Quiz — OSINT Legal Limits, Dark Web Operations, and Blockchain Intelligence

Module: 02a — OSINT Legal Limits, Dark Web Operations, and Blockchain Intelligence Difficulty: intermediate

Questions

Q1. Under the Stored Communications Act (18 U.S.C. §§ 2701–2712), which category of social media data is protected from unauthorized access?

• A) Any post or profile that is searchable via Google
• B) Data that is publicly indexed by third-party services like Shodan or HIBP
• C) Private messages, friends-only posts, and login-gated data
• D) All social media data, regardless of privacy settings, because it is stored electronically

Correct answer: C Explanation: The SCA creates a two-tier framework: publicly available data (public posts, open profiles, publicly indexed pages) carries no SCA protection, while restricted data — private messages, friends-only posts, and login-gated content — is protected. Accessing restricted data without authorization is a criminal violation.

Q2. What did the Ninth Circuit hold in hiQ Labs v. LinkedIn (2022) regarding scraping publicly visible member profiles?

• A) Scraping publicly available data violates the CFAA because LinkedIn's Terms of Service constitute an access control.
• B) A cease-and-desist letter from LinkedIn transformed subsequent scraping into unauthorized access under the CFAA.
• C) Scraping publicly available data does not constitute unauthorized access under the CFAA because the data is not behind an access gate.
• D) LinkedIn's use of rate limiting qualifies as a technological protection measure, making scraping a DMCA § 1201 violation.

Correct answer: C Explanation: The Ninth Circuit, applying Van Buren's "gates-up/gates-down" framework, held that scraping genuinely public data — visible without login — does not constitute unauthorized CFAA access because there are no access controls to bypass. Critically, LinkedIn's cease-and-desist did not change this analysis for public data.

Q3. Under Van Buren v. United States (2021), what does the CFAA's "exceeds authorized access" provision actually prohibit?

• A) Accessing any computer system for purposes beyond those stated in the platform's Terms of Service
• B) Accessing a zone of a computer system the person was not permitted to enter, regardless of purpose
• C) Using automated tools (scrapers, bots) on any system that prohibits them in its ToS
• D) Any access that results in a commercial benefit not authorized by the platform

Correct answer: B Explanation: Van Buren established that "exceeds authorized access" applies only to entering a zone of a computer system the person was not permitted to enter — not to misusing data from a zone they were legitimately permitted to access. This ruling largely eliminated ToS violations as a basis for criminal CFAA liability.

Q4. What is the GDPR Article 5 principle most directly implicated when a researcher scrapes personal data about EU residents without a lawful basis?

• A) Accuracy — the data may be inaccurate when scraped
• B) Purpose limitation — data may only be collected for specified, legitimate purposes
• C) Data portability — individuals have a right to receive their data in machine-readable format
• D) Accountability — the data controller must demonstrate compliance with all principles

Correct answer: B Explanation: GDPR Article 5 mandates purpose limitation: data may only be collected for specified, legitimate purposes. Scraping EU residents' personal data without a lawful basis under Article 6 (consent, legitimate interest, etc.) violates this principle, with fines reaching 4% of global annual revenue.

Q5. Under 18 U.S.C. § 2261A (federal cyberstalking), what conditions transform legitimate OSINT research into a criminal course of conduct?

• A) Conducting more than 100 queries about a single individual within a 24-hour period
• B) Aggregating information about a specific individual in a pattern of surveillance used to monitor, threaten, or intimidate them
• C) Publishing OSINT findings about a private individual without their consent
• D) Using automated OSINT tools rather than manual searching

Correct answer: B Explanation: Federal cyberstalking requires a course of conduct (not a single lookup), targeting a specific individual, that places them in reasonable fear or causes substantial emotional distress. The aggregation problem is central: individually harmless queries (employer, neighborhood, schedule, vehicle) combine into a surveillance profile that can constitute a criminal course of conduct.

Q6. What was Ross Ulbricht's sentence following his conviction in United States v. Ulbricht (S.D.N.Y. 2015), and which charges formed the conviction framework?

