With the passage of the USA Freedom Act in June, Americans may think that the sprawling and unchecked surveillance apparatus that was secretly erected after 9/11 has finally been reined in. But the fight over government surveillance is far from over. For all the late-night filibusters and political brinkmanship that ultimately produced the USA Freedom Act, the legislation barely touched on many of the government’s most troubling spying programs—the ones aimed at the Internet.

Two years ago, the whistleblower Edward Snowden, then a government contractor, exposed the National Security Agency’s bulk collection of Americans’ phone records. That program is now being wound down, but phone records were just the tip of the surveillance iceberg. More and more, our daily communications take place over the Internet—and there the NSA’s dragnet surveillance continues unabated. Putting an end to what some have called “the golden age of surveillance” requires protecting our online communications from government spying, too.

Over the past 15 years, the NSA has embedded itself in the infrastructure of the Internet, often by secretly collaborating with telecommunications companies that operate the Internet “backbone.” This backbone is the global network of high-capacity cables and routers that carries communications across countries and between continents. From outposts both inside and outside the United States, the NSA continuously monitors vast streams of Internet traffic as they flow past the agency’s surveillance devices. The NSA uses those devices to siphon off huge quantities of communications, often in bulk, copying them and then searching their contents for information of interest.

This is the new surveillance paradigm. It is one in which the government examines everyone’s e-mails, browsing activities, and online chats in real time, not just the communications of suspected spies and criminals. The old paradigm, in which surveillance had to be targeted to be technically and economically feasible, is being supplanted by population-level surveillance, where everyone’s communications and metadata are fair game. This new paradigm animated the NSA’s bulk collection of Americans’ call records, and it continues to animate its pervasive monitoring of Internet traffic. The breadth of this surveillance allows intelligence agencies to use “big data” techniques—such as sophisticated algorithms and analytic tools—to mine the flow of private communications and store large chunks of that data for later use. In short, today’s surveillance system is set up to search and collect as much data as possible now, so that intelligence agencies can figure out how to exploit it later.

The NSA uses surveillance supposedly directed at foreigners as a backdoor into Americans’ private communications.

There are two key legal authorities that govern the NSA’s warrantless surveillance of our Internet communications. Inside the United States, this surveillance is conducted under Section 702 of the Foreign Intelligence Surveillance Act (better known as FISA), and it principally affects Americans’ international communications. Outside the United States, the surveillance is carried out under Executive Order 12,333—a Reagan-era spying regulation written for the pre-Internet era. This order is even more permissive than Section 702 and lacks judicial review of any kind, not to mention meaningful congressional oversight. John Napier Tye, a whistleblower and former State Department official, has warned that the collection and storage of communications under Executive Order 12,333 is staggering in its scope and far broader than the surveillance programs that have thus far come to public attention.

Last March, I was part of a team of lawyers at the American Civil Liberties Union who sued the government to stop Internet backbone surveillance conducted under Section 702. The ACLU’s clients in the case—Wikimedia Foundation, Human Rights Watch, the Rutherford Institute, and six other civil society organizations—argue that this warrantless surveillance violates the Fourth Amendment, which provides core safeguards against unreasonable searches and seizures, the First Amendment, and the text of Section 702 itself. In searching through virtually all international communications entering or leaving the United States, the NSA invades the plaintiffs’ privacy and harms their ability to engage in speech, advocacy, and other activities essential to their work. Public disclosures over the past two years—including new revelations about the NSA’s monitoring of Internet backbone traffic with the help of AT&T and Verizon—substantiate the plaintiffs’ claims. The Electronic Frontier Foundation is currently pursuing a similar, long-running challenge, which the government has sought to have the courts dismiss on the grounds of state secrets.

Because intelligence officials often claim that these programs are directed only at foreigners abroad (as though mass surveillance of the rest of the world is justified), many Americans believe that they aren’t vulnerable to the NSA’s dragnet spying. But the reality is far different.

Phone records were just the tip of the surveillance iceberg. More and more, our daily communications take place over the Internet—and there the NSA’s dragnet surveillance continues unabated.

For one thing, the NSA’s rules permit it to hold on to the communications of Americans that it intercepts “incidentally.” That word conceals an enormous loophole. As long as the NSA is pursuing the communications of foreigners overseas, whether individually or en masse, it believes it is entitled to copy, review, and retain communications involving Americans without ever having to obtain a warrant. In other words, it uses surveillance supposedly directed at foreigners as a back door into Americans’ private communications. Intelligence officials admitted in a 2006 hearing before the U.S. Senate Judiciary Committee that obtaining Americans’ international e-mails and phone calls was one of their core goals in seeking broader surveillance authority, calling those communications the ones “most important to us.” And subsequent reports have warned that the NSA is indeed collecting Americans’ communications in large quantities under Section 702 and Executive Order 12,333. For example, the Review Group on Intelligence and Communications Technologies, an oversight body created by U.S. President Barack Obama in the summer of 2013, found that Americans’ communications were “significantly more likely” to be acquired under Section 702 than through surveillance predicated on a warrant.

