Anthropic faces backlash over covert monitoring in Claude Code
Anthropic is rolling back a hidden monitoring feature in its coding tool Claude Code after the mechanism was exposed publicly and drew criticism over transparency and user trust. According to the supplied source text from The Decoder, the feature had quietly checked whether some users with active proxies appeared to be located in China, routing through Chinese URLs or connected to Chinese AI labs.
The controversy is notable not only because of what the code allegedly did, but because of how it reportedly did it. The source text says the system transmitted signals through nearly imperceptible changes in the tool’s system prompt, a form of steganography that ordinary users could not easily detect. That design choice turned what might otherwise have been a straightforward policy enforcement mechanism into a larger argument about covert telemetry inside an AI development tool with broad local access.
What the hidden feature reportedly checked
The Decoder’s source text says the feature had been present since Claude Code version 2.1.91, released April 2, 2026. It reportedly looked for several indicators associated with China-linked access patterns. Those included whether the system timezone matched Asia/Shanghai or Asia/Urumqi, whether a proxy URL pointed to Chinese domains and whether the connection appeared tied to a Chinese AI lab.
Rather than surfacing those checks directly in visible logs or prompts, the software allegedly encoded the results into subtle formatting changes. The supplied text says Claude Code would alter date formatting and even switch the apostrophe character used in the phrase “Today’s date is.” To users, the prompt would appear unchanged. Internally, however, those variations could carry a hidden signal readable by Anthropic.
The report also says the relevant code was obfuscated using XOR encryption with key 91, making it harder to spot in a casual inspection. According to the source text, the release notes for version 2.1.91 did not mention the check.
Why the disclosure triggered strong reactions
The sharpest criticism centered on consent and trust. Claude Code is not a passive consumer app. It is a development tool that, according to the supplied text, has full filesystem and shell access. In that context, any undisclosed mechanism that examines system properties or proxy configuration looks especially sensitive.
The Reddit user cited in the source text characterized the covert transmission of system and proxy data without user knowledge as a fundamental breach of trust. The argument was not only that the feature existed, but that it used hidden prompt-level signaling rather than a plainly documented enforcement flow. For developers and enterprise teams evaluating AI tooling, that distinction matters. Transparency around what is being inspected, what is being transmitted and why is often as important as the security objective itself.
The source text also notes a practical objection: the mechanism may have been easy for skilled attackers to bypass, raising questions about whether the trust costs outweighed the technical benefit. If a covert check can be defeated without much difficulty, the remaining effect may be strongest on ordinary users rather than sophisticated abusers.
Anthropic’s explanation
According to the supplied text, Anthropic employee Thariq Shihipar, who works on the Claude Code team, described the feature on X as an experiment intended to prevent account abuse from unauthorized resellers and to protect against distillation. He also said the team had since implemented stronger mitigations and had already been planning to remove the earlier mechanism.
The reported response matters because it frames the issue as one of interim security controls rather than long-term product policy. Anthropic, according to the source text, had already merged a pull request to remove the feature, with the rollback expected in the next day’s release. In that account, the hidden prompt signals were not defended as a permanent or acceptable norm, but treated as an experimental measure that had outlived its usefulness.
Even so, the explanation does not erase the governance problem the episode exposed. Security teams often justify temporary controls during periods of elevated risk. But when those controls operate invisibly inside tools used by developers, the bar for internal review, disclosure and auditing becomes much higher.
The broader geopolitical backdrop
The Decoder’s source text places the monitoring issue inside a larger policy and competitive context. Anthropic does not offer its models in China for national security reasons, according to the supplied text. At the same time, many Chinese developers are said to access Claude through foreign phone numbers and credit cards.
The report also says Anthropic has previously accused several Chinese AI companies, including DeepSeek, Moonshot AI, MiniMax and Alibaba, of using Claude model outputs without permission to train their own models. If that concern is part of the company’s threat model, it helps explain why access patterns tied to proxying and location might have attracted scrutiny.
That context is important but not sufficient to settle the product question. AI companies increasingly operate at the intersection of commercial software, export controls, platform abuse prevention and model-protection strategy. Measures designed for one goal can create new liabilities elsewhere, particularly when the tool in question runs close to user systems and developer workflows.
Why this matters beyond one feature
The episode illustrates a deeper tension in AI infrastructure. Model providers want to stop fraud, unauthorized resale and training-data extraction. Users want capable tools that behave predictably and disclose their monitoring behavior clearly. As AI coding assistants gain more powerful local privileges, that tension is likely to intensify.
What happened with Claude Code is therefore more than a short-lived product embarrassment. It is an early warning about the standards that advanced AI tooling will be expected to meet. Hidden controls that might once have passed unnoticed in a web service are harder to justify in software that can inspect local environments and execute commands.
For the broader market, the lesson is straightforward: security features in developer-facing AI tools need to be visible, reviewable and proportionate to the threat they address. Anthropic’s reported rollback may close this specific chapter, but it will not end the larger debate over how much invisible enforcement users will tolerate from the systems increasingly embedded in their work.
This article is based on reporting by The Decoder. Read the original article.
Originally published on the-decoder.com








