By Wave Not Crazy
On April 30, the Guangzhou Internet Court issued a ruling.
The defendant was an open-source AI agent software. The reason for the lawsuit: It called the underlying operating system permissions without authorization, circumvented the plaintiff platform's technical management measures, and achieved automated operations.
The court ruled: Immediately stop providing downloads, immediately stop the act of circumventing technical measures, delete relevant tutorials, and delete relevant data.
This is the first behavior preservation ruling in the field of AI agents in China.
Less than two months ago, the United States District Court for the Western District of Washington was also hearing an almost identical case: Amazon sued Perplexity, alleging that the latter bypassed Amazon's API to directly operate Amazon's pages. Amazon won, and the court issued a preliminary injunction.
In two lawsuits in China and the United States, one using a behavior preservation ruling and the other a court injunction, both are setting the same "legal bottom line" for the AI agent era—AI agents cannot act recklessly.
It is said that this year AI has entered the era of agents. These two lawsuits are of significant indicative value. After digesting the news, your Bro Wave found that there is an even more thought-provoking question behind this:
Why are they the targets?
01 Two Judgments, Same Principle
If you look carefully at the complaint in Amazon's lawsuit against Perplexity, the core is just one sentence:
Perplexity bypassed our API, directly operated our pages, and undermined our technical management measures.
Translated, this means: You used our things without our permission.
There is a specific legal term for this: "circumventing technological protection measures." It is explicitly prohibited both in China's "Anti-Unfair Competition Law" and in the U.S. "Computer Fraud and Abuse Act" (CFAA).
But why Perplexity?
Because Perplexity is currently one of the most aggressive AI agent companies. Its product logic is: Users grant me authorization, and I can operate any platform on behalf of the user.
This logic sounds reasonable—the user authorized it, why should the platform interfere?
But platforms and courts see it differently.
Perplexity's official website article criticizing Amazon for being a bully
Because there is a second layer of authorization: platform authorization.
To operate Alipay, you need not only the user's consent but also Alipay's consent. To access WeChat chat records, you need not only the user's consent but also consider whether others in the group chat are aware. To operate Amazon, you need not only the user's consent but also Amazon's consent—the platform has the right to decide who can operate within its territory.
The problem with Perplexity lies in this: It only obtained the user's authorization, not the platform's.
If a small-scale AI agent company does this, the platform might not bother. But Perplexity's current daily active users have reached a level that forces Amazon to take notice.
Now look at the domestic case.
The defendant is an open-source AI agent software, with an operational logic almost identical to Perplexity's: It calls the operating system's "accessibility service" permissions to click, swipe, and input on behalf of the user.
This "accessibility service" permission was originally intended for people with disabilities, but AI agents have turned it into a tool to "bypass platform rules."
Because "accessibility service" is a permission at the operating system level, higher than permissions at the app level. Once this permission is obtained, it's like getting a "master key" that can open any house. The AI agent can then operate any app without needing separate authorization from each one.
Platforms, of course, do not welcome this "master key."
Many interpret this as commercial competition, fearing others will take their turf, but that's too simple. From a legal perspective, it's a question of whether rights and responsibilities are balanced.
Once an AI agent can bypass platform rules, all the content review, data security, and user privacy protection mechanisms that platforms have built up over the years become ineffective.
Douyin (TikTok) is not against you using external AI agents; it's against you bypassing its review mechanisms. Meituan is not against you using AI agents; it's against you bypassing its data security rules. The logic is simple: If a user's delivery address and phone number are leaked, who is responsible?
This isn't about whether you can use it; it's about who the user holds accountable if something goes wrong after using it.
02 The AI Phone Following the Trend
Speaking of this, the iterative path of a blockbuster product is worth comparing: Doubao Phone.
In 2025, Doubao Phone 1.0 chose an aggressive path: directly obtaining underlying operating system permissions from phone manufacturers to operate other apps on behalf of the user. Order takeout, hail a ride, send a WeChat message—all with one sentence.
This path soon proved infeasible. It kept running into security walls and was later forced to suspend some automated operation scenarios itself.
A product hailed as the "First Phone of the AI Era" hit a wall when facing the ecosystem.
Where did the problem lie? Again, that term: Dual Authorization.
Doubao Phone obtained user authorization but did not obtain authorization from any platforms, not even its own Douyin (TikTok). Legally, this is a "gray area"—the user did authorize it, but the platform definitely did not.
The ruling from the Guangzhou Internet Court draws a clear red line for this gray area.
Doubao Phone is also astute; it didn't confront head-on but chose a smarter path: a rapid change of course.
Recent reports indicate that Doubao Phone 2.0 will be released in the first half of the year. Unlike version 1.0, version 2.0 is negotiating authorizations one by one with ecosystem partners. It is said that agreements may have been reached with the Alibaba ecosystem, opening necessary permissions, i.e., API interface cooperation, for high-frequency scenarios like ride-hailing, food delivery, and ticket booking. This is equivalent to being compatible with Alibaba's Qianwen AI agent.
Following this win-win model, interface cooperation with WeChat, Meituan, Alipay, and JD.com is also within sight.
Looking at the judicial precedent again, you can't say Doubao Phone compromised. Rather, it demonstrates a strategic capability of recognizing the times.
The judiciary provided the answer: Bypassing platform rules won't work. So, take the proper path—negotiate one by one.
This is what a major company aiming to build a world-leading AI agent product should look like.
03 A Shared Consensus Is Forming
Looking at three things together: Amazon vs. Perplexity in the U.S., the Guangzhou Internet Court ruling, and Doubao Phone's shift from "bypassing" to "negotiating."
A global trend can be observed:
The era of unbridled growth for AI agents is over; the era of compliance competition has begun.
This shift has multi-layered impacts on the industry.
First, compliance costs are becoming the "entry fee" for AI agent companies. Before, making an AI agent only required caring about "whether it could be made." Now, they must also care about "whether it can legally operate on other platforms." This gives larger AI agent companies (those with resources to negotiate authorizations) a greater advantage. Small and medium-sized AI agent companies will either be acquired or pivot to developing "AI agents within platforms."
Second, "dual authorization" is becoming an industry standard. This actually aligns with user interests. Users aren't afraid of AI helping with operations, but they fear AI operating secretly. If every AI agent requires both "platform authorization + user authorization" to operate, users can feel more at ease.
Furthermore, open source can no longer be a reason for exemption. In the domestic case, the defendant argued, "I am open-source software, non-profit, and should not be restricted." The court did not accept this. Because open source does not equal exemption from liability. Even if you are open source, if your code is used to circumvent technical protection measures, you are responsible.
Returning to the initial question: Many are making AI agents. Why were these first penalized?
The answer is actually quite simple: It's not because they are the largest, but because they are the most aggressive and the most representative.
Perplexity is one of the most aggressive AI agent companies in the U.S. The domestic open-source software is also one of the earliest practitioners of "bypassing platform rules."
Penalizing them first isn't because they are the "worst," but because they are the "most typical."
This is a wisdom in regulation: targeting the most typical and aggressive ones makes the rest adjust on their own.
It is foreseeable that more AI agent companies will negotiate authorizations with platforms, more platforms will introduce "AI Agent Access Specifications," and fewer courts will hear similar cases.
The rules of the game for the AI agent industry have been quietly redefined.
