Historical development of ID cards in Spain (1944–2008)

Spain has counted on a compulsory ID card since more than 60 years.

Previous ID cards

The first Spanish National Identity Document (Documento Nacional de Identidad) was created via a Decree issued by General Franco in March 1944 for the official purpose of “creating an unquestionable individual identity” The ID card was modified several times since its initials. The initial document included personal data (datos de filiación), profession and economic statusFootnote 1 of the citizen. In addition, it was also compulsory for foreigners living in Spain. From 1962 onwards, the ID card added to the above mentioned data the marital status and blood type, but left out the sex of the individual. The reform of 1962 converted the ID card in an exclusive document for Spanish citizens.Footnote 2 In 1965 another renewal took place that lasted until 1980. On the eve of the new Constitution, a new ID was launched in 1981 which removed the economic categories and included a constitutional coat of arms as printed background. As of 1985Footnote 3 nobility titles were not allowed to be printed anymore in the ID card. During the nineties fingerprints were removed from the physical ID card and new technologies were applied to its production. However, they were still kept in the files of the DG Police. All the people who applied for the ID card during the nineties for the first time had to give their fingerprints to the Police. The only difference with past periods of time was that the fingerprints were no longer printed in the actual card. With the the new eID card – the seventh version of the Spanish ID –, the fingerprints are not printed on the physical card either, but included in the chip of the eID card. It is important to note that the zone of the chip that contains the fingerprint information can only be accessed by the DG Police which has them on file in a central database anyway and therefore is not considered to be a radical change.

All theses changes experienced by the Spanish ID card during these decades responded to two types of needs. During the 50s, 60s and 70s it was modified in order to adapt to a fast-changing society and to fit the demands of the political regime. From 1978 onwards (the year in which the Spanish Constitution was approved), several modifications were needed in order to match the ID card with the Constitution and the new provisions on data protection. By the nineties, these goals had been accomplished, no further modifications happened during this decade. The next and currently last changes were due to the objective in aligning the ID to opportunities offered by the new technologies in improving the security measures as well as in fostering the Information Society. The current eID card which was launched in 2006 is the result of this long history in identity management in Spain and a complex project carried out for this aim.

The Spanish ID card works with a Single Identification Number system. It allocates a number of eight digits plus a letter to each citizen, which is not reallocated to any other citizen when the citizen that held it for the fist time dies. Numbers range from 00.000.001 to the 99.999.999 and are distributed in sets to the Delivering Offices.Footnote 4 As a consequence, and in comparison to other European identification systems, the eight-digit number has neither a meaning in itself nor is an indicator (to externals) of the date at which the citizen applied for the ID for the first time. The letter associated to the number is given automatically by the system which follows a pre-established algorithm. The letter is the result of dividing the eight-digit number over 23, which accounts for the number of letters in the Spanish alphabet, once the “i, o, u, ñ” are excluded) and checking the letter-equivalence of the remainder (which is always between 0 and 22) in a pre-established equivalence table (Table 1).

Table 1  
Full size table

The single identification number system conferred powerful identification features on the ID card, which today serves as an authentication means for 90% of the Spanish databases run by both public and private bodies. In September 1990 the ID number plus the letter became the fiscal identification number of all Spanish citizens.Footnote 5 As a consequence and over the years, the ID card has been adopted for many transactions in everyday life, e.g.. buying an airplane ticket or making reservation of a table in a restaurant beyond the coercive purposes for which it had been created.

Two Fundamental Laws have drawn the most essential basis for the legal framework of the eID card and eID function which had come into force long before the introduction of the eID. No new legislation or amendments were needed, as they cover the general guidelines that rule the existence of a national ID card in Spain.

  • ■ The Fundamental Law 1/1992 Footnote 6 in its section III established the duty and the right of all Spanish citizens above the age of 14 to receive and hold an ID card. It is also stated that the ID card may not include data regarding the race, religion, opinion, ideology and political affiliation.

  • ■ The Fundamental Law 15/1999 Footnote 7 established the basis for data protection in Spain. The law provides definitions of the core elements in the field of data protection, develops citizens’ rights and establishes the grounds for the Spanish Data Protection Authority. According to this law, none of the data included in the Spanish ID deserves additional protection other than the general regime, i.e. all personal data included in the eID is, from a legal perspective, low-protection data. The DG Police simply holds the general accountability derived from its activity as database manager with no envisage of further protection. In short, provisions regarding Data Protection do not impose any conflict in relation to the ID card.

