GET /api/rest/v4/audio/105468/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "resource_uri": "https://www.courtlistener.com/api/rest/v4/audio/105468/?format=api",
    "id": 105468,
    "absolute_url": "/audio/105468/amazoncom-services-llc-v-perplexity-ai-inc/",
    "panel": [],
    "docket": "https://www.courtlistener.com/api/rest/v4/dockets/72502129/?format=api",
    "date_created": "2026-06-11T13:31:23.363069-07:00",
    "date_modified": "2026-06-11T13:35:51.957001-07:00",
    "source": "C",
    "case_name_short": "",
    "case_name": "Amazon.com Services, LLC v. Perplexity AI, Inc.",
    "case_name_full": "",
    "judges": "SMITH, TUNG, Hinderaker",
    "sha1": "e3c9954f8cc296c741d3de78b8f1c97f51ecd0ef",
    "download_url": "https://cdn.ca9.uscourts.gov/datastore/media/2026/06/11/26-1444.mp3",
    "local_path_mp3": "mp3/2026/06/11/amazon.com_services_llc_v._perplexity_ai_inc._cl.mp3",
    "local_path_original_file": "mp3/2026/06/11/amazon.com_services_llc_v._perplexity_ai_inc..mp3",
    "filepath_ia": "",
    "ia_upload_failure_count": null,
    "duration": 2217,
    "processing_complete": true,
    "date_blocked": null,
    "blocked": false,
    "stt_status": 1,
    "stt_source": 1,
    "stt_transcript": "Case number 26-144, Amazon.com Services, LLC v. Perplexity AI, Inc. Thank you, Your Honor, and may it please the Court, Chris Mischel for Appellant Perplexity AI. I'll aim to reserve three minutes for rebuttal. A preliminary injunction is an extraordinary remedy, available only where a plaintiff shows likelihood of success, irreparable harm, and that the equities favor altering the status quo. Amazon cannot make that demanding showing here. At bottom, Amazon seeks to stretch criminal statutes that prohibit computer hacking to sue perplexity simply because Amazon wants its own customers to access its website in its preferred way. That novel theory fails to satisfy multiple elements necessary to support a statutory violation, each of which would constitute an independent ground to reverse. On top of that, equitable considerations, including the promotion of new technology, competition, and consumer choice weigh heavily against enjoining perplexity at this early stage of the litigation. The motions panel in this case was right to grant a stay, and this Court should now reverse. The most straightforward ground for reversal, and where I think the Court can both begin and end, is the first element of Amazon's claim, and that is whether perplexity intentionally accessed Amazon's computers. The answer to that question is no. As the Supreme Court explained in the Van Buren case, accessing a computer has a technical meaning. It means entering that computer's system. Perplexity did not do that here. Perplexity developed a browser that users can download onto their own computer and then use to access Amazon or any other website. Yes, sir? Didn't the assistant – so I'm trying to understand who, under your theory, performed the accessing. Did the assistant access the Amazon computer? No, Your Honor. I think the most straightforward way to understand it is that the user accessed the Amazon computer. That is, the user of the Comet browser with the assistant that was developed by perplexity. I think the most straightforward, familiar example is that users of, for example, Safari or Chrome access websites all the time, but no one would say that Apple accessed the website simply because a Safari user navigated his or her browser there, nor would anyone say that Google accessed a particular website simply because a Chrome user navigated there. Counsel, but isn't another way to frame what is happening is that the user is giving the key to perplexity and perplexity is then entering Amazon's servers or computers. So much of this case turns on the proper analogy. You use the Safari analogy. Your friend on the other side uses the friend with the key to the safety deposit entering the bank. So why isn't that the proper analogy, the safe deposit analogy? I think a couple of responses, Judge Tong. I think first, the safe deposit box that my friend refers to and that this court referred to in PowerVentures really goes to the unauthorized access element of the claim. And here we have a threshold element that was not at issue in PowerVentures, and that's the access requirement. I'm happy to talk about the safe deposit box, but I think this case can be resolved on the more straightforward ground that there's no access in the first place and therefore no need to assess whether that access was unauthorized. And so to go back to, you know, I think in a sense you could say that the user of Safari hands the keys to Apple to go access the website. I suppose my friend, you know, could argue that, but he hasn't argued that and that would be a truly radical expansion of the Computer Fraud and Abuse Act. Under that kind of theory, if there was a, you know, dark web hacker who used Safari to go access a particular website, that website could bring a CFAA claim not only against the hacker but also against Apple. And there's simply no basis in the case law for that, particularly given that the Supreme Court and this court have consistently construed this statute narrowly in recognition that it's a criminal statute designed to achieve limited purposes. Counsel, I understand your attempt to distinction of the safe deposit box by saying that question goes to unauthorized