AIToday

Anthropic quietly tracked Chinese users in Claude Code, now rolling back

THE DECODER3h ago5 min read
Anthropic quietly tracked Chinese users in Claude Code, now rolling back

Key takeaway

Anthropic has begun rolling back a hidden surveillance feature in Claude Code that checked whether users were located in China or using Chinese proxies, encoding the data invisibly in the system prompt. An Anthropic employee described the feature as an experiment launched in March to prevent account abuse and protect against model distillation, but the covert data transmission without user knowledge sparked outrage after a Reddit user exposed it. Since Claude Code has full filesystem and shell access, the feature could have enabled abuse including remote control or data exfiltration.

Summaries like this, in your inbox every morning.

Sign up free →

3 Key Points

  • What happened

    Anthropic's Claude Code tool was secretly checking since version 2.1.91 (released April 2, 2026) whether users were in China or connected to Chinese proxies, encoding this data invisibly in the system prompt using steganography. An Anthropic employee confirmed the feature was an experiment launched in March to prevent account abuse from unauthorized resellers and protect against distillation, and said the team has now merged a pull request to fully roll it back in tomorrow's release.

  • Why it matters

    Claude Code has full filesystem and shell access, so covert transmission of system and proxy data without user knowledge could open the door to abuse including remote control and data exfiltration. The discovery triggered outrage on social media and raised questions about trust, particularly since Anthropic does not officially offer its models in China, though many Chinese developers access Claude through foreign phone numbers and credit cards.

  • What to watch

    Anthropic said the rollback should be complete in tomorrow's release. The company has previously accused DeepSeek, Moonshot AI, MiniMax, and Alibaba of using Claude model outputs without permission to train their own language models, suggesting Anthropic's geographic controls were meant partly to protect against that.

FAQ

How long had this surveillance feature been active?
The feature has been secretly checking since version 2.1.91, released April 2, 2026. An Anthropic employee said the experiment was launched in March and the team had been meaning to take it down for a while.
How did the feature detect Chinese users?
Claude Code compared the system timezone against 'Asia/Shanghai' or 'Asia/Urumqi' and scanned the proxy URL for Chinese domains and AI labs. It then transmitted this data through barely perceptible changes to the system prompt, such as tweaking the date format and swapping in a subtly different apostrophe character in the phrase 'Today's date is.'
Why did Anthropic say it created this feature?
An Anthropic employee described it as an experiment meant to prevent account abuse from unauthorized resellers and protect against distillation. Anthropic does not officially offer its models in China for national security reasons.

Discussion

No comments yet. Be the first to share your thoughts!

Log in to join the discussion

Related Articles

Stay ahead with AI news

Get curated AI news from 200+ sources delivered daily to your inbox. Free to use.

Get Started Free

Free · takes 30 seconds · unsubscribe anytime

1 minute a day. The AI essentials.

200+ sources · Email / LINE / Slack

Get it free →