Amazon’s hacking claim targets regular browser users


Perplexity AI this week filed its opening brief with the United States Court of Appeals for the Ninth Circuit, arguing that a preliminary injunction won by Amazon in March relies on a fundamental misreading of federal computer fraud law and, if left in place, would let internet platforms use criminal statutes to block competing technology their own users choose to install.

The 96-page brief, filed under case number 26-1444 and dated April 1, 2026, was prepared by Quinn Emanuel Urquhart & Sullivan, LLP and presents three core arguments for reversal: that Amazon is unlikely to prevail on the merits of its claims under the Computer Fraud and Abuse Act (CFAA) and California’s equivalent statute; that the district court improperly collapsed the separate legal tests for injunctive relief into a single merits finding; and that the lower court abused its discretion by refusing to require Amazon to post a bond.

Background: the Comet browser and the Assistant

Perplexity, founded in 2022, launched its Comet browser on July 9, 2025, initially restricting access to subscribers of its $200-per-month Max plan. The browser was made broadly available on October 2, 2025, after millions joined a waitlist during a three-month restricted period.

Building Comet was a significant undertaking. According to the brief, Perplexity acquired browser company Sidekick and assembled a team of nearly 100 engineers, researchers, and specialists – the largest team Perplexity had ever devoted to a single project.

Comet is built on Chromium, the same open-source engine that powers Google Chrome. Like Google Chrome and Mozilla Firefox, it is a software program downloaded onto a user’s computer to navigate the internet. It runs locally on the user’s machine. That architectural fact sits at the center of the legal dispute.

The browser includes an optional AI “Assistant” feature that is, according to the brief, “directly incorporated into the web browser itself” and operates on the user’s computer. Activation is not automatic. A user must click a tab in the upper right corner of the display to switch it on. Once active, the Assistant can perform tasks at the user’s direction – including browsing websites such as Amazon.com to search for or purchase goods.

The technical pipeline works as follows. When a user instructs the Assistant to find an item on Amazon, the Assistant may take a screenshot of the browsing session and send an encrypted version of that screenshot, or an HTML snapshot, from the user’s computer to Perplexity’s servers. Those servers respond to the user’s computer with instructions for how the Assistant should proceed on Amazon. Perplexity uses the screenshots and snapshots solely to accomplish the user’s task and, when necessary, to identify software errors; they are automatically deleted within 30 days. The Assistant never sends more information to Perplexity than what the user can see in the browser window.

Critically, according to the brief, no Perplexity computer ever has direct access to an Amazon computer during this process. Amazon’s own expert conceded in the district court that there are “no direct requests from Perplexity hosts to Amazon.com” and that data from Amazon is “transmitted to the user’s browser and then to Perplexity servers.” The Assistant cannot log into a user’s Amazon account by itself. For purchases, it requires additional manual user authorization; if the user is not already logged in, they must use “the normal login process and their own login information, with no shortcuts or automated authentication.”

How the conflict escalated

Amazon contacted Perplexity in August 2025 to complain that its Conditions of Use require all AI agents to act transparently when accessing the Amazon Store. As the brief notes, Amazon subsequently acknowledged that Perplexity is not a party to those Conditions of Use, which bind only Amazon’s own users.

Amazon’s stated concern about transparency centered on Comet’s user-agent string – a technical device by which browsers identify themselves to websites. Amazon alleged Perplexity configured Comet to transmit the same user-agent string used by Google Chrome, making the AI agent appear as though a human customer was browsing rather than an automated system. The brief counters that Comet uses substantially the same user-agent string as other Chromium-based browsers including Microsoft Edge, Brave, and Opera, and that Perplexity is under no legal duty to equip Comet with any particular user-agent string.

According to the brief, the true reason Amazon wanted the change was so that it could identify and block the Comet Assistant, “forcing customers to view its advertisements” – a characterization based on Amazon’s own internal complaints that its advertisers do not pay for their ads to be shown to “automated agents.”

Amazon’s own advertising business provides important context. Amazon’s third-quarter 2025 advertising revenue reached $17.7 billion, growing 22 percent year-over-year. The Comet browser’s AI assistant bypasses sponsored products, recommendations, and other advertising elements when users browse Amazon, which sits at the commercial heart of the dispute.

Amazon formed a group focused on agentic AI in March 2025 and launched a suite of agentic AI tools in October 2025. It also offers a tool called “Buy for Me” that allows customers to purchase items from third-party retailer websites – often without the knowledge of either the customer or the retailer – by using an agentic AI tool to complete the purchase on the third-party website. Amazon’s Rufus AI assistant reached more than 300 million users throughout 2025 and generated nearly $12 billion in incremental annualized sales.