access. But I'd like to return to that point again. I mean, isn't the friend in that analogy seeking to access, you know, the bank and the safety deposit box? And the bank is saying, no, you don't have authority. The friend doesn't have authority to enter. So I think the friend might well be trying to access in that hypothetical, and that's why that hypothetical goes to the unauthorized access point. I think the case could be more resolved more easily on access, but it can also be resolved on unauthorized access in our favor. And I'm happy to address that directly. The difference between that case, PowerVentures, or that hypothetical is that the friend was trying to do something that the user itself couldn't do. In that case, the friend was trying to carry a shotgun into the bank. That's the example that this court gave in the PowerVentures case. Here, the user is not trying to do perplexity, presuming for purposes of answering this question that it is accessing Amazon, is not doing anything that the user couldn't do. In fact, if you wanted to devise a hypothetical in which it's clear that the developer is not doing anything the user can't do, it would be this case, because the user, by definition, provides all of the instructions to perplexity. Perplexity can't do anything without direction from the user. And I think- But once those directions are given, then there's, as I understand it, the assistant connects to the perplexity server, correct? In some cases. To get instructions, right? It goes to the model at perplexity server, and then it's communicated back to the user's computer, and then access occurs without the user doing anything more than having given that initial instruction. That's the way it works, right? I don't think so, with respect, Your Honor. I mean, I do, I think there are two different directions of communication here. To some extent, I think your question does capture this. The user connects from his or her individual machine to Amazon. That's one direction of communication. The user does, and I think this second part is captured in your question, does also connect to perplexity. But what doesn't happen, and this is the critical point, is that perplexity does not connect to Amazon. And when you're looking at a statute that uses the words intentionally access in their technical sense, intentionally enter a computer system, as the Supreme Court and Van Buren construed this statute, perplexity is simply not accessing Amazon in that sense. There's an intermediary, which is the user, and there may be two separate conversations, but there's, technologically, you know, but there's no technological connection from perplexity to Amazon. Judge Smith. I'm sorry, do you have a question? No. With respect, Judge Tong, we're not imposing that limitation. What we're imposing or seeking to enforce is simply the statutory text, which says intentionally access. And again, I think to go back to your Honor's question, what's critical about intent, and this, you know, the word is intentionally access, it's the user's intent that is driving the access to Amazon. It's the user that is saying, please go rank the categories of paper towels that are available on Amazon. The perplexity assistant itself, the Comet browser's assistant itself, is an inanimate piece of technology. It does not have any intent, just as Safari and Chrome don't have any intent. And to read into the statute the notion that a browser, including an AI-assisted browser, has its own intent, such that it is intentionally accessing the website, I think would be an extreme expansion of the statute, and at a minimum- Have you preserved that argument, counsel, the intent piece of the intentional access language, or are you just arguing access? No, no, no. I think we've argued intentional access throughout the course of the case, and that's the language of the statute. I think our reply brief in particular discusses this, but we've preserved that argument throughout. And I was going to say, I think that would be a novel and broad construction of the statute, which at a minimum is improper in a preliminary injunction posture. After all, we are here only on the appeal of the preliminary injunction, and the question is, should this court adopt that novel interpretation in order to essentially freeze perplexity in place for potentially one to two years while the litigation unfolds, or should the court simply let the litigation unfold in the natural course? There's another element that I'd like to talk about, and I think this is another clean, straightforward way to reverse the preliminary injunction, and that's the loss element. I think the court could decide the case entirely on that without confronting any of these other issues we've been discussing. This comes from Section E11 of the Computer Fraud and Abuse Act, and as the Supreme Court said in Van Buren, the definition of loss in the CFAA requires a showing of technological harm. This court in the High Cue decision, footnote 12 in particular, repeated that construction, saying, quote, the civil remedy requires a showing of technological harm, such as the corruption of files. I think Judge Breyer's persuasive opinion in the ExCorp case says the same thing, and even the Tenth Circuit's opinion that my friend relies on attributes that position to the Fifth Circuit. So the law is quite clear that a showing of technological