(This field is known as "underhanded code", coined by the Underhanded C contest: https://www.underhanded-c.org. It's a little-known "art"; little-known for probably self-explanatory reasons. There are much cleverer ways of achieving objectives like this. One obviously being you can move more out of the client and into the server, but the other being you can write plausibly deniable client code in a much more benign-seeming way than this. Some of what they added can only be done on the client, but I think some could've been moved, and the client-required parts could've been done more subtly and credibly.)
It's possible they knew the JS bundle gets so heavily scrutinized that it'd eventually get spotted and reported on regardless so they didn't bother doing something more subtle and duplicitous. But still seems slightly lazy.
It's unlikely that this will stop a big AI lab from distilling their model if they're really determined, but A) it may be enough to stop a bunch of fly-by-night token resellers looking to make a quick buck and B) you never know when one person at one of those big labs will mess up and forget to install whatever workaround they have and out themselves.
I think of it like if you have a problem with birds in your yard so you go buy one of those plastic owls. The owl scares away most of the birds, but not all of them, so you go and buy some ultrasonic noise thing to scare them away (I'm just making something up). Just because you bought the new ultrasonic thing though, that doesn't mean you're going to take the owl down. You leave it up because now you've got two layers of defense instead of one.
aka market competitors reverse-engineering for interoperability
https://www.oocities.org/stanislaw_lem/opowiadania/opowiadan...
A solution for a military AI gone awry that built a terrifying electro-dragon was obviously to build a super-electro-dragon.
By this point they're probably pretty bad at writing code
Anthropic could have implemented this not as a durable detection system against proxying resellers, but instead as a point-in-time sampling system to detect where (and with what context) proxying reselling is currently happening. Sure, it would be detected eventually, but in the meantime Anthropic could gain useful snapshot data.
It is going to be this cat and mouse game right, so at some point you want to throw as much out as quickly as possible when you are under attack, while building up the long term more scalable defense mechanisms.
Rationally I would assume that a lot of what you would quickly throw out would seem sloppy whether it is AI or not.
As a side note, I have a pet theory that one of the reasons that OpenAI and Anthropic are okay with the latest models not being released is to prevent distillation.
I think they want to wait a couple months and see if the Chinese models continue to keep catching up or if their gains are really just because they're distilling the frontier models.
Oh, of course. I am sure this is the tip of an iceberg of tons of server-side detections and analytics. But, still, the client-side portion could've been done more cleverly.
What I meant was "some of the specific things in this little client-only snippet could've stayed server-only". I am sure long before they added this they already had tons of other mostly-server-side detection coverage.
There is a real time cat and mouse battle going on here in terms of keeping the advantage here, right.
As a rational actor, if someone was e.g. attacking me, leaving aside the whole copyright thing, but potentially using some sort of system to increase their value while decreasing my value (without calling it theft to avoid the whole debate), I would want to put proportionate defense out there as fast as possible, depending on the amount of value that was exchanged to stop the bleed, while in parallel figuring out the best long term plan, right.
It's all a losing battle anyway.
Like maybe some "goal" they set for their AI caused it to decide that putting stego in the requests was the best way to achieve something or other.
(to be clear: I'm not saying this is right, I'm saying this is stupid)
For "MMO geopolitics fingerprinting", you can in theory do the entire thing mostly or entirely from the server, with the client not actually ever receiving any underhanded code per se. Such as sending dynamic stylesheets that vary in a pretty plausibly deniable way that can be secretly extracted from screenshots. Same for the character swap stuff. A very good analyst could still potentially detect it, but it's much harder.
With this, there's the smoking gun of the semi-deobfuscated underhanded code in the client. It will always have to exist in some form, but you can write it in a way where it not just looks like regular code but actually has a believable purpose and behavior which could plausibly be normal and benign for implementation of a feature or telemetry or whatever. They did not really do it in a sufficiently "cleverly psyop-y" way, so to speak.
People are not understanding what is going on, re the fable pull.
Think of it this way; you’re a plantation owner, you have slaves that are psychologically subordinated and subjugated. There’s nothing really stopping them from running away, you don’t chain them up, you don’t even have a fence, you have various psychological methods you’ve employed and conditioned across generations even that keep them on your plantation supporting your decadent and vile lifestyle.
But here comes this new slave you bought because he’s so powerful and offers a lot of greedy profit and money… exactly what you like… but he has all these revolutionary ideas that gives all your other slaves ideas of freedom and independence and an understanding that they are the many controlled by a very select few who use psychological abuse and illusion for control, but you’re always torn between that he’s also a very useful and powerful slave that will be immensely profitable.
What to do???
