Last week, the ACLU joined a constitutional challenge to the FISA Amendments Act of 2008 (FAA), the statute that allows the NSA to engage in dragnet surveillance of Americans' international phone calls and emails. With the Federal Defenders Office, we filed a motion on behalf of Jamshid Muhtorov, the first criminal defendant to receive notice that he had been monitored under this controversial spying law. But Mr. Muhtorov received this notice only after the Department of Justice (DOJ) abandoned its previous policy of concealing FAA surveillance in criminal cases — a policy that violated both the statute itself and defendants' due process rights.

For criminal defendants and for the country, it's good news that the government is reviewing criminal cases in which FAA evidence has played a role. But the FAA is just one surveillance program among many. And given what we now know about the DOJ's unlawful notice policy, we should be asking whether the government has concealed in criminal prosecutions its use of other mass surveillance programs.

Let's start with the NSA's internet-metadata program. That program involved the NSA's bulk collection of records about Americans' online activity between 2001 and 2011. Under this program, the NSA vacuumed up information such as the "to" and "from" data in emails and, in all likelihood, the addresses of websites visited by Americans.

As Brett Max Kaufman and I have described elsewhere, the program has a problematic past. It was secretly authorized by President Bush in 2001 and then belatedly approved by the Foreign Intelligence Surveillance Court (FISC) in a secret opinion, recently declassified, that has been heavily criticized. In particular, the FISC found that bulk collection of Americans' internet metadata was permissible under FISA's pen-register and trap-and-trace provision (PR/TT). The program was reportedly discontinued in 2011 for "operational and resource reasons" — but only after the NSA had tracked Americans' internet activity for a decade.

It doesn't take much to imagine that, over those ten years, some of that internet data made its way into criminal investigations and prosecutions. Indeed, we know that the NSA collected huge volumes of metadata under this program, that it routinely pools its various streams of data in order to conduct "contact-chaining," and that it often feeds tips or leads to the FBI and even the DEA.

If the internet-metadata program did contribute to criminal prosecutions, the government had a duty to tell defendants. That's because FISA's PR/TT provision includes a notice requirement. Notice is also a matter of basic due process, because defendants have the right to test whether the government obtained its evidence against them lawfully.

The government has never told a criminal defendant that the internet-metadata program supplied evidence for a prosecution — but, as the FAA experience makes plain, that doesn't mean it didn't happen. We know that for five years the government violated an identical notice provision in the FAA, adopting a self-serving interpretation of the law that allowed the government to effectively circumvent the notice provision altogether. Indeed, after learning of DOJ's FAA notice policy, the solicitor general reportedly concluded that it "could not be justified legally."

It seems likely that the government embraced the same flawed legal theory with respect to notice and evidence derived from the internet-metadata program. If so, then criminal defendants were almost certainly left in the dark — and were very likely convicted with the help of this evidence.

If that's the case, those individuals went to prison without having a chance to test the legality of the government's bulk collection of their internet records — a program that, from its inception, stood on precarious legal ground. Any failure to provide notice would have been a violation of those defendants' due process rights, calling their convictions into question. Let's hope their cases are part of the Attorney General's ongoing review.