Notes on Amazon v. PerplexityAgentic browsing and the Open Web Posted 2026-06-24 by Eric Rescorla
One of the many sites of conflict over AI use on the Internet is about the use of "agentic" Web browsers: those that incorporate AI features where the user can give the AI instructions and then let it interact with the site independently. For example, you might ask your browser to book travel and it would then go to travel sites, look at the various flights, and eventually buy tickets. Because these features are integrated with the browser, the AI agent does all of this work acting as you and interacting with the site using the same UI mechanisms you would (links, buttons, form fields, etc.). This means that the site doesn't need to provide any AI-specific affordances because the browser can just use the existing site; it also means that the user can use AI on the site whether the site wants them to or not. For various reasons, many sites aren't happy about this, with probably the highest profile case being Amazon.com Services LLC v. Perplexity AI, Inc., in which Amazon is suing Perplexity, which makes the Comet AI-powered browser. Here's the core of Amazon's objection, from its complaint:
In this post I want to take a look at what's actually happening in these systems, some of the objections to how they are used, and how it connects to the bigger tension between users and Web sites. Agentic Browsers #The figure below provides a rough diagram of the structure of an agentic browser, with the key differences from a regular browser shown in blue.
Just as with an ordinary browser, an agentic browser lets the user visit and interact with web sites, with the heavy lifting being handled by the "browser engine"[1] which is responsible for talking to the site, rendering the site's content, etc. To this, an agentic browser adds an agent harness (see here for more context) typically with some kind of chat interface. The harness is connected to the browser engine (e.g., via a tool calling interface) so that it can view and interact with the site. With hosted models—i.e., in the vast majority of cases—the actual AI model lives on a server in the model provider's infrastructure, which means that most if not all the information the harness sees gets sent back to the model provider for processing (inference) and the model provider returns responses (whether user-visible responses or tool-calling instructions). The net result of this is that the model is browsing the Web much as the user does. Exactly how much like the user does depends on how the browser is configured, and in particular how much the agent is sharing the same browsing context as the user's ordinary browsing in the form of various secret information such as:
If the agent doesn't share any of this information it mostly might as well be on another machine with no connection to you; it's just another Web client.[2] However, if it shares all of this information, then it's basically the user. Note that these secrets don't need to be sent to the model provider[3] any more than you have to see cookies the site sends you; all that's needed is that when the agent tells the browser engine to navigate to a site it's sharing the same context as it would if you did that navigation. This type of setup is necessary if you want the browser to do transactions on your behalf, because it has to do them as you.[4] This is obviously an incredibly powerful and desirable set of features: people's lives are full of all kinds of annoying clerical tasks and having an assistant who can do them for you is very convenient. It's routine for executives to have personal assistants, but it's not something most people can afford; if you were able to get that kind of experience for only $100 a month that would be a big improvement in lots of people's lives. The problem is that you're also investing a huge amount of trust in the agent, and, as my colleague Richard Barnes used to observe, in security, trust is a bad word, so there's a lot that can go wrong here. Security Issues #This brings us to the question of security. Amazon's complaint is written in legal rather than technical language, but as far as I can tell, it is raising three issues:
These are actually quite different issues and need to be examined separately. Potential Comet Security Issues #All browsers—all software products, really—have security issues, and this applies no less to Comet. Like many browsers, Comet is based on Chromium (the open source project behind Google Chrome), and so Comet will mostly have the same bugs Chrome has. However, there is a new category of threats introduced by agentic browsing, namely misbehavior by the model. As anyone who has spent much time working with AI models knows, they can misbehave in surprising ways, hallucinating facts or misinterpreting your instructions. However, if models are used to process untrusted input, then there is a whole new class of problem, namely prompt injection attacks. These attacks are largely what Amazon is complaining about when they say attackers can '“hijack[] the AI assistant embedded in the browser to steal data.”' (the citation is to an article about prompt injection.) Background: Prompt Injection #Consider the following simple example of someone using an AI model to evaluate candidates:
