The CFAA is overbroad and remains unclear with respect to "without authorization, or exceeds authorized access" even after the 2021 Van Buren v. United States ruling. But Beeper Mini doesn't damage or destroy any files on Apple's servers, so I think the CFAA doesn't apply [1]:
> The majority also recognized that the portions of the CFAA that define damage and loss are premised on harm to computer files and data, rather than general non-digital harm such as trespassing on another person’s property: “The statutory definitions of ‘damage’ and ‘loss’ thus focus on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data,” the Court wrote. This is important because loss and damage are prerequisites to civil CFAA claims, and the ability of private entities to enforce the CFAA has been a threat that deters security research when companies might rather their vulnerabilities remain unknown to the public.
The relevant text of the CFAA is 18 U.S. Code § 1030(a)(5) [2]:
> (A)knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
> (B)intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
> (C)intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
> The majority also recognized that the portions of the CFAA that define damage and loss are premised on harm to computer files and data, rather than general non-digital harm such as trespassing on another person’s property: “The statutory definitions of ‘damage’ and ‘loss’ thus focus on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data,” the Court wrote. This is important because loss and damage are prerequisites to civil CFAA claims, and the ability of private entities to enforce the CFAA has been a threat that deters security research when companies might rather their vulnerabilities remain unknown to the public.
The relevant text of the CFAA is 18 U.S. Code § 1030(a)(5) [2]:
> (A)knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
> (B)intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
> (C)intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
[1] https://www.eff.org/deeplinks/2021/06/van-buren-victory-agai...
[2] https://www.law.cornell.edu/uscode/text/18/1030