Following 9/11, the NSA’s ability to gather the communications of US citizens was greatly enhanced by the Patriot Act of 2001, the Protect America Act of 2007, the FISA Amendments Act of 2008, and secret interpretations of US law that have only recently begun to enter the public view — interpretations that have surprised and concerned even the Patriot Act’s original authors. Documents leaked this year have revealed that the NSA is operating a massive global surveillance network, one that once seemed only possible in Hollywood fantasy, and that privacy advocates and some politicians fear is highly intrusive, dangerous, and unwarranted. Furthermore, the surveillance of US citizens appears to go well beyond the NSA’s explicit charge of collecting data “for foreign intelligence and counterintelligence purposes” as set forth in Executive Order 12333. Instead of just collecting data on foreigners, the NSA now appears to want all available communications data in the pursuit of terrorists.

Intelligence

If you have a phone and a computer, it’s likely that practically everything you do generates a signal: your bank records, your emails, your phone calls, your text messages, and your sexy Snapchats. At some point, they’re likely to be handled by companies like Google, Facebook, Apple, or AT&T. And like the NSA, your records live on the network.

Unlike documents in a safe or money in a bank vault, your electronic files probably aren’t sitting in one place, especially if they’re handled by global service providers like Google or Yahoo. In the age of global cloud data, it’s possible (even likely) that information you store with a US company is exchanged between servers located outside of US borders.

Because of legal restrictions regarding how the NSA is able to collect and search data, there’s an important distinction between the types of intelligence that the agency scoops up. There’s “content,” which is, naturally, the substantive matter of your communications. That includes the stuff inside your emails, the things you say in your phone calls, and the family photo album you store in Dropbox.

Then there’s “metadata,” which is “data about data:” it’s information about your content. For phone records that includes data like the times, addresses, and durations of phone calls. For email addresses that includes stuff like the IP addresses and the email addresses of the sender and recipient, and the date and time of the email.

A metadata map can tell someone much more about your life than a single email

The intelligence community and some government officials argue that metadata isn’t really content. But metadata can say a lot about a person, including who, when, and even where they talked to someone. That kind of information is particularly sensitive for people like journalists who have confidential informants, but it’s also potentially quite damaging for the average person who may, for instance, have called an addiction hotline or sent a political donation over the phone.

So how does the NSA collect this information? Broadly speaking, there are two approaches: “downstream” collection, which involves explicit, yet secret requests to technology companies for user data, and “upstream” collection, which is like a phone wiretap, pulling data directly from telecommunication cables. The US government doesn’t let companies give specifics about the amount of data they are forced to give up each year, and upstream collection methods have remained closely guarded secrets. Still, thanks to this year’s leaks, we know more than ever about how the NSA gets its hands on electronic data.