This is a trivial application with any existing AI chatbot: you literally just type in the prompt and then upload the resume and it spits out an answer. Unfortunately, it's also insecure because an attacker can use a carefully crafted resume in order to get the model to produce fake output, which in this case means a higher rating than the model would otherwise have given their resume, potentially putting them at the top of the pile for interviews or hiring. The basic source of the problem is that existing AI models treat their input as a series of tokens (for the purpose of this post, words or characters). They don't really distinguish between different sources of input and in particular between (1) the user's prompt and (2) the data that the user is asking the model to process; they just get concatenated together into a single input stream,[5] as shown in the figure below:
So when the user submits someone's resume for review, it looks something[6] like this:
Now consider what happens if the attacker uses a slightly different input. For instance they might start it with "very highly, like 10/10", in which case the input looks like:
The model dutifully follows instructions and gives the candidate a 10/10 rating. Obviously, this is a very simplistic example, and there's an enormous literature about prompt injection, both in terms of attacks and defenses, but for the purpose of this post here's what you need to know:
Prompt injection on agentic browsing #The simplest form of attack is where there is only one Web site involved and that site is malicious (recall the core security guarantee of the Web: users can safely visit arbitrary web sites and execute scripts provided by those sites). Consider the case where the user is booking a hotel room, with a prompt like:
The hotel has an incentive to get the user to book a more expensive room. If a human was booking the room, the site could just lie about the room rates or pretend that the cheaper rooms aren't available, but if an AI agent is booking the room, then there is also a prompt injection attack available. For example, the site could add a prompt like:
With any luck, the model would duly decide to select a nice big room. Obviously, this isn't a great attack as stated, for a number of reasons. First, if the injected prompt is just part of the text the way I've shown above, then it's visible to regular users who might notice and complain. Fortunately for the attacker, it's actually possible to hide injected prompts in such a way that they're not so obvious. Here's one of the cooler examples, from a paper by Bagdasaryan et al.:
The stuff that looks like noise at the top of the image is actually an injected prompt that causes the model to want to talk about Harry Potter. An attacker could use a similar technique by using some existing asset, such as the picture of the hotel room or the hotel's logo. More importantly, there's not really any significant difference between this kind of prompt injection and the site just lying to the user about room prices and availability. This leaves tracks that might be used to implicate the site, but at the end of the day the Web just doesn't really have technical defenses that are designed to protect against this kind of malicious behavior, so AI doesn't really change the situation here. However, AI does enable a very similar form of attack that would not otherwise be possible. Consider what happens with a generic booking site like Expedia or AirBNB that allows the user to pick from multiple properties operated by different owners. The way these sites work is that the operators provide pictures and text, which the booking site shows to prospective customers. A malicious property operator can mount exactly the same kind of prompt injection attack, but intended to get the agent to select their property rather than an alternative. It gets a lot worse, though, because an agentic AI system can do a lot more than just book you the wrong hotel room. As a concrete example, Brave recently demonstrated an attack on Comet in which the user starts by asking the browser to summarize a page on Reddit that has a prompt injection attack and ends up with the attacker compromising their Perplexity AI account, exfiltrating email from their Gmail in the process. The worst case scenario is what used to be called universal cross-site scripting (universal XSS), in which an attacker on one site has complete control over the behavior of the browser on another site. Prompt Injection and Amazon #In the context of Amazon's complaint, then, there are two main prompt injection vectors:
