Because of a legal precedent and a general fact about contract law:
1. Installation and/or execution of software constitutes copying (the "RAM Copy Doctrine") which is only lawful if the person currently using the software has been licensed or sold the software
2. Licensing restrictions can restrict license holders from exercising rights they otherwise would have as a matter of law
There is nothing prohibiting you from only licensing your software out under terms that prohibit licensees from exercising fair use or first sale rights. Indeed, this is one of Oracle's main "innovations": ever since Larry Ellison failed to get David DeWitt fired for daring to benchmark Oracle, they just made everyone who buys Oracle promise not to benchmark it. This is legally sound and the only way around it is to argue that the software transaction was actually a sale and not a license - as far as I'm aware, though, nobody has been able to successfully articulate such a claim.
IAAL, and that is a good question. (This is not legal advice.)
CRFA appears to apply to contracts that bind an "individual" and not a "person". This technical difference is important in contracts: an individual is also known in the art as a "natural person" (i.e., a human being), while a "person" could be an individual, a company, or other organization.
So it is possible that the law does not apply to Orca Security because they are a "person" and not an "individual". In other words, if it can be found that Mr. Shua was acting as an officer or other representative of Orca Security instead of in his personal capacity, then CRFA may not apply to the license agreement.
Again, this is NOT legal advice, and anyone seeking a legal opinion should engage a licensed attorney. This law is pretty new and I don't know whether this specific question has been tested by any court. But I would tread with caution.
I would be extremely surprised if the CRFA applied to competitors (or generally to corporations). The first word is "consumer", and competitors are generally not consumers of each other's products.
If you are correct though, doesn't that make Oracle et al's "no benchmarks" stipulation non-enforceable as well? That would be kind of nice.
Doesn't a brief window exists where at 11:59pm you can run Oracle but after midnight when lic expires and the results are back you could report on those numbers.