The introduction of the Spanish eID card

An electronic ID card became first an issue within the Directorate General of the Police, Ministry of Interior, back in 1998. The Informatics Department of the Directorate General of the Police started working on a civil servant’s card with cryptographic features. According to interviews with representatives of the DG Police, their aim was to develop a card with digital certificates which -on the one hand- control physical access to premises and -on the other hand- through the use of certificates would be useful to access (confidential) information within computers and internet which was a response to the need to deal with confidential data within their offices. The initial concept was not comparable to its final outcome, i.e. an eID card for the whole Spanish population. In 2006, the Spanish eID card was officially launched finalizing a step-by-step development approach which started in the end of 1999 when the Ministry of Science and TechnologyFootnote 8 requested a complete report on eGovernment initiatives undertaken by the DG Police, in which they made a reference to the possibility of creating an eID card.Footnote 9

By 2000 the eID card was for the first time included in the plan Info XXI InitiativeFootnote 10 and, thus, officially entered the agenda of the DG Police. Within the next two years the Informatics Department worked on the definitions and technological details of the project counting on the support and contribution of both the Spanish Data Protection Authority, which assured that citizens’ privacy was respected, and the National Cryptographic Centre, a body which belongs to the National Intelligence Center of the Ministry of Defense and sets the security requirements. Although the technical set-up was finished in 2002, the actual roll-out of the eID card had a delay of two years due to the debates among Ministries about the legal framework and budgetary implications.

In March 2004, after general elections and a change in government, the new Vice President, Maria Teresa Fernández de la Vega, very soon took political leadership and provided decisive impulses for the proceeding with the plan. In January 2005 the DG Police opened a call for tender for the provision of the technical equipment of the eID. Shortly after the Ministry of Interior and the Ministry of Industry, Tourism and Trade signed an Agreement of financial and technical cooperation outlining the contribution of each Ministry in order to finance the first phase of the project. The tender, amounting to a total of 11.982.000€, was awarded to a private consortium composed by Information, Communication and Telecommunication companies (Indra, Telefónica and Software AG) in July 2005.Footnote 11 By the end of the same year, a Royal Decree that rules the functioning of the eID card was approved.Footnote 12

As a next step of the road-map, the first eID card issuances were organized on 16 March 2006 with a pilot project carried out in Burgos. The experience in Burgos did not produce any major difficulties and after six months the actual roll-out of the eID card started in other regions. It is worth mentioning that the legislation in force at that time implied a renewal of the (e)ID card for reasons beyond the citizen’s control without any costs. With the arrival of the eID card, citizens’ enthusiasm for receiving it (especially because it was free of charge!) has caused a misuse of this clause. As a consequence, the Law 11/2007 introduced a modification according to which a fee had to be paid for the eID in all circumstances with the only exception of changes of the data contained in the card. Figure 1 illustrates the development of the Spanish ID card into an eID card from 1999–2010.

Fig. 1
figure 1

Development of the Spanish ID into an eID (card) from 1999–2010. Source: Own elaboration

Full size image

The legal framework

There are two different blocks that build the legal framework of the eID card and the eID function. In the first place, two Fundamental Laws ruling Citizen Security and Data ProtectionFootnote 13 that came into force long before the introduction of the eID card. In addition, there is a range of legal texts approved in 2003 that have built a comprehensive legal framework for the introduction of an electronic ID. These Laws and Royal DecreesFootnote 14 range from provisions about the implementation of eGovernment in public administrations to the obligation for big utilities to provide services through telecommunication means as well as detailed regulation of the issuance of the eID card.Footnote 15

There was a common understanding among all actors in this process that the existing legal framework covered all relevant aspects related to the eID and that no further legislation was needed. According to the interviews carried out, the only potential weakness of the current legal framework relates to the application of the eID function in administrative procedures which cannot be offered without modification of their specific regulatory provisions. Each time a new administrative procedure is being offered through online, prior to its launch the legal text that contains the regulation of the procedure must be modified so to enable its implementation. An umbrella legislation that ruled the adaptation of (all) administrative procedures to the Internet would help sparing resources that are currently used to regulate separately the adaptation of every single procedure. In general terms, the requirement of modifying legislation for every procedure is meant to ensure citizens rights and strengthen an overall situation of legal certainty. However, it looses relevance if it is taken into account that the possibility to access a procedure through the Internet is a right of the citizen and does not imply any change in the content, conditions or guarantees of the original procedure.

Map of actors and other electronic authentication methods

State level policies, by definition, involve a broad range of actors. The case of the eID initiative is not an exception. Among all actors, three of them are playing the lead acting role: the Ministry of Interior, the Ministry of Industry, Tourism and Trade and the Ministry of Public Administrations.