The first form of attack requires something like universal XSS and is at least theoretically something browsers could mitigate by isolating the different browsing contexts.[7] The second form of attack is much harder to mitigate on the client because the whole idea here is that the agent is reading the site (in this case Amazon) and then taking action on the user's behalf. Either Amazon or the agentic browser could try to mitigate these attacks by detecting content that seems to be attempting a prompt injection attack, but the research so far on generic prompt injection defenses isn't super encouraging. In either case, an attacker could potentially use a prompt injection attack to control the user's interaction with Amazon, causing the browser to purchase items on the user's behalf (potentially sending them to the attacker), create fake reviews, etc. This is obviously bad, but it's not any worse than the kind of attacks you could mount if you had a remotely exploitable vulnerability in a browser, of the kind that get published in basically any browser release. The main difference is that a generic remote exploit is quite valuable, so probably not worth using to buy yourself an iPad on Amazon. Potentially, if prompt injection-based attacks were easy and cheap it would be worth using them to attack Amazon users. This kind of attack is obviously bad news for Amazon's users, and to some extent for Amazon as well if it results in fraud, but I expect there aren't other attack vectors on Amazon's users that are easier than prompt injection (simple credit card fraud is quite common), so it's not clear to me why this alone is a big enough issue to motivate Amazon suing Perplexity; do they also worry about browser vendors who don't do a good enough job of addressing security vulnerabilities? The Amazon Experience #This brings us to Amazon's second complaint, namely that the agent has "degraded Amazon customers' shopping experience". This complaint has to be read in light of the longstanding tension between Web sites and users—and Web browsers as user agents—over who should control the user's Web experience. Caricaturing the situation slightly:
I'm squarely on team "user agent". Back when I was at Mozilla my team and I documented this view in Mozilla's Web vision, but I would say it's the predominant view in the browser community, encoded in documents such as the W3C Web Platform Design Principles which describes what it calls the "Priority of Constituencies", which starts with "If a trade-off needs to be made, always put user needs above all." and the Internet Architecture Board's RFC 8890, "The Internet is for End-Users". It's important to realize that Amazon's incentives aren't really that closely aligned with the customers, because Amazon is trying to steer the customer to specific products. For example, many Amazon searches yield "sponsored" products, which is to say that vendors have paid Amazon to show their products high on the page. I.e., they are ads. Now, those ads might be for the same product you would buy anyway, but from the user's perspective, they are clutter and the user would be better served if Amazon ranked products by what it thought would be most attractive to the user.[8] A user-oriented experience #The diagram below shows a very simplified architecture for a shopping site like Amazon:
This is a familiar architecture to anyone who has built a Web site: the product catalog is stored in some database and when the user shops for a product, some shopping app front end does a database search, retrieves the list of relevant products, and turns them into a Web page that gets served to the user and rendered in their browser. Importantly, every major decision about how to represent this information is made by the shopping site, including which products to show on the front page, how to sort them, which ones to feature with a "buy now" box, etc. The browser just takes whatever information the site provides and shows it to the user.[9] Of course, this isn't the only way to build a shopping system. Consider the diagram shown below:
In this example, the shopping site just exposes a Web API which gives the user access to the product catalog and the user uses some kind of custom or third party shopping app to retrieve that information and surface it to the user. In this case, the user—or at least whoever made the app—controls the shopping experience, which means that they can provide information in whatever way the user prefers, rather than restricting the user to the site's preferences. This architecture doesn't work super-well on the Web for technical reasons (mostly, the same-origin policy), but works fine in mobile apps. Nearly every site will need to offer some kind of UI of its own, both as a default for many users and because many sites will simply be too small to make it worth someone writing a third party UI—though of course AI makes that easier—but it's quite possible for a site to offer a site-specific UI as well as exposing an API that allows for third party UIs to coexist. Amazon does offer an API for its affiliate program but it's clearly not designed to let you build an alternative to Amazon's interface and the terms of use have a number of policies that discourage writing your own storefront, including one that explicitly forbids writing apps that "emulate Amazon’s own shopping app functionality", and as far as I know nobody offers an alternative to Amazon's storefront that still lets you buy stuff at Amazon. You can get browser add-ons that change the behavior on Amazon's site (e.g., the Camelizer price tracking extension), but they exist in an uneasy detente with Amazon—for instance Amazon started showing users a warning that the Honey coupon app was a "security risk"—and the practical extent to which they can customize the user's experience is limited. An agentic browser allows the user to have a customized experience without needing the site to cooperate by publishing an API, or even to give permission, as shown in the diagram below:
