Well, that's kind of the thing, isn't it? It's *hard* to draw that boundary and the CFAA is really vague about what constitutes unauthorized. I mean, do we commit a felony if we link to perfectly accessible sites where the owner has written a ToS that purports to give them full control? How do we even know that we weren't authorized? Clearly we need to have some kind of notice. And the web is full of programs, it's not reasonable to expect everyone to read every ToS on the web, clearly we should have some expectation that if the site gives us access when we ask for it that we're allowed to actually view the page. But at the same time, we can't go too far in legitimizing those who hack the websites into giving access. At the same time, I'd hate to see felonies for people who put an anonymous email into anonymous FTP or who don't feed some website all their personal details when signing up.
That's why I think that access should be authorized as long as it is given and there's no important deception. Here 'important' simply means that if you hadn't deceived the site, it wouldn't have granted access. It also requires actual deception--something untrue. For example, pretending that you were the owner of some account and trying to reset the password, lying to the support staff to get access, or simply brute forcing an account that isn't yours. It'd be best to add in some minimum amount of damages that have to have been suffered, too, so that some technical violations that cause no actual harm don't get treated as federal crimes. Say, for example, if some kid claims to be 18 to access a porn site.
I find this to be a more balanced idea that focuses the criminal penalties on people who are actually up to no good, without giving websites carte blanche to dictate what is and is not a felony.