Every official query. Agents are allowed to search through that data at their whim. This was detailed by Snowden.
False. That is categorically, 100% false. That was people interpreted Snowden's claim to be, and that's not how it works. If you look at the nuance of Snowden's claims, even he himself has made various statements to the effect of, "Even if it's not being abused today, it could be in the future." Wow, no shit, Captain Obvious: ANY government power "could" be abused. And? I mean, really? That's why in a democracy we sort of have this thing called the "rule of law". And yes, we're imperfect, in all manner of ways. Again: And?
In the case of the phone call metadata, it has been approved and reauthorized every 90 days by all three branches of government -- the intelligence committees of both houses of Congress, two different presidential administrations (which you could only believe are "the same" if you're one of those crazy libertarian types), and a total of 17 different federal judges, who have variously sat on the court whose single purpose and reason for being is to protect the rights of Americans under the law and the Constitution in the context of FOREIGN intelligence collection. (I know all the protests: no, FISC is not a "rubber stamp" court; it is simply not an adversarial court, and armies of lawyers IC agencies don't even waste their time bringing forward requests that are likely to be denied.)
Only 22 people, in total, even have query access to the database, and this data has only been queried around 300 times. Each of those queries requires its own FISA order (to demonstrate the target is not a US Person, or if it is a US Person, that an individualized warrant exists for a legitimate foreign intelligence purpose), and EVERY query of any kind of SIGINT collection, of any kind, has a layer of daily audits. Every query. Ironically, the only people who had theoretical access to data without oversight -- if they wanted to violate their oath, their trust, the law, and the Constitution -- was system administrators. And now, because of Snowden, sysadmins can only conduct sensitive duties (such as entering datacenters or having physical access to anything beyond normal workstations) with another sysadmin (two-person integrity).
Yes, the capability they want against the terrorists is a complete panopticon of all activity. And the simple response is that no, they are not allowed to have that capability when it comes to US citizens. As per the constitution.
There is no way to have technical (or any) capabilities to collect against "only" the foreign targets without having the capability to collect against any target that is using the same systems, networks, and tools. The only distinction now is the US Person-status. That is the fundamental issue in the digital world, and the source of the fundamental misunderstanding of the United States' foreign SIGINT capabilities.
You're vastly oversimplifying the situation, beyond the fact you don't understand anything about SIGINT law, governance, or policy. Where, in the Constitution, does it say the government cannot have a CAPABILITY that COULD be used against Americans? (Hint: ANY government power "could" be used against Americans.) What is the difference, from a Constitutional perspective, of a foreign counterterrorism target using Gmail, Yahoo, Hotmail, Facebook, WhatsApp, Skype, etc. (which they do), and an American using those same tools? Do you see the problem, here? It's the PERSON, not the TOOL.
Your "solutions" -- which you don't even need to enumerate for me to guess -- would basically mean that all a foreign target has to do to subject himself to the same Constitutional and warrant protections that are reserved only for US Persons is to ENSURE his communications enter, touch, or traverse a US system or network. Right now that happens incidentally, or because US adversaries still find them to be the easiest methods to communicate, even if their comms might be using a US service, or a US-designed or -owned technology, or may enter the US, even if incidentally.
Given that foreign intelligence collection against non-US Persons fundamentally does not require a warrant, never has, and never will, what tools do you think enemies of the US would choose to use if suddenly you could wave a magic wand and require a warrant for Every. Single. Communication. of a foreign target using a US system? How would that work in, say, a sex chat room that terrorists happen to have chosen to communicate (it happens). Or a private web forum, hosted in the US (it happens). Or any number of US-based cloud and network providers? If you have a solution for how to have realtime or near-realtime access -- and yes, the (near-)realtime here is key, else SIGINT becomes worthless for all but a narrow set of strategic activities -- to only the bad guys while magically protecting everyone else using the same system, I would love to hear it.