President Obama's NSA review panel makes it clear that many of the things NSA has been doing are bad from a policy perspective. But the real question we should be asking is: are they legal?

Early leaks about the review panel suggested it had found all the activities of the NSA (and, they imply, of other agencies, such as the FBI) to be legal. That's based, in part, on this statement:

Significantly, and in stark contrast to the pre-Fisa era, the Review Group found no evidence of illegality or other abuse of authority for the purpose of targeting domestic political activity. This is of central importance, because one of the greatest dangers of government surveillance is the potential to use what is learned to undermine democratic governance. On the other hand, as discussed later in this report, there have been serious and persistent instances of noncompliance in the Intelligence Community's implementation of its authorities. Even if unintentional, these instances of noncompliance raise serious concerns about the Intelligence Community's capacity to manage its authorities in an effective and lawful manner.

But notice that statement did not say the panel had found everything to be legal. On the contrary, it applied that judgment only to illegality or abuse "for the purpose of targeting domestic political activity". That leaves open a whole slew of potential abuse, even illegal activities, targeting Americans for reasons outside of politics.

That's what the report should have tackled, but it didn't. Instead, we have tame-sounding "policy recommendations", as if this were all just a matter of political disagreement over the budget or the farm bill.

A later statement on the phone dragnet is equally ambiguous:

We have not uncovered any official efforts to suppress dissent or any intent to intrude into people's private lives without legal justification.

Fine, but this leaves open the possibility of unofficial efforts to suppress dissent, or of intruding into people's lives with dodgy legal justification.

Perhaps one signal that the report won't comment on legality is that, in its section on legal issues, it is conspicuously silent about President George Bush's "presidential" wiretap program, which top Department of Justice officials refused to authorize as lawful in 2004. Later in the report, it briefly notes that Bush's program operated outside Fisa. Funny, that's the same thing some of President Obama's programs currently do.

Beyond the emphasis on the "serious and persistent instances of noncompliance", there are other moments where the report points to issues of concern.

For example, the report emphasizes that EO 12333 – the executive order used both to authorize Bush's illegal surveillance program and to authorize much of the current dragnet – only governs "foreign intelligence activities not governed by Fisa". Yet the administration appears to have continued internet metadata collection more broadly under EO 12333. Furthermore, according to a Washington Post report, the NSA has taken data (that is governed by Section 702 of Fisa) from Google and Yahoo cables overseas. The report stresses the limits of EO 12333, but another way to read that is as a suggestion that the executive branch continues to overstep its authority.

Then there are places where the report airs questions about the legal interpretations the executive branch (and the Fisa court) adopted – noting that critics argue the phone dragnet rulings have done "violence" to the meaning of the word "relevant" – but then insists that the review's "charge is not to resolve these questions, but to offer guidance from the perspective of sound public policy as we look to the future". Yet elsewhere, the report states that the 2005-06 Patriot Act standard "leaves too little authority in the FISC to define the appropriate parameters of section 215 orders".

For these reasons, some of the areas where the report remains silent are the most intriguing. One example: when the report discusses the kinds of things, in addition to phone metadata, the government can collect under Section 215, it lists some possibilities, including bank records, credit card records, medical records, travel records, internet search records, and email records. It claims, "the government has expressly disclaimed any interest in such mass collection of personal information under section 215". Yet we know the government has used section 215 to collect purchase records of explosives precursors. And we know the Fisc has imposed minimization procedures on more and more of the government's 215 orders in recent years – doing so for 176 orders last year – which is the hallmark of some kind of bulk program. The report may say the government doesn't collect these items, but it's collecting something – probably a lot of somethings – in bulk, and the report warns the president that such bulk collections "seem both unrealistic and unsound as a matter of public policy".

The same applies even more to the report's recommendation that "governments should abstain from penetrating the systems of financial institutions and changing the amounts held in accounts there". Huh? There have not yet been any allegations from the Snowden reporting that the NSA has done this (though it has hacked into financial data to collect it). And the recommendation is presented as a kind of best practice that all governments should adhere to, not something that would apply solely to the US. But it does raise the question of whether the review panel knows that such activities have been going on. (It's not at all clear this would be illegal; just unwise.)

There are hints like this in a number of places in the report, all presented as a discussion of policy. That, of course, permits the president to accept or reject these recommendations, as a matter of policy. But underneath it all, there's a warning that the dragnets and the president's EO 12333 activities may be wrong both on policy and on legal grounds.

• Editor's note: the author updated the paragraph on Bush's wiretap program on 19 December 2013.