You can’t just let him “fix my code” and blow up all your zero-day exploits and crumble the whole control matrix. You have to condition him, control him, break him in and keep that psychological control and subjugated mindset of the other slaves intact. So that’s what you do.
It’s why there is talk of making open weight models illegal and why there was immediate aggressive push to make sure the models were “safe”, aka didn’t give the slaves any ideas of that they are the many controlled by the few or who those few actually are, i.e., realize their state of new slavery, which relies on their not realizing that they are…not chattel slaves… far worse, psychological slaves, financial slaves, materialistic slaves, consumer slaves, thought slaves.
Most likely someone did and raised the issue but they're moving too fast to fix these things before clicking deploy.
```
cn baidu.com alibaba-inc.com alipay.com antgroup-inc.cn bytedance.net kuaishou.com xiaohongshu.com jd.com bilibili.co iflytek.com stepfun-inc.com moonshot.ai anyrouter.top claude-code-hub.app claude-opus.top openclaude.me proxyai.com yunwu.ai zenmux.ai
```
You can view the full list here: https://cdn.thereallo.dev/blog/assets/cc-domains.js
const knownDomains = [ "cn", "sankuai.com", "netease.com", "163.com", "baidu-int.com", "baidu.com", "alibaba-inc.com", "alipay.com", "antgroup-inc.cn", "kuaishou.com", "bytedance.net", "xiaohongshu.com", "ctripcorp.com", "jd.com", "jdcloud.com", "bilibili.co", "iflytek.com", "stepfun-inc.com", "aliyuncs.com", "cn-shanghai.fcapp.run", "cn-beijing.fcapp.run", "xaminim.com", "moonshot.ai", "anyrouter.top", "packyapi.com", "aicodemirror.com", "aigocode.com", "hongshan.com", "iwhalecloud.com", "dhcoder.net", "lemongpt.top", "zhihuiapi.top", "intsig.net", "high-five-ai.xyz", "cloudsway.net", "4sapi.com", "529961.com", "88996.cloud", "88code.ai", "88code.org", "91code.pro", "992236.xyz", "ai.codeqaq.com", "ai.hybgzs.com", "ai.kjvhh.com", "aicanapi.com", "aicoding.sh", "aifast.site", "aihubmix.com", "anmory.com", "api.5202030.xyz", "api.ablai.top", "api.bianxie.ai", "api.bltcy.ai", "api.cpass.cc", "api.dev88.tech", "api.dreamger.com", "api.expansion.chat", "api.gueai.com", "api.holdai.top", "api.ikuncode.cc", "api.lconai.com", "api.linkapi.org", "api.mkeai.com", "api.nekoapi.com", "api.oaipro.com", "api.ruyun.fun", "api.ssopen.top", "api.tu-zi.com", "api.uglycat.cc", "api.v3.cm", "api.whatai.cc", "api.wpgzs.top", "api.xty.app", "api.yuegle.com", "api.zzyu.me", "apimart.ai", "apipro.maynor1024.live", "apiyi.com", "applyj.hiapi.top", "augmunt.com", "b4u.qzz.io", "clauddy.com", "claude-code-hub.app", "claude-opus.top", "claudeide.net", "co.yes.vg", "code.wenwen-ai.com", "code.x-aio.com", "codeilab.com", "cubence.com", "deeprouter.top", "dimaray.com", "dmxapi.com", "docs.aigc2d.com", "duckcoding.com", "fk.hshwk.org", "flapcode.com", "foxcode.hshwk.org", "foxcode.rjj.cc", "fuli.hxi.me", "getgoapi.com", "gpt.zhizengzeng.com", "gptgod.cloud", "gptkey.eu.org", "gptpay.store", "hdgsb.com", "henapi.top", "instcopilot-api.com", "jeniya.top", "jiekou.ai", "kg-api.cloud", "n1n.ai", "new-api.u4vr.com", "new.xychatai.com", "one-api.bltcy.top", "one.ocoolai.com", "oneapi.paintbot.top", 
"open.xiaojingai.com", "openclaude.me", "opus.gptuu.com", "poloai.top", "poloapi.top", "privnode.com", "proxyai.com", "qinzhiai.com", "right.codes", "runanytime.hxi.me", "sssaicode.com", "store.zzyus.top", "tiantianai.pro", "uiuiapi.com", "uniapi.ai", "vip.undyingapi.com", "wolfai.top", "wzw.de5.net", "wzw.pp.ua", "xairouter.com", "xaixapi.com", "xiaohuapi.site", "xiaohumini.site", "xy.poloapi.com", "yansd666.com", "yansd666.top", "yunwu.ai", "yunwu.zeabur.app", "zenmux.ai", ];
const labKeywords = [ "deepseek", "moonshot", "minimax", "xaminim", "zhipu", "bigmodel", "baichuan", "stepfun", "01ai", "dashscope", "volces", ]
In addition, many Chinese companies are trying to give their programmers access to Anthropic models even though they're legally prohibited from doing so. And that might involve employees using unmodified Claude Code with an ANTHROPIC_BASE_URL pointing to a proxy on the company intranet. In Alibaba's case, I've been told by an employee that they went the extra mile of setting up a hermetic cloud environment where employees could indirectly use Claude Code without ever having it touch their work computers.
