FORTUNE — 2013 will be remembered as the year Edward Snowden changed everything we know about the scope of U.S. surveillance practices. The former National Security Agency contractor leaked classified documents to The Guardian and the Washington Post before fleeing the country first for Hong Kong and then Russia.
By now the revelations about the government’s snooping are well known. Six months after the first media reports were published, a federal judge ruled that the government’s bulk collection of Americans’ phone records likely violates the Constitution. Days later, a presidential advisory panel recommended new limits on NSA surveillance powers, including an end to the phone records program.
The government still doesn’t know how many more secrets may yet surface from Snowden’s leak. Here, a look back on what we learned this year about how the super-secret agency has been gathering intel about phone and internet activity in the U.S. and around the world.
Collecting “business records” in bulk
The first blockbuster disclosure about NSA surveillance revolved around the “ongoing” collection of Verizon (VZ) customer records in the U.S. — thanks to a secret court order granted by the Foreign Intelligence Surveillance Court. Such court orders — which rely on the “business records” provision in the Patriot Act — cover not the content of calls, but their “metadata,” such as the phone numbers involved, “location data, call duration, unique identifiers, and the time and duration of all calls,” The Guardian reported.
2013’s biggest moments in tech
Reports by The Guardian and the Washington Post blew the lid off an NSA program called PRISM: “collection directly from the servers” of nine U.S. Internet companies, including Microsoft (MSFT), Yahoo (YHOO), Google (GOOG), Facebook (FB), and Apple (AAPL), according to an agency presentation slide.
All of those companies either denied knowledge of the program, or that they provided the government with such access. More recently, a group of tech giants issued an open letter to Washington, urging surveillance reform.
James Clapper recants
As recently as March, director of national intelligence James Clapper told the Senate Intelligence Committee that the NSA did not collect data on millions of Americans — at least, “not wittingly.”
But on June 21, following the initial stories on the Snowden leaks, Clapper recanted that statement in a letter to intelligence committee chairwoman Dianne Feinstein (D-Calif.). “My response was clearly erroneous — for which I apologize,” he said.
XKeyscore unlocks almost “everything”
NSA training materials described this program as the agency’s “widest-reaching” means for gathering intelligence online, allowing analysts to search for a variety of internet activity by filling out an on-screen form, according to The Guardian.
“One presentation claims the program covers ‘nearly everything a typical user does on the Internet,’ including the content of emails, websites visited, and searches, as well as their metadata,” the paper reported.
Who had the worst year in Asia? Obama.
Lavabit shuts down email service
In August, Edward Snowden’s encrypted email service provider, Lavabit, shut down its business amid a secret court battle. “Without congressional action or a strong judicial precedent,” Lavabit owner Ladar Levison wrote in a message to users, “I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”
Two months later, unsealed court records showed that the government wanted Levison to provide encryption keys for the emails of all Lavabit customers. “In my case, they wanted to break open the entire box just to get to one connection,” he told the New York Times.
NSA audit details violations
An NSA audit from May 2012 showed “2,776 incidents in the preceding 12 months of unauthorized collection, storage, access to or distribution of legally protected communications,” according to the Washington Post. Responding to the report, NSA compliance director John DeLong said the violations weren’t “willful,” and that they numbered in the “parts-per-million or parts-per-billion range.”
Commenting on the same report, the chief judge of the Foreign Intelligence Surveillance Court told the Post that the court’s oversight capabilities were limited. “The FISC does not have the capacity to investigate issues of noncompliance, and in that respect the FISC is in the same position as any other court when it comes to enforcing [government] compliance with its orders,” U.S. district judge Reggie Walton said in a statement.
Tapping Merkel’s cell?
World leaders including Brazil’s Dilma Rousseff, French president François Hollande, and Germany’s chancellor Angela Merkel bristled at reports of U.S. surveillance efforts in their respective countries. An incensed Merkel took her complaints to the top, calling on President Obama to address allegations that her own cell phone had been tapped. In response, “The president assured the chancellor that the United States is not monitoring and will not monitor the communications of the chancellor,” White House spokesman Jay Carney said.
Using clouds and cookies
The allure of user data stored and tracked by major Internet companies continued to surface in leaked documents. The NSA found ways to tap into the private clouds of Google and Yahoo — retrieving in a single month as many as 181,280,466 records from user accounts, the Washington Post reported. (Both companies denied giving the NSA access to their systems.)
Google “PREF” cookies, which can help identify a user’s web browser and serve up personalized ads, have also enticed the NSA. “In addition to tracking web visits, this cookie allows NSA to single out an individual’s communications among the sea of Internet data in order to send out software that can hack that person’s computer,” the Post reported in a later story.
One method for undermining those deemed “radicalizers” by the NSA? Document their online porn habits.
From Glenn Greenwald, Ryan Gallagher, and Ryan Grim in the Huffington Post: “Among the vulnerabilities listed by the NSA that can be effectively exploited are ‘viewing sexually explicit material online’ and ‘using sexually explicit persuasive language when communicating with inexperienced young girls.’ ”
9 tech startup CEOs on the best and worst of 2013
Tracking location data via cell phones
From a person’s home or from business meetings, hotel rooms and doctors’ offices, the NSA is collecting billions of records a day on the cell phone locations of individuals.
“In scale, scope and potential impact on privacy, the efforts to collect and analyze location data may be unsurpassed among the NSA surveillance programs that have been disclosed since June,” wrote Barton Gellman and Ashkan Soltani in the Washington Post. “Analysts can find cell phones anywhere in the world, retrace their movements and expose hidden relationships among the people using them.”