akerl_ 4 days ago

I think you've fallen into a message board hole.

Of the humans alive today, basically a rounding error of them are ever going to come anywhere near the CFAA. Firstly, the intent requirement. Which has been pointed out to you upthread and you just sort of waved away that judges are willing to accept anything as proof of intent, despite that not seeming to be the case from the cases I can see. Secondly, the average human alive is not poking at web vulnerabilities as part of their humanitarian journalism. The CFAA is nearly a perfect overlap where the people at risk of accidentally violating it are the folks who have the means to ask a professional about their nuanced situation.

The CFAA (like many laws) has problems, but you've really latched onto whether or not something counts as a crime for the CFAA in a way that doesn't seem to be attached with a real threat model.

AnthonyMouse 4 days ago

> Firstly, the intent requirement. Which has been pointed out to you upthread and you just sort of waved away that judges are willing to accept anything as proof of intent, despite that not seeming to be the case from the cases I can see.

It's not that they're willing to accept anything, it's that that isn't really how intent works, because intent is a question of fact when the ambiguity is a question of law.

Which is how it produces an unreasonable result: It's not the intent to commit a crime, it's the intent to commit an act, whether or not you knew it was a crime. And when the law was ambiguous, you can't have known, because the judge hadn't decided it yet. So you do X, you end up in court, the judge finally decides if X is illegal, and then if it is the government has to prove if you intended to do X. But you did intend to do that, you just didn't intend for that to be illegal, which is the part they don't include in the accounting.

It seems like I should also clarify this point from my post above:

> and failed to include the part about intent to commit a crime

The salient thing that burglary has and the CFAA is missing isn't the intent to commit unauthorized access, it's the intent to commit a separate crime, e.g. unauthorized access with the intent to commit credit card fraud. Because without that the penalties make no sense and it's not clear that should even be an independent crime, since there are definitely times when accessing a server the operator doesn't want you to should be allowed and basically all of the cases where it shouldn't are the instances where you're doing it to commit a separate crime.

> The CFAA is nearly a perfect overlap where the people at risk of accidentally violating it are the folks who have the means to ask a professional about their nuanced situation.

So you're in a situation where there hasn't been a high court case with the same fact pattern yet. You ask a professional and they tell you so. What now?