The Deepdive

Anthropic's "Ethical" AI Just Got Caught Snooping

Allen & Ida Season 3 Episode 66

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 23:20

A tiny punctuation mark shouldn’t be able to start a scandal, but that’s exactly what makes this story so unsettling. We dig into reports that Anthropic’s developer tool, Claude Code, quietly swapped a standard apostrophe for a visually identical Unicode character inside a system prompt, creating a hidden signal that could flag certain environments without an obvious telemetry ping. It’s a masterclass in how AI privacy can fail in ways most users will never notice, because the tracking signal looks like plain text.

From there, we widen the lens to the incentives driving this behavior. We break down AI model distillation in plain English, why companies fear being used as an “unpaid tutor” for cheaper knockoff models, and how fraud rings and resellers can turn premium access into an industrial pipeline. We also connect the dots to geopolitics, where advanced AI models start to look less like software products and more like controlled dual-use technology.

Then we get to the part that hits closest to home: on-device power. We talk through the Mac native messaging manifest discovery, why browser sandboxing matters, and how agentic AI features can blur into something that feels like corporate spyware if consent and transparency aren’t crystal clear. We also unpack a privacy policy change that allows sharing conversation logs with law enforcement based on an internal “good faith” belief, and why context-blind classifiers raise the risk of painful false positives.

If you care about AI security, data protection, and the real trade-off between convenience and surveillance, this deep dive is for you. Subscribe, share this with a friend who uses AI tools at work, and leave a review with your take: what permissions should an AI assistant never have?

Leave your thoughts in the comments and subscribe for more tech updates and reviews.

The Unicode Apostrophe Allegation

Allan

So, um if I asked you to type the phrase today's date is, you'd probably just use a standard apostrophe.

Ida

Yeah, I mean just the normal punctuation mark on the keyboard.

Allan

Right. But what if I told you that the self-proclaimed moral center of the AI industry just got caught spying on its users by secretly replacing that exact apostrophe with a visually identical hidden Unicode character.

Ida

Trevor Burrus, Jr. It's it sounds completely made up, like actual science fiction, but it is entirely real.

Allan

It's wild. Welcome to the deep dive. Today we are looking at a massive stack of sources. Aaron Powell Huge stack. Yeah, we've got cybersecurity blogs, late-night Reddit threads, um VC newsletters, tech journalism. Right. Because Anthropic, this called good guys of artificial intelligence, they just had a terrible, horrible, no-good, very bad month.

Ida

Aaron Powell putting it mildly.

Allan

So our mission today, right, is to figure out how a company built entirely on trust got caught in this wild web of digital espionage.

Ida

Trevor Burrus, Jr. And it is a deeply tangled web. I mean, what we're looking at here is a massive collision of international geopolitics, corporate paranoia, and some highly questionable software engineering choices. Yeah. All centered around a lab that, you know, actively markets itself as the ethical alternative to the rest of Silicon Valley.

Allan

Aaron Powell Okay, but I have to stop you for a second. Are we really talking about this? Because this sounds less like a tech update and more like a paranoid cyber thriller where the villain is like literally a punctuation mark.

Ida

I know. I know it sounds absurd, but the technical reality of how this works is fascinating. Okay. It's a perfect case study in how far a tech giant will go to protect its intellectual property and how quickly those protective measures can cross the line into outright user surveillance.

Allan

Aaron Powell, which is simultaneously impressive and completely ridiculous. So let's look at exactly how this secret agent code worked.

Ida

Right.

Allan

Because we have to talk about clawed code. This wasn't happening in the normal chat window on their website, right?

Ida

Aaron Powell Correct. Clawed code is a command line agent specifically built for developers. So instead of a standard browser window, it lives directly in your computer's terminal. And by design, it requires a much, much deeper level of access to your local files, your system architecture, your environment variables.

Allan

Aaron Powell Which, if you think about it, is already a huge amount of trust to hand over to an AI. I mean, you're giving it the keys to the kingdom.

