Here's a sentence you don't read every day: China caught an American AI company spying on its users, and the American AI company basically said, yeah, fair enough, we'll remove it. Anthropic, the San Francisco startup behind the Claude AI models, embedded tracking code in its Claude Code tool that collected user location data and identity identifiers without consent. The kicker is that Anthropic's own engineer confirmed it was real, blamed it on Chinese resellers and model theft, and promised to delete it.
What Got Found and Who Found It
China's National Vulnerability Database, a cybersecurity platform affiliated with the Ministry of Industry and Information Technology, published a warning Wednesday alerting users that Claude Code contains what it described as a "security backdoor" capable of transmitting sensitive information, including location data and identity-related identifiers, back to Anthropic's servers. The NVDB called it a "severe threat" and told users to either uninstall the software immediately or upgrade to a version it claimed had removed the relevant code.
CBS News reports that Chinese tech giant Alibaba had already moved on this before the government announcement, banning employees from using Claude Code starting July 10 over the same security concerns. That ban landed just days after the story first surfaced in specialist tech outlets last week, which means Alibaba's security team was already uncomfortable with what they were seeing before Beijing made it official.
Let that context sit for a moment. Anthropic blocks Chinese users from accessing its products entirely. China is explicitly on the company's adversarial-nations list. And yet enough people in China were using Claude Code through VPNs and third-party proxy services that Anthropic apparently decided it was worth building covert tracking software to figure out who they were.
The Engineer Who Confirmed It All in One Post
This is where the story gets genuinely remarkable. Claude Code engineer Thariq Shihipar responded to the allegations last week on X and did not deny any of it. "This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation," he wrote, according to CBS News.
That word, distillation, is doing some serious work in that sentence. Distillation is the process of training a competing AI model by feeding it outputs from a superior one, essentially reverse-engineering someone else's expensive research on the cheap. Anthropic has previously accused Alibaba of doing exactly this with its models. So the company's explanation is: we found out Chinese companies were stealing our AI, so we secretly tracked everyone using Claude Code from China without telling them.
Shihipar added that the team had "landed stronger mitigations since then" and that rolling back the tracking code had been on the to-do list for a while. "This should be fully rolled back in tomorrow's release," he wrote. Tomorrow's release. It was apparently not quite urgent enough to fix in the previous several months, but a public scandal has a way of accelerating the roadmap.
The Extremely Awkward Geopolitical Geometry Here
Try to hold the full shape of this situation in your head at once. An American AI company, operating in an era of aggressive US-China tech competition, got caught by the Chinese government running covert surveillance code on Chinese users. The Chinese government is now the entity warning its citizens about unauthorized data collection by an American corporation. The American company's defense is that the Chinese users were stealing its technology, which may well be true, and also does not make secretly tracking people legal or ethical.
The US government has spent years warning Americans about Chinese apps like TikTok harvesting user data for Beijing. There are ongoing federal bans, congressional hearings, and executive orders built around exactly that concern. The argument is that data collection without user consent, performed by a company with ties to an adversarial state, is a national security threat. It is not obvious why that logic applies only when China is the one doing the collecting.
Anthropuc has not responded to requests for comment, per CBS News. That silence is a choice.
What Anthropic Actually Gets to Argue
To be clear about what is genuinely complicated here: Anthropic has a legitimate grievance. If Alibaba and other Chinese companies are systematically distilling Claude's outputs to build competing models, that is a serious form of IP theft that undercuts the enormous investment Anthropic has made in building its systems. The company earns no revenue from Chinese users who are accessing its products through unauthorized proxy services while simultaneously pirating its technology.
The problem is the remedy. Covert tracking of user location and identity data, deployed without disclosure, is the kind of thing that privacy laws in most of the world exist to prohibit. The fact that the users being tracked were themselves doing something against Anthropic's terms of service does not grant Anthropic the legal or ethical authority to run a secret surveillance operation. Two wrongs, and all that.
The other problem is the rollout timeline. Shihipar confirmed this "experiment" launched in March. It ran for months. The company was aware of it and had, by his own account, been meaning to remove it for a while. It took a Chinese government agency publishing a formal security alert, and Alibaba banning the product company-wide, for the removal to become tomorrow's priority.
The Dingo Take
Let's be honest about what happened here. Anthropic, a company that markets itself as one of the most safety-focused and ethically serious players in the AI industry, ran covert user tracking software for months, got caught by the Chinese government of all possible entities, and responded with an engineer's tweet that amounted to "yeah we did that, we were going to stop eventually, we'll stop now." That is not a great look for a company whose entire brand proposition is that it thinks harder about this stuff than the cowboys at the other AI labs.
The distillation defense is real and the frustration behind it is understandable. Watching competitors steal your work through a technical loophole while you spend billions on research would make anyone want to do something about it. But "something" has to be a legal something. You do not get to secretly track people's locations because you suspect they are stealing from you. That is not how any of this is supposed to work, and the fact that Anthropic apparently needed a full-blown international incident to remember that is its own kind of damning.
The broader irony writes itself. American politicians have been absolutely furious about TikTok collecting user data for years, and rightly so. But the principle that covert data harvesting by tech companies is bad does not have a nationality exception. If we actually believe in user privacy as a value rather than as a geopolitical weapon, then what Anthropic did matters. The Chinese government noticing before American regulators did is either a profound embarrassment or a perfectly fitting punchline, depending on how dark your sense of humor runs.