This government’s “neither confirm nor deny” mantra over the extent of its surveillance powers has been replaced with a new one: “Never apologise, never explain.” On Monday, the tribunal tasked with hearing complaints against our intelligence agencies found that for more than a decade our intelligence agencies had been unlawfully amassing, in bulk, vast amounts of our personal data.

The official public response from the government didn’t touch on the 17 years of unlawful practice, but merely declared it was “pleased the tribunal has confirmed the current lawfulness of the existing bulk communications data and bulk personal dataset regimes”. While underplaying the significance of this ruling, the government is ebullient about how Theresa May’s investigatory powers bill – more commonly known as the snooper’s charter – will usher in a new era of transparency, honesty and rigorous oversight.

So if you are one of the many people concerned about following the rules and how the public’s personal data is being protected, what is the government doing to reassure you? Very little.

Instead, the unwillingness to confront the government’s past mistakes reinforces the dangers inherent when parliament is asked to grapple with legislation such as the investigatory powers bill that would enshrine far-reaching, highly advanced and deeply intrusive surveillance powers. Rather than drawing a line under bad practice and forging a new era of transparent, clearly avowed and properly authorised and regulated surveillance, the bill is so byzantine and complex that it could lead to another 17 years of creative interpretation of the rules. This ruling should be a warning to all of us that when we give the government an inch, it will take a mile.

Let us be clear about what it has done when it says it has been collecting “bulk communications data”. Rather than seek the creation of transparent and democratically approved laws, it instead spent 17 years using an archaic, obscure, vague clause from a pre-internet piece of legislation – section 94 of the Telecommunications Act 1984 – to obtain regular feeds of bulk communications data from telecommunications companies.

In short, the government has been collecting your personal data from your phone and email provider – who you’ve been communicating with, when you communicated with them, where you were at the time. This data provides a detailed picture of who you are, your friendships and family relationships, your interests and movements, including your political views, your sexuality and who knows what else. And the government has been taking it all in for over a decade. Without you knowing about it. Without even parliament knowing about it.

The first official, independent review of these section 94 directions came out only in July this year. Sir Stanley Burnton, the interception of communications commissioner, who conducted the review, commented somewhat understatedly that there were “difficulties when statutes are operated in secret and where there is a lack of statutory codified procedures”.

“Difficulties” is one way to put it. The potential for abuse, misuse and skirting the rule of law is another. What we have seen emerge from disclosed documents is that the cloak of secrecy resulted in massive troves of our personal data becoming a kind of Facebook for spies. Staff had to be repeatedly warned not to search for or access information about other members of staff, neighbours, friends, acquaintances, family members and public figures.

Other independent experts have revealed further abuses. David Anderson QC, the independent reviewer of terrorism legislation, noted at para 5.42 of his review of bulk powers that a “very serious incident” took place in 2014. Burnton noted “230 errors” by the security service between January 2015 and July 2016.

Missing from the narrative is what happened to the victims. With no provisions for notification, we will never know if our data was misused, however egregious the incident. The investigatory powers bill takes a tiny step in the right direction by allowing for error reporting in limited, discretionary circumstances. But that is not nearly enough. Error reporting should be mandatory to give us effective rights to seek redress.

Of even greater concern than abuse, however, is the threat to a democratic society created when we normalise the idea of putting us all under surveillance. But neither the government nor parliament has fully confronted the main consequence of the bill, which enshrines in law the powers of bulk surveillance that led to the collection of all our data. Parliament has been hobbled by the many layers of this enormous, complex, mostly unfathomable piece of legislation, accompanied by hundreds of pages of equally opaque codes of practice. It is true that we have moved on from an era of a vacuum in law. But what we have got instead is a new era of labyrinthine legal complexity.

So, with the investigatory powers bill just weeks from becoming law, we find ourselves at the precipice of the post-Snowden surveillance settlement. Rather than rolling back the mass surveillance practices that have been exposed in the aftermath of Edward Snowden blowing the whistle, some of which Monday’s judgment finally found to be unlawful, May’s bill is hurtling forward like a freight train. If it fails to change course, we may again find ourselves in court challenging the state’s mass surveillance practices. While it is the 11th hour, it is not too late for parliament to stop this vicious cycle of unlawfulness that thrives on rules that no one understands.