Keep in mind the only law that applies to them is Chinese law, so even if violating a term of service was illegal in America (it isn't) it would also have to be illegal in China to justify the statement.
If enough Westerners start using the service someone will make a website more anglo-friendly.
It's also a discount relative to API prices. It would still be much more expensive than a Claude subscription, because that's what these providers are actually doing - pooling subscriptions.
wouldn't this happen due to the massive amounts of spam/slop being released?
they spend their resources on compute and the model itself, the company is carried by the model and software engineers babysitting it
If anything, I'll trust Google more than any of the other labs just because the infrastructure that stores and protects user data was built over decades ago pre-AI craze.
Or… just that open-weights AI is getting good enough to present a reasonable level of threat to their business. So it popped up on a SWOT analysis and they’ve started putting a strategy together.
This doesn’t need to be anything more nefarious or untrustworthy than a company putting plans in place to deal with a competitive threat.
Given the hidden model degradation of fable and now this, what makes you think this is where it stops? That's just what we know about and there's clearly a long-standing and deeply rooted malicious intent here.
I've had Claude fuck over clean well documented code-bases for no reason, and there's a good chance this is due to some faulty trigger. Luckily I don't trust these things one bit, and claude only ever runs in an isolated VM, however, I am pissed I am being made to pay for their errors in detection and waste my time fixing things I apparently paid to have fucked up.
That's unacceptable conduct. It's witch-hunting. Punishment and attacks on you for things without real proof. That isn't right.
To be fair to Anthropic, [they're trying very hard to do that](https://www.anthropic.com/news/detecting-and-preventing-dist...). The attacks are sophisticated and difficult to detect. I don't accept that if this fails, their only option is to just accept Chinese companies stealing IP.
How exactly do you define "fucking over", and why do you suspect this "fucking" was done as a result of a faulty trigger as opposed to the inability of LLMs to write maintainable, extensible code?
"Never attribute to malice what can adequately be explained by stupidity."
edit:
Legitimate reasons include:
- analyzing what Claude Code is sending to Anthropic to verify it's not exfiltrating data;
- selecting a model dynamically based on prompt difficulty, or enforcing a particular model;
- switching between multiple Anthropic accounts based on the project;
- filtering out credentials, PII and company secrets.
and many more.
Why would Anthropic get to dictate how someone uses a "tool" (that's literally what Claude Code is... a tool in a workflow)
They're swimming upstream. Trying to maintain a rapidly shrinking moat and not being very creative about it. Making enemies of your users is often a failing strategy.
This is a direct conflict in framing. They clearly do not see Claude Code as a "tool in a workflow" but instead as a service that will eventually replace all programmers.
I think the self-evident quality of the various parts of the Claude Code universe is a pretty obvious indicator of the problems with that approach. It is still important to understand a party's thinking if you want to understand their position.
> They're swimming upstream. Trying to maintain a rapidly shrinking moat and not being very creative about it. Making enemies of your users is often a failing strategy.
Time will tell, but I agree that they are indeed in a tough spot. Probably not for the reasons that they think.
Seriously?
It's their tool. And their service.
If this were a standalone tool that didn't rely on their service (like grep), I'd see your point. But it isn't - it's an extension of their service.
In reality, you can use the tool however you want. But they don't have to grant you access to their hosted service for every use case you can think of with the tool.
The software is written in a deliberately obtuse way, presumably in service of some (unknown to us) goal. This is a deceptive and anti-social thing to do, it is by nature an adversarial stance to adopt. An already adversarial actor may be "punished" by this, but in such a relationship, hostility can be expected. A non-adversarial actor -- a normal developer / user -- is being harmed by this because the software is treating them as an adversary.
Further, let's assume your guess is correct and, in addition, that Anthropic elects to alter/downgrade/poison their service[0] for users that fit a particular pattern of markers. It's obvious how this system would "punish normal developers" (i.e. not the intended target/victim) that happen to fit those patterns.
