This weekend has seen revelations that some staff at the US National Security Agency (NSA) have misused the agency's massive surveillance apparatus to spy on love interests.
They even have a name for it - "LOVEINT" - the Wall Street Journal reveals ("int" being short for "intel" or "intelligence").
And a Bloomberg investigation reveals the NSA often ignored restrictions on domestic surveillance, and other guidelines.
For Auckland-based security expert Dr Paul Buchanan, the revelations come as no surprise.
Spying organisations and the people who work for them will always push the limits, he tells NBR ONLINE. He says that means legislation controlling security organisations should have tough oversight provisions - but he thinks they are lacking from the recently passed GCSB Act.
"The willful violations are symptomatic of the problems inherent in a business that trades in secret information," says the founder of 36th Parallel Assessments, who has worked as a senior lecturer at Auckland University, and as a policy analyst for the US Secretary of Defence advising the Pentagon.
"On the one hand, the agency is only as secure as are the people working in it. Although NSA employees take loyalty and non-disclosure oaths that explicitly prohibit them from using their classified access for anything other than authorized information-gathering and analysis - usually based on national security grounds - there are always a few who, due to personal pressures, succumb to the temptation to use their access for other purposes," Dr Buchanan says.
"The degree of professionalism is always going to be variable in large organisations, so in an agency as large as the NSA - 33,000+ employees - there was and is bound to be at least a few who do not honour their oaths or adhere to the code of conduct that they signed up to. That is why regular security checks on intelligence employees, including random polygraph tests and forensic audits of their computers, are a standard in the business."
The LOVEINT aspect is a minor concern, Dr Buchanan says.
"Accessing classified information for monetary or ideological reasons is a major problem. The latter appears to be the case with Snowden, who downloaded information that he was not authorised to access in part because his libertarian beliefs clashed with the whole-scale surveillance system he was working for."
This points to the problems with the recent phenomenon of intelligence outsourcing to private contractors, who may or may not adhere to the professional standards and use the same vetting processes employed by government agencies, Dr Buchanan says.
"The word on Snowden is that once he got his CIA clearances in the first instance, and even though he resigned fairly abruptly and was appearing in internet chat rooms complaining about some aspects of his job, he was never vetted again nor was his computer use scrutinised before he fled."
The second problem is institutional rather than personal, the security expert says.
"Even if an agency maintains very high professional standards, there will always be an organizational drive to extend the reach of intelligence gathering in the absence of effective oversight mechanisms that provide a system of checks and balances on what the agency can do. This oversight has to be more than just determining what the law allows: it has to be effective in constraining the behaviour of the agency being overseen."
As Bloomberg's investigation notes, it was not so much the 1979 FISA (Foreign Intelligence Surveillance Act) rules that were being broken - although they were - but the 1981 executive order that was violated on multiple occasions, Dr Buchanan says.
"Clearly the chain of command was unaware or could or would not control the violations (it is telling that the NSA Director of Compliance and Inspector General only found out about the decade-long problem in the last two years, under FISA court order). The law may have prohibited willful violations but the institutional set-up could not prevent them."
This points to the problem of self-regulation, he says.
"Absent effective oversight from external entities formally empowered by law to compel agencies to conform to legal standards and obligations, voluntary or self-regulation is always going to be problematic. If we return to the earlier point that the weak link in the organization are the human beings within it, then the problem with self-regulation in a highly classified and compartmentalized agency such as the NSA (or CIA) becomes obvious. As Ronald Reagan said: 'Trust but verify'."
The bottom line, Dr Buchanan says, is that for oversight to be effective "it has to be proactive and engaged in the daily scrutiny of intelligence activities. That way it can detect personal or institutional transgressions early. It cannot just be an ex post check on misbehaviour."
With these revelations we have seen that with all of its legal armament and formal oversight - to include congressional oversight - the US government has been unable to curb both the personal and institutional excesses detailed by Bloomberg and the Wall Street Journal, Dr Buchanan says, much less prevent Snowden's escapade.
"That is because it is heavy on the ex post and light on the proactive form of oversight."
Swing vote Peter Dunne successfully lobbied for several oversight provisions to be added to the recently passed GCSB Act, including reviews every five to seven years, an annual budget review, and an annual report on the number of NZ residents subject to surveillance.
Given his inside knowledge of the way security agencies tend to behave, are the oversight provisions enough?
"Not even close," Dr Buchanan says.
"Adding a deputy IG [Inspector-General] and notifying the IG when warrants are issued is a step in the right direction, but far from being effective, proactive oversight. The obligation to issue annual reports to the parliamentary committee and hold public hearings on them are more ex post window dressing," he tells NBR.
"The cross-signing of warrants by the PM and Commissioner for Security Warrants on cases of domestic espionage looks good but will unlikely result in anything other than a rubber stamp by the latter of the former's decision, and we must remember that the grounds for issuing security warrants have been expanded under the new Act. They are no longer confined to matters of national security, among other things.
"And of course, 'independent' oversight still ultimately remains under the control of the PM, as neither the select committee nor the IG will have powers of compulsion or access to operational details without approval of the SIS and GCSB Directors.
"When it comes to oversight and other limitations on what the GCSB can and cannot do, the new legislation is a case of putting lipstick on a pig."