[pm90]

IANAL but you can be in trouble even if the data is openly available but the party managing the data deems it restricted in any way. I believe this is the reason security researchers get in trouble: they access data that is considered restricted and get prosecuted for "stealing" it.

I think the logic to that is something akin to: its illegal for you to take my car even if I leave it unlocked with the keys in it.

[nostrademons]

The company has to communicate that the data is restricted, they can't just deem it restricted after the fact. Usually when companies or individuals (eg. 3Taps & Aaron Swartz) have gotten in trouble under the CFAA, it's been because they've been served a C&D or IP-blocked and then persist in accessing the data, which the courts have upheld as "knowingly and intentionally accessing a computer without authorization".

In this case, WeWork is within their rights to terminate ThinkNum's membership for the ToS violation, but there's no legal case unless ThinkNum persists in scraping WeWork's data after the termination, or there's evidence that ThinkNum knew that the API was restricted at the time they accessed it. Hence the founder's repeated insistences that he did nothing wrong, and coyness in discussing the source of the data.