[ringmaster]

When you write an authentication system with username and password you never display an error like "that password is incorrect", because then the attacker knows that the username is a valid one.

Why does everyone here assume that it's a vast conspiracy when, if they returned everything they had on you, it would be a giant red flag to anyone who was denied that they were being explicitly monitored?

The only way to guarantee secrecy for records that should rightfully be secret (whether you agree with the collection methods or not) is to deny everyone's request.