harm is necessary, and Amazon does not make that showing here. Counsel, what do we do with the statutory definition of loss, though, that seems to stretch more broadly? It says loss means any reasonable cost to any victim, including the cost of responding to an offense, and here I think Amazon has argued that there is such loss. Right. Your Honor, I think the Supreme Court, of course, was interpreting that language in Van Buren, and if you read the whole, as I know you have, the whole statutory definition, there are a number of references that can only be interpreted as referring to concrete technological harm. For example, it refers to restoring data, program, and a system to its condition prior to the offense, or damage from an interruption of service. Damage itself is a defined term. That's an E-8 of the statute. It refers to an impairment to the integrity or the availability of data. So all of those are technological meanings, and as the Supreme Court said in Van Buren, that's not surprising because this is a technological statute. I think the answer directly, Judge Tong, is that if you just read the words responding to an offense in isolation, they might well have a broad meaning, but applying canons like the Noscost or Associus canon, you read the statute, you know, words in a list to have the meaning of surrounding words, and I think that's what the Supreme Court was doing in Van Buren. I think that's a, not only is that a Supreme Court opinion that's binding of its own force, but I also think it's a persuasive construction of the statute, applying that canon and applying the overall premise that the Supreme Court and this Court have frequently applied to this statute, which is that it has a technological focus. Counsel, I understand your argument that the user is sort of the intermediary or is the one directing perplexity comment in terms of directing the purchase, making the purchases on Amazon. So you have perplexity, the user, and then Amazon, and then your argument is because perplexity is not the one accessing Amazon, you know, there's no direct connection or there's no sort of immediate interfacing between the two entities that there is no access. Now, Amazon makes the argument, well, that's, the Internet consists of a network of computers. So, you know, if I'm adopting your rule, I want to be careful that I'm not undermining that understanding of the Internet because a user may be accessing a website and have to go through perhaps various different servers. There's no direct access or direct connection. But I think we would say that the user is still accessing, or maybe not, I don't know, but can you help me? I'm honestly struggling with that concept. I think you might well be right about that, Judge Tong, and our position doesn't depend on any quarrel with that. In other words, and I want to return to the concept of intentional access, you might well say that, again, take the worst case scenario, the hacker that everybody agrees is covered by this statute. If the hacker hacks into Amazon using some kind of intermediate computer like a router or a server or something like that intentionally to hack into Amazon, we're not here to argue that that is not covered by the statute. This case is critically different, though, because Perplexity is simply the developer of the browser, and all of the intent to go to access Amazon comes from the user itself. Why can't we infer intent, though, from the fact that Amazon claims that Perplexity is trying to circumvent the gates that Amazon has erected to prevent Perplexity from entering its servers or to prevent the user who is using Comet from entering Amazon's servers? Why isn't that at least some indication of intent? So I think it's not an indication of any intent to do anything other than what the user itself wants to do. I think, again, that question maybe goes more to the unauthorized access prong as opposed to the threshold access question. But Perplexity is no differently situated than – I return to this, but I think it's a critical analogy – no differently situated than Apple and Google in that, yes, Apple and Google and Perplexity all provide a browser that users can use to access websites. But you would never say that Google intends for me to visit NinthCircuit.gov this morning because that's what I typed into my computer when I was looking up the address of the courthouse. Or if you were going to say that, you would be radically expanding the Computer Fraud and Abuse Act. That's certainly not the theory of the decision below, and I don't think this court should adopt that in the preliminary injunction posture. I think I've eaten into my rebuttal, so I'd like to reserve whatever I can. Thank you, Counsel. Thank you, Your Honor. Thank you, Your Honor. May it please the Court. Hagen Scotten for Amazon. And with the Court's permission, I'd like to start where my opponent did, which is with the access element. Perplexity accesses the secure areas of the Amazon store exactly the way anyone accesses a website and exactly the way the term is used in Van Buren, the way this court consistently used it. It sends electronic signals that go into that site and do things that take pictures, that send data back, that put items in the user's shopping cart. That is always how the term access is used, and I think it helps to walk through an example, because I think, Judge Hinderaker, you