• A) 25 years; convicted of drug trafficking conspiracy and computer fraud only
• B) Two life sentences without parole; convicted of drug trafficking conspiracy, continuing a criminal enterprise, computer fraud, and money laundering
• C) Life plus 40 years; convicted solely under the Continuing Criminal Enterprise statute
• D) 20 years; convicted of operating an unlicensed money transmitting business and drug trafficking

Correct answer: B Explanation: Ulbricht received two life sentences without parole. The Ulbricht charges — drug trafficking conspiracy, continuing criminal enterprise (CCE), computer fraud, and money laundering — remain the template for subsequent dark web marketplace operator prosecutions, including AlphaBay and Hansa.

Q7. What did United States v. Gratkowski (5th Cir. 2020) establish regarding law enforcement access to Bitcoin transaction records?

• A) Law enforcement must obtain a warrant before accessing blockchain transaction records, as users have a reasonable expectation of privacy in their pseudonymous wallets.
• B) Bitcoin users have no reasonable expectation of privacy in their blockchain transactions because they are voluntarily exposed to the public under the Third-Party Doctrine.
• C) Blockchain analytics tools like Chainalysis are inadmissible under Daubert because the heuristics are not peer-reviewed.
• D) Only the government, not private analytics companies, may analyze public blockchain data for law enforcement purposes.

Correct answer: B Explanation: The Fifth Circuit applied the Third-Party Doctrine from Smith v. Maryland, holding that by broadcasting transactions to the network, Bitcoin users voluntarily expose them to the public and have no Fourth Amendment protection. Law enforcement therefore does not need a warrant to run blockchain analytics against public transaction data.

Q8. What enforcement action did OFAC take regarding Tornado Cash in 2022, and what legal exposure does it create for ordinary users?

• A) OFAC issued a subpoena to Tornado Cash's operators; ordinary users face no liability unless they profited from the mixing service.
• B) OFAC sanctioned Tornado Cash as a sanctionable "person" under IEEPA, creating OFAC violation exposure for anyone who interacted with the protocol after the designation — including non-malicious users.
• C) OFAC designated Tornado Cash under IEEPA but limited exposure to developers and operators; user liability requires proof of criminal intent.
• D) OFAC sanctioned Tornado Cash under FinCEN's Bank Secrecy Act authority; users face civil money penalties only if they transacted more than $10,000 through the protocol.

Correct answer: B Explanation: OFAC sanctioned Tornado Cash as a sanctionable "person" under IEEPA in 2022, holding that smart contract-based mixers are subject to sanctions. Interacting with Tornado Cash after the designation created OFAC violation exposure even for non-malicious users. Two Tornado Cash developers were subsequently criminally charged with money laundering conspiracy.

Q9. What legal protection does the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14) provide that distinguishes it from most other U.S. privacy statutes?

• A) It requires the Illinois Attorney General to bring all enforcement actions; there is no private right of action.
• B) It prohibits biometric data collection by law enforcement, exempting private actors from its scope.
• C) It provides a private right of action with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys' fees.
• D) It applies only to commercial entities with more than 25 employees, exempting most OSINT practitioners.

Correct answer: C Explanation: BIPA is the most plaintiff-friendly biometric privacy statute in the U.S., providing a private right of action — not just agency enforcement — with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation. Clearview AI's Illinois liability under BIPA was estimated in the billions.

Q10. What is the legal status of a security researcher who creates an account on a dark web drug marketplace for intelligence-gathering purposes but makes no purchases?

• A) Fully protected under the DOJ 2022 good-faith policy because no illegal goods were purchased.
• B) Safe because account creation without purchasing is explicitly authorized by Silk Road precedent in the CFAA context.
• C) A grey zone — prosecutors argued in Silk Road cases that account creation implies conspiracy intent, though courts have generally not sustained conspiracy solely from registration without purchase.
• D) A clear criminal violation of 21 U.S.C. § 841 because creating an account constitutes an overt act in furtherance of a drug trafficking conspiracy.

Correct answer: C Explanation: Account creation on a dark web marketplace is a grey zone. Prosecutors argued in Silk Road prosecutions that account creation evidenced conspiracy intent, but courts have generally not sustained conspiracy charges based solely on registration without an actual purchase. Passive browsing without account creation remains safe in the U.S.

Quiz for Module 02a — LawZeee | Generated 2026-04-17