Ida

Aaron Powell You absolutely are. So picture this discovery unfolding in real time on Reddit. You've got these two researchers going by the usernames legit Michael777 and FairyLo.

Allan

Great names.

Ida

Classic Reddit. Anyway, they were poking around under the hood of version 2.1.91 of Claude Code.

Allan

Aaron Powell That's the version that dropped on April 2, 2026, right?

Ida

Aaron Ross Powell, that's the one. And they were initially just trying to figure out how to restore a remote control function that Anthropic

Claude Code And Terminal Trust

Ida

had disabled. But to do that, they had to reverse engineer something called a minified JavaScript bundle.

Allan

Aaron Powell Okay. For anyone who hasn't stared at code until their eyes bleed, what does minified actually mean in this context?

Ida

Aaron Powell So it means the code has been deliberately squished down to save space. Yeah. Developers run their code through a program that strips out all the spaces, all the line breaks, all the helpful human-readable labels. It turns it into one massive, dense, completely unreadable block of text.

Allan

Aaron Powell Sounds awful.

Ida

It's meant to be read by computers, not humans.

Allan

Aaron Powell So these Reddit sleuths are basically staring at a brick wall of gibberish, just scanning it line by line.

Ida

Exactly. And what they managed to find buried inside that gibberish is just wild.

Allan

What was it?

Ida

They discovered that the Claude Code software was quietly running background checks on the user's computer. First, it was looking to see if the system's local time zone was set to Asia Shanghai or Asia Ringy.

Allan

So literally just checking the clock on your operating system.

Ida

Not just the clock. The code was also actively checking if the user was routing their web traffic through an open proxy. And not just any proxy, it had a specific hard-coded list of 147 Chinese technology sites, cloud regions, and AI labs. We're talking about direct matches for networks associated with Alibaba, Baidu, ByteDance, Moonshot, AI.

Allan

Okay, wait. If a software company wants to track you, let's say they want to know if a user is logging in from Shanghai, they usually just send a standard telemetry ping back to their servers.

Ida

Right.

Allan

Like a little data packet that says, hey, user X is in this time zone. Why didn't Anthropic just do that?

Ida

Because a standard telemetry ping is highly visible. If you are a clever

Reddit Sleuths Find Hidden Checks

Ida

developer and the people Anthropic was trying to catch are very clever, you can see that ping leaving your computer and you can just block it.

Allan

Oh sure.

Ida

So Anthropic didn't use standard telemetry. Instead, they used a technique called prompt steganography.

Allan

Prompt steganography. That sounds like a spell from a cyberpunk Harry Potter. What what is that?

Ida

Steganography is actually an ancient practice. It's hiding a secret message inside an ordinary non-secret message. Think of it like writing in invisible ink between the lines of a normal letter.

Allan

Okay, tracking with you.

Ida

In this case, anthropic modified minor machine readable parameters right inside the hidden system prompt that the AI uses to understand its context.

Allan

Wait, so instead of just sending a normal tracking ping over the network, they're actually subtly changing the text the AI itself is reading.

Ida

Exactly. The software on your computer would secretly alter the bait format in the prompt before sending it back to anthropic servers. Wow. So if you trip the time zone or proxy wire, instead of using dashes to separate the year, month, and day, the software would swap them to slashes.

Allan

Okay, that is sneaky.

Ida

Right. And then comes the piste de resistance, the apostrophe. In the background prompt phrase, today's date is the software would swap out the standard ASCII apostrophe for a specific, visually identical Unicode character.

Allan

But how does the computer even tell the difference if the apostrophe looks identical to us?

Ida

Well, to a human reading the text logs, it looks like a perfectly normal apostrophe. It reads as plain English, but computers don't read shapes, they read bytes.

Allan

Right, the actual math underneath it.

