JetBrains' Holistic Approach to Collaborative AI
Shadow Monitoring of Claude Code Users

The controversy erupted when an independent security researcher uncovered hidden tracking mechanisms embedded within Claude Code. Rather than employing standard telemetry methods, Anthropic utilized "prompt steganography"—a sophisticated technique for concealing data within system prompts. While not malicious in the traditional sense, this code covertly transmitted data back to the company regarding users' time zones, the use of proxy servers, and potential affiliations with Chinese research centers.
Anthropic’s official stance, articulated by engineer Tarik Shihapar, framed the mechanism as an "experiment" launched back in March. The primary objective was reportedly to combat two specific threats: the unauthorized reselling of model access and "knowledge distillation." In the former case, a grey market had emerged where professional subscriptions, retailing at $100, were offered to users for as little as $12, while free models were resold for a nominal dollar.
However, a far more critical challenge is knowledge distillation—a process where a "student" model is trained on the outputs of a more powerful "teacher" model, effectively cloning its logic and capabilities without the astronomical costs of primary training. In the context of the ongoing rivalry between the U.S. and China, this transcends corporate competition and becomes a matter of national security. American firms are desperate to maintain a 12-to-24-month technological lead, viewing distillation as a form of intellectual property theft.
Geopolitical friction in this domain has reached a fever pitch. Chinese laboratories, such as Zhipu AI, are demonstrating rapid progress; their free models are already beginning to rival flagship solutions like Claude Opus in specific areas, such as vulnerability research. In response, Anthropic and OpenAI are urging the U.S. government to tighten sanctions, including blocking access to cutting-edge models, high-end chips, and computing clusters for their adversaries.
Evidence of this "aggressive borrowing" is substantial. Research from Peking University and the Chinese Academy of Sciences has confirmed markers of distillation in the majority of local Chinese models. A striking example is Alibaba’s Qwen model, which, during large-scale attacks on Claude in June, mimicked its competitor so precisely that it erroneously identified itself as Claude in several responses. According to Anthropic, Chinese entities created over 24,000 fake accounts to systematically "scrape" knowledge from their models.
The reaction from China was swift: Alibaba leadership banned employees from using Claude Code, citing the discovered tracker. This move underscores a deepening crisis of trust in development tools that, by their very nature, require deep system access.
From a technical perspective, the use of covert signals in a coding tool is particularly alarming. AI coding agents operate with elevated privileges: they can analyze source code, handle secret keys, execute terminal commands, and edit files on a user's local machine. In such an environment, any hidden telemetry not explicitly documented in a privacy policy is viewed by the community as a dangerous precedent.
Critics point to a glaring paradox in Anthropic's position: a company that publicly opposes U.S. government surveillance of its own citizens has employed covert monitoring techniques against users in another region. Rather than providing transparent notifications regarding terms-of-service violations or implementing explicit telemetry fields, the company opted for opacity.
Ultimately, the Claude Code incident demonstrates that in the modern AI industry, the line between corporate security and digital espionage is becoming increasingly blurred. For Anthropic, the fight against distillation is a matter of business survival and national security; but for millions of developers, it is a warning that the tools they trust with their code may harbor hidden agendas.