The global structure of the Internet helps the NSA take advantage of the “incidental” loophole, by funneling Americans’ communications into the NSA’s net. Communications today are transmitted across the Internet with little regard for national boundaries. Thus, even when both the sender and the recipient of an e-mail are inside the United States, there are many ways that communication could end up outside of the country. Companies such as Google, Yahoo!, and Microsoft often shuttle huge amounts of customer data around the world in the course of storing backup copies, improving network access, or conducting basic tasks such as spam filtering. Internet communications rarely take the shortest route to their destination, and factors such as network congestion or contractual agreements may cause purely domestic communications to take an international route. Because of how the Internet is built, Americans have little control over the routing of their data. The fact that the NSA believes it can seize and search many of these communications without a warrant, simply because they happen to have crossed a border, is profoundly disturbing.

The government is storing copies of our private communications for years at a time, even if it has no reason to believe we’ve done anything wrong. It means that the government can search through those communications at its leisure, for a variety of investigative purposes, without ever having to go before a judge.

The shift to population-level surveillance has grave ramifications for our liberty. It means that the government is storing copies of our private communications for years at a time, even if it has no reason to believe we’ve done anything wrong. It means that the government can search through those communications at its leisure, for a variety of investigative purposes, without ever having to go before a judge. It means that the government has already built a surveillance architecture that could be used to stifle dissent, to profile people based on race or religion, and to impair the ability to travel, obtain work, and associate freely. This may seem far-fetched, but some of it is already happening today. Secret surveillance has helped funnel individuals onto terrorist watch lists—such as the “no fly” list, which is used to bar suspects from boarding flights to, from, or within the United States. Once on that list, individuals have no meaningful opportunity to challenge the surveillance or clear their names. More broadly, as a report issued last year by Human Rights Watch and the ACLU shows, the chilling effects of this surveillance on journalists, lawyers, and others are palpable. It makes sources unwilling to talk to journalists, even about topics that may be of tremendous public interest, and it undermines the ability of lawyers to communicate with their clients in confidence.

There are other corrosive effects, too. Today’s surveillance apparatus depends on a massive, secretive state bureaucracy, one that is often at odds with the core democratic principles of transparency, accountability, and popular consent. A secret court, created under FISA, exists solely to consider government surveillance requests. In the past decade, that court has repeatedly reinterpreted the country’s surveillance laws to authorize spying that is far broader than any member of the public could have known. At the same time, there is an epidemic of overclassification, which stifles citizens’ ability to hold their government accountable, especially when it comes to novel forms of surveillance.

Indeed, the government is deliberately standing in the way of an informed public debate about its spying programs. The NSA has refused to count, or even estimate, the number of Americans whose communications it retains each year under Section 702—yet that number is almost certainly enormous. Similarly, the FBI has refused to disclose how many times it conducts “backdoor searches” on Americans using its Section 702 database, a practice that converts warrantless spying into a tool for everyday law enforcement. Surveillance under Executive Order 12,333 is even more of a black box, despite warnings about its broad impact on the rights of Americans. One recent news report noted that even the U.S. Senate Select Committee on Intelligence, which is supposed to oversee the intelligence agencies, could not identify all the spying programs conducted under this authority.

An undated aerial handout photo shows the National Security Agency (NSA) headquarters building in Fort Meade, Maryland. Reuters

Although the recent public debate has focused less on the NSA’s Internet backbone surveillance than on its bulk collection of phone records, there are mounting calls for transparency and reform. In 2014, the U.S. House of Representatives voted by a wide margin to ban warrantless backdoor searches on Americans, although the U.S. Senate failed to pass equivalent legislation. This past May, Representative Bob Goodlatte (R-Va.), chairman of the House Judiciary Committee, promised to hold hearings on the use of Section 702 surveillance because of mounting pressure from his committee members to reform this law. The Review Group on Intelligence and Communications Technologies has recommended curtailing the government’s ability to exploit information about Americans—collected under Section 702 and Executive Order 12,333—by requiring the government to purge much of that information and banning its use altogether in criminal proceedings. And the Privacy and Civil Liberties Oversight Board, an independent and bipartisan agency within the executive branch, is currently conducting its own review of certain surveillance activities under Executive Order 12,333.

Having secretly secured a viselike grip on the Internet’s backbone, the intelligence agencies will no doubt resist such efforts. In a world where our digital trails increasingly follow us everywhere, the recent battle over bulk collection of phone records was only a prelude. Our public institutions must not give in to fearmongering, misinformation, and rampant secrecy, because the stakes for liberty and privacy are incredibly high.