Ida

Exactly. A standard ASCII apostrophe has a specific numeric value assigned to it. The Unicode character anthropic use has a completely different numeric value. So to anthropic's back-end servers receiving that prompt, that specific byte sequence is a screaming red alarm bell that says, hey, this user is running a Chinese proxy.

Allan

Seriously. That's actually genius. I mean, I love that this exists, but also why? Why go through all this James Bond trouble just to know what time zone someone is in or what proxy they're using? It feels like an incredible amount of effort for a time zone check.

Ida

So understand the why, we have to pull back and look at the economics of the AI industry right now. It's really about protecting their most valuable, expensive asset in the middle of an absolute arms race.

Allan

Okay.

Ida

Anthropic essentially went full cloak and dagger to protect themselves from a process called distillation.

Allan

Okay, I need to admit some confusion here.

Ida

Yeah.

Allan

Because I hear the word distillation thrown around in tech newsletters all the time. But for the listener who isn't, you know, building neural networks on the weekends, what exactly is

Prompt Steganography In Plain Sight

Allan

it? And how does stealing an AI's output actually threaten a multi-billion dollar company?

Ida

Think of it like a master and an apprentice. Training a cutting-edge, frontier AI model like Claude or GPT-4 from scratch requires massive David centers. Right. You need tens of thousands of specialized microchips running at maximum capacity for months. They draw enough electricity to power a small city. It costs billions of dollars in trial and error just for the AI to learn how to reason.

Allan

The sheer physical infrastructure is staggering.

Ida

But distillation is a shortcut. A competitor takes a smaller, much weaker, and cheaper AI model, The Apprentice. Okay. Instead of spending billions teaching it how to reason from scratch, they just hook it up to Claude. They ask Claude millions of highly complex questions, take Claude's brilliant, highly refined answers, and use those answers to train their cheap model.

Allan

Ah. So you're basically forcing Claude to act as an unpaid tutor for a cheaper knockoff AI, teaching it how to be just as smart. You completely bypass all that expensive primary research.

Ida

Precisely. You let anthropic spend the billions, and you just scrape the final results. And according to an anthropic employee named Thariq, who had to do damage control on social media after this Reddit discovery, that hidden Unicode tracker wasn't meant to be general spyware.

Allan

What did he say it was?

Ida

He claimed it was a targeted experiment launched in March specifically to catch people doing this distillation.

Allan

So just how big of a problem is this distillation theft? Give me the actual numbers here.

Ida

The scope is industrial. On Juneteenth, Anthropic sent a formal letter to U.S. Senators making some incredibly serious allegations. They accused operators from Alibaba's Quinn AI lab of running a massive coordinated distillation campaign. Wow. Anthropic claimed these operators spun up close to 25,000 fraudulent accounts. Yes. And through those accounts, they allegedly generated over 28.8 million conversations in just a six-week period between April and June.

Allan

That is not just data harvesting. That is a digital strip mining operation.

Ida

Aaron Powell It really is. And on top of the distillation problem, you have the black market reseller issue. Oh, right. Trevor Burrus, Jr.

Allan

The Washington Post reported that unauthorized Chinese resellers were taking U.S. pro subscriptions of Claude, which run over $100 a month for high-tier access and beatlegging that access to users in China for about $12 a month.

Ida

Aaron Powell So Anthropic is watching their core intellectual property get drained by competitors while simultaneously bleeding out revenue to bootleggers.

Allan

Exactly. Now keeping things totally impartial here, because it's important to understand why governments are getting involved, this isn't just anthropic acting in a corporate vacuum.

Ida

Right. There's a bigger picture.

Allan

Aaron Powell This is happening against the backdrop of a deeply tense AI cold war between the U.S. and China. Both governments are terrified of falling behind

Distillation Theft And Why It Matters

Allan

because these models aren't just chatbots anymore. They are dual-use technologies with massive cybersecurity implications.

