At 11:59 P.M. on Saturday night, the U.S. National Security Agency supposedly yanked the cord on its bulk telephone records collection, thereby ending an expansive surveillance program that the nation’s intelligence community put in place in the wake of the September 11, 2001 terror attacks.
“There will be no analytic access to the collected metadata after this time,” the Office of the Director of National Intelligence (ODNI) said in a statement.
The public learned of the agency’s spying program after Edward Snowden—ex-NSA contractor and whistleblower extraordinaire—leaked information about it to news outlets in 2013. That revelation provoked an uproar among privacy advocates, and Congress eventually reacted by replacing parts of the U.S.A. Patriot Act, which authorized the privacy-invasive program, with a seemingly-less-intrusive piece of legislation, the U.S.A. Freedom Act, over the summer.
It would be wrong to conclude, however, that this moment signaled the demise of the agency’s surveillance powers. Rather, the NSA has transitioned to a new system. The reformed scheme addresses the most controversial aspects of the collection program, but questions remain about its implementation. Here’s everything you need to know about the change.
What happened at midnight on Saturday?
When the clock struck midnight, a 6-month-long “orderly transition” period for the NSA expired. After the Freedom Act became law in early June, the agency was granted a 180-day grace period to get its affairs in order before putting an end to the bulk phone metadata collection program authorized by a particular portion—Section 215—of the Patriot Act. Under the new guidelines, the NSA no longer may directly collect and hold data about the domestic phone records of U.S. citizens.
Instead, telecom companies will retain and access the data on their customers. The NSA may then seek warrants from the secretive courts created by the Foreign Intelligence Surveillance Act (FISA) in order to compel these companies to hand over pertinent information on terrorism suspects and affiliates. The requests are not done in bulk, but rather require “specific selectors” such as the phone number of an individual. The NSA then has up to 180 days to query the telecom companies for more data—on socially connected persons of interest, so-called one-to-two degree “hops” on their networks—before seeking a renewed authority from a FISA court.
There are exceptions to these rules, though.
What kinds of exceptions?
Notably, the NSA’s bulk collection database still exists. The agency has requested permission to keep its records for the past five years intact through Feb. 29, 2016. This will ostensibly allow the agency to make sure nothing has gone awry during the transition. Access will be “limited to technical personnel and solely for the purpose of verifying that the new targeted production mechanism authorized by the USA FREEDOM Act is working as intended,” ODNI said in a statement. The database is “hands off” for analysts. Additionally, it’s worth noting that the NSA must retain these records until all lawsuits regarding the original program are resolved.
What’s inside the database?
As mentioned, the database contains metadata. It includes information on phone calls such as who, when, and how long—for instance, the identity of the sender and recipient, the duration, and the time and date. Metadata does not include the content of conversations. However, that doesn’t make it any less of a treasure trove for dot-connecting investigators.
Why did the NSA need such broad powers to begin with?
The agency argued that it needed quick insight about possible terrorists’ networks in case another attack struck. That way the NSA could find out vital intel in emergency situations at the drop of a hat.
On the face of it, that capability might seem reasonable. The argument gains support in the wake of the recent terror attacks in Paris as well as other places around the world. An investigation into the success of the program, however, revealed no evidence that the program ever helped in any case. “We have not identified a single instance involving a threat to the United States in which the telephone records program made a concrete difference in the outcome of a counterterrorism investigation,” concluded a privacy and civil liberties board set up by the president last year, which reviewed the program’s efficacy (or lack thereof).
Plus, privacy advocates have been quick to note the potential for abuse and lack of checks and balances for whoever has access to the database.
Will any parts of the old program continue?
In addition to the technical extension of the database until Feb. 29, 2016, as mentioned above, there is another quandary. An overlooked clause in a note accompanying the Patriot Act seems to authorize bulk collection indefinitely for “ongoing investigations.” There’s some debate about what this means exactly, as the New York Times has reported. For instance, does the authority of that supplementary note supersede the Freedom Act? The answer is not immediately clear. Also, do campaigns against al-Qaeda and ISIS qualify as ongoing investigations? And if so, if they drag on—does this then give intelligence agencies carte blanche to continue collecting phone metadata in bulk? Also unclear.
Are there any other potential legal loopholes?
In fact, yes. An executive order—number 12333—signed originally by Ronald Reagan—could be interpreted to authorize the continuance of bulk collection, so long as it is “incidentally collected in the course of a lawful foreign intelligence investigation,” as the Washington Post explains. Given the global nature of the world’s telecommunications infrastructure, that capability could easily allow the agency to continue its snooping on just about anyone. The national security blogger Marcy Wheeler recently raised this point on her site Empty Wheel, suggesting that the agency’s phone metadata dragnet could potentially continue unabated under the earlier authority. By justifying the program through other means, the NSA could find a functional workaround just as it did for its seemingly retired email metadata bulk collection program, Stellarwind.
How big a deal is the program’s sunsetting really?
The American Civil Liberties Union called the Freedom Act’s passage a “milestone.” Snowden called it “an important step.” One of the reasons so much attention has been paid to the bulk collection program for phone metadata is that it represented the first explosive revelation that the Guardian published from Snowden’s files. In that sense, this Saturday marked a significant and tangible victory springing from his leaks.
But there is plenty of surveillance still going on. For instance, the NSA continues to collect tremendous amounts of Internet data—a practice that has been slightly less controversial since it focuses on international targets. Of course, the agency almost certainly scoops up domestic data in the process.
Follow Robert Hackett on Twitter at @rhhackett. He writes a weekly column for Data Sheet, Fortune’s daily newsletter on the business of technology.