Many moons ago, shortly after Edward Snowden’s revelations about the NSA first appeared, I wrote a column which began, “Repeat after me: Edward Snowden is not the story”. I was infuriated by the way the mainstream media was focusing not on the import of what he had revealed, but on the trivia: Snowden’s personality, facial hair (or absence thereof), whereabouts, family background, girlfriend, etc. The usual crap, in other words. It was like having a chap tell us that the government was poisoning the water supply and concentrating instead on whom he had friended on Facebook.

Mercifully, we have moved on a bit since then. The important thing now, it seems to me, is to consider a new question: given what we now know, what should we do about it? What could we realistically do? Will we, in fact, do anything? And if the latter, where are we heading as democracies?

I tried to put some of these questions to Snowden at the Observer Ideas festival last Sunday via a Skype link that proved comically dysfunctional. The comedy in using a technology to which the NSA has a backdoor was not lost on the (large) audience — or on Snowden, who coped gracefully with it. But it was a bit like trying to have a philosophical discussion using smoke signals. So let’s have another go.

First, what could we do to curb comprehensive surveillance of the net? The internet engineering community seems determined to do something about it. In its current form, the network is wide open to snooping, because most of its operations are not encrypted. At the Vancouver 2013 meeting of the Internet Engineering Task Force there were discussions about ways of inserting so much cryptographic treacle into the network’s operations that the NSA would have to work much harder to surveil it, thereby forcing snoopers to adopt more targeted approaches that would be amenable to credible legal oversight. This won’t be easy to do, but there’s enough technical ingenuity in the community to pull it off.

Even if they did, however, that wouldn’t be the end of the matter, because lots of unsavoury things go on in cyberspace, and it would be unthinkable not to allow access to communications for law enforcement and national security purposes. Which means that democracies need oversight regimes that are effective, technically competent and enjoy public trust. The fallout from Snowden suggests that the oversight regimes in most democracies currently lack some or all of these properties. Fixing that requires political action, and therein lies our biggest problem.

The most depressing thing about the political response to the revelations is how crass and simplistic it has been. First we had the yah-boo phase: Snowden was a traitor; the revelations dramatically undermined “national security”; anyone who applauds what he did is a naive idiot; if you have nothing to hide then you have nothing to fear, etc. These are the philosophical equivalent of the debates that go on in bars after Premier League matches.

The good news is that we have moved on a bit from such inanities. The political debate is now framed in terms of a “balance” to be struck between security and privacy, as if it were a matter of piling fruit on both sides of weighing scales and seeing which way the needle points. But security and privacy are very different concepts. Security is a function of two things: the scale of a possible harm and the probability that it will happen. Some possible dangers are so great that, even if their probability is low, extreme measures are justified. Other potential harms are smaller but more probable. In thinking about surveillance and counter-terrorism we need some way of reaching collectively agreed judgments about how the “balance” should be struck.

Likewise, privacy has a value both for individuals and for society as a whole; it is also culturally and domain-dependent (we have different expectations of privacy in different locations). And the standard official line on privacy at the moment – that “people obviously don’t care much about it, otherwise they wouldn’t be on Facebook” – won’t wash, because people give their consent to Facebook, whereas none of us clicked “agree” to the hoovering up of our communications data.

Finally, there’s the question that is never discussed. Is this bulk surveillance actually effective? Is there credible evidence – as distinct from bland assurances by officials – that it actually works? Why, despite all the snooping, for example, did our intelligence services not pick up the Islamic State threat? And how cost-effective is it? The US currently spends over $100bn a year on counter-terrorism. God alone knows how much the UK spends. Are we getting real value for all this taxpayers’ money? I’d like to know. Wouldn’t you?