A) intrinsic violations of privacy by the very nature of the technology of the program
B) collateral damage in the execution of the program
C) lack of oversight in the choice of targeting of the surveillance program
Using Network Pattern Analysis and Detection (NPAD) the NSA is able to "pull relationships" among signal events (intercepts) out of a soup of (cellular) phone traffic, financial traffic and Internet traffic (predominantly unencrypted emails but also source and target links of encrypted emails or emails which have been decrypted). The intercepts allow an analyst to infer relationships between subjects that are the interactors in an intercept.
Relationships are pulled out by detecting the presence of "indicators" such as keywords, voice prints or characteristic financial transactions. When a threshold of relationships is reached then a warrant may be sought from FISA based on the "probable cause" presumably indicated by the relationships.
To get to this point however requires that a significant amount of conversation or email content be examined to trigger reasonably interesting relationships and herein lies issue A. In an effort to screen traffic to and from the United States (assuming that the data collection is so limited - making it foreign intelligence) essentially ALL traffic has to be screened for indicators - presumably one classified aspect of the program is just how much traffic is subject to screening, is it done by sampling or by exhaustive brute-force examination of each and every event. This is the "warrantless" surveillance aspect of the program which many are attending to in the press. The FISA warrants come in after some probable cause has been established and then perhaps archived signals are re-examined for full content and new events are selected based on the identities of subjects related to cell phones, IP addresses, bank accounts and so on in the original relationships.
Proponents of the program will argue that privacy is not violated until a person attends to the content of an intercept and that there are many many intercepts that are only examined by the automated elements of the NPAD system since presumably most intercepts are not significant to the NPAD. So no privacy is violated in these "negative" cases.
It is on this point that somewhat of a majority of US citizens seem complacent regarding the program as an invasion of their privacy. "I'm not doing anything wrong and the bad guys are out there so I'll cede a bit of privacy realizing the rapid advance of technology and the need to uncover the bad guys as early and efficiently as possible."
Thus far the program has been subject to no operational oversight other than by the administration which has already exhibited little regard for the principles of checks and balances. Gen. Hayden and other spokes persons for the administration argue that the speed with which events happen and the speed with which the NPAD operates make it impractical to have oversight on an intercept by intercept basis. This is certainly true as the sheer magnitude of the number of intercepts precludes any human assessment case by case.
So let's assume that the NPAD is really useful at picking out significant relationships and winnowing down the set of intercepts that a human has to look at to a manageable number in terms of the number of analysts that are available. Some (most?) of these intercepts will be false-positives - they will turn out to be innocuous - and this is one of the real dangers of the program - collateral damage in the intelligence operation: Otherwise innocent persons can be mis-identified as targets of interest in the "long war". Now such persons may well be "cleared" early on by the initial analyst's examination of intercepts - the person's privacy has been violated irretrievably at this point; or the person may not be cleared until some rather nasty experiences are thrown their way - for example the attorney in Oregon who was mistakenly arrested and reluctantly released after some weeks by the FBI as being involved in the Madrid bombings.
The point needs to be understood that individuals are apparently identified based on impersonal indicators alone - not just because a "known bad guy" is on one end of the line; otherwise there is no useful reason that the bad guy isn't under FISA warrant and associated phone numbers, voice prints and so on are used as indicators to pull out phone calls involving the bad guy, for example.
So issue B is collateral damage and frequency of its occurrence.
The third issue arising from no third-party oversight is more sinister. It is the question of who is overseeing the targeting of the NPAD. In other words who is making the decisions about what sorts of indicators and patterns are being used to trigger human attention? The power of such a system and the lack of oversight of its targeting certainly would permit it to be used for investigating all sorts of things that someone would find objectionable -- child pornography rings, drug rings, in fact pretty much any sort of organized activities (Quakers protesting a war of choice) -- that might be construed as "not in the national interest".
So issue C is the lack of apparent oversight in the targeting of the NPAD.
These latter two issues are not receiving much if any attention and are at least as important as the first issue. This type of technology is a more effective Big Brother capability than Orwell imagined.