I'm pretty sure it took some significant research to find this area where CFAA limitations might be causing problems. Unfortunately the area they have found is so narrow that it is almost completely useless to anyone living in the real world. Most of the world's population is not doing research on discriminination, at least via means of hacking to protected computer systems. Further, there is no real proof that these considerations are not taken into account whenever CFAA is being applied to real use cases. So their lawsuit is academic at best, and misleading at worst.
The people whose activities CFAA are targeting, are much more significant problem. Computer systems gets hacked and password protections skipped, bots are sending millions of spam messages, protected computer systems integrity violated in blatant way, worms, viruses and randomware are spreading all over our networks. ACLU can get minor exceptions to CFAA passed, but they have no way of overthrowing the whole act. Minor tweaking is just fine, but they can't claim significant victories for those.