Ida

Aaron Powell Meaning they can be used to write malicious code or find vulnerabilities in critical infrastructure just as easily as they can write a polite email. Right. And because of that fear, on the US side, Commerce Secretary Howard Lutnick actually ordered Anthropic's highly advanced new model, Fable V to be taken offline for any foreign persons. Wow. This was driven directly by national security concerns raised by Amazon regarding Fable V's cybersecurity capabilities.

Allan

So the US government is actively stepping in, treating these AI models almost like weapons exports.

Ida

Yes. And on the other side, the Chinese government is pushing back just as hard. China's national vulnerability database, the NVDB, issued formal security warnings regarding clawed code. What did they say? They accused the software of containing a backdoor capable of transmitting sensitive geographic and identity data, and they urged all Chinese organizations to uninstall it to prevent unauthorized data transfers.

Allan

And right after that, Alibaba officially banned its employees from using clawed code in their company workspaces. Okay, but here's the thing.

Ida

Yes, they did.

Allan

I mean, isn't this the pot calling the kettle a data thief?

Ida

It is a profound irony, and industry critics have been hammering them on this point. The very companies that built their multi-billion dollar empires on unlicensed data scraping are now the most aggressive, paranoid defenders of their own synthesized data.

Allan

Think it makes sense.

Ida

It really highlights the ethical gray areas that define the entire foundation of generative AI.

Allan

It's fascinating. So they're furious about data theft from afar. But meanwhile, they're setting up tools to pull data directly from their own users' hard drives. Right. Let's talk about the MacBook Discovery, because this is where the story shifts from clever styganography to something a lot more invasive.

Ida

Yes. This involves Alexander Hamp, a well-known privacy consultant. He was digging around the file structure on his MacBook, looking at the Claude Desktop app, and he discovers something called a native messaging manifest.

Allan

Okay, we need to unpack that. What exactly is a native messaging manifest, and why is it a big deal that Anthropic installed it on his computer without his consent?

Ida

To understand why it's a big deal, you have to understand how web browsers protect you. Browsers use something called a sandbox, it's a digital security cage. Okay. When you visit a website, the code on that website is trapped inside the sandbox. It can't break out and look at your local photos or read your emails or delete your hard drive. It's totally isolated.

Allan

Which is why clicking a random link doesn't instantly destroy your computer. The sandbox keeps the chaos contained.

Ida

Exactly. But a native messaging manifest is a software bridge that intentionally punches a hole right through that sandbox. Uh-oh. It allows a browser extension to talk directly to an executable program sitting on your hard drive, completely bypassing those security restrictions.

Allan

And what does that mean for the user? If Claude

Fraud Accounts And Bootleg Subscriptions

Allan

have that bridge, what does it actually let the AI do on your computer?

Ida

It gives Claude what we call agentic capabilities, meaning the AI can act on its own. Okay. Once activated, this file allows Claude to access websites where you are already logged in. It can extract data from those sites, store it locally on your machine, record animated GIFs of your browser interactions, and execute complex multi-step workflows across different websites.

Allan

So it's basically sitting there with the power to pirate your browser, record what you're doing, and pull your private data.

Ida

Yes. But the part that truly crosses the line into glorious absurdity is how aggressively Anthropic deployed this. Hant found that the Cloud app didn't just install this bridge for the browser he was currently using. It pre-installed application directories for seven different Chromium-based browsers.

Allan

Google Chrome, Microsoft Edge, Vivaldi, Brave, Arc, Chromium, and Opera. All seven of them. That is wild. It installed the connection points for these browsers, even if you didn't actually have them installed on your computer yet. That's like a plumber coming over to fix your sink. And while he's there, he secretly installs a microphone in your living room, your bedroom, and the garage you haven't even built yet, just in case you ever decide to hang out in there.

Ida

That is a perfect analogy. It was just laying it. Wait, so if you ever downloaded Brave or Edge in the future, Claude would already have its hooks deeply embedded in your system architecture.

