Re: Not a CFAA issue
Your formulation of item 1 is far too vague.
Van Buren quite rightly narrowed the scope of the CFAA. I think it's important that decision be interpreted in the circuits to mean that ToS alone, or any other sort of implied contract, is not a sufficient gate to invoke criminal penalties under the CFAA.
In this case, however, hiQ took two steps to deliberately and positively exceed authorized access. They developed and deployed technological countermeasures to LinkedIn's technological gatekeepers; and they ignored a cease-and-desist notification from LinkedIn's lawyers.
Allowing that activity to invoke the CFAA is a much higher bar than simply ToS violation. Ordinary use of the public web doesn't require deliberate positive technological bypass of gatekeepers,[1] and it certainly doesn't require ignoring an official and direct statement from the site owner forbidding the activity.
Now, you might apply the "Aaron Swartz" test here and say that even those should be insufficient tests to allow the CFAA to apply. And I agree the Swartz case is extremely unfortunate, and a clear case of excess by an unscrupulous prosecutor to the point of outright malice (as with some other CFAA prosecutions). But the CFAA is the law of the land, and as with many laws some contingency must be brought to bear. hiQ are not Swartz; they are not a private individual attempting, rightly or not, to make publicly-funded research more widely available. They're a commercial entity trying to make a profit from someone else's intellectual property, the law be damned.
[1] What's a "positive ... bypass"? Employing technology which manipulates an interface in a manner other than what's intended by its owner. Using NoScript, say, or an ad blocker, wouldn't be a positive use; there the user is preventing some unwanted software from executing on his or her own equipment. It's a negative bypass.