Even as the Supreme Court hears challenges to the constitutional validity of Aadhaar, news about the various weaknesses of the Indian government’s project to give every Indian a 12-digit biometrics-linked unique identity continues to surface. Over the past week alone, there has been a disturbing case of stolen biometrics being used to steal rations, an admission that the government tried to file a criminal case against those who reveal vulnerabilities, and a belated request for people not to give away the very demographic data that has been leaked by official websites.

It is hard to keep track of all that has happened, so here is a quick wrap of developments from just the last week.

1. Stolen biometrics

The Unique Identification Authority of India, the body that manages Aadhaar, has insisted all along that its biometric databases are secure, even if state websites have been leaking demographic Aadhaar data for some time now. Last week, news reports revealed that two fair shop price owners had been arrested in Gujarat for siphoning rations using stolen biometric data. This is, of course, exactly what Aadhaar was built to prevent, with the belief being that a biometric-linked ID would prevent such leakages. UIDAI’s response was to point out that the biometrics had not been stolen from the Aadhaar database, but from a local repository.

This is not a breach of Aadhaar security. According to news report itself Surat police too has confirmed this. It appears a case of local collection of biometrics by the state PDS department, not biometric collection by UIDAI or Authentication by Aadhaar system. — Aadhaar (@UIDAI) February 4, 2018

As many have pointed out, though, this technicality offers little solace. After all, the fingerprints in the Aadhaar database and the one in the state repository will be one and the same. Cracking the state database is equivalent to getting Aadhaar data, because it is not like the individual can change their fingerprints. As many have reported, there are many other state databases around the country through which biometric data can be procured and, because of how much demographic data has been easily leaked on government websites, matching these becomes quite easy.

Replay of stolen biometrics is no different from forging somebody’s signature. The law will deal with such case in the same manner. 2/2 — Aadhaar (@UIDAI) February 4, 2018

The UIDAI’s response to this? “Replay of stolen biometrics is no different from forging somebody’s signature.” If biometrics are no different from a signature, what makes Aadhaar any better than the old system?

2. Fraudulent cases

In a response to a question in the Rajya Sabha, Minister of State for Finance Shiv Pratap Shukla admitted on Tuesday that money to the tune of nearly Rs 1.5 crores had been fraudulently withdrawn from Public Sector Bank accounts using customers’ Aadhaar numbers. The response in Parliament details how this has happened, with cases seeing Aadhaar numbers fraudulently mapped against bank accounts, sometimes by banking correspondents themselves. Shukla’s reply says the government has taken steps to prevent such cases from recurring. But considering how often people find that their Aadhaar numbers have already been linked to certain bank accounts, and how massive the job of having to link every account to a unique ID is going to be, it is evident that this is only the tip of the iceberg.

3. FIR against whistleblowers

After a report by The Tribune newspaper in early January in which it was revealed that demographic details for every single Aadhaar number were available for just a small cost, and that spending a little more money would let you print out anyone’s Aadhaar card as well, the government denied the story and UIDAI asked for a First Information Report against the reporter as well as those named in the story. When a number of people criticised the government for attacking the press when all it was doing was simply reporting on official vulnerabilities, Union Minister Ravi Shankar Prasad said he has “suggested” that UIDAI request the newspaper and its journalist help the police in investigating the case. The FIR, when it was registered, simply named “unknown persons”. In response to a query in the Rajya Sabha last week, however, when asked whether UIDAI has filed an FIR against the whistle blowers, Prasad’s answer was “Yes, sir.”

4. Laminated cards

On Tuesday, the UIDAI released a statement saying printing Aadhaar cards on plastic sheets makes it unusable and prone to data theft. The authority said that plastic or PVC Aadhaar “smart cards” often make the QR codes dysfunctional. It also added that people should be “watchful for the protection of their privacy and recommended not to share their Aadhaar number or personal details to unauthorised agencies for getting it laminated, or printed on plastic card”.

This seems broadly like a good warning, except that it is also horribly belated: Aadhaar smart cards are all over the country and moreover, it seems as if the UIDAI has only just discovered that the sharing of Aadhaar numbers and other demographic data is dangerous. It said earlier in the year that it would be introducing a new system by which people can get Aadhaar authentication without having to share their UID numbers. But Aadhaar numbers have been shared for years now, not least by more than 210 government websites, and UIDAI has itself tried to insist that leaked Aadhaar numbers are not a problem. This new level of caution seems like a good thing, but what use is it if the horse has already bolted?

5. More exclusion

Although it is impossible keep track of all the ways Aadhaar is believed to have ended up becoming a tool for exclusion, some news stories stand out because of their severity. This week, activists in Jharkhand said there had been another starvation death, which they suspected was linked to a 30-year-old woman being denied rations since October because the Aadhaar-enabled machine at the local ration shop did not authenticate her biometrics. This is only the latest in a number of cases where people are believed to have died because of exclusion from the system as a result of Aadhaar.