Claude Code is steganographically marking requests
What Claude Code is doing
- Client inspects environment (e.g.,
ANTHROPIC_BASE_URL, hostname, timezone) for signs of Chinese labs or resellers. - If matched, it steganographically encodes that classification into the system prompt using subtle Unicode variants and date formatting.
- Domain and lab keyword lists are obfuscated in the binary via base64/XOR.
- This happens client‑side and is not clearly disclosed in UI, docs, or release notes.
Intended purpose & effectiveness
- Many commenters infer the goal is to detect:
- Chinese API resellers pooling cheap Claude Code subscriptions.
- Model distillation by Chinese and other labs.
- Some see this as “defense in depth” akin to trap streets or anti-cheat: easily bypassed by sophisticated actors but enough to catch sloppy resellers.
- Others call it “amateur hour”: trivial to evade (change domain, strip the markers) while still burning trust with legitimate users.
Impact on legitimate users
- Concern that:
- Normal developers using proxies, corporate gateways, or unsupported regions might be misclassified.
- Anthropic could silently degrade responses, route to weaker models, or ban accounts based on these tags.
- Several note there are legitimate reasons to proxy (auditing, filtering secrets, multi-account routing) that could be penalized.
Trust, ethics, and privacy
- Many view the hidden, obfuscated behavior on user machines as malware‑like and a breach of trust, independent of motive.
- Others argue it’s a standard anti-abuse measure, comparable to analytics or anti-cheat, and likely covered by existing ToS/privacy language.
- Legal questions raised: potential consumer fraud if service is silently degraded, GDPR/export-control/EULA issues, even CFAA‑shaped concerns; others dispute that this rises to illegality.
Comparisons & broader reactions
- Compared to:
- Trap streets, watermarking, corporate surveillance tooling, and game anti-cheat.
- Prior Anthropic incidents (Fable’s hidden model degradation, source-map leak) as part of a pattern of “shady” behavior.
- A noticeable subset of commenters say this reinforces their shift away from Claude Code toward:
- Open-source or simpler harnesses (pi, Codex, OpenCode, custom agents).
- Cheaper or open-weight models (GLM, DeepSeek, Qwen, local deployment).
- Some frame it in geopolitical terms (keeping “superintelligence” from China); others see that framing itself as dangerous and hypocritical.