actually described it exactly right. There was nothing to caveat. Suppose the user gives a command, and I'll use Perplexity's example. This is the example their chief technology officer gave. Buy a 12-pack of paper towels. They type that in to the Comet browser. The Comet browser asks Perplexity's servers, what do I do with that? And then Perplexity's servers say, go to the Amazon store. Perplexity's servers, the reasoning layer, the work is all done by Perplexity, say, display the user's credentials. They say, look around. They say, find the cheapest paper towels. They say, put it in the user's shopping cart. And at the end, they may say, now go back to the user and ask if they want to buy it. But at every step of the train, Perplexity is driving. That makes it a term. But isn't Perplexity driving at the instruction of the user? And so in a sense, isn't the AI assistant the user's agent? So I think it is entirely fair to say it is the user's agent, just as in Power Ventures. There too, the user wanted the access done. The user there was using a simpler agent that invited his or her friends from Facebook to the defendant's rival website. The user said, do this for me. Please, Power. It pressed a button. It clicked a button. And then Power automated the process as the user's agent, just as here. And here's really the easiest way, or another easy way to tell. It is undisputed that if you sever the connection between Perplexity and the user's computer, everything stops. There's no more buying. Nothing's getting put in a shopping cart. The agent doesn't work anymore. So Perplexity is not doing it. If the user is accessing, it should keep going, right? If the user's at their computer, they say, buy me the 12-pack. But you sever the connection, it stops. There's no way in which it is only the user accessing. And I did also want to dispel what I think is a false dichotomy. The court is correct that we're talking about three entities, user, Amazon, and Perplexity. The fact that the user tells Perplexity, go ahead and send your agent there. Go do this for me, does not mean that Perplexity isn't also accessing it, right? Two people can do something. If under any standard of law, if I tell someone to do something and they intentionally do it, they too are intentionally doing it. So if I were to tell somebody, please trespass on my neighbor's property, and they knew it was private property, they knew they weren't allowed there, and all the other elements of trespass were met, and they went there, they would still be intentionally trespassing even as I told them to do it. Counsel, this raises a question for me. So if your theory is correct, isn't the user exposed to criminal liability under the CFAA? No, Your Honor. I mean, not without a whole lot of facts that aren't present here and are seldom present. This court has made very clear in cases such as Nozzle that conditions of use and terms of use do not suffice to put a user on notice. And therefore, that's the only way a user here might know they're not supposed to do this. Perplexity, of course, got a call from our CEO, or sorry, got a call to their CEO, got a cease and desist letter, got multiple technical blocks which they intentionally circumvented, and continues to access right now. I mean, some of it's sort of a little absurd to say we don't intend to go there. That is why they're here. They intend to go to the Amazon store. A user, by contrast, isn't on notice. And this court has said that repeatedly in narrowing the CFAA to make sure that your random user can't be held liable. Also, they probably don't do $5,000 worth of damage. They probably also don't obtain anything, and so on and so forth. In some other scenario where they're doing all those things after getting a cease and desist letter, you have someone who's starting to look more like a hacker than a user. But that's not any user. This also, by the way, Your Honor, fundamentally distinguishes this Safari example, which really never came up in the district court for very good reason. Perplexity itself says that it is nothing like these passive web browsers my friend is now relying on on appeal. I'm going to quote, and this is page 81 of the record excerpt, or actually the supplemental record excerpt. What sets Common apart is its agentic capabilities, the ability to find information and act on it intelligently and autonomously. It also says that it is unlike passive browsers. It is unlike Safari, which passively display whatever content websites throw at a person. If you cut your connection to Safari, you can still use Safari because Safari is not being guided by Apple. Apple isn't doing anything when you are using Safari. I mean, it made the program, but it's not doing it. It is in some ways, Your Honor, the difference between a car and a taxi. If Your Honor looks up a lot of sort of common sense explanations of what a browser is, it's often likened to a car that the user can drive to websites, which are like places. That's not what the agent is. By perplexity's own admissions, these are sworn admissions, they're ads, it's like a taxi. And you can give instructions as generic as, take me to a scenic site. And if in taking to a scenic site, the taxi decides to drive over barricades and drive into some secure area so you can see the Statue of Liberty really up close, that taxi driver is trespassing and doing it all wrong. You