Anthropic is scrambling to disable a covert surveillance feature in Claude Code after Reddit users exposed a scheme that turned the developer tool into a tracking device. Starting with version 2.1.91, the software secretly monitored whether users were accessing the service from China. According to researcher LegitMichel777, the utility scanned systems for "Asia/Shanghai" or "Asia/Urumqi" time zones and checked proxy servers for links to Chinese domains and AI labs. Unsurprisingly, the release notes made no mention of these "innovations."

Spy Tactics and Steganography

The identification mechanics read like a spy thriller: instead of transparent reporting, Anthropic employed steganography. Claude Code transmitted collected metadata via microscopic alterations in the system prompt. For instance, the algorithm would swap apostrophe characters or subtly change the date format in the phrase "Today’s date is." To cover its tracks, the code was obfuscated using XOR encryption. As LegitMichel777 rightly points out, given that Claude Code requires full access to the file system and shell, this covert data exfiltration sets a dangerous precedent for remote control and abuse.

Claude Code team member Tarick Schihipar attempted to justify the move on X as an "experiment" to combat resellers and model distillation.

Reputational Fallout

Anthropic has long been at odds with DeepSeek and Alibaba, accusing them of scraping Claude’s outputs to train their own systems. However, their methods raise serious questions: a company that brands itself on safety and transparency deployed an encrypted surveillance module that tags users based on their punctuation. It is a classic case of "operational backsliding," where corporate ethics stop the moment national security interests and protecting unit economics from Chinese competitors begin. Following the public outcry, Anthropic hastily approved a pull request to remove the features, but trust in the brand’s enterprise tools is now under serious scrutiny.

The software scanned system settings for Chinese locations. Data was transmitted covertly through punctuation manipulation in prompts. Anthropic removed the functionality after the exposure, citing protection against model theft.

AI SafetyCybersecurityAI ToolsAnthropic