A new draft of President Obama’s executive order on cybersecurity—which could have enormous effects on how, under the guise of defending the country from hackers, the government can spy on Americans’ Internet activity—has been leaked.

From a privacy advocate’s perspective, he got the biggest thing right.

The order, at least as of the leaked Nov. 21 draft, takes care to lift privacy restrictions only when it comes to “critical infrastructure.” That means that if hackers attack a network that controls the country’s power grid, the government can intervene, picking up information stored in that network as it goes. But if it’s Facebook that’s hacked, the government isn’t afforded that same ability.

The fact that Obama is working on an executive order at all is a sign of Washington’s deep disagreements on how to improve the country’s cybersecurity. Both major parties are fairly uncompromising on their competing ideas: Republicans tend to want “information-sharing” bills, like the Cyber Intelligence Security Protection Act (CISPA), which would make it possible for networks to share their contents with the government—and if seriously damning information, like an email that indicated you’re a pedophile, came up, they could use it against you. Democrats prefer the Cybersecurity Act of 2012 (efeated twice in the Senate in 2012 alone) which would set standards for networks to adopt, on their own—something Republicans see as an undue burden on private companies.

But Internet privacy activists don’t care for any of these. Members of the Electronic Frontier Foundation, for instance, have called CISPA a “privacy nightmare,” and have called the wording of the Cybersecurity Act “dangerously vague.”

Of course, there could be a devil in the details. It’s worth noting that we’re looking at a draft, and that it’s nine days old. Still, there are a few choice details to give privacy advocates hope. There is an entire section devoted to “Privacy and Civil Liberties Protections,” for example. Also, the order doesn’t propose a brand-new definition of “critical infrastructure,” one that could potentially be used to encompass websites you use in your day-to-day life, for example. Instead, it cites an established definition from 2001. That definition, while clearly meant to refer to structures so vital to the country that “the incapacity or destruction of such systems and assets would have a debilitating impact on security,” does include “virtual” systems.

A White House official refused to comment on what a more updated draft of the order might look like, or when it might be signed, “out of respect for our deliberative processes.”

The man who leaked the documents, lawyer and homeland security consultant Paul Rosenzweig, told the Daily Dot he couldn’t name his source. “I got it and flipped it onto the Web,” he said, because “information yearns to be free.”

Photo via Barack Obama/Facebook