On October 31, 2025, Amazon sent Perplexity a letter accusing it of violating the CFAA and the California Comprehensive Computer Data Access and Fraud Act (CDAFA). Days later, on November 4, 2025, Amazon filed the lawsuit in the Northern District of California. Amazon’s new AI agent rules, formalized in its Business Solutions Agreement effective March 4, 2026, show how the company has been hardening its governance posture across the board.

The district court’s March 9 ruling

United States District Judge Maxine M. Chesney issued a preliminary injunction on March 9, 2026, just one business day after a hearing during which she repeatedly acknowledged the case as unprecedented. At the hearing, Judge Chesney remarked that it is “almost as if what [Perplexity is] doing shouldn’t be covered” by the CFAA and that “people ought to be allowed to bring these kinds of shopping assistants in and have them talk.” She also described herself as “kind of stuck” with the statute because it “is SO broad and covers people who may be performing a beneficial act.”

The injunction barred Perplexity from accessing or providing a means for others to access “Amazon’s protected computer systems using AI agents,” which the court defined broadly as “any software or computer program deployed through Perplexity’s Comet web browser that can autonomously or semi-autonomously perform actions and interact with third-party websites on behalf of, or at the instruction of, any user.”

The court denied Perplexity’s request for a $1 billion bond – which Perplexity had sought based on its market valuation – finding insufficient information to assign a dollar figure to losses limited to Comet’s access to Amazon’s password-protected accounts. It also declined to stay the injunction pending appeal. The next day, Perplexity filed a notice of appeal, and a motions panel of the Ninth Circuit issued an administrative stay and then stayed the injunction pending the appeal, with expedited briefing ordered.

The appeal: five elements, five deficits

The CFAA claim under 18 U.S.C. § 1030(a)(2) requires Amazon to establish five independent elements. Perplexity must have (1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and thereby (3) obtained information (4) from any protected computer, with (5) loss to one or more persons during any one-year period aggregating at least $5,000. The brief argues Amazon is unlikely to satisfy any of them, let alone all five.

On the first element – intentional access – the brief draws a pointed comparison. A Comet user accessing Amazon from her own computer is, the brief states, “no more equivalent to Perplexity accessing Amazon than a Safari user accessing Amazon from her own computer is equivalent to Apple accessing Amazon.” Because Amazon sued only Perplexity, the company cannot meet the access element. The only entity reaching Amazon’s servers is the user, on the user’s own device.

On authorization, the argument is that Amazon account holders themselves authorized the Assistant to access their own information to facilitate their own shopping. The district court acknowledged this conduct may be “beneficial” to everyone involved. No private information beyond what the user can see in the browser window was transmitted; the Assistant is, according to the brief, functionally “akin to what a person would see from looking over the user’s shoulder.” The brief distinguishes the Facebook v. Power Ventures precedent – which the district court relied on heavily – by pointing out that Power Ventures involved a company accessing third parties’ private information without those users’ authorization. In this case, every piece of information the Assistant accesses belongs to the user who activated it.

On the third and fourth elements, the brief is direct: Perplexity does not connect to, and obtains no information from, Amazon’s servers or computer systems. Data arrives at Perplexity’s servers only after passing through the user’s browser – a sequence Amazon’s own expert confirmed.

The fifth element, financial loss, is addressed through Supreme Court and Ninth Circuit precedent. The brief cites Van Buren v. United States (2021) and hiQ Labs, Inc. v. LinkedIn Corp. (2022) for the proposition that CFAA “loss” requires “technological harms such as the corruption of files.” Amazon offered no evidence of any such harm. Its real complaint is lost advertising impressions – monetized attention that the district court dismissed as potential lost business, not the kind of technological injury the CFAA was designed to address.

The statute’s history

Congress enacted the CFAA in 1984 under the Counterfeit Access Device and Computer Fraud and Abuse Act. At the time, the statute imposed criminal penalties on those who accessed computers “without authorization” to obtain information, with the initial version limited to computers containing national security information or financial data and those operated by or on behalf of the government. Congress subsequently extended the prohibition to any “protected computer,” defined as any computer used in interstate commerce.

The brief argues that Congress enacted the CFAA “to prevent intentional intrusion onto someone else’s computer – specifically, computer hacking” – analogous to “breaking and entering.” Courts have consistently held it should not “transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved.” The California CDAFA, the state counterpart at issue, was similarly “principally aimed at computer hacking and tampering.”