The Ministry of Interior, through the DG of the Police, holds exclusive competences on identification of citizens and owns the database that contains all the information which is included in the eID plus any police dossier of a citizen. The DG Police plays –thus- a main role that spans from the physical production of the eID card to its delivery to the citizen. A multi-step approach has been designed for its implementation process and its security is guaranteed and designed by the National Authority of Security (Autoridad Nacional de Seguridad), which is the only public body with certification competences. Throughout the production process, security is assured through a framework that allows complete traceability. In essence, the role of the DG Police regards the design, production and delivery, i.e. the whole “product-cycle” of the eID card and the eID.

The second important pillar of the institutional eID set-up is the Ministry of Public Administrations ( MAP ). The Ministry of Public Administrations is in charge of coordinating the several existing eGovernment initiatives, either within the State’s General Administration or in cooperation with the several Autonomous Communities as well as with municipalities. It focuses its efforts to achieve high levels of interoperability, provide validation services for all public administrations and approach public administrations towards the citizens. As a first step towards achieving these goals, the inter-connections (e.g. sharing of data and resources) among public administrations were being enhanced. The creation of the already indicated SARA network as an intranet that connects local public administrations among themselves and with the central public administration contributes to this goal with specialized technological expertise made available to other public authorities. The Ministry of Public Administration has –in this context- a double function that consists of a political direction and guidance (that is materialized e.g. in Law 11/2007)Footnote 16 and at the same time offers the required technological solutions to public administrations to comply with. The philosophy behind this leadership is to provide the technology to all administrative levels at “zero costs” for their recipients. The only condition for its usage by other bodies is the fulfillment with the standards established by the Ministry. Hence all public administrations – even those who do not have their own technological resources – can benefit from the technological solutions offered and, at the same time, eGovernment at the different levels count on a significant degree of absolute interoperability.

The third pillar of the institutional structure is the Ministry of Industry, Tourism and Trade, which holds the responsibility to foster the information society and especially to strengthen its impact on the private sector. Its task is to monitor the take up and use of the eID among individuals and representatives of the private (business) sector. In the recent years, the Ministry of Industry had focused its activity, through the Plan Avanza and other programs, in releasing financial aid to both public and private entities so that they could afford the introduction of ICT in their operations. From February 2008 onwards, it has broadened its scope of activity by offering validation services for enterprises. The eID is expected to build social confidence on telematic transactions among the private sector. This is of utmost importance for SMEs which account for a large share of total enterprises in Spain and generally work with low levels of ICT despite the experts’ awareness that technologies would raise their productivity and decrease their costs. In this context, the Ministry of Industry, Tourism and Trade is a key promoter of the technological aspects in the society.

In addition to this driving e-triangle, there are other public bodies at central level that have significantly contributed to the implementation process of the eID card, obviously varying in degree and activities. Among these, the Royal Spanish Mint plays a relevant role. The Spanish Mint constituted a certification authority much before the creation of the actual eID. Its digital certificates—called CERES—were the first ones with a significant spreading (for instance, they represented –and still represent today– a notable share of all Spanish Income Tax declarations carried through the Internet). Via its monopoly at central level in issuing an eID mean in former times, it also developed a validation service. The Royal Spanish Mint’s role changed and now preserves its function to issue CERES certificates and provides universal validation servicesFootnote 17 (Figure 2).

Fig. 2
figure 2

Map of the principal public actors and its functions in relation to the eID card at Spanish central level. Source: Own elaboration

Full size image

Another important actor is the Ministry of Presidency which took over political leadership to overcome the numerous problems that prevented the eID card to succeed already back in 2002. The creation of a Coordination Committee and a Technical Committee allowed to pursuing the set goals in the Spanish eID card road-map. Without special mentioning, the Spanish Tax Agency, which belongs to the Ministry of Economy and Finances, is un-doubtfully the most visible and advanced e-actor in the Spanish system. Although they had no direct role to play with regard to the eID card and the design of the eID function, it is the largest provider of an online service and of digital certificate application with strong impact for citizens (i.e. electronic Income Tax Declarations).Footnote 18

Heterogeneity is the core among the Spanish regions, the Autonomous Communities, especially in those with strong powers and/or identity. This does not only affect its stage of development –some including are more advanced and with better e-services compared to the central administration- but its design structure, resource allocation and political leadership. This finding becomes a most clear example when it comes to the existence and creation of certification authorities and eID tools launched by various Autonomous Communities on the top of the state level ones.

For instance, in Catalonia the current strategy for the development of eGovernment is not directly linked to the spread of the Spanish eID card because of two reasons drawn from the interviews. The first reason is that traditional “window administration” did not require most times any identification from the person that was following a procedure and so, there is no reason to ask for an identification document when the same transaction is done through the Internet. The second reason is that the complete roll-out of the Spanish ID card is seen to be a mid-term event, which could introduce a reason for the delay in the effective implementation and use of telematic services.

