Amazon filed suit against Perplexity AI on June 24, alleging that the company’s Comet browser violates the Computer Fraud and Abuse Act by accessing Amazon’s systems without authorization. The complaint rests on three claims: Comet presents a Chrome user-agent string rather than identifying itself as an AI agent, it bypasses the curated shopping experience Amazon has built over decades, and its architecture creates security vulnerabilities that put customer data at risk. Each claim deserves scrutiny, because they are not equally strong.
Eric Rescorla (EKR), a security engineer and author of Educated Guesswork, published a detailed technical analysis on June 24 dissecting the complaint. His core observation is that the user-agent spoofing charge is the weakest of the three. Every major Chromium-based browser, including Vivaldi and Brave, reports a Chrome-compatible string to avoid breakage caused by widespread UA sniffing. Chrome’s own user-agent string simultaneously claims to be Firefox, Safari, and Chrome, a legacy artifact of decades of browser-detection brittleness. MDN’s documentation explicitly warns developers against relying on user-agent strings for feature detection. If Comet’s behavior counts as “false identification,” the same label applies to browsers used by tens of millions of people.
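The point about overlapping user-agent claims can be checked directly. The following is an added example, not code from Rescorla's analysis or from either party: the sample strings are constructed in the shape each engine sends (version numbers are illustrative), and `DERIVATIVE_UA` stands for a hypothetical Chromium-based browser that sends Chrome's string unchanged.

```javascript
// Constructed sample strings; version numbers are illustrative.
const CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36";
const SAFARI_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15";
const FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0";
// Hypothetical Chromium derivative that sends Chrome's string unchanged.
const DERIVATIVE_UA = CHROME_UA;

// Split a UA into product tokens (name/version), skipping "(...)" comments.
function productTokens(ua) {
  return ua.replace(/\([^)]*\)/g, " ").trim().split(/\s+/).map((t) => {
    const [name, version = ""] = t.split("/");
    return { name, version };
  });
}

// Naive sniffing: report every family whose marker substring appears anywhere.
// "Gecko" stands in for the Firefox lineage, as careless sniffers often assume.
function naiveSniff(ua) {
  const markers = { firefox: "Gecko", safari: "Safari/", chrome: "Chrome/" };
  return Object.keys(markers).filter((family) => ua.includes(markers[family]));
}

// Ordered sniffing: the most specific product token wins.
function classify(ua) {
  const names = productTokens(ua).map((t) => t.name);
  for (const family of ["Firefox", "Chrome", "Safari"]) {
    if (names.includes(family)) return family.toLowerCase();
  }
  return "unknown";
}

// Do two clients differ in any product token a server could key on?
function distinguishable(uaA, uaB) {
  return JSON.stringify(productTokens(uaA)) !== JSON.stringify(productTokens(uaB));
}

console.log("naive sniff, Chrome:", naiveSniff(CHROME_UA));
console.log("ordered classify, derivative:", classify(DERIVATIVE_UA));
console.log("derivative distinguishable from Chrome:", distinguishable(CHROME_UA, DERIVATIVE_UA));
```

A server that needs to recognize automated agents therefore has nothing to key on in this header once a Chromium derivative sends the stock string.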
The security argument carries more weight, but still has limits. Agentic browsers introduce a real threat class: prompt injection. A malicious web page can embed instructions invisible to a human reader but legible to an AI model, potentially redirecting the agent to take unauthorized actions. Brave demonstrated a concrete attack against Comet earlier this year in which a crafted Reddit page led to account compromise and Gmail data exfiltration. That is not a theoretical risk. The question is whether Comet’s exposure is worse than the baseline risk of any networked browser. Rescorla’s analysis suggests the gap is narrower than Amazon’s complaint implies. Every browser ships with exploitable vulnerabilities. Amazon does not sue browser vendors over CVEs.
The third claim is where Amazon’s incentives are most visible. The complaint argues that Comet “degrades the individualized shopping experience.” In practice, an agentic browser can filter sponsored listings, sort products by criteria the user actually cares about, and skip the promotional clutter that Amazon’s interface deploys by design. Amazon’s search results include paid placements. A user who downloads Comet and directs it to shop on Amazon is, by definition, someone who prefers a different interface. The W3C Web Platform Design Principles and the Internet Architecture Board’s RFC 8890 both place user needs above site preferences when the two conflict. Amazon’s complaint, stripped of legal language, asks the court to rule that a user cannot delegate their browsing to software of their own choosing when the site objects.
The who-is-responsible question is genuinely hard. Amazon’s attorneys argued at Ninth Circuit oral argument that severing the connection to Perplexity’s servers stops all agent activity, which they say proves Perplexity is the actor. Rescorla counters that this is an implementation artifact: Perplexity runs model inference on its servers for commercial reasons, but the same behavior could run entirely on-device. A model shipped inside the browser with no external calls would produce identical results. Amazon would almost certainly still object.
For anyone building agentic commerce tools right now, the practical read is this: the legal question of whether a user’s authorized agent constitutes unauthorized access is unresolved and actively litigated. The user-agent string defense is technically strong but legally untested in this context. The security exposure from prompt injection is real and unsolved across the industry.
Teams shipping agentic browsing or shopping agents in the next 90 days should document the user consent and delegation chain explicitly, because Amazon’s theory of liability centers on Perplexity as the actor rather than the user. If your architecture puts inference on-device and all network requests originate from the user’s machine, Rescorla’s analysis suggests that weakens Amazon’s CFAA framing. It does not eliminate it.
Analysis by Educated Guesswork (Eric Rescorla), published June 24, 2026.