Unchaining Web2 Data Onchain: What Agents and Oracles Need to Know About the Law

With the rise of agents that heavily interact with Web2 applications, primitives that help users unchain their Web2 data will become increasingly important. These primitives include account encumbrance using TEEs, zkTLS to prove something about a user account, etc.

These primitives allow crypto companies to offer products/services that empower users to unlock their data without giving these companies access to users’ credentials. Examples include @flashbots_x’s Teleport (account encumbrance) and @plutolabs_’s Web Proofs (zkTLS).

Obviously, Web2 companies do not like users controlling their own data. One of their favorite legal hammers to stop this is the Computer Fraud and Abuse Act (CFAA), which provides a private right of action against a person who “intentionally accesses a computer without authorization.” Specifically, Web2 companies love to sue products/services that empower users to export their data under the CFAA. Here’s an example of X doing this against a scraping company:

I wrote a long article about the CFAA back in August. In that article, I focus on a court case called BrandTotal (and test it against influential precedent). The TLDR of that article is that I believe that products/services that empower users to unchain their data from a Web2 platform without accessing their credentials have a strong argument that they do not violate the CFAA.

Let’s quickly review the BrandTotal case to see why. BrandTotal was an analytics company that collected Facebook ad data using browser extensions used by end users and its own scraping services. Facebook really did not like this. It used contractual (TOS, cease and desist) and technical (CAPTCHAs, account bans) methods to block BrandTotal, but BrandTotal kept on collecting anyway.

Facebook sued BrandTotal under the CFAA. In analyzing the claim, the court made key distinctions between different BrandTotal products/services. These products/services varied in whether they had access to user credentials. From the court’s reasoning, we can see a pattern emerge: whether BrandTotal violated the CFAA came down to whether it had access to user credentials. Here’s a summary table depicting this:

[Image: summary table]

This ruling reinforces that the CFAA is an anti-hacking law, not a broad data misappropriation tool. Crypto companies using/providing products/services to help users unlock their own data (or public data) without accessing those users’ credentials should not be considered to engage in “hacking” under any conceivable definition of that term and have a strong argument they do not violate the CFAA.

None of the above is legal advice (as always) and this is an area of law in flux. You should discuss your situation with your legal counsel.

For more details, check out the full breakdown: https://paragraph.xyz/@proofs-and-protocols/browser-extensions,-the-cfaa-and-user-control-5