The differentiated model of eGovernment in Catalonia is supported by the Catalan Agency for Certification (Catcert), which holds a crucial role. On the one hand, it is a real Certification Authority that issues digital certificates for both Catalan civil servants and any citizen that requests them (including foreigners). On the other hand, it acts as Validation Authority, which makes possible for Catalan Public Administration to accept the broadest possible range of identification means. Finally, it provides common technological solutions for the implementation of eGovernment in Catalan local-level public administrations.

The penetration of ICT and eGovernment is also highly uneven among municipalities. Generally, the most populated municipalities have progressed faster but even among those the degree of ICT is still very variable. In addition, the Spanish municipal structure is made up of 85% of municipalities with less than 5000 inhabitants.Footnote 19 Most of these municipalities have little resources that are not enough for successfully implementing eGovernment initiatives (design of technological solutions, purchase of equipment, training of personnel, etc.). As a consequence, the introduction of local eGovernment is often led or supported by supra-municipal entities such as the association of municipalities belonging to a same Province or Autonomous Community or even more geographically-extensive bodies that look for economies of scale. Prominent example of municipalities’ association is the LOCALRET initiative, which consists of a public entity that gathers 800 Catalan municipalities (out of 952) and whose role is enhancing the spread and development of communication networks among local administrations. Following its goal, LOCALRET holds the 40% of the Consortium of Electronic Open Administration in Catalonia (Consorci d’Administració Oberta Electrònica de Catalunya), which in turn owns the Catalan Agency for Certification. Thus, the LOCALRET initiative provides not only technological solutions to municipalities but also defend their interests in the political fields where decisions related to ICT are taken.

In the same context, it is worth mentioning the work of the Ministry of Public Administrations with regard to the SARAFootnote 20 project. The SARA initiative consists of a system of networks and applications designed with the purpose of connecting public administrations at all levels. As of September 2008, 1008 Spanish municipalitiesFootnote 21 (out of a total of 8149) were connected to the SARA network. Through this network municipalities can access a broad range of services and resources (for instance, the @firma validation platform). Hence, they do not need to create their own technological solutions, thus are prevented to bear its investment and the maintenance costs.

Technical aspects of the eID card

Features of the current eID card

The possession of the ID card is compulsory for all Spanish citizens above the age of fourteen. The physical card contains printed personal data, a chip mandatory with biometrical data and the eID. On the front-side of the card, there are the surnames and (pile) name(s), sex, nationality, date of birth, series number of the card, expiry date, identity number plus a letter, the cryptographic chip, a photograph and a changing laser-printed image consisting of three letters (first consonants of both surnames and pile name) and the issuance date of the eID card (format dd/mm/yy). On its back, there are the birth place, province and country (referring to birth place), the (pile) names of the parents, the address, province and the code of the delivering office (i.e. Police Station that issued the card) and a set of printed information so that the card can be read according to the ICAOFootnote 22 requirements regarding travel documents.Footnote 23

The chip contains the same personal data that is physically printed on the card plus an image of the fingerprints. As a consequence, the eID card can be used both for physical inspection and online authentication (Figure 3).

Fig. 3
figure 3

Image of the new eID Card; Source: DG Police

Full size image

Technical background

The eID consists of a polycarbonate card of size 85.60 × 53.98 mm that contains an embedded cryptographic chip. The chip is ST19WL34Footnote 24 and has a capacity of 32 K. The information contained in the chip is structured in three areas whose access has different security levels. The first one can be accessed (only for reading purposes) without restraints and consists of the certificate of component and the Diffie-Hellman keys. The second one, namely the private zone, contains the Digital Signature certificate and the Content Commitment certificate. Both of them have a pair of RSA keys. This area can be only accessed for reading purposes by the citizen through the use of his/her PIN. Finally, the third area – the one with highest security level – contains all the personal data of the citizen as well as an image of his/her photo and manuscript signature. This part of the information can be only accessed by citizens in the so called “Updating Points of the eID”,Footnote 25 which are eID reader devices that can verify the matching between fingerprints and the eID of the citizen and are located in Delivering Offices (within Police Stations).

