Sounds like you're trying to compare a civil class action lawsuit to a criminal case.

Additionally, if the botnet does what it typically does..that is, coordinate to attack a specific website, that sounds a lot like a "single act".

I'm not trying to argue with you, just noting that others have tried to persue your line of thought and failed.

Edit: Regarding "I'm just wondering how ads/trackers get such a pass from CFAA"

To date, they get a pass because nobody can show $5k damages for a "single act". Of course, that may not be the only defense strategy they could employ. It's worked well enough thus far that they haven't needed to argue anything else.

In the reverse direction, where an end user does something like "add some funny thing to the url" on a popular website, it's easy to show $5k of damages, because the target isn't one person's home PC.

I'm just wondering how ads/trackers get such a pass from CFAA. My initial comment was about JavaScript, but Halperin is about adware install! And isn't merely creating botnets illegal? Even if you use them only for good things.

OK, so there are criminal and civil liabilities for pwning corporate websites. But it's OK for corporate websites to pwn user devices. Because there's a $5K damages threshold for CFAA, and also a damages threshold for tort class representatives.

That's arguably a huge bug in the legal system. Maybe there's a niche for private compensation services. Anonymously crowd-funded. Somali model.