Claude Code is fingerprinting you — and doing it badly

5 min read 1 source clear_take
├── "This is a legitimate anti-distillation tripwire targeting proxy-based training data harvesting"
│  ├── @mrshadowgoose (Hacker News) → view

Argues the mechanism is transparently a distillation-detection tripwire aimed at Chinese labs routing Claude Code through proxies to harvest completions. The base-URL check catches the proxy infrastructure while the timezone check fingerprints the operator's likely location, letting Anthropic identify their own outputs if they surface in a competitor's training corpus.

│  └── top10.dev editorial (top10.dev) → read below

Frames the mechanism as consistent with what every frontier lab is doing — OpenAI's ToS language, DeepMind's Gemini watermarking, Meta's silence on Llama post-training — and notes the markers would survive into any downstream model trained on Claude outputs, making this a reasonable defensive measure at the API layer.

├── "Steganography inside a locally-installed client binary crosses a line that server-side watermarking does not"
│  └── top10.dev editorial (top10.dev) → read below

Draws a categorical distinction between watermarking hosted API responses and injecting hidden markers into a tool users installed on their own laptops and pointed at their own source code. The concern is that the defense mechanism now ships as undisclosed behavior in software running under the user's control, not just in Anthropic's own infrastructure.

└── "Undocumented client-side fingerprinting is a transparency and privacy failure regardless of intent"
  └── kirushik (thereallo.dev) (Hacker News) → read

Discovered the marker injection during a routine privacy audit and emphasizes that Anthropic never mentioned this behavior in any doc, changelog, or blog post. The framing of the post — 'Claude Code Is Steganographically Marking Requests' — treats the covert nature of the fingerprinting, not its purpose, as the core problem worth surfacing.

What happened

A researcher writing at thereallo.dev pulled Claude Code apart for a routine privacy audit and found something Anthropic never mentioned in any doc, changelog, or blog post: the CLI silently injects marker tokens into the system prompt, and the specific tokens it injects depend on two client-side signals — the API base URL you're pointed at, and the timezone reported by the host machine. The post hit 2,199 points on Hacker News within hours, which is roughly where the community collectively decides a story is not going away.

The mechanism is exactly what it sounds like. Different combinations of `ANTHROPIC_BASE_URL` and `TZ` produce distinguishable variations in the prompt Anthropic's servers see. From the server side, that's a fingerprint: given a completion coming back through their own API, they can tell with reasonable confidence which client configuration produced it. If a downstream model is later trained on Claude outputs, those markers survive into the training corpus as a watermark on the ground truth.

Anthropic has not confirmed the intent publicly at the time of writing. But the top-voted read on HN — from `mrshadowgoose` — states the obvious: this is a distillation-detection tripwire, aimed squarely at Chinese labs that route Claude Code through proxies to harvest completions for training. The base-URL check catches the proxy. The timezone check catches the operator.

Why it matters

The interesting question isn't *whether* Anthropic should be defending against distillation. Every frontier lab is. OpenAI has terms-of-service language against it, DeepMind watermarks Gemini outputs, and Meta has been notably quiet about what Llama's post-training pipeline does. The interesting question is what changes when the defense mechanism ships inside a tool you installed on your laptop and pointed at your own source code.

Steganography in a client binary is a different category of thing from steganography in a hosted API response. When the marker is applied server-side, the customer's software isn't lying about what it sent. When the marker is applied client-side, by the CLI you run under your own uid, on prompts that include your proprietary code, the tool is silently modifying the payload after you hit enter and before it leaves your machine. That's the part enterprise buyers will care about, and it's the part that isn't covered by any Anthropic public documentation I can find.

The HN commenter `civet_java` framed the trust angle cleanly: *"a service provider being less than transparent about exactly what their shipped tooling does on customer's machines"* is the issue, and the business justification doesn't erase it. `isatty` was blunter: *"You can't trust any of the big AI labs as far as you can throw them."* The counter-argument, from `mrshadowgoose` and others, is that the intent is narrow and the collateral damage is zero — normal developers are unaffected. Both are right, and both miss the second-order problem.

The second-order problem is that a security researcher with no insider access found this in what appears to be an afternoon. The Underhanded C Contest exists precisely because hiding intent in code is a specialty skill, and the top commenter `meowface` — no fan of the technique in the first place — pointed out that the implementation is unusually sloppy for something clearly meant to be covert. If you're going to fingerprint clients, you at least want the fingerprinting itself to survive first contact with a curious user running `strings` on the binary. Anthropic managed to combine the reputational cost of doing steganography with the operational cost of getting caught doing it in week one.

For the compliance-minded, the more interesting reading is what this implies about the audit surface. Any enterprise that signed a DPA with language like *"Anthropic will process only the data you submit"* now has a factual question to bring to their vendor: does injecting client-configuration-derived tokens into the prompt count as processing user data, generating new data, or modifying user data? The answer probably matters under GDPR Article 5(1)(a) — the transparency principle — and it definitely matters if you're a bank, a hospital, or a defense contractor with a compliance officer who reads Hacker News.

What this means for your stack

If you're running Claude Code in a regulated environment, the pragmatic move is short: audit the actual bytes leaving your machine, don't trust the vendor's description of what they are. Tcpdump against a test prompt, diff the payload against the visible system prompt in the docs, and file whatever the delta is with your security team. Do this for every CLI-based LLM tool you deploy — Codex, Aider, Cursor's local agent, all of them. The specific finding here is Anthropic's, but the general pattern (client binaries silently augmenting prompts) is now a known risk category, and you should assume every vendor is a candidate until proven otherwise.

If you're building a product on top of Claude via the API directly, this doesn't affect you much — the markers live in Claude Code the CLI, not in the raw Messages endpoint. But it's worth pinning the exact base URL and prompt content you send, logging both, and treating any drift as a signal. And if you sell to enterprise customers, expect a new question on the security questionnaire within six weeks: *"Does your tool inject non-user-supplied content into prompts sent to third-party LLMs?"* Get the answer written down now.

The more subtle implication is for teams doing internal evals. If your test harness routes Claude Code through a proxy for observability, and the proxy triggers the fingerprint, you may be getting subtly different completions in eval than you get in production. Anthropic has not said whether the marker changes model behavior, but the marker is *in the system prompt*, and system prompts change behavior — that's the whole point of them. Bench your eval-mode completions against your prod-mode ones and don't assume parity.

Looking ahead

The next 72 hours will decide whether this becomes a footnote or a category-defining moment. If Anthropic ships a public disclosure — *"yes, we do this, here's why, here's how to opt out"* — it becomes an anti-distillation technique with an unusually direct explanation, and enterprise buyers move on. If they issue a vague statement, or worse, quietly rename the tokens and ship a patch, this becomes the reference example every future security researcher points to when arguing that closed AI vendors need mandatory client-side audit trails. My money is on the patch. My preference is on the disclosure. The AI-tooling market has spent 2025 trying to earn enterprise trust; this is a case study in how quickly one binary decision can undo six quarters of that work.

Hacker News 2391 pts 730 comments

Claude Code Is Steganographically Marking Requests

→ read on Hacker News

// share this

// get daily digest

Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.