The National Police has announced in a post on X (Twitter) that a new Public Key Infrastructure (PKI) with new encryption algorithms has been implemented for the DNI. The system thus moves from RSA 2048 to the so-called Elliptic Curve 384.
On the one hand, the change is interesting. The RSA system is already a classic for data encryption, but it has some disadvantages: it uses large public keys, operations are slower (especially when signing) and it consumes more CPU and bandwidth.
Elliptic Curve 384 bits (ECC, usually P-384) provides a lot of security with small keys. Signatures are much faster, for example, and consume much less CPU and battery, in addition to providing a very high level of security. It is a system with a much longer future ahead of it and seems a suitable alternative for the “ID 4.0” of which the National Police speaks.
What does this cryptography protect on our DNI? The private keys inside the DNIe chip never leave it, and various types of operations are carried out with them:
- Authentication: proving that you are you, which lets you, for example, connect to the Tax Agency
- Electronic signature: when we present official procedures or electronic contracts, the DNI “signs” as if it were our physical signature
- Key exchange: reinforces, for example, the TLS security of secure protocols when browsing if we need that additional layer
This new cryptographic system mitigates impersonation even if passwords are stolen in certain scenarios (such as trying to use it for official procedures) because the attacker would need not only “a photo” of the DNI, but the physical DNI, the PIN, and break the ECC 384 encryption, which is practically impossible today.
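The authentication operation and the RSA 2048 versus P-384 size difference described above, as an added Go example that is not part of the original article or of any DNIe software: a software key stands in for the chip, a verifier sends a random challenge, and the response is checked with the public key only. The function names, the SHA-384 digest and the PKCS#1 v1.5 padding used for RSA are assumptions chosen for illustration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"crypto/x509"
	"fmt"
)

// Added illustration, not DNIe code: names and algorithm parameters are assumptions.
// Verify checks a challenge response using only the public key.
func Verify(pub crypto.PublicKey, challenge, sig []byte) bool {
	d := sha512.Sum384(challenge)
	if k, ok := pub.(*ecdsa.PublicKey); ok {
		return ecdsa.VerifyASN1(k, d[:], sig)
	}
	k, ok := pub.(*rsa.PublicKey)
	return ok && rsa.VerifyPKCS1v15(k, crypto.SHA384, d[:], sig) == nil
}

// Demo returns DER public-key size, signature size, whether the fresh challenge verifies, and whether a replay does.
func Demo(alg string) (pubLen, sigLen int, fresh, replay bool, err error) {
	var card crypto.Signer // stand-in for the chip: only Sign and Public are used
	if alg == "RSA-2048" {
		card, err = rsa.GenerateKey(rand.Reader, 2048)
	} else {
		card, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	}
	if err != nil {
		return
	}
	c := make([]byte, 64) // constructed input: two 32-byte random challenges
	rand.Read(c)
	d := sha512.Sum384(c[:32])
	sig, err := card.Sign(rand.Reader, d[:], crypto.SHA384) // the card answers the first challenge
	if err != nil {
		return
	}
	der, err := x509.MarshalPKIXPublicKey(card.Public())
	return len(der), len(sig), Verify(card.Public(), c[:32], sig), Verify(card.Public(), c[32:], sig), err
}

func main() {
	fmt.Println(Demo("RSA-2048"))
	fmt.Println(Demo("P-384"))
}
```

With both key types the fresh challenge verifies and the same signature is rejected for a different challenge, which is why a captured response cannot be reused. The P-384 public key encodes to 120 bytes against 294 for RSA 2048, and its signature is at most 104 bytes against 256.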
So, the measure is positive, but that is not the problem.
The problem is how the DNI is used in Spain.
The weakest link
These measures are aimed at protecting the data on our ID, but the problem is how this document has become inherently vulnerable because of the way it is handled in the real world.
In fact, the DNI has become a document that we hand over with extraordinary ease. Hotels have been asking for and photocopying our ID for years when checking in. They cannot and should not do so. The AEPD published a note in June 2025 in which it discussed this issue and concluded that “a copy of the identity document should not be requested.”
This document is also usually photocopied or scanned in procedures before a notary, for example. In this case, the argument usually put forward is that they have to provide reliable documentation because of the money laundering law. The AEPD in fact sanctioned the General Council of Notaries (CGN) for this type of request in the summer of 2025.
However, as cybersecurity expert Román Ramírez explained on X, it is another question of “they do not want to commit themselves by attesting that the document you show is the real one.” It is a way of “washing your hands,” he explains, because if something happens it is no longer your word against theirs.
In fact, we have long recommended that if you have to send a photo of your DNI for any online procedure, it should be done with a watermark. Tools like SafeLayer facilitate this task, but in some cases the entities or companies that request this document object to it being sent with a watermark or do not accept it at all.
The curious thing is that the legislation theoretically prevents this type of mass registration of DNIs in cases such as administrative procedures. Royal Decree 522/2006 of April 28 eliminates the obligation to present photocopies of the DNI in the administrative procedures of the General Administration of the State and its dependent organizations.
This rule obliges administrations to verify identity data internally, prohibiting requiring physical copies unless expressly opposed by the citizen or specific regulations. This rule does not apply directly to the examples of hotels or notaries, but there the AEPD has also made it clear that showing the document is enough.
No matter what they tell you, do not send your ID as is
We should never simply send photos of the ID. Neither by email, nor by WhatsApp, nor through dubious forms, even if the message seems to come from a real company.
In fact, if a company asks for your DNI after a supposed data leak or theft, the best thing we can do is verify it on our own, checking its website or calling a legitimate customer service number to find out what is really happening and whether this procedure is necessary.
The DNI is “gold” for scammers because it allows them to:
- Open fraudulent accounts
- Request credits or microloans
- Validate identities in online services
- Reinforce scams with messages such as “we have your ID, we are from this company or bank.”
In fact, this document is a treasure if other data such as contact or telephone number is added to it, because thanks to this information it is possible to carry out much more effective identity theft attacks that can lead to truly dangerous scams and frauds.
The DNI has another peculiar problem: it is used as a kind of “universal identifier” in Spain. If it leaks once (if someone steals it or a photo of it ends up in the wrong hands), you can no longer change it like someone changes a password. You can only renew it, but even then the “old” one is still extremely useful for those phishing attacks.
That is why it is important to limit as much as possible where we upload the ID, who has it, and in what format: we should never upload the complete photo unless it is absolutely essential.