The equitable arguments

Beyond the merits, Perplexity raises two structural arguments. First, the district court improperly collapsed the four independent Winter requirements – likelihood of success, irreparable harm, balance of equities, and public interest – into a single finding. The court effectively found irreparable harm simply by finding likely success on the merits, rather than analyzing it separately.

On irreparable harm, the brief notes that Amazon produced no evidence that any customer had ever complained about or encountered problems with the Assistant. Amazon’s only articulated harm was reduced human traffic on its website and thus fewer advertising opportunities – precisely the kind of economic injury compensable in money damages that does not support injunctive relief.

On the balance of equities, the brief flags the commercial stakes for Perplexity. The Assistant is Comet’s differentiating feature. Blocking it on the world’s largest online retailer would effectively cripple the browser in its most important use case. If users migrate to competing browsers, they are unlikely to switch back even if the injunction is eventually reversed. The brief also raises Amazon’s “Buy for Me” feature as an unclean hands argument: Amazon’s own agentic AI tool lists products from independent retailers on Amazon.com without those retailers’ knowledge or permission, and even listed Perplexity’s own merchandise without consent. Amazon cannot, the brief argues, invoke equity while engaged in equivalent or worse conduct against third parties.

What this means for the ad tech and marketing industry

The legal contest between Amazon and Perplexity sits squarely in the middle of a much larger question: who controls what happens when a user’s AI agent visits a commercial website? That question has accelerated rapidly. The advertising industry saw Amazon, Google, and IAB Tech Lab accelerate autonomous campaign tools simultaneously in November 2025, while publishers grapple with AI-driven traffic that generates no ad impressions. Walmart Connect announced its own agentic advertising strategy in January 2026, reflecting how retail media networks across the industry are recalibrating around AI-mediated shopping.

If the Ninth Circuit upholds the preliminary injunction, it would confirm that platform operators can invoke the CFAA to restrict third-party AI agents their own users choose to employ – even when those agents access only the user’s own account data, with the user’s permission, for the user’s benefit. That outcome would carry significant implications for any company building AI assistants, browsers, or agents that interact with major commercial platforms. It would effectively give platforms a legal veto over client-side AI software, regardless of what users want.

If the Ninth Circuit reverses, the ruling would establish that the CFAA, written in an era of mainframe computers and dial-up intrusion, does not extend to AI agents operating locally on a user’s device at the user’s instruction. That reading would reduce one major legal risk for companies building agentic tools – but platform operators would almost certainly respond with technical countermeasures and updated terms of service rather than accept third-party agent access.

Reddit filed a separate federal lawsuit against Perplexity on October 22, 2025, alleging circumvention of its anti-scraping controls. Perplexity therefore faces the Ninth Circuit appeal while managing multiple simultaneous legal fronts, though the Reddit case involves different conduct – web scraping via search engine results pages rather than AI-assisted shopping through a locally installed browser.

The Ninth Circuit heard oral arguments on an expedited schedule. The court’s decision, when it arrives, will be closely watched by every company building AI agents designed to interact with commercial websites.

Summary

Who: Perplexity AI, Inc. is the appellant, represented by Quinn Emanuel Urquhart & Sullivan, LLP. Amazon.com Services, LLC is the appellee. The case is before the United States Court of Appeals for the Ninth Circuit.

What: Perplexity filed its opening brief on April 1, 2026, challenging a preliminary injunction issued on March 9, 2026, that bars its Comet browser’s AI Assistant from accessing Amazon’s password-protected account sections. The brief argues the district court misapplied the Computer Fraud and Abuse Act and California’s CDAFA, improperly collapsed the equitable tests for injunctive relief, and erred in refusing to require Amazon to post a bond.

When: The underlying lawsuit was filed on November 4, 2025. The preliminary injunction was issued on March 9, 2026. The opening appeal brief was filed on April 1, 2026, in expedited proceedings before the Ninth Circuit.

Where: The original case was filed in the United States District Court for the Northern District of California, Case No. 3:25-cv-09514, before Judge Maxine M. Chesney. The appeal is pending in the United States Court of Appeals for the Ninth Circuit, Case No. 26-1444.

Why: The dispute centers on whether Perplexity’s Comet browser AI Assistant – which runs locally on a user’s device, accesses only the user’s own account data with the user’s permission, and sends no information to Perplexity’s servers that the user cannot already see – constitutes unauthorized computer access under federal and state hacking statutes. Perplexity argues that Amazon is using the CFAA to protect its advertising revenue from AI-mediated shopping, not to address the kind of computer intrusion those statutes were designed to prevent.