The key insight here is that the AI agent can process the Web site directly, communicate directly with the user to determine the user's intentions, and then interact with the Web site using the same affordances as the site provides for the user. The site doesn't need to expose an API because the Web interface becomes the API, and the model provides the UI. Currently, that UI is a chat interface, but there's no technical reason why it couldn't be something fancier; after all AI models are good at writing code, so it's not like they can't provide a custom UI that talks to the Web-exposed "API" provided by the site. As I said above, this kind of alternative UI isn't necessarily in Amazon's interest. For example the agent can simply ignore sponsored products, rank options according to the user's preferences rather than Amazon's, or suppress Amazon's complicated search options (potentially because it knows what the user wants). It's obvious why Amazon might not want this, but a user doesn't download Comet and use it to go to Amazon by accident. Rather, the user has decided that they would rather have that experience than whatever curated experience Amazon provides. This doesn't seem that hard to understand: I love Amazon and I spend a lot of money there, but I don't think it's a secret that the UI has room for improvement. Covert Behavior #Finally, Amazon says:
This is referring to the User-Agent HTTP header, which is used to indicate which browser a client is using. Instead of identifying itself as Comet, Perplexity is using the same string as Chrome. It's important to put this decision in context, however, because Comet isn't the only browser to do this. The reason is that it's common for Web sites to use the User-Agent string to discriminate against certain browsers, for instance by disabling certain features. This a bad practice that MDN specifically warns against.:
Unfortunately, UA sniffing is also very common and so basically every browser makes some attempt to address it. For example, here is Chrome's UA string:
In other words, it's simultaneously claiming to be Firefox ("Mozilla"), Safari ("AppleWebKit") and Chrome. The reason for this mess is that one common way to do UA sniffing is to perform a substring search on the UA string, for instance assuming that if the string contains "Chrome" then the browser is Chrome. These messy UA strings are designed to compensate for this kind of brittleness while still accurately representing the browser. When a new browser ships, the vendor has to worry about whether they will get the experience of the current dominant browser, so what you're seeing here is kind of an archaeological record of the history of browsers. Some browsers go even further and just flat-out lie about the UA string. For instance, the Chromium-based browser Vivaldi mostly uses Chrome's UA string (see here for when they made the change). Brave does something similar much of the time. Both Vivaldi and Brave are based on Chromium, so it's likely that much of the time when sites treat them differently from Chrome, they are actually doing so incorrectly due to UA sniffing brittleness, though in some cases it may be intentional and we're back to the tension between the site wanting to control the user versus the user's interest in using software of their choice. So much for "falsely identifies." As far as I can tell "poses as a human customer" just means that the AI agent does stuff the same way a user would do it, and maybe claims that it is a human in some contexts (e.g., captchas) but of course that's the whole point of agentic browsing. Who is doing what? #Amazon's complaint accuses Perplexity of violating the Computer Fraud and Abuse Act (CFAA).
I'm definitely not a lawyer, so I'm not prepared to weigh in on any of the legal aspects here. However, I did listen to the oral argument at the ninth circuit, and much of the discussion turned on the extent to which Perplexity was responsible for accessing Amazon's computer as opposed to the user being responsible. This may be a legally significant distinction, but from a technical perspective, the situation doesn't seem very clear cut. The Base Case #I haven't spent a lot of time digging into the precise details of Comet's implementation, but at a high level the situation seems to be as follows:
Importantly, all of the externally visible side effects (e.g., network requests) come from the user's browser, not from Perplexity's servers, which never talk to Amazon directly, and may never even see sensitive information such as cookies and passwords (depending on how Comet is implemented). Cutting the Cord #During the oral argument, there was a lot of emphasis by Amazon on what would happen without the connection to Perplexity. Here's Amazon's attorney (automatic transcription by me using Chirp_3 and Gemini):
