Just over four months ago, the Internet at large became significantly more acquainted with the National Security Agency (NSA).

It's all thanks to Edward Snowden, a former NSA contractor (and longtime Ars reader) with access to an unprecedented volume of documents. Snowden's leaks detailed for the first time the vast scale of American international telecommunications surveillance. While many people may have speculated or even "known" about such capabilities, Snowden’s disclosures provided internal proof previously unavailable to the general public.

Ars has done its best to cover the day-by-day updates that have unfolded as a result of Snowden’s actions, both in terms of what we’ve learned of the government’s capabilities and what has changed since then. With most of the Ars staff at our annual two-day conference this week, we’ve decided to take some time to breathe and recap what we’ve learned so far. We've narrowed the revelations down to five, so this list is hardly exhaustive—but feel free to tell us what we’ve missed.

What we’ve learned:

American telcos are compelled to routinely hand over metadata to the government

Digital surveillance programs capture vast amounts of data: PRISM and XKeyscore

US companies have done little to resist government pressure

NSA's sister organization, GCHQ, does what the NSA can’t

NSA analysts even used capabilities to spy on their exes

What has happened since:

As a way to prevent future leaks, the NSA fired nearly all its sysadmins

Privacy-minded e-mail providers shut themselves down under pressure

The Foreign Intelligence Surveillance Court (FISC) opened up and published docket and opinions

Patriot Act author said that NSA’s interpretation is overbroad

Congressional reforms introduced, remain slow-moving

Ain’t no party like a third party

The entire saga kicked off on June 5, 2013 when The Guardian first published a secret order issued by the FISC that required Verizon to hand over vast metadata to the NSA. The order specified that Verizon was required to share the information on an “ongoing, daily basis” and encompassed the phone records pertaining to all of Verizon's American customers, whether the communications were between US-based callers or between a US caller and an international caller.

While the Verizon order is the only one officially published to date, it’s been a working assumption that other American telcos have been served with similar FISC orders. Roughly six weeks after this first disclosure, the FISC renewed that order.

The government relies on a well-established (but increasingly challenged) part of American case law known as the “third-party doctrine.” This notion says that when a person has voluntarily disclosed information to a third party—in this case, the telco—the customer no longer has a reasonable expectation of privacy over the numbers dialed or call duration. Therefore, this doctrine argues, such metadata can be accessed by law enforcement with essentially no problem.

The following day, Glenn Greenwald, The Guardian journalist who first broke the story, revealed another bombshell. On June 6, 2013, he introduced the world to PRISM, a massive NSA spying program that involved data sharing through various household-name tech giants, including Facebook, Google, Microsoft, and others.

In connection to the PRISM news, Facebook published a blog post soon after, writing that it has “been in discussions with US national security authorities urging them to allow more transparency and flexibility around national security-related orders we are required to comply with.”

Facebook continued: “We’re pleased that as a result of our discussions, we can now include in a transparency report all US national security-related requests (including Foreign Intelligence Surveillance Act [FISA] as well as National Security Letters)—which until now no company has been permitted to do.”

Despite the positive tone, Facebook (and other companies) cannot disclose how many of the requests for user data that it received were from federal, state, or local authorities. The companies can't detail whether any federal letters were from the NSA, a FISA court, the FBI, or some other entity. Facebook said that overall, it received between 9,000 and 10,000 requests from authorities in the second half of 2012, pertaining to between 18,000 and 19,000 individual Facebook accounts. (Other companies have subsequently also argued to the government that they should be allowed to break out how many aggregate requests they receive, but many have been rebuffed so far.)

A special relationship

Within two months of the PRISM revelations, Greenwald published another codenamed program: XKeyscore.

This NSA spy program captures vast swaths of unencrypted HTTP traffic at secret sites that span the entire world. However, due to storage limitations, it seems that it can only keep that data for relatively short periods of time. As Ars previously described, it would be nearly impossible for the NSA to store all that data for an extended time. One published slide says that for a single 30-day period in 2012, the data included “at least 41 billion total records.”

By the end of July 2013, we learned directly from an FISC judge that no corporation ever served with a “business record” court order under the Patriot Act has ever challenged one. This is despite the fact that the law provides them a means to do so. In other words, when the government asked Verizon to hand over call records and other metadata to the NSA, the company did so without so much as a peep.

In an 11-page letter from FISC Presiding Judge Reggie B. Walton to Sen. Patrick Leahy (D-VT), the judge wrote, “To date no recipient of a production order has opted to invoke this section of the statute.”

As the summer went on, it appeared that at least some of the Snowden trove was being shared by additional media outlets, including The Washington Post and a few foreign outlets, particularly in Brazil and Germany. Some of those publications soon reported that there was also extensive spying by the NSA’s British sister spy agency, the Government Communications Headquarters (GCHQ).

"It's not just a US problem. The UK has a huge dog in this fight," Snowden told The Guardian. "They [GCHQ] are worse than the US."

The Guardian also reported that Snowden’s documents showed that the NSA paid around $152 million to the GCHQ since 2010. "GCHQ must pull its weight and be seen to pull its weight," a GCHQ strategy briefing reportedly said.

Later, Süddeutsche Zeitung and German public broadcaster NDR published not only the names of the companies but also their GCHQ nicknames: "Verizon ('Dacron'), BT ('Remedy'), Vodafone Cable ('Gerontic'), Global Crossing ('Pinnage'), Level 3 ('Little'), Viatel ('Vitreous'), and Interoute ('Streetcar')."

The German newspaper cited an internal GCHQ presentation slide as its source. It also slammed the GCHQ, saying that the organization had “lost all sense of proportion.”

Under Britain's Regulatory and Investigatory Powers Act (RIPA) of 2000, the government does have broad powers to conduct digital surveillance. However, many believe that this wholesale data sharing is outside the scope of targeted warrants as described under RIPA. In July 2013, Privacy International, a London-based advocacy group, sued the British government for alleged abuses under the law.

Even with all those wrinkles, probably the most memorable (and darkly humorous) episode came from the disclosure of LOVEINT.

In August 2013, the Wall Street Journal introduced the world to an internal term that NSA analysts have come up with to describe the act of spying on one’s ex-partner: LOVEINT. The word is reminiscent of existing spycraft parlance, like HUMINT (human intelligence) or SIGINT (signals intelligence). (As you'd expect, LOVEINT spawned endless Twitter jokes.)

Needless to say, many Americans, including Sen. Chuck Grassley (R-IA), were not exactly thrilled with the idea that NSA employees could put America’s vast surveillance capability to use spying on ex-boyfriends and ex-girlfriends. He immediately fired off a letter to the NSA Office of the Inspector General (OIG).

By late September 2013, the OIG’s September 11, 2013 response to Sen. Grassley was published on the senator’s website. Inspector General Dr. George Ellard wrote that the NSA had “two open investigations into alleged misuse of SIGINT and is reviewing one allegation for possible investigation.”

In each of these cases, NSA employees were either docked in pay or punished administratively. Some even left the agency before any further action could be taken. Ultimately, no criminal charges were brought against any of these subjects. Worse still, most of these instances appeared to largely be the result of reactive reporting by the “subject” (the person who conducted the LOVEINT abuse), not the result of proactive internal measures at the NSA.