With the rise of agents that heavily interact with Web2 applications, primitives that help users unchain their Web2 data will become increasingly important. These primitives include account encumbrance using TEEs, zkTLS to prove something about a user account, etc.
These primitives allow crypto companies to offer products/services that empower users to unlock their data without giving these companies access to users' credentials. Examples include @flashbots_x's Teleport (account encumbrance) and @plutolabs_'s Web Proofs (zkTLS).
Obviously, Web2 companies do not like users controlling their own data. One of their favorite legal hammers to stop this is the Computer Fraud and Abuse Act (CFAA), which provides a private right of action against a person who “intentionally accesses a computer without authorization.” Specifically, Web2 companies love to sue products/services that empower users to export their data under the CFAA. Here's an example of X doing this against a scraping company:
I wrote a long article about the CFAA back in August. In that article, I focus on a court case called BrandTotal (and test it against influential precedent). The TLDR of that article is that I believe that products/services that empower users to unchain their data from a Web2 platform without accessing their credentials have a strong argument that they do not violate the CFAA.
Let’s quickly review the BrandTotal case to see why. BrandTotal was an analytics company that collected Facebook ad data using browser extensions used by end users and its own scraping services. Facebook really did not like this. It used contractual (TOS, cease and desist) and technical (CAPTCHAs, account bans) methods to block BrandTotal, but BrandTotal kept on collecting anyway.
Facebook sued BrandTotal under the CFAA. In analyzing the claim, the court made key distinctions between different BrandTotal products/services. These products/services varied in whether they had access to user credentials. From the court’s reasoning, we can see a pattern emerge: whether BrandTotal violated the CFAA came down to whether it had access to user credentials. Here’s a summary table depicting this:

This ruling reinforces that the CFAA is an anti-hacking law, not a broad data misappropriation tool. Crypto companies that use or provide products/services to help users unlock their own data (or public data) without accessing those users’ credentials should not be considered to be engaged in “hacking” under any conceivable definition of that term, and they have a strong argument that they do not violate the CFAA.
None of the above is legal advice (as always) and this is an area of law in flux. You should discuss your situation with your legal counsel.
For more details, check out the full breakdown: https://paragraph.xyz/@proofs-and-protocols/browser-extensions,-the-cfaa-and-user-control-5
Disclaimer: This post is for general information purposes only. It does not constitute investment advice or a recommendation or solicitation to buy or sell any investment and should not be used in the evaluation of the merits of making any investment decision. It should not be relied upon for accounting, legal or tax advice or investment recommendations. You should consult your own advisers as to legal, business, tax, and other related matters concerning any investment. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by Variant. While taken from sources believed to be reliable, Variant has not independently verified such information. Variant makes no representations about the enduring accuracy of the information or its appropriateness for a given situation. This post reflects the current opinions of the authors and is not made on behalf of Variant or its Clients and does not necessarily reflect the opinions of Variant, its General Partners, its affiliates, advisors or individuals associated with Variant. The opinions reflected herein are subject to change without being updated.
This post originally appeared on X.