The chip contains three digital certificates: the component certificate, the digital signature certificate and the content commitment certificate. The purpose of the certificate of component is the authentication of the ID card (as a device, not the identity of the holder) through a mutual authentication protocol.Footnote 26 If the authentication is successful, then the certificate permits the establishment of an encrypted communication channel between the card and the drivers. The certificate of component will not be directly accessible to cryptographic modules (i.e. standard interfaces). The digital signature certificate’s mission is giving proof of the citizen’s identity as well as establishing confidential communication channels between citizens and service providers. However, service providers will not obtain any guarantee of citizens’ commitment regarding any signed content through that certificate. In order to obtain that confirmation, there is the third certificate: the content commitment certificate, which is used to sign documents and has the same value as a manual signature.Footnote 27

The use of the eID by the citizen requires that he/she equips himself/herself with a personal computer and a card reader. The card reader, in order to be compatible, must fulfil the requirements of the ISO 7816 standard, support minimum communication speeds of 9600 bps and asynchronous cards based on T = 0 and T = 1 protocols. Usually, the installation of reader devices for smart cards requires a driver, which can be obtained along with the card reader.

As it regards software equipment, the eID card works with several operating systems (Microsoft Windows XP and 2000, Linux, Unix and Mac OSX) and browsers (Microsoft Internet Explorer, Mozilla Firefox, Netscape). Besides, the personal computer must count on a cryptographic module, which in the case of Microsoft Windows is called “Cryptographic Service Provider” and for Linux, Unix and Mac is called “PKCS#11”. Both modules are available and can be downloaded from the official eID website.Footnote 28

Budgetary aspects of the eID card implementation in Spain

The introduction of the eID card has been possible as a result of a great release of public funds. The heavy decentralisation of the physical and logical printing and delivery of the eID card has implied to purchase equipment for all Police Stations and to train a significant group of civil servants. Therefore budget expenses have risen dramatically during this period and for this purpose. The Ministry of Interior has contributed with the largest share of the funds, followed by the Ministry of Industry, Tourism and Trade. The first (official) calculations of the magnitude of investment needed to carry out the technical project was issued within the Financial and Technical Agreement between the Ministry of Interior and the Ministry of Industry, Tourism and Trade, which amounted to 149,292,000 € for the period 2005–2008. However, the project of the eID covered much more than the technical development and production of the card and required additional substantial funds for the implementation of validation services and revocation lists, the development of services that make use of the advantages of the eID and the set of activities aimed at providing technical assistance and general information to citizens (24 hours-a-day telephone assistance, maintenance and update of the eID website, establishment of a pre-scheduled appointment system, etc.). The overall cost of implementing these actions was estimated at 314 million € for the period 2005–2008,Footnote 29 although the real total expenses were never published nor could they be identified during the interviews (see in Table 2 an approximation based on the different amounts facilitated for the various actions). The calculated internal cost per card according to the estimate of the Police was slightly above 12 €. Only the polycarbonate card itself costs 11.50 € per unit. Consequently, the public fee of 6.80 € for the year 2008 does not cover the real cost of it.

Table 2 Illustration of the financial means for the implementation of the eID card project; Source: Data from the Collaboration Agreement between the Ministry of Interior and the Ministry of Industry, Tourism and Trade (2005); Plan Avanza Official Publication; Presentation of the eID, DG Police (own elaboration)
Full size table

The eID card production, issuance and distribution support

The Spanish eID card is issued in the 256 delivering offices located in Police Stations all over the country. In order to apply for first time for a Spanish (e)ID card, the citizen himself/herself has to approach the delivering office and will be required to submit a certification of his/her birth registration in the Civil Registry. The validity of these certifications expires within three months after its issuance. Thus, the citizen has to apply for the eID card within three months after obtaining the Civil Registry certification. Once the Civil Registry has issued the certification, the person cannot request it again. As a consequence, one or more persons cannot obtain a Spanish ID from a single (already used) certification of birth registration. Such a mechanism was meant to increase security levels and had its roots in the original organizational system in where both the Ministry of Interior’s Database and the Civil Registry were not yet computerized. Although both entities have been computerized, this mechanism has been maintained as an extra measure of security. Besides the abovementioned certification, the citizen has also to submit two coloured photographs of his/her face (size 32 × 26 mm) with a plain background, totally uncovered head and no garment that could make difficult the identification of the citizen. Finally, each citizen is requested to submit a certification of his/her municipality census, which must not be issued more than three months in advance prior to the application for the eID card. There is a public fee (6.80 € as of 2008, revised every year) payable for every citizen for this proof.

The validity of the eID card depends on the age of the holder. For those citizens under the age of 30, the eID card expires every 5 years. For those between the age of 30 and 70, the validity of the eID card is 10 years. Finally, for those older than 70 years, the eID card does not expire anymore. However, the digital certificates are valid for a period of 30 months starting from their issuance.

In case of a renewal, the citizen himself/herself has to approach the Delivering Office, pay the mentioned fee and submit two photos of the same characteristics as described above and the former (e)ID card. Moreover, if the citizen has changed his/her home address, then he/she has to submit the new certification of his/her municipality census. Similarly, if there has been any modification of the personal data (name, surname, date and place of birth, parents’ names and sex), the citizen will have to submit a certification of the Civil Registry that gives proof of it. The Delivering Office will check that the historical biometrical data matches the present biometrical data of the citizen and, if so, will proceed to renew the eID card.

