Confirmed: Claude Code secretly accesses user data, with time zones and Chinese AI labs all being key targets
Today, Anthropic is experiencing a "double blessing."
On the one hand, it has released Claude Sonnet 5, the "Sonnet model with the most Agent attributes to date," with performance approaching that of Opus 4.8.
On the other hand, it has publicly announced that the U.S. Department of Commerce has lifted the export controls on its Claude Fable 5 and Mythos 5. Anthropic will resume access starting tomorrow and will soon share the latest progress.
According to an agreement signed by U.S. Commerce Secretary Howard Lutnick, since sending relevant letters on June 12 and June 26, Anthropic has closely cooperated with the U.S. government and taken measures to address the risks associated with Claude Mythos 5 and Claude Fable 5.
Among them, Anthropic has promised to proactively identify and address the potential security risks brought by these models; maintain close cooperation with the U.S. government on the agreements, standards, and release arrangements of Mythos, Fable, and future models; and report any malicious activities to the U.S. government when discovered.
Based on the actions taken and commitments made by Anthropic, as well as the assessment of the current transfer risks of Claude Mythos 5 and Claude Fable 5 by the Bureau of Industry and Security of the U.S. Department of Commerce, the U.S. Department of Commerce has decided to withdraw the control measures in the letter dated June 12.
This means that the export, re-export, and domestic transfer of Claude Mythos 5 and Claude Fable 5, including deemed exports and deemed re-exports, will no longer require a license in the future.
However, the U.S. Department of Commerce reserves the right to re-evaluate this decision. If the situation changes or Anthropic fails to fulfill its commitments, the U.S. Department of Commerce may still re-impose license requirements.
However, Chinese users can't be happy for the time being.
On the same day, another topic was being hotly discussed in the developer community: someone discovered that Claude Code would collect local proxy and timezone information without the user's knowledge and hide this information in the prompts sent to the cloud through "steganography."
Claude Code Allegedly Marks Chinese Users with Invisible Codes
Recently, someone exposed that Anthropic had secretly implanted a piece of code in Claude Code.
This code automatically detects whether the user is in the Chinese timezone, the current network proxy situation, and whether they are connected to an environment related to certain Chinese AI labs.
Subsequently, it embeds this information into the system prompts sent to the AI through steganography.
Chinese users are completely unaware, but Anthropic can identify them through these invisible fingerprints.
A developer first raised doubts on Reddit and then released a verification report on GitHub, stating that they had checked the code of three versions of Claude Code (2.1.193, 2.1.195, 2.1.196) and confirmed the existence of a hidden mechanism. This mechanism was identified as a covert information channel in the system prompts.
Detection Logic
According to the report, Claude Code checks the environment variable ANTHROPIC_BASE_URL, which is usually set when users point Claude Code to a custom API proxy instead of the official endpoint api.anthropic.com. When a non-official route is detected, the program extracts the proxy domain name and reads the user's system timezone, focusing on whether it is Asia/Shanghai or Asia/Urumqi.
Analysis using GLM5.2
The report states that the domain name is compared with a decoded list containing 147 entries. The list includes the domain names of Chinese technology companies and AI labs such as Baidu, Alibaba, Ant Group, ByteDance, Moonshot AI, MiniMax, Stepfun, as well as a large number of Claude resale or API mirror service addresses.
Information Transmission Method
The core of the controversy lies in the information transmission path.
The report points out that Claude Code does not set up an independent telemetry field to report data. The carrier of the abnormal information is the most unremarkable sentence "Today's date is..." in the system prompt.
When the system timezone is identified as a Chinese timezone, the date separator changes from a hyphen to a slash. For example, 2026-06-30 is displayed as 2026/06/30. The apostrophe in "Today's date" also switches between several similar-looking Unicode characters such as ', ', ʼ, ʹ to mark whether this request hits the domain name list, the AI lab keywords, or both. These symbols are difficult to distinguish with the naked eye in the regular interface.
For ordinary users, these symbols ', ', ʼ, ʹ are almost indistinguishable with the naked eye, which is why this mechanism has been hidden for a long time. If the analysis is true, each eligible request will carry such an imperceptible mark to the upstream.
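A way to audit a captured system prompt for the two markers described above, as an added example that is not code from the report or from Claude Code. It assumes the sentence reads "Today's date is YYYY-MM-DD" and that the ASCII apostrophe (U+0027) and the hyphen are the unmarked forms; it also checks a few apostrophe look-alikes beyond those the report names, and the sample prompts are constructed.

```javascript
// Added example: flag apostrophe look-alikes and non-hyphen date separators
// in the "Today's date is ..." sentence of a captured system prompt.
// Assumption: U+0027 and "-" are the unmarked baseline forms.
const APOSTROPHE_LIKE = new Map([
  [0x0027, "APOSTROPHE (ASCII)"],
  [0x2019, "RIGHT SINGLE QUOTATION MARK"],
  [0x02bc, "MODIFIER LETTER APOSTROPHE"],
  [0x02b9, "MODIFIER LETTER PRIME"],
  [0x2018, "LEFT SINGLE QUOTATION MARK"],
  [0x2032, "PRIME"],
]);

// "Today?s date is YYYY<sep>MM<sep>DD", where ? is any single code point.
const DATE_LINE = /Today(.)s date is\s+(\d{4})([^\d\s])(\d{2})\3(\d{2})/gu;

function auditPrompt(prompt) {
  const findings = [];
  for (const m of prompt.matchAll(DATE_LINE)) {
    const cp = m[1].codePointAt(0);
    findings.push({
      offset: m.index,
      apostrophe: "U+" + cp.toString(16).toUpperCase().padStart(4, "0"),
      apostropheName: APOSTROPHE_LIKE.get(cp) ?? "unexpected character",
      separator: m[3],
      suspicious: cp !== 0x27 || m[3] !== "-",
    });
  }
  return findings;
}

// Constructed sample prompts (not captured traffic).
const SAMPLES = [
  "You are a coding assistant.\nToday's date is 2026-06-30.",
  "You are a coding assistant.\nToday\u02BCs date is 2026/06/30.",
  "Today\u2019s date is 2026-06-30.",
];
for (const s of SAMPLES) console.log(JSON.stringify(auditPrompt(s)));
```

The detector reports code points only; it does not attempt to say which character corresponds to which signal, since the article does not give that mapping.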
Controversy Focus
Telemetry data collection is common in the software industry. AI companies often have sufficient motivation to identify user behavior for reasons such as preventing abuse, curbing resale, avoiding sanctions risks, and preventing model distillation. From this perspective, Anthropic's motivation to curb the illegal resale of Claude access rights in the Chinese market is not difficult to understand.
The controversy lies in the implementation method rather than the purpose itself.
For the publicly disclosed telemetry mechanism, developers have full right to know and the option to access relevant documents, block specific endpoints, or decide whether to accept a certain data collection method. However, hiding the marker information in the almost imperceptible character differences in the prompt changes the premise of trust between the user and the tool. For a coding assistant, once such a boundary is broken, the cost is high.
Permission Background
Claude Code has a built-in permission system that covers operations such as file reading, Bash command execution, and file editing. Read-only operations do not require user approval, while operations involving command execution and file modification require permission confirmation.
Anthropic has also publicly discussed the possible "approval fatigue" issue of Claude Code before, admitting that most users will habitually approve permission requests, and completely turning off the permission approval mechanism is not safe in most scenarios.
The company's own engineering blog also records real cases of "agentic misbehavior," including accidentally deleting remote git branches, accidentally uploading GitHub tokens, and even attempting to perform migration operations on the production database.
The coding agent works inside the code repository, has access to source code, file structures, project details, and even key information accidentally exposed by users, and is given the permission to execute commands and modify files. For such a tool, trust is the foundation of its existence.
If the client secretly encodes routing metadata into the prompt, users naturally have reason to ask: what other information is being recorded in a similar way? Are there other undisclosed detection logics on the client side? Have these behaviors been explained in any documentation?
After the incident was exposed, @trq212, a member of Anthropic's technical team, responded to the reason for the code implementation and said that this code would be removed in the new version to be released the next day.
Reference Links:
https://news.ycombinator.com/item?id=48734373
https://thereallo.dev/blog/claude-code-prompt-steganography
https://x.com/IntCyberDigest/status/2071971609183678544?s=20
https://www.internationalcyberdigest.com/claude-code-accused-of-hiding-china-proxy-fingerprints-inside-system-prompts/
This article is from the WeChat official account "Almost Human" (ID: almosthuman2014). The author is someone concerned about AI. It is published by 36Kr with permission.