We’ve learned a lot from the dialectic of unauthorized and authorized disclosures. Why stop now? Let’s find out how, and to what extent, the rules against indiscriminate spying are enforced. Here are some basic questions. …

2. Access. Several government officials, including FBI Director Robert Mueller and Sen. Dianne Feinstein, the chair of the Senate Intelligence Committee, claim that “only 22 people have access” to the phone records database. The court order specifies them: the chief of the Homeland Security Analysis Center, the deputy chief, and 20 “specially-authorized Homeland Mission Coordinators” at the Signals Intelligence Directorate. The order says all queries of the database “shall be approved by” one of these 22 people. But how is that rule enforced? If you’re not on the list, can you search first and explain yourself later? Do you have physical if not legal access? The order directs NSA to “ensure” compliance through “technical and management controls,” but it doesn’t specify what technical controls, if any, block unapproved access. It also says the data can be searched by “manual analyst query.” Who oversees that?

What about Internet data? The NSA claims that “access to XKeyscore … is limited to only those personnel who require access for their assigned tasks.” But according to the Guardian, Snowden “says he was authorized to use [XKeyscore] while working as a Booz Allen contractor.” Is that true? How many people have legal access to these tools? How many have physical access?