Metadata -> Data
So, assuming that agency X request details, only having metadata and approach A: Alice's IP connected to port 25 at Bob's IP and sent a stream of TLS encrypted stuff.
OK so port 25 should imply email (SMTP) and X gives a precise date and time and A keeps logs and mail archives and keeps precise time.
There are at least six assumptions in the above short paragraph, each of which needs to be proven to ensure that the data provided really matches the request. I can make the example really complicated without even sweating. I wonder why key escrow or (state sanctioned) direct cracking etc are considered more desirable as routine policy by .gov?