Barack Obama’s rhetoric in his big surveillance speech on Friday was pleasing to privacy advocates. But the substance of his proposals for the future of mass data collection amount to a gift for the National Security Agency.

The battle over the future of surveillance now shifts from the White House to Capitol Hill, where Obama conceded that legislation will be necessary on practically all of his desired proposals – terrain very favorable to the NSA, and where it has a major opportunity to rebrand itself with a forthcoming leader.

Obama’s remarks about the importance of privacy obscured that he has not closed any door on the world’s most powerful surveillance agency. The ones that appear closed depend on crucial details that Obama has left unresolved, even after seven months of congressional hearings, two conflicting public federal court rulings, and a voluminous report by his own surveillance advisers.

Most significant is Obama’s call for the government to relinquish the collection of records of every phone call made in the United States. But it’s too soon to determine if bulk collection actually ends, or merely transfers to a private custodian on behalf of the NSA. Obama did not resolve whether a post-government collection of metadata ought to require an individualized showing of a plausible connection to terrorism, which would be determined in advance by a judge in all but exceptional cases.

That’s how investigations over personal data typically work, and the reason why the laws governing them have always been about the terms under which the government can get the data in the first place. But NSA has argued, with great success, that the relevant privacy protection ought to surround when it gets to study the data – taking its access to the data for granted.

The mere fact that the data will transition out of government hands is less than meets the eye. Obama conceded to NSA’s favor a point in serious dispute: that the NSA must have access to a massive pool of domestic phone data.

Once that concession is made, the logical contour of a private repository for metadata storage lends itself to being comprehensive – far beyond the current amount of data each company holds before purging it. In order for metadata analysis to add any value at all, NSA has said it needs the whole “haystack” to find hidden connections to terrorism. Conceding the need for the haystack lends itself to gathering all the hay, whether at Fort Meade or by an intermediary.

National Security Agency Director General Keith Alexander, Deputy Attorney General James Cole, Attorney General Eric Holder, and Senator Patrick Leahy. Photograph: Carolyn Kaster/AP Photograph: Carolyn Kaster/AP

But that necessity has been called into question. NSA and its allies have lately been given to a different metaphor: not of the haystack, but what NSA deputy director John C Inglis last week called an “insurance policy”. That contention – a more intellectually honest construction – reflects that the phone data has not, as the NSA initially and forcefully misrepresented, prevented US terror attacks. The greatest counter-terrorist effect the NSA has identified through its mass phone data processing, in 12 years of existence, has been the identification of a financial transfer to a Somali affiliate of al-Qaida from San Diego.

All that ought to prompt celebration at Fort Meade. Privacy advocates evidently did not persuade Obama to definitively end what is by far the most domestically controversial of all the surveillance activities disclosed by Edward Snowden.

Not only will the NSA (and its allies at the office of the director of national intelligence) spend the next several weeks in part advising Obama on what a post-government, metadata custodian ought to look like, the agency will be a major player in shaping the legislation that will bring such a custodian into existence, owing to its advocates in the Senate and House intelligence committees. Congress’s default position, on a bipartisan basis, is deference to the security agencies.

That isn’t to say the NSA has won. It must first withstand the USA Freedom Act, a bipartisan civil libertarian bill to end bulk collection already backed by about a quarter of legislators. If the bill passes, creating a new comprehensive metadata storehouse, or forcing telecoms to retain data for years, will be exceptionally difficult. And the standards of evidence the NSA or the FBI must meet before a judge to gain access to the records will inevitably rise, a critical civil liberties protection.

Beyond the domestic metadata collection, the surveillance landscape after Obama’s speech looks remarkably clear for NSA.

Obama placed no durable restriction on the mass collection of foreign citizens, merely tasking the attorney general and director of national intelligence to come up with proposals for giving foreigners abroad more privacy safeguards. Foreign leaders did somewhat better than their billions of citizens, with “allies” receiving Obama's assurance that they won’t be spied upon absent a “national security” rationale – significant caveats, and applying already to an infinitesimal fraction of the billions of communications gathered by NSA every day.

Consider the following construction by Obama:

“In terms of our bulk collection of [overseas] signals intelligence, US intelligence agencies will only use such data to meet specific security requirements: counter-intelligence, counter-terrorism, counter-proliferation, cybersecurity, force protection for our troops and our allies, and combating transnational crime, including sanctions evasion."

That’s even broader than it sounds. Those already-expansive policy goals only govern the use of data, not its collection in the first place. And it sets up the tricky problem of how the NSA can determine whether any of that enormous data trove is useful without studying it in the first place.

CIA director John Brennan talks with the director of national intelligence James Clapper. Photograph: Jim WatsonAFP/Getty Images Photograph: JIM WATSON/AFP/Getty Images

Any additional safeguards on other aspects of the NSA’s powers remain subject to a dizzying array of reviews, despite the numerous ones already performed, and which were supposed to inform White House policy. There have been reviews to determine when the NSA can tweak encryption standards; reviews to determine the institutional writ of a privacy advocate before the secret surveillance court that oversees it; reviews to determine the closure of an authority allowing the NSA to search, without a warrant, through its foreign-derived data troves for American identifying information. All these reviews provide the NSA with additional opportunities to make sure it maintains as much flexibility and power as possible.

And it has another one coming up. General Keith Alexander and his deputy Inglis are both stepping down. The next director of the NSA will inherit a post-Snowden agency, and has a tremendous opportunity to attempt a public reset. While it’s too soon to tell whether Alexander's successor will seize that opportunity, Washington loves to confuse a new person in charge with an institutional overhaul. If the only thing NSA has lost so far is a PR campaign, the rematch is set to begin this spring.

NSA has whined for months that the White House has not ridden to its rescue. That whine turned out to be unfounded. “We cannot unilaterally disarm our intelligence agencies” is probably the most durably significant line of Obama’s speech, and the sentence that will have the greatest resonance as a guide to the NSA’s future, especially compared to anything he said about the importance of liberty.

The Mozilla Foundation – the internet non-profit that makes, among other things, the Firefox browser – reacted to Obama’s speech in a way that pointed to the path not taken. “Overall, the strategy seems to be to leave current intelligence processes largely intact and improve oversight to a degree,” it said in a statement.

“We’d hoped for, and the internet deserves, more. Without a meaningful change of course, the internet will continue on its path toward a world of balkanization and distrust, a grave departure from its origins of openness and opportunity.”

Whatever direction that path takes, Obama has reaffirmed the NSA’s largely unfettered ability to exploit it. The reality is that the limits of technology – not policy, which can be manipulated, and not law, which can be finessed – are the NSA’s most important restrictions.