umma.dev

Amazon.com Services LLC v Perplexity AI Inc

You can read about the case here.

Imagine you hire a personal assistant to do your shopping. You give them your credit card and Amazon password, and they head off to buy what you need. Instead of walking through the front door of the store, they sneak through a side entrance wearing a disguise to avoid security cameras. When Amazon catches your assistant, the assistant says, “I was just shopping for my client! I had permission.”

This is what’s happening in Amazon.com Services LLC v Perplexity AI Inc (ND Cal, 5 November 2025), a lawsuit filed in the Northern District of California. It’s one of the first major legal battles over “agentic AI”, technology that doesn’t just answer questions but actually takes actions on your behalf.

Who’s Involved?

  • Amazon.com Services LLC (Plaintiff): The e-commerce giant that also runs Amazon Web Services (AWS), one of the world’s largest cloud computing platforms

  • Perplexity AI Inc. (Defendant): A $20 billion AI startup that makes an AI-powered search engine and, more recently, an AI “shopping assistant”/browser called Comet

Understanding the Technical Elements

What is an agent? It’s an assistant that can carry out tasks for you; think of it as a virtual robot in a web browser.

  • AI Assistant: “Here’s a recipe for pasta carbonara”
  • AI Agent: “I’ve ordered the ingredients for pasta carbonara from three stores, compared prices, and scheduled delivery for tomorrow”

In August 2025, Perplexity launched Comet, a browser with agentic features. From buying items on websites to logging into accounts or searching the web, the agent can automate many tasks a person might find mundane.

Technical Problem: User Agent String Spoofing

When the agent accesses a website, it sends an identifier called a user agent string. According to Amazon, Perplexity has configured Comet to identify itself as Google Chrome rather than as an AI agent, which is known as user agent string spoofing.

Amazon uses systems to detect and block bots. A bot disguised as Chrome can slip through the defenses engineers have set up.

Comet can gain access to a lot of personal data, such as Amazon browsing history, payment information, delivery addresses, product recommendations, reviews and prices. This is concerning for Amazon because Perplexity’s terms of service allegedly permit the collection of sensitive details such as passwords and payment data, whilst denying liability for security breaches.
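As an added example (not code from Amazon, Perplexity or the complaint), here is how a site can treat the User-Agent header as an unverified claim and cross-check a "Chrome" claim against the Sec-CH-UA client hint that Chrome sends by default over HTTPS. The sample requests, the "ExampleBrowser" brand and the verdict labels are constructed for illustration; "PerplexityBot" is the name quoted on this page.

```python
import re

# "PerplexityBot" is the self-identifying name quoted on this page; treating it
# as a policy token is an assumption of this sketch.
DECLARED_AGENT_TOKENS = ("perplexitybot",)

def parse_brands(sec_ch_ua):
    """Parse a Sec-CH-UA header value into {brand: major_version}."""
    return dict(re.findall(r'"([^"]+)";\s*v="(\d+)"', sec_ch_ua or ""))

def classify(headers):
    """Treat User-Agent as an unverified claim and cross-check it."""
    ua = headers.get("User-Agent", "")
    if any(tok in ua.lower() for tok in DECLARED_AGENT_TOKENS):
        return "declared-agent"             # honest label: apply agent policy
    claim = re.search(r"Chrome/(\d+)", ua)
    if not claim or "Edg/" in ua or "OPR/" in ua:
        return "other-client"               # not claiming to be Google Chrome
    brands = parse_brands(headers.get("Sec-CH-UA"))
    if not brands:
        return "chrome-claim-unverified"    # no client hints to corroborate
    if brands.get("Google Chrome") != claim.group(1):
        return "chrome-claim-inconsistent"  # brand list contradicts the claim
    return "chrome-claim-consistent"

# Constructed sample requests (not captured traffic from any real product).
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36")
SAMPLES = {
    "chrome": {"User-Agent": CHROME_UA, "Sec-CH-UA":
               '"Chromium";v="139", "Google Chrome";v="139", "Not;A=Brand";v="99"'},
    "other_brand": {"User-Agent": CHROME_UA, "Sec-CH-UA":
                    '"Chromium";v="139", "ExampleBrowser";v="1"'},
    "no_hints": {"User-Agent": CHROME_UA},
    "labelled": {"User-Agent": "Mozilla/5.0 (compatible; PerplexityBot/1.0)"},
}

def classify_samples():
    return {name: classify(h) for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:12} {verdict}")
```

Every header here is supplied by the client, so an inconsistent or unverified verdict is a reason to apply further checks, not proof of automation.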

Understanding the Legal Frameworks/Statutes

Within the lawsuit, a number of legal frameworks are referred to. Let me explain what these statutes mean and why they’re important to the lawsuit.

The Computer Fraud and Abuse Act (CFAA): The Federal Anti-Hacking Law

The CFAA is the primary “computer crime” statute in the United States, passed in 1986.

It makes it illegal to:

  • Access a computer without authorisation
  • Exceed authorised access to a computer
  • Access a computer to commit fraud

The statute has both criminal penalties (fines and jail time) and civil liability (allowing companies like Amazon to sue for damages).

What counts as unauthorised in agentic terms?

Here’s the core legal question in technical terms:

User → grants credentials to → Perplexity Agent
Perplexity Agent → uses credentials to access → Amazon's servers
Amazon ToS → explicitly prohibits → bot access

Is this authorized access?

From a systems design perspective:

  • Authentication: Perplexity has valid credentials (passed)
  • Authorization: But is the activity permitted under system rules? (disputed)

Amazon argues this is like having someone’s WiFi password but using it to run cryptocurrency mining operations—you have the credentials, but you’re not authorised to use them that way.

California’s State Computer Crime Law

California has its own version called the “Comprehensive Computer Data Access and Fraud Act.” It’s California’s state-level equivalent of CFAA, with similar provisions but different interpretations by California courts.

Why both laws? Amazon can pursue violations under both federal and state law simultaneously, giving them multiple legal theories and potentially higher damages.

The Legal Claims

Violating the Computer Fraud and Abuse Act (CFAA)

What Amazon Alleges: Perplexity “knowingly and with intent” accessed Amazon’s computers without authorisation by:

  • Violating Amazon’s explicit Terms of Service that prohibit “any use of data mining, robots, or similar data gathering and extraction tools”
  • Disguising its AI agent to appear as a human using Chrome
  • Continuing this conduct even after being told to stop

The Legal Test

Under 18 U.S.C. § 1030(a)(2)(C), it’s illegal to intentionally access a computer without authorisation and obtain information. Courts have struggled with what “without authorisation” means:

  • Narrow interpretation: Only applies to hackers who bypass security (like password cracking)
  • Broad interpretation: Includes violating Terms of Service or other access restrictions
  • The circuit split: Different federal courts have ruled differently

The Technical Evidence

  • Comet identified itself as Chrome, not as “PerplexityBot”
  • This concealment was allegedly intentional to circumvent bot detection
  • Amazon had explicitly told Perplexity to stop in November 2024

Violating California Computer Crime Law

This is essentially the same argument as the CFAA claim but under California state law. California’s statute has slightly different elements and potentially different damages calculations.

The Arguments

Amazon’s Perspective

Legal argument

  • Perplexity knowingly violated clear Terms of Service
  • The disguising of Comet as Chrome shows intent to circumvent security
  • Having user credentials doesn’t override ToS restrictions
  • This creates security risks and harms Amazon’s business model

Technical argument

  • Perplexity deliberately configured Comet to avoid detection
  • User agent string spoofing is a classic bot tactic
  • Amazon’s systems rely on identifying traffic types to maintain security
  • The masquerading undermines Amazon’s ability to protect its platform

Business argument

Shopping agents threaten Amazon’s lucrative advertising business. Amazon makes much of its profit by selling prominent product placement in search results. If AI agents shop for customers, companies can’t buy their way to the top of search results, and the ads lose their value.

From Amazon’s complaint

“Perplexity is not allowed to go where it has been expressly told it cannot; that Perplexity’s trespass involves code rather than a lockpick makes it no less unlawful.”

Perplexity’s Perspective

Legal argument

  • User agents act on behalf of users with their explicit permission
  • This is fundamentally different from scrapers, crawlers, or bots
  • Users have the right to use tools to interact with services
  • Amazon is trying to monopolize how users can access their own accounts

Technical argument

  • Comet isn’t scraping data or training AI models
  • Credentials are stored locally on the user’s device, not on Perplexity’s servers
  • Comet only takes actions the user requests
  • The user agent is simply executing the user’s intent more efficiently

Philosophical argument

If you have permission to shop on Amazon, why can’t you use a tool to do it for you? It’s like arguing that you can only shop on Amazon using Amazon’s official app, not through a web browser or third-party tool.

From Perplexity’s response

“User agents are exactly that: agents of the user. They’re distinct from crawlers, scrapers, or bots.”

Why Does it Matter?

This case forces courts to consider a distinction that doesn’t clearly exist in current law.

Traditional Bot

  • Acts autonomously to collect data
  • Typically operates at scale across many accounts
  • Primary purpose is data harvesting
  • No individual user authorization

AI Agent (Perplexity’s argument)

  • Acts on specific user instruction
  • One-to-one relationship (one agent per user)
  • Primary purpose is task completion, not data collection
  • Explicit user authorization

Why it’s legally complicated

The CFAA was written in 1986, long before AI agents existed. Courts have struggled even with simpler cases about Terms of Service violations. Adding autonomous AI into the mix creates unprecedented questions.

Terms of Service as Gatekeepers

Imagine you’re reverse-engineering an API to build a better interface for a service. You’re not doing anything malicious—just improving user experience. But the ToS says “no reverse engineering.” Should that be a federal crime? Courts have increasingly recognised that ToS can’t be the sole basis for criminal liability under CFAA. Otherwise, companies could essentially write criminal law by adding terms to their ToS.

The Credential Sharing Problem

This raises questions about delegated authority. In physical law, if you give someone your house key and they commit a crime inside, you’re generally not liable (unless you knew about their intent). But in computer law, the rules are murkier.

The Business Model Threat

Amazon’s advertising business generated $47.5 billion in revenue in 2023. Here’s how it works:

  • You search for “running shoes”
  • Companies pay Amazon to show their shoes at the top
  • You click and potentially buy

With AI agents

  • You tell Comet “buy running shoes under $100, best rated”
  • Comet searches, compares, and purchases—all invisible to you
  • The ads you never see can’t influence the purchase
  • Amazon’s advertising value plummets

The Legal Implications for Engineering

From an engineering perspective, Amazon needs to prove:

  • Intent: Configuration decisions showing deliberate concealment
  • Causation: The spoofing actually bypassed security measures
  • Harm: Concrete damages (security risks, lost ad revenue, system resources)
  • Notice: Proof they told Perplexity to stop

What Amazon Wants

Injunctive Relief (court orders)

  • Stop Perplexity from accessing Amazon using AI agents
  • Prohibit Perplexity from using existing Amazon accounts or creating new ones for agents
  • Require Perplexity to destroy any unlawfully obtained Amazon data, including customer data
  • Require Perplexity to disclose every Amazon account ever accessed through Comet

Monetary Damages

  • Compensatory damages (actual harm suffered)
  • Statutory damages under CFAA (up to $5,000 per violation, or actual damages)
  • Attorneys’ fees and costs

Why the disclosure request matters

If Amazon gets a list of every account Comet accessed, they can:

  • Notify affected customers
  • Assess the scope of the breach
  • Calculate damages
  • Potentially suspend or restrict those accounts

Technical Considerations for the Future

Technical best practices

  • Always identify your agent honestly in user agent strings
  • Respect robots.txt and platform APIs
  • Implement proper authentication and authorization checks
  • Store credentials securely (preferably not at all—use OAuth)
  • Build rate limiting and abuse prevention into your systems
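The first, second and last items in this list can be enforced in the agent itself. The following is an added example, not code from Perplexity or any other product: the agent name, its info URL, the shop URLs and the robots.txt content are all hypothetical, and the class only plans a request (no network I/O) so it runs offline.

```python
import time
import urllib.robotparser

# Hypothetical agent name and info URL: an honest, stable product token.
AGENT_UA = "ExampleShoppingAgent/1.0 (+https://agent.example/about)"

# Constructed robots.txt for a hypothetical shop.
ROBOTS_TXT = """\
User-agent: ExampleShoppingAgent
Crawl-delay: 5
Disallow: /checkout
Disallow: /account

User-agent: *
Disallow: /
""".splitlines()

class PoliteAgent:
    """Plans requests: honest User-Agent, robots.txt check, self rate limit."""

    def __init__(self, robots_lines, user_agent=AGENT_UA, clock=time.monotonic):
        self.user_agent = user_agent
        self.rules = urllib.robotparser.RobotFileParser()
        self.rules.parse(robots_lines)
        # Honour the site's Crawl-delay, with a 1 second floor of our own.
        self.min_interval = max(1.0, self.rules.crawl_delay(user_agent) or 0)
        self.clock = clock
        self.next_allowed = None

    def plan_request(self, url):
        """Return (allowed, headers, wait_seconds); performs no network I/O."""
        if not self.rules.can_fetch(self.user_agent, url):
            return (False, None, 0.0)  # refuse rather than relabel the client
        now = self.clock()
        wait = 0.0 if self.next_allowed is None else max(0.0, self.next_allowed - now)
        self.next_allowed = now + wait + self.min_interval
        return (True, {"User-Agent": self.user_agent}, wait)

if __name__ == "__main__":
    agent = PoliteAgent(ROBOTS_TXT)
    for url in ("https://shop.example/products/42", "https://shop.example/checkout"):
        print(url, agent.plan_request(url))
```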

Legal best practices

  • Seek permission before launching products that interact with third-party platforms
  • Document your attempts to comply with laws
  • Respond immediately to cease-and-desist letters
  • Consult with both technical and legal teams on design decisions
  • Consider whether your business model depends on legally grey areas

Business best practices

  • Build partnerships with major platforms rather than antagonizing them
  • Be prepared to share revenue if your agent uses someone else’s platform
  • Have a plan B if your current approach is deemed illegal
  • Consider whether being “right” legally is worth the litigation risk

Legal Considerations for the Future

Understanding the technology matters

  • You can’t evaluate CFAA risk without understanding how the system works
  • “User agent string spoofing” isn’t just technical jargon, it’s evidence of intent
  • The difference between local and server-side storage affects privacy and security analysis