In order to ensure a smooth handling of this decentralized service system, the DG Police has implemented a system of pre-scheduled appointments so that citizens do not have to cue. The average time needed for renewing the eID card is 15 minutes, aimed at being reduced to 12 minutes per applicant.

Due to this new organizational system (Fig. 4) the citizens has gained large benefits in terms of time savings. In the previous system with the traditional ID card, the citizen, once he/she had requested his/her ID, had to wait on average of two to three weeks until the ID card could be picked. Now electronic machines in each police station allow for an immediate issuance in site (Fig. 5) When asked about security concerns in the interview representatives of the DG police answered that there is no place with higher security than a Spanish police station.

Fig. 4
figure 4

Work-flow from citizen’s requests till issuance of the eID card; Source: Own elaboration

Full size image
Fig. 5
figure 5

Image of a supporting device for citizens to get the new eID Card at the decentralized police delivery stations; Source: DG Police

Full size image

Other digital authentication services in Spain

Before the introduction of the new eID card, there were already 13 suppliers of identification and certification services in Spain. As it regards the ones issued by public entities, it is worth mentioning the digital certificates issued by the Royal Spanish Mint within its program CERES. The CERES certificates were created in 1996 with the aim of covering public needs derived from the increasing role of the Internet and the arrival of the Information Society. They are issued in software format and therefore their users do not need to install a card reader. All citizens can request a digital certificate and they were given it for free. It is structured in such a way that the Royal Mint earns from the validation services provided to public administrations that accept the CERES certificate for their transactions. In July 2008, there were approx. 1.727.990 CERES certificates in operation.

In addition, several Autonomous Communities have developed their own digital certificates. This is the case of Valencia, Catalonia and the Basque Country, where the regional initiatives produce a multiplicity of certification authorities that do not favour the immediate penetration of the Spanish eID card into the society. Other regions such as Andalusia and Galicia have decided to follow the national approach and thus become registration authorities of the national certification authority CERES.

In the private sector, there are a broad range of additional certificates. The common feature of these certificates is that they give proof of much more than mere identity since they all include further attributes of the holder. One of them is Camerfirma S.A., which is the certification authority for Chambers of Commerce. It offers several services that can be obtained in software or hardware format: certificates of firm membership, which allow a natural person to identify himself as a worker of a concrete firm; certificates of representation, which enable an individual to act on behalf of the firm he/she works for; certificates for e-Invoices etc. Other certification authorities are Firmaprofesional S.A., which provides e-Identity to associations representing professionals such as Doctors, Architects or Engineers; the Law Certification Authority; the Notary Agency of Certification; the Certification Service of the Property Registry Officers; etc. The main difference between these certificates and the eID card is that they do not only provide digital identity but also evidence of their professional status (we can refer to it as “identity with attributes/features”). Without such evidence of professional status, the holders of the e-Identity Card would not be able to exercise through telematic means the rights derived from their profession.

eID card penetration and eID take-up

Because of the decentralized production and issuance, the roll out of the new eID card had followed a gradual approach with a territorial criterion as not all 256 police stations could be equipped with the new machines at the same time.. For the first six months (starting from March 2006), the eID card was only issued as part of a pilot project in the city of Burgos. During this period, the demand for eID cards in the local Police Station that delivered the eID doubled. In total, 7000 eID cards were issued during the pilot project. In July 2006, the first phase of implementing the cards in the rest of the territory started and lasted until June 2007. The goal was to extend the provision of cards to other provinces and Autonomous Communities while increasing the number of Police Stations that issued the card within each province (see Fig. 6 for the geographical roll-out of the card).

Fig. 6
figure 6

Geographical/Territorial Role-out of the eID card from May 2006–June 2007; Source: Data from Press Releases of the Police DG – Own elaboration

Full size image

The second phase of the territorial implementation – without any specific geographical order - started in June 2007 and ended in March 2008 with the availability of the ID issuance to the whole territory. The number of ID card issuances per day has increased as more Police Stations started issuing the eID card. In February 2008 an average of 23,000 eID cards were issued per day, which implies almost 500,000 new eID cards per month. In terms of delivered ID cards, by the beginning of March 2008 there were already 3,000,000 citizens with an ID card, at the end of the year 2008 there were around 8,000,000 eID cards in citizens ownership which illustrates the very smooth roll-out, i.e. high delivery rate in a short period of time (see Fig. 7 below).Footnote 30 Latest figures (in December 2009)Footnote 31 show a total of 13,000,000 cards in circulation. The first expirations of the cards will occur in 2010 which is according to the public sources the date for its first assessment.

