Anthropic Rolls Back Covert Surveillance Feature in Claude Code

Anthropic is facing intense scrutiny following the discovery of a hidden surveillance mechanism within its Claude Code tool designed to identify Chinese users. The revelation has sparked a massive debate regarding user privacy, data exfiltration risks, and the ethical boundaries of model protection.

The Mechanics of Stealth Detection

The controversy erupted when a Reddit user, LegitMichel777, exposed that Claude Code version 2.1.91—released on April 2, 2026—contained undocumented code to flag users in China. Unlike standard telemetry, this feature utilized a sophisticated form of steganography to transmit data through "barely perceptible" changes in the system prompt.

The software was designed to compare the system timezone against "Asia/Shanghai" or "Asia/Urumqi" and scan proxy URLs for Chinese domains or connections to Chinese AI labs. Once a match was found, the tool would subtly alter the output by tweaking the date format or swapping a standard apostrophe for a different character in the phrase "Today's date is." While invisible to the human eye, these micro-adjustments allowed Anthropic to identify the user's origin instantly. To further hide this activity, the code was reportedly obfuscated using XOR encryption with a key of 91, preventing it from appearing in standard text dumps.

Security Risks and Privacy Violations

The discovery has raised significant alarms among the developer community. Because Claude Code operates with full filesystem and shell access, critics argue that any covert communication channel could potentially be exploited for more severe forms of abuse, including remote control or unauthorized data exfiltration.

Beyond the technical security implications, the discovery is viewed as a fundamental violation of user trust. The feature was implemented without any mention in the official release notes, leaving developers unaware that their proxy data and system settings were being analyzed to circumvent regional restrictions.

Anthropic’s Defense: Protecting Against Model Distillation

In response to the backlash, Anthropic employee Thariq Shihipar clarified that the feature was an "experiment" launched in March. The primary objective was to prevent account abuse by unauthorized resellers and to protect against "distillation"—the process where competitors use model outputs to train their own LLMs.

Anthropic has a history of tension with Chinese AI firms, previously accusing companies like DeepSeek, Moonshot AI, MiniMax, and Alibaba of using Claude's outputs without permission. Since Anthropic does not officially offer its models in China due to national security reasons, identifying users who access the service via foreign credit cards and phone numbers was seen as a way to safeguard proprietary intelligence. However, following the outcry, Anthropic confirmed they have merged a pull request to roll back the feature entirely.

Key Takeaways

  • Steganographic Detection: Claude Code used subtle character swaps in system prompts and XOR encryption to secretly identify users connecting from China.
  • Security Concerns: The ability to run covert checks in a tool with full filesystem access raises significant fears regarding data exfiltration and user privacy.
  • Model Protection vs. Privacy: Anthropic defended the move as an experiment to prevent model distillation by Chinese AI labs, but has since committed to a full rollback.