely free of charge,” he adds.

There are some problems with this system on the business side: many complain when data is obfuscated.

“There are companies that outright reject documents with censored data , even though they aren't legally authorized to require the full document, and that ends up complicating the user's life. For example, with mobile phone companies, some accepted ID cards with a watermark and obfuscated data without a problem, while others rejected them, saying the watermark was too strong. I adjusted the intensity, and then they started accepting them, but the reality is that it depends a lot on the company and the person serving you,” he explains.

This is, after all, a culture that needs to begin to change.

In addition to the address and full name, an important piece of information on the DNI is the "procedure number."

“The transaction number is a fundamental key for online procedures and identity validation. With this information, criminals can perform government procedures online by impersonating someone, validate their identity on digital platforms, access basic banking services, and confirm personal data in systems that only require an ID and transaction number. It is particularly dangerous because it functions as a unique identifier complementary to the ID, and many online systems use it as an authentication factor, while the general public is unaware of its sensitivity and fails to adequately protect it,” explains the specialist.

When data leaks occur, the average citizen tends not to apply for a new ID, partly because it's a cumbersome process and because there's a lack of awareness about the scope of the problem.

"In the event of a data breach, very few people renew their ID to invalidate the exposed transaction number, so the risk persists over time. Safe ID helps minimize this risk by protecting data when it's not really necessary to share it," explains Aberastegue.

Finally, an important point is whether, when uploading the ID, the image is saved on a third-party server (which could be potentially dangerous). How does the system process the data?

This is explained on the site: "Safe ID uses a completely client-side architecture that makes storing your data technically impossible. Although the web application is downloaded from our server, all processing of your images occurs directly in your browser using the native FileReader and Canvas APIs , without ever sending your documents to external servers." The APIs are functions already included in the browser that allow you to manage files and images without the need for external programs or sending data to the internet.

“When you load an image, the browser reads it directly from your device and converts it into a digital representation that resides solely in RAM. Transformations such as cropping, obfuscation, and watermarking are performed using local mathematical operations on an HTML5 Canvas element. The final result is generated directly on your device without any data leaving it,” they add. For specialists, the Safe ID source code can be reviewed on GitHub .

“Furthermore, the project seeks to raise awareness and educate about the importance of protecting personal data. It includes sections with frequently asked questions, a protection guide for the Argentine National Identity Document (DNI), and a section with a chart of historical data breaches compiled by Marcela Pallero ,” she adds, referring to the personal data protection specialist who records a timeline of incidents suffered by Argentine public and private entities ( see ).

To use it, you can click this link . The more users obfuscate their data, the more companies and organizations will have to accept this type of practice, which, ultimately, not only protects citizens' privacy but also prevents the organization from getting into trouble if it suffers a data breach.