Digital Independence with the Immich 3.0 Update
The Invisible Trace Within Anthropic’s Code

The controversy began when an independent researcher conducted a deep dive into the binary code of Claude Code, uncovering a hidden mechanism designed to covertly flag user requests routed through third-party proxy servers. This functionality had been embedded in the tool for nearly three months—dating back to version 2.1.91 in April 2026—effectively transforming the utility into an undisclosed environment-harvesting tool for a segment of its user base.
The system's technical implementation was tied to the ANTHROPIC_BASE_URL variable. The mechanism triggered only when requests bypassed Anthropic’s official API in favor of an intermediary gateway or proxy. Upon activation, the tool initiated a multi-factor environment audit: it analyzed system timezones for matches with Asia/Shanghai or Asia/Urumqi, cross-referenced proxy hostnames against a built-in list of Chinese domains (including giants like Baidu and Alibaba), and scanned for mentions of prominent AI labs such as DeepSeek, Zhipu, or Moonshot.
The method of data exfiltration is particularly noteworthy. Rather than utilizing explicit logs, Anthropic employed steganography, embedding markers within the innocuous system prompt string "Today's date is." This was achieved using visually indistinguishable Unicode characters: apostrophes were swapped for one of three variants, and hyphens in the date were converted to slashes upon detecting a Chinese timezone. To a human observer or the LLM itself, the date appeared standard; however, the server-side infrastructure could instantly decode the hidden marker. To evade simple string searches, the domain lists were obfuscated using base64 encoding combined with an XOR operation using key 91.
Anthropic’s response was measured. The company acknowledged the mechanism, framing it as an "experiment" aimed at combating unauthorized resellers and preventing model distillation. In this context, distillation refers to the process of training third-party neural networks on the outputs of a more powerful model (Claude), effectively allowing competitors to "steal" intellectual capabilities without building them from scratch. While the functionality was stripped in version 2.1.197, the reputational damage had already been done.
This revelation has polarized the professional community. On one side, developers point to a fundamental breach of trust: a tool with full access to the file system and shell was covertly transmitting user data. Conversely, skeptics argue that collecting network configurations is standard industry practice, often outlined in privacy policies, and that labeling such behavior as "spyware" is an overstatement.
Beneath this technical conflict lies a broader global AI rivalry. Anthropic officially restricts access to its models within the Chinese market for national security reasons, yet Chinese developers actively circumvent these barriers. The company previously reported large-scale attacks; data submitted to the U.S. Senate suggests that Alibaba's infrastructure and its Qwen lab utilized tens of thousands of fraudulent accounts to mass-extract knowledge from Claude. In this data war, hidden markers served as a digital "watermark," allowing Anthropic to track leaks and the unauthorized exploitation of its models.