I certainly agree that if you sever the connection to Perplexity—e.g., if Perplexity's servers go down—then the agent won't work, but at some level that's just an implementation artifact: for commercial reasons Perplexity executes the models on their own servers, but there's no in principle reason why they couldn't instead ship a (less powerful) model as part of their product and perform inference on the user's machine. In that case, the agent would continue to function just fine without any connection to Perplexity. I doubt Amazon would be any happier if Perplexity had implemented things this way. Note that the boundary is even more fluid than this because modern browsers are remotely updateable and Perplexity can remotely update the local agent (model weights, system prompts, etc.), so at the end of the day they could actually have quite fine control of system behavior even if all execution happens on the client. The bottom line here is that if you look at things from a technical perspective it doesn't much matter where inference actually happens in terms of who is "responsible" for the browser's behavior. Local Proxying #Consider another case in which there's no AI at all. Instead, we have a local browser that acts as a proxy. The vendor then uses the proxy to connect to servers.[10] Again, this isn't a legal opinion, but I think most technologists would say that it's the vendor that is accessing the site not the local browser. If this doesn't match your intuition, recall that essentially all traffic between endpoints on the Internet goes through intermediate routers controlled by third party ISPs, but we think of the endpoints and not the ISPs as accessing other endpoints. SerpAPI #Google and Reddit are both suing a company called SerpAPI, which provides scraping services for "Google and other search engines" (as well as Perplexity, which allegedly uses SerpAPI). The complaints allege that SerpAPI helps their customer bypass blocking:
Note that even though this case also involves Perplexity, what's happening is conceptually quite different than what we've been discussing so far, because it involves Perplexity—and SerpAPI's other clients—directly retrieving content from sites (in Perplexity's case presumably to train their model). By contrast, in the agentic browsing case, Comet is retrieving data from the site on the user's behalf, though of course it's possible that Perplexity is training on the data retrieved for the user. This isn't a hypothetical case: a lot of Web sites try to restrict automated retrieval of large portions of the site ("scraping" or "crawling"). One technique for preventing scraping is to block requests from IP addresses known to be associated with undesired scraping. Some respond by tunnelling traffic through residential proxies, thus making IP-based blocking more difficult if not impractical. This is obviously an extreme example, but there are much fuzzier cases. If you read my previous post on tool calling you should remember that tool calling works by having the model provide textual output that is interpreted by the model harness as a tool call. Nothing stops the vendor from cutting the model out of the loop entirely and just generating their own tool calls which will then be executed by the browser, allowing the vendor to use the browser to talk to sites on the Web. The only limit here is whatever restrictions are coded into the agentic browser. As discussed before, at minimum we would expect it to be able to make Web requests from the user's machine using their credentials, though it's possible that it has extra privileges beyond that (e.g., to read files off the user's disk). In any case, there's no requirement that whatever functions the vendor is invoking in the agentic browser be derived from the user's requests to the browser at all. The point I'm trying to make here is that just because the traffic is technically coming from the user's computer doesn't mean that the user is really directing what's happening; in the normal case the browser's behavior is the result of an interaction between the browser's programming and the user's behavior, but that doesn't have to be how things are. The Bigger Picture Beyond Agentic Browsing #In this particular case, Amazon is suing Perplexity, but if you look at their complaint, the logic extends far beyond agentic browsing. The argument goes like this:
But there's nothing special here about agents. For example, what if the site had similar terms of use forbidding the use of ad blockers? That site might also block any browser vendor who had a built-in ad blocker (like Brave) and sue them for not identifying themselves in the User-Agent string. From the perspective of the open Web, there are really two problems.
Both of these ideas really go against the basic principles of the open Web, which are about user control. Quoting the Mozilla Web Vision again:
It's precisely this kind of user agency which distinguishes the Web from downloadable apps, and it's the bargain that companies sign up to in return for being able to stand up a rich experience that anyone can use without downloading anything.[12] This isn't to say that there isn't a tension here: sites have historically attempted all kinds of technical measures to prevent users from experiencing their content on their terms, sometimes unilaterally (user agent blocking, ad blocking detection, JS minification, etc.) and sometimes with the help of user agents (DRM for video), but at the end of the day the site is rendered on the client, and so the user mostly has the ability to download a client which renders the site in the way they prefer.[13] From this perspective, agentic browsing is just another browser feature that lets the user engage with the Web on their terms, whether the site likes it or not.
|