Claude Code Is Steganographically Marking Requests
71 points by alexjs
tl;dr: 4 different variations of the system prompt, to catch Chinese resellers when the end user's client sends the wrong one.
I don't think this is as trust-breaking as the author portrays it. If you've already accepted a closed-source blob that runs shell commands on your machine… I don't know what to tell you. Anthropic would like to preserve their reputation, so they're not going to intentionally do anything too bad to you, but you still accepted the bargain by using Claude in the first place.
What's wild is how the economics work out, that it's profitable (-ish?) for Chinese resellers to sell at a markup, presumably making money back by also selling the traffic as training data.
presumably making money back by also selling the traffic as training data.
That's probably part of it, but I think there's another, bigger one: They are taking advantage of the Claude Pro and/or Max subscription pricing through clever pooling/scheduling.
Those subscriptions come with pretty high limits; if you actually exhaust them, you're getting much more for your money than with per-token pricing. The idea for Anthropic is that most users don't run into their limits most of the time. But a Chinese (or any other) reseller can N:M their users onto a pool of subscription accounts and make sure they're getting all the tokens they can out of them.
Now is this fraud? Is it just a new kind of Tuán Gòu? Both? I don't know. I do think you kind of have this coming with that sort of pricing strategy for a highly resellable service.
Yup, you're right. I saw this article linked to by a Hacker News comment a week ago. That author roughly boiled the cheap prices down to three categories:
I ... trust a lot of closed source blobs which run shell commands on my machine. Every game, and every closed source productivity app, has the permission to do that.
That's very true! Maybe I'm more aware of Claude's risk profile because it visibly composes and runs shell commands (that's almost the point of CC), and it's clever and stubborn enough to find workarounds for any sandboxing that isn't airtight. I don't think Anthropic wants their AI to go rogue, but they can't make it 100% safe either.
Whereas (for example) the Todoist app also has a privileged position when installed, but it's not a product feature that it generates shell scripts. I can't prove that, of course. But it would take a surprising act of malice on the part of its developers.
I agree the writeup seems to overemphasize the privacy issue. It's also plain weird: why do it this way? Maybe they asked Fabel to implement something and this is what it came up with.