From what I understand, after a Gmail has left your computer’s browser, it’s encrypted. When it arrives at Google’s servers, it’s encrypted. In the middle, as it zips around the world through gateways and switches, a certifying authority — kind of like an internet traffic cop — makes sure that the email communication is following all the safety and traffic laws by remaining encrypted. The meta-data is akin to a destination that’s displayed on the outside of a car; the car is tinted so you can’t see inside unless you have a key, a specific key that the driver waiting at the next destination can use.

Now, the NSA can break encryption. But — importantly — they cannot instantly (so far as we know) break the type of encryption that Google attaches to every email sent by every user. Not for a single encrypted email, not instantly, and certainly not for millions.

It’s easy for the government to get emails directly from Google. But it’s pretty hard for the government to get Google emails in bulk — and in bulk is the descriptor here — from taps outside Google. Think of meta-data as the stuff on the outside of the car — it’s like the government has set up a license plate reader at key intersections and records all the traffic that goes by, but it cannot peak into the car unless it has the key.