For two weeks in May, it looked as though privacy advocates had scored a tenuous victory against the widespread surveillance practices exposed by Edward Snowden a year ago. Then came a resurgent intelligence community, armed with pens, and dry, legislative language.

During several protracted sessions in secure rooms in the Capitol, intelligence veterans, often backed by the congressional leadership, sparred with House aides to abridge privacy and transparency provisions contained in the first bill rolling back National Security Agency spying powers in more than three decades. The revisions took place in secret after two congressional committees had passed the bill. The NSA and its allies took creative advantage of a twilight legislative period permitting technical or cosmetic language changes.

The episode shows the lengths to which the architects and advocates of bulk surveillance have gone to preserve their authorities in the time since the Guardian, 12 months ago today, began disclosing the scope of NSA data collection. That resistance to change, aided by the power and trust enjoyed by the NSA on Capitol Hill, helps explain why most NSA powers remain intact a year after the largest leak in the agency's history.

"This is not how American democracy is supposed to work," said congresswoman Zoe Lofgren, a California Democrat who had supported the bill but ultimately voted against it.

Senior leaders at the agency say that Snowden thrust them into a new era. The NSA, adept at cultivating a low profile, is now globally infamous – so much so that even Snowden, in his recent NBC interview, cautioned against writing the agency off as a voracious privacy-killing monstrosity. James Clapper, the director of US national intelligence, said the intelligence agencies need to grant a greater degree of transparency or risk losing public confidence permanently.

But exactly one year on, the NSA’s greatest wound so far has been its PR difficulties. The agency, under public pressure, has divested itself of exactly one activity, the bulk collection of US phone data. Yet while the NSA will not itself continue to gather the data directly, the major post-Snowden legislative fix grants the agency wide berth in accessing and searching large volumes of phone records, and even wider latitude in collecting other kinds of data.

There are no other mandated reforms. President Obama in January added restrictions on the dissemination of non-Americans' "personal information", but that has not been codified in law. The coalition of large internet firms demanding greater safeguards around their customers’ email, browsing and search histories have received nothing from the government for their effort. A recent move to block the NSA from undermining commercial encryption and amassing a library of software vulnerabilities never received a legislative hearing. (Obama, in defiance of a government privacy board, permits the NSA to exploit some software flaws for national security purposes.)

Even Clapper’s transparency call is questionable after the director recently clamped down on intelligence officials’ ability to speak to the press without the approval of their public-affairs shops, even when not discussing classified material.

Some NSA critics look to the courts for a fuller tally of their victories in the wake of the Snowden disclosures. Judges have begun to permit defendants to see evidence gathered against them that had its origins in NSA email or call intercepts, which could disrupt prosecutions or invalidate convictions. At least one such defendant, in Colorado, is seeking the exclusion of such evidence, arguing that its use in court is illegal.

Still other cases challenging the surveillance efforts have gotten beyond the government’s longtime insistence that accusers cannot prove they were spied upon, as the Snowden trove demonstrated a dragnet that presumptively touched every American’s phone records. This week, an Idaho federal judge implored the supreme court to settle the question of the bulk surveillance's constitutionality.

"The litigation now is about the merits. It’s about the lawfulness of the surveillance program," said Jameel Jaffer, the ACLU’s deputy legal director.

There have also been significant commercial changes brought by companies that fear the revelations imperiling their businesses. Google's Gmail service broadened its use of encryption and the company will soon present end-to-end encryption for its Chrome browser. After the Washington Post revealed that the NSA intercepts data transiting between Google and Yahoo storage centers, Google expanded encryption for Gmail data flowing across the internet and Yahoo implemented default email encryption.

But perhaps the bitterest disappointment has been the diminished ambitions for surveillance reform contained in the USA Freedom Act. "That," Jaffer said, "was a very frustrating process for us."

California congresswoman Zoe Lofgren: 'This is not how American democracy is supposed to work.' Photograph: Carolyn Kaster/AP Photograph: Carolyn Kaster/AP

Scaling back

The price of moving the bill toward passage – still an incomplete task – has been the gradual loosening of its privacy and disclosure measures. Its original version, introduced in Congress in October, went beyond ending the bulk domestic phone records collection. It prevented the NSA from warrantlessly combing through its troves of ostensibly foreign-focused email and phone content for Americans' information; curbed the FBI's use of a kind of non-judicial subpoena called a National Security Letter; and created a permanent public advocate on the secret Fisa Court to push back against government surveillance demands.

All of that was scaled back significantly as part of a compromise in the House of Representatives to turn the Freedom Act into the sole legislative vehicle for surveillance reform. "Call data records" became what the NSA could no longer collect in bulk, leaving other records – potentially including internet data – insufficiently protected from mass collection.

Importantly, even the original bill never addressed other aspects of the Snowden disclosures that have riled the world. Its privacy protections have only ever applied to Americans, as US legislators have been consistently disinclined to abridge the NSA's ability to conduct foreign spying, even in bulk. It also left the NSA free to undermine encryption standards.

But civil libertarians, wary of an alternative bill with weaker privacy safeguards, continued to cautiously support the bill. It passed the House judiciary committee on May 7 unanimously, and the House intelligence committee, a hotbed of NSA support, the following day, also without dissent.

Then the lawyers and the negotiators got involved, seizing a parliamentary opportunity to make technical fixes to the bill between its committee passage and arrival on the House floor.