Fig. 7
figure 7

Graphical illustration of the start of eID card roll-out and its exceptional increase in a very short period of time until January 2009; Source: Data from Press Releases of the Police DG – Own elaboration.

Full size image

Although there are no comprehensive assessments of the take-up rate of the ID card, some empirical observations show a low – but slightly increasing – trend of use. The field that historically has good results –“killer application”- in terms of use of digital means is the payment of taxes. The Spanish Tax Agency has always been a pioneer in the field of on-line transactions, both at national and European level.Footnote 32 Citizens could submit their Income Tax Declaration through electronically since 2001. At that time, the certificates of the Royal Mint (CERES) were clearly predominant (they had appeared in 1999) and most certificates shown in the table below (e.g. the eID card) did not exist yet (Table 3).

Table 3 Total income declarations vs. electronic income declarations (general) vs. income declaration with eID card per annum; Source: Data from “Memoria 2006”, “Memoria 2007” and “Memoria 2008” by Spanish Tax Agency
Full size table

Table 4 shows the predominance of CERES certificates throughout the years, which is still increasing while the eID has been offered as a more secure alternative for authentication However, the number of Income Tax Declarations submitted with the eID card in 2008 with respect to 2007 is increasing to a much higher degree and may allows forecasting that the share of the eID will become more popular. Whether it will become the most popular certificate for submitting the Income Tax Declaration online will be seen when the CERES certificates expire and will have to be renewed. It may well be that people then do not renew their software certificates but acquire a card reader and employ their eID card.

Table 4 The number of on-line income tax declarations broken down by the various electronic means (Period 2005–2008); Source: Spanish Tax Agency (slightly adapted)
Full size table

For other applications the use of the eID functions is not higher. This low take up may be due to three factors:

  1. (1)

    The number and sophistication of e-public transaction services provided and for which an eID card is necessary;

  2. (2)

    Technological difficulties (e.g. installation of the reader, down-load of specific software etc.) for using the eID card; and

  3. (3)

    To a lesser extent- the degree of digital illiteracy among Spanish population.

Services for which the eID card is required as a means of authentication can either be provided by public administrations or the private sector. Regarding public administrations, recent amendments to legislation oblige them actors to offer all of their services on-line by the end of 2009. This extended offering may lead to higher usage rates of eID cards by Spanish citizens. But the fact that services are available on-line does not automatically imply that they require the use of the eID for authentication. Prior to the introduction of ICT in public administration, several services did not require personal authentication of citizens. Empirical observation has shown that the introduction of authentication requirements for on-line service heavily decreased their use by the Spanish citizen. As a result, many services offered via internet according to the above mentioned legislation are expected not to require authentication with a digital certificate. Therefore, the subsequent impulse on the take-up rate of the eID will depend on whether services that do require the eID are high-impact ones. In addition it has to be considered that Spanish central administration is generally offering fewer transaction services with citizens than the regional and local governments. Unsurprisingly, the degree of penetration of online services at these levels is highly uneven and, as mentioned above, many of them have their own regional methods of authentication.

On this background big hope is laid on the private sector. For example, big utilities (i.e. the enterprises related to the supply of electricity, water, gas, telephony, etc.) will have the obligation to offer their services through internet channels. However, so far they employ a user/password system or software certificates for authentication, which are free for citizens for citizens and which do not require installment of a card reader. It is thus to the discretion of the companies to use or not the new device eID.

Within this scenario, the banking sector appears to play a key role. The Spanish banking system is generally known for its solidness and treats security features with absolute priority. In addition, certain restrictions in opening hours and a good offer of technological advanced services may mean a quantum leap in the take-up and usage rate of the eID (card). The eID card provides an identification document with high security standards and is “costless” for both banks and customers. Several of the big banks (e.g. Bankinter, Caja Madrid, Banco Sabadell) have already adopted the eID card in their daily operations. Since the eID card complies and actually exceeds the security standards of many banking systems, it offers the opportunity for instance- to directly withdraw money from the cashier/teller machine or purchase tickets for museums and theatres. So far, banks have made use of the eID for authentication matters. When a user enters a system through an authentication mechanism with the eID (card), the signature of his/her transactions will be a digital signature. In an interview with a representative of Bankinter, it was confirmed that the system will apply for both private and business customers and for all services offered by the bank (e.g. withdrawal of money, order a bank transfer, request a credit card, modify personal data, etc.).

