Wow.<p>I read Tentler's follow-up post on this, where he abruptly declares that what they're doing isn't unlawful. Presumably, he's saying that because a competent lawyer told him that. If that's not the case, he should retain one.<p>There are a number of problems with his logic:<p>* The fact that AV vendors have done things like this in the past (or even do them today) almost definitely won't inoculate <i>this particular team</i> from civil or criminal actions which will cost them a fortune to defend.<p>* There is no provision in CFAA, or in any unauthorized access statute I've ever read, that has a safe-harbor provision for scanners that do "opt-out". Providing a block-list is good, and neighborly, but it probably doesn't protect them.<p>* "But the server never asked for a password" is not going to be an effective defense. It's actually even less compelling in this case than it was in the Auernheimer case, because a web server normally exists to publish documents to the world, but virtually all VNC servers do not.<p>* Most importantly: what they're doing is so non-minimal. They appear to really be pushing the boundaries of what it means to do an Internet survey. If they wanted to map open VNC servers, they could do that without <i>screenshotting people's open servers</i>.<p>This team starts that scanner process knowing that they're going to reap hundreds of screenshots that the owners of those systems don't want them to have. If you can describe your project reasonably in a sentence that includes the words "knowing" and "unauthorized", get a lawyer to sign off on it first.<p>Hopefully, they already did, and I'm just being noisy!