Major divisions

Over the next two weeks, according to sources familiar with the discussions, attorneys for the government presented legislative aides with a series of changes they desired the text of the Freedom Act to include. Negotiations took place in secured rooms in the Capitol basement, in the suite of majority leader Eric Cantor and especially over the phone. Taking point for the government delegation was Robert Litt, Clapper's combative senior lawyer.

No one who discussed the negotiations said the meetings became heated. Nor were voices said to have been raised. Even congressional staffers who sought to constrain NSA's powers were uninterested in antagonizing the agency, which they considered unproductive. Still, the relative conviviality concealed major divisions between the security agencies and their congressional overseers.

Litt, who would not comment for this piece, was not alone. Representatives for the NSA, FBI, the Justice Department, and the White House assisted. But it was the FBI's operations, not the NSA's, that Litt and others relied on to jar open the text of the bill. They expressed concern that the parameters of what the Freedom Act permitted the government to collect would inhibit the FBI's counter-terrorism and cybersecurity operations, an argument that NSA critics in the room were wary of rejecting.

The biggest sticking point, and perhaps the most consequential change, concerned the definition of what it is the government must specify to a judge it is interested in collecting, known as a specific selection term. The version of the bill passed by the two committees defined a specific selection term as "a term used to uniquely describe a person, entity, or account."

Litt and his allies argued that the term might inhibit the FBI in its hunt for potential terrorists. A judge might not permit, for instance, a search for hotel records in part of a major city during the early stages of an investigation. Congressional negotiators were simultaneously worried about introducing loopholes into their bulk-collection prohibitions and inadvertently over-restricting the FBI from pursuing legitimate investigations.

Litt's team wanted the selection-term definition to exclude restricting adjectives and adverbs like "uniquely" and "specifically." They wanted to add the words "facility" and "location".

Negotiations on the language outlasted discussions on all other subjects. It was not until May 20 that a deal was struck and the bill text published. Specific selection term now meant "a discrete term, such as a term specifically identifying a person, entity, account, address, or device, used by the government to limit the scope of the information or tangible things sought."

The Freedom Act ultimately sped to passage in the House on May 22 by a bipartisan 303-121 vote. NSA advocates who had blasted its earlier version as hazardous to national security dropped their objections – largely because they had no more reason.

Accordingly, the compromise language caused civil libertarians and technology groups not just to abandon the Freedom Act that they had long championed, but to question whether it actually banned bulk data collection. The government could acquire call-records data up to two degrees of separation from any "reasonable articulable suspicion" of wrongdoing, potentially representing hundreds or thousands of people on a single judicial order." That was not all.

Jim Sensenbrenner speaks the media after the House passed the bill. Photograph: Jim Lo Scalzo/EPA Photograph: Jim Lo Scalzo/EPA

'There has still been no real progress'

"As the bill stands today, it could still permit the collection of email records from everyone who uses a particular email service," warned a Google legislative action alert after the bill passed the House. In a recent statement, cloud-storage firm Tresorit lamented that "there still has been no real progress in achieving truly effective security for consumer and corporate information."

No one familiar with the negotiations alleges the NSA or its allies broke the law by amending the bill during the technical-fix period. But it is unusual for substantive changes to be introduced secretly after a bill has cleared committee and before its open debate by the full Senate or House.

"It is not out of order, but major changes in substance are rare, and appropriately so," said Norman Ornstein, an expert on congressional procedure at the American Enterprise Institute.

Steve Aftergood, an intelligence policy analyst at the Federation of American Scientists, said the rewrites to the bill were an "invitation to cynicism."

"There does seem to be a sort of gamesmanship to it. Why go through all the troubling of crafting legislation, enlisting support and co-sponsorship, and adopting compromises if the bill is just going to be rewritten behind closed doors anyway?" Aftergood said.

Congressional sources, who would not speak for the record, insist the legislative negotiators got the best deal that they could. But at least one believes they could have tightened the selection-term definition. They felt under pressure by a multi-committee deal with the administration and the congressional leadership to get a surveillance bill done – and particularly to do it before the House considered the annual defense funding authorization bill, a leadership priority. That turned out to introduce a critical dynamic: by passing the Freedom Act first, the House leadership forestalled deeper restrictions to surveillance getting attached to the must-pass defense bill by frustrated civil libertarians.

But they feel that the restrictions on call records bulk collection make the bill worthwhile from a privacy standpoint, and believe Congress must now be notified if the government seeks before the Fisa Court to expand the boundaries of collectable data.

Civil libertarians and activists now hope to strengthen the bill in the Senate. Its chief sponsor, Patrick Leahy of Vermont, vowed to take it up this month, and to push for "meaningful reforms" he said he was "disappointed" the House excluded. Obama administration officials will testify in the Senate intelligence committee about the bill on Thursday afternoon, the first anniversary of the Guardian's disclosure of bulk domestic phone records collection. That same day, Reddit, Imgur and other large websites will stage an online "Reset The Net" protest of NSA bulk surveillance.

But the way the bill "morphed behind the scenes," as Lofgren put it, points to the obstacles such efforts face. It also points to a continuing opportunity for the NSA to say that Congress has actually blessed widespread data collection – a claim made after the Snowden leaks, despite most members of Congress and the public not knowing that NSA and the Fisa court secretly reinterpreted the Patriot Act in order to collect all US phone records.

"Many members of Congress may not have realized that what they thought was a vote to end unwarranted spying against Americans with the USA Freedom Act was actually a vote to reauthorize the Patriot Act," Lofgren said, "and will likely not end bulk collection."