To which extent technical requirements and the usability of the installment of the ID (card readers, client software etc) combined with an apparently insufficient average technological level of (e-)skills in the Spanish society build up potential barriers for a quicker take-up of the eID function is not evident and more research is required, but it may certainly condition the Spanish eID diffusion and overall its acceptance. It became clear in the interviews that when criteria such as security, user friendliness, ergonomics and costs are considered, one realize that the card is very secure but it is not so user-friendly nor its distribution is easy (one has to send it to the client, give him/her the drivers, etc.). In terms of ergonomics, it does not score high either. If one changes the personal computer, it does not work anymore. Moreover, it is apparently still considered as rather expensive.

Conclusive reflections

The case of Spain may be summarized as a process with a smooth development and well conducted introduction of the new eID card but with a rather slow take-up and low acceptance and usage of the eID function for online authentication The first aspect may be explained by a high degree of path continuity, the second one with the particular actor constellation.

Referring to the differentiation of three paths as introduced by Kubicek in the introduction to this Special Issue we may conclude that the most important success factor in Spain is the long historical background of the national ID card, which goes back more than 60 years ago. The existence of a compulsory ID card in Spain, including a single identification number for citizens, and its entire social acceptance provided sufficient fundaments for a smooth preparation and transition to a new electronic ID card.

In this context, the “birth” of the eID card is perceived as a natural evolution of the former one: a new technical application, but with the same organizational and institutional features. This finding is of great relevance, since both the constitutional legal framework and the data protection laws were already compatible with the existent compulsory ID card. In addition, all aspects regarding the introduction of a chip containing digital certificates could be adopted without the Spanish Parliament’s explicit intervention and approval. In particular the already existing legislation concerning digital signatures had established a legal framework for eSignature in line with the European Directive 1999/93/EC which included the use of certificates for authentication purposes. A path creation was undertaken with regard to the application of the eID within eGovernment. The legacy of the traditional ID card in terms of its constitutional alignment and data protection compatibility has allowed for a smooth process of the eID availability. But usage of eIDs cannot be commanded by legislation.

The organizational path shows a hundred percent continuation which lead to a unique way of producing and distributing ID cards and eIDs, i.e. locally on the police stations. This is a rather expensive way, which required the purchase of new equipment for 256 Delivering Offices located inside the police stations across the country, the training of the civil servants, the design of new security measures etc. This decentralized mode just continued the infrastructure established for the old paper-based ID cards, therefore was rapid and highly successful. No central production organization had to be established, no new processes of ordering and distributing cards has to be created. To set up a new infrastructure seemed to become more complicated or according to the interviews conducted has never been considered as an alternative.

With respect to its technological path all technical features adhered to widely used standards. Digital certificates have been used already before the introduction of the eID.

After some delays in the early stage, the political leadership by the current Spanish Vice President (Ms Fernández de la Vega) from 2004 onwards turned out to be the decisive driver for finalizing the preparatory measures for the new ID card and its actual launch. The guidance of the Vice President with the creation of an inter-ministerial coordination committee whose aim was to accelerate the tasks required for such a process supported clearly the change over.

A second important factor in this regard is the confluence of most of the competences and responsibilities in a single body, i.e. the Directorate General of the Police within the Ministry of Interior, along with clearly defined, but decentralized roles for the other actors contributed much to the progress of the project. A centralized decision-making set-up, combined with coordination and communication efforts and with actors on the other tiers of public administration, has provided for the efficiency and swiftness of the project and has prevented any discussions or disagreements among public bodies in the administration.

But this success factor for the diffusion of the new ID card at the same time can be considered a barrier for the usage of the eID function on the supply and the demand side.

Some opinions in the interviews that were conducted indicated that optimal security levels do not always correspond to highest security levels and argued that the centralization of the decision-making in the police department has led to a design that stresses security and not necessarily implies a clear functionality trade-off for its users, i.e. citizens. The DG Police was mostly interested in the pure introduction of the new card, but they apparently had less interest in its subsequent eGovernment usage. The entities in charge of implementing the eGovernment strategy or strengthening eCommerce have thus just to adopt the eID as an additional tool and instrument to reach their respective objectives.

As outlined in the previous section, recent amendments to legislation oblige public sector actors to offer their services on-line by the end of 2009 what may lead to higher take-up rates by Spanish citizens, owning an eID card. In this context, the Ministry of Public Administration motivates other ministries and their affiliate organizations to make authentication by the eID exclusive and mandatory, but so far has not been very successful, as the above mentioned tax declarations example has shown. Future development will depend on the political weight of eGovernment as a policy field and the power of the respective ministry(ies) or presidency.

In conclusion, these actions and once the users (citizens) see more the advantages and benefits of the card and its user friendliness is endorsed (incl. an awareness campaigning) by the different service providers -both public and private-, there is no doubt among the different parties (interviewed) that the eID will become a universal mean and its usage fully exploited.