AnthonyMouse 4 days ago

> If you just happen on a dump of a company's data, you didn't have the necessary intent. If you hit a login form and figure out that it has flaws and then use those flaws to access data, you do.

A good first question here is why should that be the thing that matters?

Take the scenario where it lets anyone create an account. It's not yet obvious at that point what the thing is even for, but you sign up for an account and it gives you one. Once you sign in the things you have access to might be the sort of things you might not expect to be public, but then how are you distinguishing that from a data dump with the same stuff in it? Or is this one allowed because they're still essentially granting access to the public? If someone who works there gives you the password, are you now authorized because they just authorized you, or not authorized because the password was only meant for people who work there? What if the password is included as part of the link?

So is the form of access control really the thing that ought to matter? Or is it what you're accessing?

But now notice that the company isn't going to purposely authorize you to view the evidence of their criminal activity, so maybe a law that imposes a blanket ban on anybody accessing anything a company doesn't want them to is broader than it ought to be.
akerl_ 4 days ago

> But now notice that the company isn't going to purposely authorize you to view the evidence of their criminal activity, so maybe a law that imposes a blanket ban on anybody accessing anything a company doesn't want them to is broader than it ought to be.

I think we've jumped pretty clearly here from actual discussion about the CFAA to a policy stance you're taking about how you feel it should be acceptable to hack companies if they deserve it.