AI Agents and the CFAA: Amazon.Com Services v. Perplexity AI
Just a preliminary injunction stage, but an important case to follow.
|
6.19.2026 4:23 AM
The Ninth Circuit held argument last week in a very interesting case on the Computer Fraud and Abuse Act, the computer hacking statute, Amazon.com Services v. Perplexity AI , No. 26-1444. The basic issue: If an Amazon user wants to use an AI agent to help make purchasing decisions on the user's behalf at Amazon, but Amazon doesn't want users to do that, has the AI company committed a federal hacking crime if Amazon tells the AI company to stay away but the AI company continues to make its services available to the Amazon customers?
Perplexity AI's main brief is here , and Amazon's main brief is here . Oral argument is below.
Having written a lot on the CFAA, I wanted to offer some brief thoughts.
First, as I argued back in 2016, in Norms of Computer Trespass , I think the correct way to interpret the statute in shared password cases is with an agency test. If authorized User A gives his credentials to user B, so B can access A's account, B is authorized under A's authorization when—and only when—B is acting as A's agent. From 1178-79:
This approach mirrors the analogous rule in the physical world. When access is limited by a physical lock and key, whether entry is a physical trespass law depends on whether it falls within the zone of permission granted by the owner. For example, in Douglas v. Humble Oil & Refining Co. , a business owner gave an employee the key to his home so the employee could feed his pets when he was away. The employee later used the key to enter the home for a different reason. According to the court, this entry for reasons outside the scope of permission was a trespass. This approach allows computer account holders to share usernames and passwords with an agent. If the agent accesses the account on the account holder's behalf, the agent is acting in the place of the account holder and is authorized. The agent then has the same authorization rights as the account holder. For example, I recently set up a Gmail account for my students to email class assignments. I gave my assistant the account password and asked her go into the email inbox and collect them for me. When she did so, she was acting as my agent. Legally speaking, she was me. She was fully authorized to access the account in her capacity as my agent. Her conduct was authorized and legal, much like employee access to an employer's account for work purposes.
On the other hand, a third party who uses a password in pursuit of her own ends stands in the same place as a third party who has guessed or stolen the password. Consider the facts of Rich . When Rich accessed the LendingTree website using a password, he was not acting as an agent of a legitimate customer. Rich paid for access to the password, but he did not pay LendingTree. Instead, he paid an employee of a legitimate customer. Rich accessed the account to help himself get richer, not to help the employee. From the perspective of LendingTree, Rich's access was no different from access using a guessed or stolen password. Rich was not a legitimate customer or an agent of a legitimate customer. Whether he obtained the password by stealing it from the employee or by paying for it makes no difference to LendingTree. For that reason, Rich's access was unauthorized.
A complication in the Ninth Circuit is the pairing of the Ninth Circuit's 2016 decision in F acebook v. Power Ventures and its 2021 decision in LinkedIn v. HiQ Labs. Those two decisions together suggest that authentication is the key line, with the provider's limits mattering if there's an authentication gate but not mattering at all if there isn't. As LinkedIn put it:
The legislative history of section 1030 thus makes clear that the prohibition on unauthorized access is properly understood to apply only to private information—information delineated as private through use of a permission requirement of some sort. As one prominent commentator has put it, "an authentication requirement, such as a password gate, is needed to create the necessary barrier that divides open spaces from closed spaces on the Web." Orin S. Kerr, Norms of Computer Trespass, 116 Colum. L. Rev. 1143, 1161 (2016). Moreover, elsewhere in the statute, password fraud is cited as a means by which a computer may be accessed without authorization, see 18 U.S.C. § 1030(a)(6), [16] bolstering the idea that authorization is only required for password-protected sites or sites that otherwise prevent the general public from viewing the information.
We therefore conclude that hiQ has raised a serious question as to whether the reference to access "without authorization" limits the scope of the statutory coverage to computers for which authorization or access permission, such as password authentication, is generally required. Put differently, the CFAA contemplates the existence of three kind…
Read the full article at Reason →
United States