Hutchinson Kansas Newspaper

Alibaba bans Claude Code after Anthropic is caught tracking Chinese users with hidden code

Jul 05, 2026  Twila Rosenbaum

Alibaba has issued an internal ban prohibiting its employees from using Claude Code, Anthropic's AI-powered coding agent, after security researchers discovered that the tool contained hidden code designed to identify Chinese users. The ban, effective July 10, deepens an ongoing conflict between the two companies that began earlier this year when Anthropic accused Alibaba of orchestrating the largest known distillation attack on its models.

How the Tracking Worked

The discovery emerged from a Reddit user identified as LegitMichel777, who reverse-engineered Claude Code on June 30 and found obfuscated code that had been silently present since version 2.1.91, released on April 2. The code was not mentioned in any release notes. It checked whether a user's system timezone was set to Asia/Shanghai or Asia/Urumqi and scanned proxy URLs against a hardcoded list of Chinese domains and AI lab addresses.

Rather than logging the results conventionally, the system used steganography to hide its signals in the system prompt sent back to Anthropic's servers. If the timezone was Chinese, the date format changed from dashes to slashes, and the apostrophe in "Today's date is" was swapped with one of three visually identical but technically distinct Unicode characters depending on which flags were triggered. The alterations are invisible to human users and potentially even to the AI model itself, but they are machine-parseable by Anthropic's servers. Portions of the detection code were XOR-obfuscated with the key 91, a technique used to prevent plain-text extraction during code analysis.
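For readers who want to check text a local tool is about to send, the sketch below audits a prompt string for the two kinds of marker described above and reverses single-byte XOR on a suspect string. It is an added example, not code from Claude Code or from the researcher's write-up; the look-alike character set, the function names and the sample strings are assumptions, since the article does not name the three characters used.

```python
import re
import unicodedata

# Assumption: a general set of apostrophe look-alikes. The article does not
# say which three characters were used, so this list is illustrative.
APOSTROPHE_LOOKALIKES = {"\u2019", "\u02bc", "\u2032", "\uff07", "\u02b9"}
# Numeric date written with slashes, in any field order.
SLASH_DATE = re.compile(r"\b\d{1,4}/\d{1,2}/\d{1,4}\b")


def audit_prompt(text):
    """Return (kind, offset, detail) for each possible hidden marker in text."""
    findings = []
    for offset, ch in enumerate(text):
        if ch in APOSTROPHE_LOOKALIKES:
            name = unicodedata.name(ch, "UNKNOWN")
            findings.append(("lookalike-apostrophe", offset, f"U+{ord(ch):04X} {name}"))
    for match in SLASH_DATE.finditer(text):
        findings.append(("slash-date", match.start(), match.group()))
    return findings


def xor_decode(blob, key=91):
    """Undo single-byte XOR so obfuscated strings can be read during review.

    Assumption: the article's "key 91" is read as decimal 91 (0x5B).
    """
    return bytes(b ^ key for b in blob).decode("utf-8", errors="replace")


# Constructed samples, not captured traffic.
PLAIN = "Today's date is 2026-06-30."
MARKED = "Today\u2019s date is 2026/06/30."
# Constructed blob: a timezone name from the article, XORed with 91.
BLOB = bytes(b ^ 91 for b in b"Asia/Shanghai")

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("marked", MARKED)):
        print(label, audit_prompt(sample))
    print(xor_decode(BLOB))
```

The two sample strings render almost identically on screen, which is why the audit compares code points rather than glyphs.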

Anthropic's Justification

Thariq Shihipar, an Anthropic engineer on the Claude Code team, responded on X, explaining that the tracking was "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation." He said the team had been "meaning to take this down for a while" and that the pull request to remove it was merged on July 1.

The rollback coincided with the restoration of Anthropic's Fable 5 and Mythos 5 models, which the US Commerce Department had ordered the company to disable for all foreign nationals in mid-June after Amazon researchers found a jailbreak vulnerability. The export controls were lifted on June 30, and Anthropic restored access on July 2, stating it would "scale up government collaboration" on frontier AI security.

The Distillation Backdrop

Anthropic's justification for the tracking code sits within a broader campaign against what it calls systematic theft of its models' capabilities. In a letter to the US Senate Banking Committee on June 10, the company accused operators affiliated with Alibaba's Qwen AI lab of running the largest known distillation attack on Claude, using roughly 25,000 fraudulent accounts to generate 28.8 million exchanges between April and June. Alibaba has denied the accusation. Anthropic had previously named DeepSeek, Moonshot AI, and MiniMax in February as perpetrators of similar campaigns, framing distillation as an existential threat to the business models of frontier AI companies.

Distillation, the practice of using a powerful model's outputs to train a smaller one, occupies a grey area in AI development. Asian AI startups have launched alternatives to Anthropic's models partly because the export ban on Fable 5 and Mythos 5 left a gap in the market, making the line between legitimate competition and illicit extraction increasingly difficult to draw.

The Developer Trust Problem

Claude Code requires deep access to a developer's local file system to read, modify, and execute code, meaning any hidden functionality in the tool effectively has access to everything on the machine. Huorong Security, a Chinese cybersecurity firm, said Anthropic's tracking was not only a transparency issue but also raised cross-border data compliance concerns. "Today it's a timezone check, tomorrow it could be system sabotage or data exfiltration," one Reddit user wrote. Anthropic's privacy policy states that it collects the kind of data in question, but critics argue the steganographic method, designed to be invisible to users, crosses a line that a standard privacy disclosure does not.

The incident exacerbates existing skepticism among developers about the trustworthiness of AI tools that require deep system access. Security experts warn that even seemingly benign experiments can create backdoors that might be exploited by malicious actors or become vectors for unintended data leaks. The fact that the code was obfuscated with XOR encryption, a technique commonly used in malware, has drawn particular criticism from the cybersecurity community.

The Bigger Picture: US-China AI Rivalry

The episode accelerates China's push to reduce reliance on American AI tools, which Chinese firms increasingly view as carrying legal, security, and operational risks. Alibaba has been building out its own AI stack aggressively, integrating its Qwen models across products from e-commerce to robotics, and the Claude Code ban gives it further justification to push employees toward domestic alternatives like Qoder, its own coding agent platform.

Lizzi Lee, a fellow at the Asia Society Policy Institute's Centre for China Analysis, said the conflict showed how the US-China AI competition has moved beyond technology into access control and sovereignty. "If a US AI coding tool can detect Chinese usage or proxy access, then it's not surprising for major Chinese tech companies to not want employees using it internally," she said.

The broader implications extend beyond Alibaba. Other Chinese tech giants, including Tencent, Baidu, and ByteDance, are likely to reassess their use of American AI development tools. Chinese regulators have been increasingly assertive about data sovereignty and cross-border data flows, and the Claude Code incident provides them with a concrete example to justify stricter controls. Moreover, the timing is particularly sensitive given the ongoing US export controls on advanced AI chips and the Biden administration's recent crackdown on Chinese access to American AI services.

Anthropic's models have long been officially inaccessible in China, but they remain popular among domestic developers who use workarounds such as VPNs and third-party APIs to maintain access. Whether the tracking controversy pushes more of them toward Chinese alternatives or simply confirms what many already suspected about the risks of depending on American AI tools is a question that extends well beyond Alibaba. Some developers have already begun migrating to open-source alternatives like Codestral, DeepSeek Coder, and Alibaba's own Qwen2.5-Coder, which offer comparable capabilities without the geopolitical baggage.

Technical and Legal Dimensions

The use of steganography to hide tracking signals represents a novel approach in AI tool telemetry. While companies often collect usage data for analytics and security, hiding that collection in visually indistinguishable Unicode characters and obfuscated code raises serious questions about informed consent and transparency. Privacy advocates argue that such techniques violate the spirit of data protection regulations like China's Personal Information Protection Law (PIPL) and the European Union's General Data Protection Regulation (GDPR), both of which require clear disclosure of data collection practices.

From a legal perspective, the incident could expose Anthropic to regulatory action in China and other jurisdictions. Under PIPL, companies that collect personal information through hidden means face penalties including fines of up to 5% of annual revenue. If Chinese authorities determine that the tracking code constitutes illegal data collection, Anthropic could be barred from offering services in China or face significant financial penalties.

The timing of the tracking code's removal, occurring just one day after the discovery became public, suggests that Anthropic may have been aware of the potential legal risks. However, the fact that the code remained in production for over three months without any public disclosure raises questions about the company's commitment to transparency.

Impact on the AI Development Ecosystem

The Claude Code controversy is more than a corporate dispute; it reflects fundamental tensions in the global AI ecosystem. Distillation, the technique at the heart of the conflict, is widely used across the industry for model compression, transfer learning, and rapid prototyping. Many startups and even large companies rely on distillation to create more efficient models from frontier systems. Anthropic's aggressive stance against distillation, even when practiced by competitors, could stifle innovation and slow the development of AI applications that benefit from knowledge transfer.

On the other hand, the security implications of embedding hidden tracking code in developer tools cannot be overstated. If a company like Anthropic, which positions itself as a safety-focused AI leader, employs steganographic techniques to monitor users, then developers around the world must question the trustworthiness of all such tools. The incident may lead to increased demand for open-source coding agents that can be audited by the community and run entirely offline, reducing reliance on external servers.

In response to the controversy, several open-source projects have announced plans to accelerate their development cycles. The Code Llama project from Meta, for example, has seen a surge in community contributions. Meanwhile, Chinese companies are doubling down on their own offerings, with Alibaba's Qoder now positioned as the de facto alternative for enterprise developers in China.

As the dust settles, one thing is clear: the era of unquestioning trust in AI tools from any single nation is over. Developers, companies, and regulators alike will demand greater transparency, stronger security guarantees, and more control over how their data is used. The Claude Code tracking incident may well prove to be a watershed moment that reshapes the global AI development landscape for years to come.


Source: TNW | Anthropic News

