There has to be a court precedent that criminalized sniffing network traffic on the customer’s side.
Should be one of those many cases involving wiretapping for banking info.
It is about intent versus capability set that CFAA does poorly with differentiation in court.