AI Agents and the CFAA: Amazon.Com Services v. Perplexity AI

The Ninth Circuit held argument last week in a very interesting case on the Computer Fraud and Abuse Act, the computer hacking statute, Amazon.com Services v. Perplexity AI, No. 26-1444.  The basic issue: If an Amazon user wants to use an AI agent to help make purchasing decisions on the user’s behalf at Amazon, but Amazon doesn’t want users to do that, has the AI company committed a federal hacking crime if Amazon tells the AI company to stay away but the AI company continues to make its services available to the Amazon customers?

Perplexity AI’s main brief is here, and Amazon’s main brief is here. Oral argument is below.

Having written a lot on the CFAA, I wanted to offer some brief thoughts.

First, as I argued back in 2016, in Norms of Computer Trespass, I think the correct way to interpret the statute in shared password cases is with an agency test.  If authorized User A gives his credentials to user B, so B can access A’s account, B is authorized under A’s authorization when—and only when—B is acting as A’s agent.  From 1178-79:

This approach mirrors the analogous rule in the physical world. When access is limited by a physical lock and key, whether entry is a physical trespass law depends on whether it falls within the zone of permission granted by the owner. For example, in Douglas v. Humble Oil & Refining Co., a business owner gave an employee the key to his home so the employee could feed his pets when he was away.  The employee later used the key to enter the home for a different reason. According to the court, this entry for reasons outside the scope of permission was a trespass. This approach allows computer account holders to share usernames and passwords with an agent. If the agent accesses the account on the account holder’s behalf, the agent is acting in the place of the account holder and is authorized. The agent then has the same authorization rights as the account holder. For example, I recently set up a Gmail account for my students to email class assignments. I gave my assistant the account password and asked her go into the email inbox and collect them for me. When she did so, she was acting as my agent. Legally speaking, she was me. She was fully authorized to access the account in her capacity as my agent. Her conduct was authorized and legal, much like employee access to an employer’s account for work purposes.

On the other hand, a third party who uses a password in pursuit of her own ends stands in the same place as a third party who has guessed or stolen the password. Consider the facts of Rich.  When Rich accessed the LendingTree website using a password, he was not acting as an agent of a legitimate customer. Rich paid for access to the password, but he did not pay LendingTree. Instead, he paid an employee of a legitimate customer. Rich accessed the account to help himself get richer, not to help the employee. From the perspective of LendingTree, Rich’s access was no different from access using a guessed or stolen password. Rich was not a legitimate customer or an agent of a legitimate customer. Whether he obtained the password by stealing it from the employee or by paying for it makes no difference to LendingTree. For that reason, Rich’s access was unauthorized.

A complication in the Ninth Circuit is the pairing of the Ninth Circuit’s 2016 decision in Facebook v. Power Ventures and its 2021 decision in LinkedIn v. HiQ Labs.  Those two decisions together suggest that authentication is the key line, with the provider’s limits mattering if there’s an authentication gate but not mattering at all if there isn’t.  As LinkedIn put it:

The legislative history of section 1030 thus makes clear that the prohibition on unauthorized access is properly understood to apply only to private information—information delineated as private through use of a permission requirement of some sort. As one prominent commentator has put it, “an authentication requirement, such as a password gate, is needed to create the necessary barrier that divides open spaces from closed spaces on the Web.” Orin S. Kerr, Norms of Computer Trespass, 116 Colum. L. Rev. 1143, 1161 (2016). Moreover, elsewhere in the statute, password fraud is cited as a means by which a computer may be accessed without authorization, see 18 U.S.C. § 1030(a)(6),^[16] bolstering the idea that authorization is only required for password-protected sites or sites that otherwise prevent the general public from viewing the information.

We therefore conclude that hiQ has raised a serious question as to whether the reference to access “without authorization” limits the scope of the statutory coverage to computers for which authorization or access permission, such as password authentication, is generally required. Put differently, the CFAA contemplates the existence of three kinds of computer systems: (1) computers for which access is open to the general public and permission  is not required, (2) computers for which authorization is required and has been given, and (3) computers for which authorization is required but has not been given (or, in the case of the prohibition on exceeding authorized access, has not been given for the part of the system accessed).

But how does that apply here? As I read the briefing, a big issue in the new case is how that distinction between access that is open and access that is closed—for which, in the Supreme Court’s language, there is a “gate”—applies. In prior cases, the idea of a gate, or a closed area, was generally understood to mean a barrier to a private area of the computer. In Power Ventures, for example, the shared credentials were used to access private messages. In Van Buren, access was to a sensitive database.

But there are a lot of websites these days in which an account is used not to mark out private spaces, but rather more just to track customers. We’ve all seen this when making purchases online. The website might want you to create a customer profile, for example, to target ads to you or give you a special deal or calculate shipping or whatnot. An important issue in the Amazon case is whether use of a username and password for those limited purposes counts as creating a private space in the “gate” sense that Van Buren, LinkedIn, and Power Ventures had in mind.

There’s a lot more going in the case, so check out the briefs and argument if you’re interested.  One benefit of this being a large dollar case is that there are outstanding lawyers on both sides, and the briefs are very good.  (As I joked on Twitter, I can safely predict that the winning lawyer will be a former clerk for Brett Kavanaugh on the D.C. Circuit who then clerked for Chief Justice Roberts on the Supreme Court and later was an appellate specialist at DOJ.) As always, stay tuned.

The post AI Agents and the CFAA: Amazon.Com Services v. Perplexity AI appeared first on Reason.com.