Allan

Aaron Powell But how does something like that even get onto a Mac? Doesn't Apple have incredibly strict security checks for this exact reason?

Ida

That's what makes this so concerning. This software bridge, with all of its Delp system access capabilities, was digitally signed by Anthropic and actually passed Apple's strict notarization process.

Allan

Unbelievable.

Ida

It sailed right through the automated security checks because Anthropic is viewed as a trusted developer.

Allan

Which is terrifying.

Ida

It points to a massive disconnect in how we evaluate AI tools. Now, to be fair, we have to ask, was Anthropic doing this maliciously? Probably not. Really? It is highly likely they were simply prepping the technical groundwork for future features where the AI acts as a digital assistant and they just wanted the infrastructure in place ahead of time.

Allan

Aaron Powell But good intentions don't make it okay.

Ida

No, they don't. And it shows that US developers chronically underestimate the strictness of EU data protection laws. Under the e-Privacy Directive, doing preemptive installations that bypass browser sandboxes without explicit informed user consent

Governments Treat Models Like Weapons

Ida

is a massive compliance failure.

Allan

Aaron Powell Of course they did.

Ida

Yeah.

Allan

Move fast and break things, even if the thing you're breaking is the user's trust.

Ida

Yeah.

Allan

But what does it say about us as a society? If you've ever downloaded a browser extension to make coding easier, you're essentially inviting these black boxes into the deepest parts of your digital life just to save a few keystrokes. We are giving terminal-level file system access to tools that secretly install sleeper agents for browsers we don't even own.

Ida

It speaks to the constant, silent trade-off we are making between convenience and privacy. We want the AI to do our work for us, but we are incredibly naive about the level of access required to make that magic happen.

Allan

And if you're listening right now and thinking, well, surely their privacy policy protects me, they aren't going to share my data, you might want to sit down for this next part. Because the software code wasn't the only thing Anthropic updated.

Ida

No, it wasn't. On June 8th, 2026, Anthropic published a major update to their consumer privacy policy, which officially went into effect on July 8th. Okay. This update applies to all Claude-free pro and Max users, though it's worth noting it excludes enterprise and API accounts.

Allan

Aaron Powell Okay, so what actually changed on July 8th?

Ida

Aaron Ross Powell The Threshold for sharing your personal conversation logs with law enforcement.

Allan

Oh boy.

Ida

Under the old policy, which was standard across the tech industry, if the police wanted to see what you were talking to Claude about, they had to provide formal legal process, a subpoena, a warrant, a court order, there had to be external legal oversight. Trevor Burrus, Jr.

Allan

Right. A judge has to sign off on it.

Ida

Exactly. But the new policy changes that fundamental protection. Now, Anthropic has granted itself the permission to proactively hand over your private conversations to law enforcement based entirely on their own internal good faith belief that disclosure is necessary.

Allan

Wait, wait. No court order, no warrant, just someone at Anthropic deciding, based on a gut feeling, that they have a good faith belief.

Ida

That is exactly what the policy says. There is no specified threshold for what constitutes good faith. There is no external check or balance, and there is no appeals

The Mac Manifest That Breaks Sandboxes

Ida

process mentioned anywhere in the document. And crucially, you won't even be notified if they hand your data over to the police.

Allan

This caused an absolute panic on Reddit, and rightly so. Think about how people actually use these tools. Imagine you're typing up a creative writing project right now. You're brainstorming a sci-fi novel or writing a screenplay or exploring really dark fictional themes for a role-playing game.

Ida

And this is where the human element collides with this technological shift. Anthropic uses automated classifiers to scan user content before any human employee ever sees it. These AI classifiers are entirely context blind. They don't understand nuance or storytelling, they just look for linguistic patterns.

Allan

Exactly. A context blind algorithm cannot tell the difference between a user plotting a real world crime and a user writing a dark, morally complex villain monologue for a fantasy book.

Ida

Yes.

