It gets worse...
I'm sure that most computer-literate folks are aware of the US Office of Personnel Management (US OPM) database hack. As I write this comment for El Reg, CNN is proposing that somewhere between 15 and 20 million data sets (each data set containing detailed personal information regarding a specific gov't employee or applicant) were leaked. However, the majority of these data sets also contain/contained "Form SF86" information, which may or may not include equally detailed information on that employee/applicant's parents, siblings, superiors (military), managers (civilian), love interest, parents of the love interest, etc, etc. Thus the 15-20 million number may effectively be exponentially higher. At the moment, those who know are not talking.
Why is this relevant?
The US OPM collects this data in an open and above-board manner. Everyone knows that they collect it. Everyone knows they have it. Whether or not one agrees with the justifications for them gathering this massive amount of detailed personal info, the collection practice and processes are traditional and accepted.
Other three- & four-letter agencies (TLAs & FLAs) are not open and above-board in their collection of personal data. Also, as this article well documents, not everyone knows which TLAs and FLAs are collecting data, what data they are collecting, where they are storing it, how they are storing it, and so on.
Let's talk a bit about the gov't employees, and applicants. For these individuals, it's likely the TLAs and FLAs simply use US OPM data sets as a starting point, and then collect follow-on data related to a specific area of interest. After all, why expend resources to collect the same data twice? ISP data, as described in this article, would thus be only a small part of an individual's expanded data set, as archived by a TLA or FLA.
Nightmarish problems arise when a TLA or FLA (or one of their contractors, or sub-contractors) is hacked, and leaks not only the copied US OPM data sets, but also any follow-on data that was subsequently collected by the agency itself. (There is reason to believe that such leaks have already happened. More than once.)
Is a cloak & dagger TLA or FLA going to cop to losing tens of millions of US OPM data sets? I find it unlikely. In order to 'fess up to losing them, the TLA or FLA would have to admit to having made copies. In order to 'fess up to losing (as an example) ISP metadata collected as follow-on to copied US OPM data sets, a TLA or FLA would need to admit to secretly collecting the metadata.
I could ramble on. But I should stop now, having verbosely expressed the opinion that police state entities have already collected and leaked significant personal info for nearly every one of us, at our expense, and will never tell us what was collected or when/how it was leaked.
In closing: Nicholas Merrill is a patriot and a hero. And should be honored as such.