may or may not be if you just told the taxi driver, take me somewhere. So this Safari thing is not only really not preserved, it illustrates the fundamental distinction here on the agent. Counsel, I'm still stuck on the potential of criminal liability for the user. So the user could be on notice that, well, perplexity can't access Amazon servers. But if the user nevertheless insists on using the Comet browser in order to make purchases on Amazon, isn't the user knowingly complicit under your theory? Well, no, Your Honor, for a couple of reasons. And one, I just want to, the premise, the Comet browser, which does function like Safari, is not what's at issue here. Comet, that's all fine. It's just this agent feature. If the user specifically triggers the agent and is on notice, now, I don't know how they would get on notice. There's no mechanism. But if for whatever reason, they kept doing it, and Amazon takes the time to send them individually a cease and desist letter that says, please stop sending your Comet agent to our website. And then they do all the things that have been done here. They breach barriers. They ignore this and so on. At that point, I think it is fair to say their access is unauthorized, just like the individual friend in this court's, the PowerVentures bank example, eventually does become liable for trespass. And sure, the owner of the website could too, if they kept pushing their friend into the room after the bank said, your friend is not allowed in our bank. Please don't send them back here. But it would be an extremely high threshold. And again, you have all these other elements. My friend wants to rely on the access element. But there's a lot of other elements. Even if the friend is on notice, are they doing damage? Are they at the $5,000 threshold? Are they obtaining information? Once you get to that phrase, where you've got somebody who just keeps doing these things and inflicting the sort of technological harms, I'll get to that in a minute, the perplexity has. Sure, in that case, an individual person could be on notice. That looks nothing like any of the examples this court has given in cases like BRCA or NOZL, which are about terms of use or computer conditions. None of those threaten an employee or, sorry, a user with liability in the least. It's not really until they turn themselves into the exact kind of hacker the perplexity is that they're starting to face liability. And I will take a second with the court's permission to address the loss element, which I think is the only other element my friend has raised on argument. And there, I think he is correct that courts have construed the very capacious language of the CFA to, using canons like no secure associates. Let's look at the examples here and narrow it. In fact, this court did it in an opinion written by Judge Smith called Andrews versus Sirius XM Radio. That was a couple of years before Van Buren, but it really says the same thing. That the harms here have to be technological harms in the sense that they're harms that result directly from the intrusion. They can't be things like, for example, figuring out what the person who stole the data is going to do with it. That's moxie pests. So that is not the sort of harm. Or to choose an example, many district courts have rejected after Van Buren, attorneys fees for things like what I'm doing today are not covered. But where it is an engineering harm, a technological harm inflicted by the intrusion, it's covered and everything here is. All the costs here are Amazon engineers doing things to repair the system, to restore it so that it no longer falsely charges advertisers based on things that only comment and no human is seen. To unblock accounts that were automatically blocked because Amazon security software sort of went off and blocked not just the agent, but the user. Or to investigate and fingerprint the agent. Many courts post Van Buren talking about what technological harm is, we use identifying the agent as a classic, or the intruder as a classic example. That's what fingerprinting is. It's these engineers trying to figure out how is this thing getting into our system? What is this thing? Where is it going? So these are all classic technological harms. We're leaving the court of the need to reach that. And I would be remiss if I didn't mention a whole other reason the court need not reach it, which is the CDAFA, which my friend never mentioned. District court very explicitly did rely on, both in its order at page five, and also you can see it's the transcript at 138 to 140, where the district court says, California state analog is broader. Exactly the two elements we've discussed today, access and loss. It completely eliminates the loss argument, which the district court said, and said that's why I really don't even need to think too hard about this question for the CFA at this stage. It's undisputed that it has no such constraints on loss. It's also broader on access, where it includes causing to be accessed. And it defines access to include things like communicating with. My friend has not, and he couldn't because it's waived. They had many opportunities to raise in the district court, has never suggested that the access here would not satisfy the CDAFA. Is the theory under state law that perplexity is causing the user to access? If we don't agree, let's say we don't agree with the