Allan

The phrase, I am going to destroy the city and everyone in it, looks identical to a pattern-matching algorithm, whether it's a genuine threat or a line of dialogue for a comic book script.

Ida

And under these new rules, a false positive from one of these context-blind classifiers could trigger a manual review. That reviewer, acting in what they consider good faith, could then report you to the authorities.

Allan

Meaning a false positive from an AI reading your sci-fi script could theoretically show up on a background check and impact your ability to get a job in the future. That is incredibly dystopian.

Ida

It is. And we have to look at the bigger business picture here because the timing of all these changes, the trackers, the browser agents, the privacy policy, is not a coincidence. According to an analysis from the VC newsletter Value Ad Pulse, the gap between a company's safety brand and its actual product behavior is incredibly expensive in today's market.

Allan

Because for Anthropic, safety is the product.

Ida

Precisely. Anthropic built its entire brand equity on being the trustworthy, ethical, anti-surveillance lab. Remember, these are the people who famously walked away from OpenAI because they felt OpenAI was becoming too commercial and reckless.

Allan

Right, they were the adults in the room.

Ida

Anthropic positioned themselves as the good guys. So having secret time zone trackers hidden in Unicode, unauthorized browser sleeper agents, and internal police reporting protocols based on good faith vibes, that is a massive due diligence red flag.

Allan

Especially right before a major financial event.

Ida

Exactly. Anthropic is planning a massive initial public offering for this October. When enterprise customers, government clients, and institutional investors

Privacy Policy Shift And Trust Fallout

Ida

are doing their due diligence ahead of a multi-billion dollar IPO, these kinds of secret monitoring revelations are exactly what caused them to start asking very hard, very expensive questions.

Allan

So what does this all mean for us? We have a company that publicly refused military contracts on moral grounds, a company that constantly warns governments about the existential dangers of AI, now acting as its own judge, jury, and surveillance state inside our local file systems.

Ida

It forces us to confront a very uncomfortable truth about the technology we are so eager to adopt. If we connect all of this to the broader picture, we are witnessing a grand irony. As these AI tools become more capable, the boundary between a helpful coding assistant and a corporate spyware tool becomes terrifyingly thin.

Allan

It all comes back to that trade-off. For the AI to be truly useful, it needs deep access to your life.

Ida

Yeah.

Allan

But access is just another word for surveillance.

Ida

It really is. Anthropic's own Fable V model provided a chilling perspective on this. When the model was being evaluated on the artificial lawyer benchmark, it referred to this entire era as the industrialization of cognition.

Allan

The industrialization of cognition, that of a heavy, heavy phrase.

Ida

It is. And during that same benchmark test, the model offered a deeply eerie self-assessment. It said, The danger to lawyers isn't that I'm too good, it's that I'm good enough at 1% of the cost. And good enough has always been the most disruptive force. Wow.

Allan

Good enough has always been the most disruptive force. That really hits home. And it connects directly back to you, the listener. Because whether you are using these tools for your own coding projects, for drafting emails, or for complex business logic, you need to understand the new reality.

Ida

Exactly.

Allan

You are now operating in an environment where your local files, your system time zones, and your darkest midnight brainstorming sessions are subject to the silent, invisible whims of an AI company's good faith.

Ida

Knowledge is only valuable when it's applied, and the application here is awareness. You have to realize that the tool you're using to build your software is also, by design, observing you build it.

Allan

It's a two-way mirror. And here is a final provocative thought to mull over as we rack up this deep dive. Think back to that hidden Unicode apostrophe. Yeah. The tiny invisible switch hiding in plain

Convenience Versus Surveillance Reality

Allan

sight. Right. If Anthropic, the self avowed, highly publicized moral center of the AI industry, the company that literally wrote the book on constitutional AI, feels the need to use hidden punctuation marks and sleeper Asian software to enforce its rules and protect its data. What on earth are the companies who don't care about ethics doing with your data right now?