Last week, the Wall Street Journal reported on how a little-known government agency—the National Counterterrorism Center (NCTC)—got the keys to government databases full of detailed, personal information of millions of innocent Americans. Using the Freedom of Information Act and interviews with officials, the Journal obtained emails and other information detailing how the massive new spying program, which the Attorney General signed off on in March, was approved by the White House in secret—over strenuous objections from government privacy lawyers.

As EFF first warned months ago, despite the “terrorism” justification, the new rules affect every single American. The Journal explained:

Now, NCTC can copy entire government databases—flight records, casino-employee lists, the names of Americans hosting foreign-exchange students and many others. The agency has new authority to keep data about innocent U.S. citizens for up to five years, and to analyze it for suspicious patterns of behavior. Previously, both were prohibited. Data about Americans "reasonably believed to constitute terrorism information" may be permanently retained.

Journalist Marcy Wheeler summed the new guidelines up nicely in March, saying, “So…the data the government keeps to track our travel, our taxes, our benefits, our identity? It just got transformed from bureaucratic data into national security intelligence.”

Ironically, this civil liberties debacle apparently was a response to the attempted 2009 Christmas “underwear” bombing by Umar Farouk Abdulmutallab. As the ACLU observed, however, “Abdulmutallab wasn’t a U.S. citizen, and collecting information on him wasn’t a problem. Instead, his own father had identified him to the U.S. government as a potential terrorist. In short, an attack by a known foreign terror suspect was used to justify changes to rules about collecting information on U.S. citizens.”

The Privacy Act is supposed to limit the ability of the U.S. government to collect and maintain detailed data about ordinary citizens. Among other restrictions, it prohibits agencies from maintaining personal information unless it is “relevant and necessary” for a specific purpose. But thanks to a loophole in the law, federal agencies can issue public notices to the Federal Register, and attempt to skirt those rules entirely, thereby opening the door to arbitrary and unnecessary data collection.

As Mary Ellen Callahan, the chief privacy officer of the Department of Homeland Security unsuccessfully argued at the time, "This is a sea change in the way that the government interacts with the general public." Another former senior White House official called the program “breathtaking” in scope.

According to the Journal’s investigation, the debate over the program’s potential privacy violations sparked a “heated” and “testy” debate in the Justice Department, Department of Homeland Security, and the White House. A DHS lawyer complained via email that the advocates of the program were providing "complete non-sequiturs" and "non-responsive" examples. Ultimately, privacy lost.

Of course, it’s unclear whether the data-mining operation even works:

At the Department of Justice, Chief Privacy Officer Nancy Libin raised concerns about whether the guidelines could unfairly target innocent people, these people said. Some research suggests that, statistically speaking, there are too few terror attacks for predictive patterns to emerge. The risk, then, is that innocent behavior gets misunderstood—say, a man buying chemicals (for a child's science fair) and a timer (for the sprinkler) sets off false alarms.

Just like EFF did in March, the Journal compared the new NCTC program to the notorious “Total Information Awareness” surveillance program proposed by Admiral John Poindexter in 2002. As the New York Times explained, Poindexter “proposed fusing vast archives of electronic records — like travel records, credit card transactions, phone calls and more — and searching for patterns of a hidden terrorist cell.” Congress was so alarmed by the potential invasion to innocent Americans’ privacy that they defunded it in 2003.

What the Journal did not mention, however, is that even the NCTC’s best-known database—the Terrorist Identities Datamart Environment, or TIDE—is already fraught with problems. “TIDE contains more than 500,000 identities suspected of terror links,” explained the Journal. “TIDE files are important because they are used by the Federal Bureau of Investigation to compile terrorist ‘watchlists.’”

But according to an unusually blunt Senate investigation of so-called “fusion centers” released last month, the TIDE database is also full of information of innocent people that have nothing to do with terrorism. The report gave examples of: a TIDE profile of a person whom the FBI had already cleared of any connection to terrorism, a TIDE profile of a two-year old-boy, and even a TIDE profile of Ford Motor Company.

Indeed, the data-mining expansion seems like a horrible, self-fulfilling prophecy. As the Journal noted, the underwear bomber incident led President Obama to order agencies to send all their leads to NCTC, and to order NCTC to "pursue thoroughly and exhaustively terrorism threat threads." Predictably, NCTC was flooded with terror tips, creating a huge backlog that NCTC couldn’t process within the original time limits. NCTC then predictably sought to retain more data longer.

Congress needs to stop this vicious cycle. It should investigate the new NCTC guidelines and the government’s overall data-collection and data-mining practices. And it should take a look at closing loopholes in the Privacy Act, too.