Question 1
In Van Buren v. United States (2021), the Supreme Court addressed the scope of "exceeds authorized access" under the CFAA. What was the Court's core holding?
A. Any use of a computer system that violates the operator's Terms of Service constitutes unauthorized access under the CFAA
B. The CFAA's "exceeds authorized access" clause applies only when a user accesses computer files, folders, or databases that are off-limits to them — not when they misuse access they are technically permitted to have
C. Government employees are categorically exempt from CFAA liability when accessing databases for law enforcement purposes
D. The CFAA covers any "without authorization" access and any access that "exceeds authorized access," and both prongs apply identically to ToS violations
Question 2
hiQ Labs, Inc. v. LinkedIn Corp. (2022) addressed CFAA liability for scraping publicly accessible data. What was the key legal rationale for finding that hiQ's scraping was not "without authorization" under the CFAA?
A. hiQ had obtained prior written consent from LinkedIn through a data-sharing agreement
B. LinkedIn's robots.txt file did not explicitly prohibit scraping, so no authorization was denied
C. The CFAA's "without authorization" language is analogous to trespass law — you cannot "break in" to a system that has no access gates requiring authentication
D. The Ninth Circuit held that the CFAA does not apply to any data transfer conducted over HTTPS
Question 3
United States v. Auernheimer (Weev, 2014) involved an IDOR vulnerability on AT&T's website — incrementing IDs in a URL to access 114,000 email addresses. The conviction was overturned. On what basis?
A. The court held that accessing unauthenticated URLs cannot constitute unauthorized access under the CFAA
B. The court held the conviction was improper on venue grounds — the defendant was not properly tried in New Jersey, the jurisdiction where the case was brought
C. The court held that sharing the data with journalists was protected First Amendment activity
D. The court held that the IDOR technique is a known vulnerability for which AT&T bore sole legal responsibility
Question 4
What is the most dangerous legal lesson from the Auernheimer case for security researchers who discover unauthenticated data exposures?
A. Unauthenticated access is always legal under the CFAA after Van Buren
B. The technical absence of a login gate is not a complete defense — publicizing or redistributing the exposed data can still expose a researcher to criminal prosecution
C. Venue is the only meaningful defense available in CFAA prosecutions
D. IDOR vulnerabilities are explicitly excluded from CFAA coverage under current DOJ policy
Question 5
In Facebook, Inc. v. Power Ventures, Inc. (2016), the Ninth Circuit found CFAA liability after Power Ventures bypassed Facebook's IP blocks following a cease-and-desist letter. What principle does this case establish?
A. CFAA authorization can be withdrawn solely through a written cease-and-desist letter, regardless of technical implementation
B. Bypassing a technical block (such as an IP ban) after receiving explicit notice to stop constitutes accessing a computer "without authorization" under the CFAA
C. Social media platforms have an absolute right under federal law to block any third-party access, including access by authorized users
D. User consent to third-party access of their own data is a complete defense to CFAA claims by the platform operator
Question 6
Under the "Hacker's Protocol" described in Module 1M, which action provides the strongest legal protection before beginning security testing of a target?
A. Confirming the target has no robots.txt file
B. Verifying the target's IP address is publicly routable
C. Identifying and operating under a published security.txt or Vulnerability Disclosure Program (VDP) that grants contractual authorization
D. Limiting testing to GET requests that do not modify server-side data
Question 7
Sandvig v. Barr addressed whether researchers violate the CFAA by creating fake accounts to test platforms for algorithmic discrimination. What was the court's holding regarding ToS violations as a basis for CFAA liability?
A. Creating fake accounts always constitutes unauthorized access under the CFAA, regardless of research purpose
B. Violating a website's Terms of Service alone — without bypassing a technical authentication gate — does not constitute a federal crime under the CFAA
C. Academic research is categorically exempt from CFAA liability under the First Amendment
D. The court declined to reach the CFAA question and dismissed the case on standing grounds
Question 8
A security researcher discovers that a company's API returns data for any integer user ID supplied in the request — no authentication token is required. She downloads 500 records to document the vulnerability, then posts the data on Twitter to "raise awareness." Which of the following best describes her legal exposure under current CFAA doctrine?
A. Zero exposure — hiQ established that unauthenticated data is public and CFAA does not apply
B. Low exposure for the download, but elevated exposure for publicizing the data — consistent with the Auernheimer pattern
C. Full CFAA exposure for both the download and the post — Van Buren narrowed but did not eliminate liability for accessing unauthenticated systems
D. Exposure only if the company sends a cease-and-desist letter after she posts the data
Question 9
According to Module 1M's risk analysis table, a researcher who continues probing a target after the company blocks her IP address and demands she stop faces which risk level?
A. Lower (for authorized users)
B. Medium (depends on whether the IP block was technically effective)
C. High (if she also leaks the data)
D. Critical (after receiving notice and a technical block, continued circumvention creates the highest CFAA exposure)
Question 10
After Van Buren (2021), which of the following scenarios remains the MOST legally dangerous for a security researcher, even if no authentication bypass occurred?
A. Accessing a competitor's public website to gather pricing information
B. Using a personal account on a platform to test for IDOR vulnerabilities against one's own user ID
C. Discovering a misconfigured S3 bucket containing sensitive records, downloading a copy to document the issue, and then disclosing it to a journalist without notifying the company
D. Reviewing HTML source code of a publicly accessible web page to identify exposed API keys