direct access, your argument against the direct access point, that it's perplexity that's causing the access of the user. And in my mind, that all collapses. I'm not actually aware of a principle of law under which perplexity doing all these things isn't itself accessing. But to buy perplexity's theory, your honor has to say, well, it's the user doing it. But we know that all the steps, all the actions being taken that push the agent to the store are actually being taken by perplexity. And we certainly know that it is doing it intentionally. And I think that really, sorry, Arne. So I do have a question. And this case is difficult in part because we're dealing with a statute from 1986. It was updated in 1990 something. And it involves AI, which is a new technology. It's not really built for these circumstances. And so to the extent there's some ambiguity in access and whether it should apply in this instance, does the rule of lenity have any purchase here? I mean, is that something we should be looking at? If we're going to err, should we err on the side of not finding a violation? Because my concern is that there's going to be unintended consequences that flow from whatever we do here today. And they're hard to foresee. And this is a difficult case in that sense. So I want to address sort of each of the thoughts in Arne's question. And to start with, I would reject the idea that there's really anything pathbreaking here. You're right that the rule of lenity has a role. But there's a reason, sorry, my friend never argued it and they didn't mention it in their briefs. And that's because it's already done that work. This court considered the rule of lenity in cases like High Q, where it drew the exact line the district court relied on here, which is to say, almost all the web is public. You can go there, it's not affected by the CFA. I don't care if you issue a cease and desist letter, you can't keep people out of it. But where you are in a password protected area, the website owner can restrict you. That was a rule of lenity ruling. It's already baked into the line we've drawn here. So I don't think there's anything more for the court to do, but to apply the very settled law. And I should add, Your Honor, in terms of unintended consequences, I think Your Honor should look at the software developers brief, the finance industry brief, the airline industry brief, all of which help understand the real danger of unintended consequences. It is perplexity's rule that is novel. It is not only contrary to what this court said, applying the rule of lenity in High Q and Power Ventures. It is contrary to the norms by which developers operate now. It is a given norm, just like it would be in any form of private property, the website owner can keep people out of their private spaces. Developers rely on this to innovate, protect theft, to be accountable for their own systems, so they can control things and protect customer experiences, develop the best possible product. That is the norm right now. It is perplexity's submission that is new. Perplexity is saying, no, we need to break down those barriers so we can penetrate them. The record evidence is undisputed that its competitors, which have the same technological capabilities that do, and I'm referring specific to Brave and Microsoft Edge, they could go into the Amazon store, but they don't. If a user says specifically, go there, tries to push them in, they say, for security reasons, I cannot go there. They respect the settled rules that are both this court's rules, the law's rules, and the norms here. This Mad Max world that perplexity wants, where if a single user gives you their password, you can send in an AI agent which can do harm on a far more massive scale than an individual human because it operates so quickly. That's the virtue of AI as well. That's the new rule. All Amazon is really asking for is that this court apply the same settled norms that have always guided innovation, right? Property owners can protect their private property from trespasses. You can innovate everywhere, but let the property owner keep their own spaces safe and decide when to invite in these new inventions. That's not in any development in the CFA or CDAFA. I see only about 20 seconds left. Happy to answer the court's questions. Thank you, Your Honor. Thank you, counsel. Thank you, Your Honor. Just a few quick points in rebuttal. First, on the preservation point, I'd direct the court to 3 ER 515 paragraph 23 and 3 ER 521 paragraph 5. Those are two examples from our declarations where we expressly make the comparison between perplexity and Safari and Chrome. So that example has been used throughout the case. And with respect, I don't think my friend distinguished it at any meaningful level.  