What will Obama’s State of the Union mean for the internet?

Broadband companies have seen a lot of scrutiny over the past two years. Among other things, Google’s super-fast Fiber pilot program drove home just how bad major ISPs really were, spurring competitors like AT&T into building more high-speed networks. Even before Fiber, though, cities were funding their own broadband services —Chattanooga, Tennessee; Cedar Falls, Iowa; and a handful of others have successfully launched municipal networks at gigabit speeds. But they’ve run into rules that either set hurdles for cities or block their efforts altogether, and Obama is stepping in.

Obama’s new broadband plan, which he announced last week, includes federal programs that would provide training, technical support, loans, and more to underserved areas. What’s gotten the most attention, though, is his call to end or modify 19 state laws that make building municipal networks harder. The most recent list of restrictions, a January report by consultant Craig Settles, actually cites 21 state rules, and some other lists count one more in Texas. These include a half-dozen direct bans, as well as stipulations that put community networks at a disadvantage to commercial cable companies.

In mid-2014, FCC chairman Tom Wheeler said that given the opportunity, the agency would act to "preempt" these laws. This hasn’t happened yet — though it may be on the horizon. Next month, it will respond to petitions from municipal broadband groups in Chattanooga and Wilson, North Carolina.

ISPs, meanwhile, have lobbied for these rules by saying that local government-funded networks are risky and inefficient. US Telecom, a broadband trade group whose board of directors includes executives from AT&T, Verizon, and several regional telecoms, has said that states are "well within their rights" to restrict local broadband in the name of protecting taxpayers. In a response to Obama’s announcement, US Telecom president Walter McCormick warned that his plans "call for the federal government to regulate the internet, and for municipal governments to own the internet." If the FCC takes Obama’s advice, expect lawsuits to follow quickly.

Obama hasn’t talked about net neutrality since last year, when he unexpectedly announced his support for a dramatic policy change. In December, Obama urged the FCC to reclassify broadband from an "information service" to a more heavily regulated "telecommunications service" under Title II of the Telecommunications Act. Since then, FCC chair Tom Wheeler has said he’ll be circulating a new Open Internet Order next month, and Congressional Republicans have introduced a bill that would implement some net neutrality rules but avoid Title II. There’s not much more Obama can do at this point, but it’s possible he’ll make a last-ditch appeal for reclassification in his speech.

There’s a lot of momentum behind new cybersecurity measures in 2015, after the very public catastrophe at Sony Pictures and equally damaging retail breaches at Target, Staples, and others. The big question is what the government can do to stop similar hacks from happening again. So far, the administration’s answer is "information sharing," building new systems and requirements that will encourage companies to share threats on their network as they become apparent. If agencies like the FBI and NSA can spot threats early, the thinking goes, they can stop them before the damage fully sets in.

It makes a lot of sense politically — it sounds innocuous, and will make for a good line in tonight’s speech — but it’s less useful from a security perspective. The tools used in the Sony and Target hacks weren’t particularly novel, and it’s unclear whether better threat sharing would have made a difference in either case. The hacks were the result of internal corporate security failures, and it’s hard to imagine a federal program that would be able to meaningfully address them.

At the same time, many web freedom advocates are already worried that information sharing will become an excuse for further surveillance measures. Sharing information on a threat could mean informing on a user, often without any semblance of due process or court approval. President Obama’s threat-sharing proposal improves on CISPA (the much-reviled cybersecurity bill from 2012, which has also been reintroduced) by proposing new privacy guidelines, but that measure hasn’t been enough to satisfy critics. "We're skeptical the guidelines will provide any semblance of privacy," the EFF writes. "Even if they’re well crafted, there’s no way to know whether the guidelines are being followed or enforced."

After a year of card breaches, the president is also interested in more protections for sensitive consumer data. Obama is asking Congress to give companies firmer rules about when they have to notify customers about these hacks (Obama wants a 30-day deadline) and to criminalize "illicit overseas trade in identities," the goal of groups like the Target hackers. He’s also reviewing a revised draft of a "Consumer Privacy Bill of Rights" for Congressional consideration, and asking for a bill that will limit how education companies can use data from students — specifically, banning them from selling it for non-educational purposes or using school data for targeted ads. The Federal Trade Commission has spent the past few years cracking down on sites or apps that collect information from children online, and the fight probably isn’t ending any time soon.

Obama has already announced new revisions to the Computer Fraud and Abuse Act, one of the most hated laws in the tech world. The law was meant to provide an easy way for prosecutors to press charges against digital attackers, but in the years since its adoption, many legal experts have critiqued it as vague and overly broad. Unfortunately, the early consensus is that the revisions make the law even worse, raising penalties and broadening language until even the mildest security research can be construed as a felony. After the draft leaked last week, researchers pointed to certain passages as effectively outlawing academic security research entirely. As researcher Robert Graham put it, "Internet innovation happens by trying things first then asking for permission later. Obama’s law will change that." If the net effect is less independent research, then we’ll all be left with more easily hacked software, making everyone less safe.

The most troubling aspects of the law have to do with the way "unauthorized access" can be interpreted. Seen in the right light, it could mean as little as sharing a Netflix password or clicking on a link to leaked data. The courts are still parsing the meaning of "unauthorized" in the initial law, and many of the updates are direct responses to subsequent court rulings, but there’s still a troubling vagueness to much of the language. The law will likely be revised in Congress (if it makes it through at all), and the courts will fight for years over the exact meaning, but the new language, combined with raised sentences in many areas, is already sending up red flags.

The biggest problem may be the idea of "unauthorized access" itself. In both its original and revised form, the CFAA is built on the assumption that any activity that’s not explicitly authorized is potentially illegal. It’s a strange assumption, cutting directly against the hacker ethos in computer science, and it’s resulted in prosecutions that often rely on intimidation rather than solid legal practice. For Aaron Swartz, that meant a tragic suicide before the case went to trial. For weev, it meant a case that fell apart as soon as it faced scrutiny on appeal. While President Obama will frame the new draft as an effort to reform the law, there’s no indication that either case would have played out differently under the new rules.

That’s everything that’s been released so far, but there’s always the chance the president will throw in something unexpected tonight, whether it’s NSA reform or more net neutrality rabble-rousing. If he does, we’ll add more thoughts here as soon as we know more. And it's worthwhile to see what hasn't been mentioned in the lead-up to his State of the Union, like any sign of the surveillance and privacy changes he was promising last year.

More importantly, this is only the start for this year's internet agenda. We'll be watching closely as Congress debates the new Republican net neutrality bill and the resurrected CISPA cybersecurity proposal, as well as the FCC's votes on community internet, net neutrality, the merger between Comcast and Time Warner Cable, and more. And the fight against NSA surveillance, while noticeably absent from White House rhetoric, will continue in court, where we're still waiting on judgments in multiple cases.