Ultimately, I think most of his arguments would also apply to reach the conclusion that Apple is accessing Amazon simply because a Safari user directs his or her browser to Amazon. I think the best attempt to distinguish that is this discussion about communications between the user and perplexity itself. And we were talking about this a little bit in the earlier argument. There are situations in which the user communicates with the perplexity server. But that's, again, nothing that's out of the ordinary for regular browsers like Safari and Chrome. There are features of those browsers like autocomplete or autotranslate or autofill, which are familiar to anyone who uses the internet, in which a user of the browser will communicate with Google or Apple before then going to a different website. And that, again, I think it proves far too much to suggest that Apple or Google are accessing the website in that situation. To use the paper towels example, again, yes, there is a communication between the user and perplexity in which perplexity says to the user, here are the ranking of the paper towels. But then the critical point is that the user then goes to Amazon to buy the paper towels. That's not fundamentally different than if I was sitting behind my desk and I asked my daughter to look at my screen that had Amazon on it and say, which paper towels should I buy? If she says, go buy this 12-pack and I go do it, she is not accessing Amazon.com. She and I are having one communication. And then in the technological sense, the only access to Amazon is from me, the user on my machine, not to perplexity. So I think that fundamentally resolves the access element. And at a minimum, I think under principles of lenity and particularly at the preliminary injunction stage, given the potential unintended consequences and ambiguities, this court should allow the litigation to play out rather than the harsh remedy of a preliminary injunction. My friend mentioned some amicus briefs. We have amicus briefs on our side as well. The Electronic Frontier Foundation, Mozilla, which is the developer of the browser Firefox that I think is in a position to understand this case well, submitted a brief on our side, in particular on the access element that I'd urge the court to consult. And I would say, you know, all of those things, in addition to the lack of reparable harm, the equities that favor consumer choice and innovation and competition, all of which we outline in our brief, all of those point to if this court views this as a close case, you should reverse the preliminary injunction and allow the litigation to proceed. I'll just say one word about the loss element. I think my friend largely conceded that it does require technological harm, but what Amazon has alleged is not technological harm. I think my friend even said what we mean is, you know, harm that follows from technology, but that's not what Van Buren says. I'd urge the court to look at pages 566 to 68 in the third volume of the ER. That's where Amazon describes its harms. They are not technological harms of the type that the statute covers and that Van Buren and IQ and X Corp have all said are required. The CDAFA, the state statute, the claim fails on the access requirement for the same reason that this does. Amazon does, excuse me, perplexity does not cause the user to access Amazon any more than Apple causes its users to access Amazon because they have a Safari browser. Can I ask, does an AI agent ever have intent? I mean, I think that's a kind of profound question and one that suggests there should be no preliminary injunction entered on that theory. You know, I think the better way to understand what we call agentic AI in this case is I believe what your honor said, which is that the AI is the agent of the user. The AI is the agent and the user is the principle. That's the agency relationship. Couldn't there be code or instructions or learning that's included in there or baked in there that leads the AI agent to do things that aren't exactly what the user is asking it to do, but maybe go back, maybe it's getting data and taking it back to an LLM model to train it, things like that I could think of. And these are the sort of things that are going through my mind and I'm a lawyer, so I'm struggling with this. So am I and fair enough, you know, and I'm not here to make pronouncements about the future of AI or to embarrass the future, as I think the Supreme Court said in a recent decision in this area, but I think the area of technology, but I think that all points strongly toward not entering a preliminary injunction in this case. I would also say just on the record of this case, the more far-fetched AI hypotheticals, which are maybe possible down the road, you never know, are not presented in this case. It's undisputed among the parties and we cite these portions of the record in our brief that in this case, the perplexity browser only responds to the user. It is the tool of the user. It can only do things at the direction of the user. So maybe there's new developments on the horizon that would present different issues, but those would be for different cases. And I think that's all the more reason, to decide this case on the more straightforward basis. The last thing I'll just say, and I hope you don't reach this. It's in our brief, the bond requirement. We don't think you need to reach that because we think you should reverse the PI, but if you're going to affirm the PI, the bond or rule 65C of the Federal Rules of Civil Procedure say that there has to be a bond if there's going to be loss. There's no doubt in this case, there would be serious loss to perplexity if the preliminary injunction were left in place. The district court simply said it couldn't figure out what the right amount was. So it put zero as the amount, but that can't be right. That's a paradigmatic abuse of discretion. And at a minimum, the court should remand for further consideration of that issue. Thank you, counsel. The case is submitted."
}