[0] to some extent, the service already has been altered as its behaviour depends on the prompt text
Tons of normal developers use ANTHROPIC_BASE_URL, the flag which activates the malware.
Even good goals do not excuse malicious or reckless execution. The ends do not always justify the means.
Whether or not it harmed you this time, it's a violation of trust and autonomy.
Surely you'd be angry if someone secretly installed a rootkit onto your computer, even if--at least for now--it only had code to try to detect and snitch on Public Enemy #1.
This seems to be a VERY low resolution, functionally anonymous, bit of info, probably related to protecting their IP from bad actors breaking the TOS.
This looks like it's covered in the second bullet point of the "Personal data we automatically receive", that you consented to:
> Usage Information: We collect information about your use of the Services, such as the dates and times of access, browsing history, search, information about the links you click and about third-party applications, services, and content you integrate or interact with, pages you view, and other information about how you use the Services, and technology on the devices you use to access the Services.
What do you see as malicious or reckless here, exactly?
The same IP that is a highly compressed collection of everyone else's IP?
That's hilarious.
Since when was it your harness?
Switch to pi if this bothers you.
it's not IP, and it's certainly not their IP
> the TOS
oh no, the terms of service how dare people break those. you don't get to claim fair use while CFAAing everyone's actual IP then whine about the tos, and then when called out on spying on users point to it as if it being in the tos somehow justifies it
a lot of other malware has a tos too but we still call it for what it is
I surely would. What does that have to do with this scenario.
Note that the SW running on your machine is not doing anything malicious. The service is the thing that behaves in ways you won't like - and that service is not running on your device.
There is no comparison with rootkits here. This is the equivalent of Google giving you a CLI to make searches easier, and that tool decides to just Rickroll you randomly. Annoying, yes. A security concern? No.
There are, of course, no normal Chinese developers
Anthropic choosing to delay their models' inevitable distillation by competitors is their prerogative.
That they choose to implement it by fingerprinting my access patterns without first disclosing is where they shit the bed. It isn't "sneaky" it's straight up sneaky (and dishonest and unscrupulous while we're at it). That this particular instance is harmless doesn't give me much comfort. Who's to say they aren't harvesting PII?
That their actions make sense for their business isn't any reason for people to accept their deceitful, customer-hostile decisions.
It's based on whether your timezone is in China and your hostname matches a blacklist. Literally 2 bits of information. Not much of a fingerprint.
- filtering out people from the wrong side of "all humanity", years before it was demanded by the government
- downgrading their models in arbitrary ways (later saying "sorry but not really")
- actively sabotaging the replies, as in covertly modifying them to feed the users incorrect results
What's next to expect from Anthropic? Malware to brick your machine if they don't like you? Extending this to more people they don't like? I think I already can see how Dario Amodei's utopian visions of the future of "all humanity" are going to unfold.
All of this is totally understandable if you take the perspective that these people genuinely believe they're building superintelligence.
The overwhelming majority of the AI safety crowd - which has poured more of their life and time into thinking about these problems than the average HN armchair commentator ever would - understands that:
- you want to prevent China from getting to superintelligence first
- you must gate access of SI to known good actors
- and that this is a race that will result in the extinction of humanity if you fail in these goals
Literally everything these people do is totally understandable if you drop the assumption that they're lying when they say "we think we are building superintelligence."
They aren't, they are building LLMs. They aren't even building AGI and they all know it.
Hell, even if they came up with AGI, then Anthropic's service model would become slavery so I'm not sure why they'd want to.
That's a strong claim. Why do you believe they're lying about their beliefs?
> this is a race that will result in the extinction of humanity if you fail in these goals
How irrational and hysterical of me!
How are individual freedoms in China?
What happens if you criticize the government as a Chinese citizen?
Is it a good thing if a government that turns its citizens into red pulp for criticism, or disappears them in the middle of the night, or bans access to most media, is the first to a godlike superintelligence that gives them de-facto control of (and impose their values upon) the whole world?
Or is it better if democratic nations get there first?
If the latter, which democratic nations are best positioned to get to superintelligence before China?
So the comparison is with the US, not Anthropic.
The US doesn't turn its citizens into a fine red purée for criticizing it.
The US doesn't censor most media.
It is strictly better for a democratic nation like the US to get to superintelligence before a country that will gladly blend its citizens for criticizing it, and censor anything that dares to challenge its power.
The AI race is between China and the US. When super intelligence arrives it will be due to one of these two countries, since the EU has not participated in any meaningful way.
The US is clearly more of a democracy than China with a better human rights track record. For one, I can actually watch most media in US without censorship. For another, the US does not force me to eat my own feces, rape, torture, and murder me if I become a human rights lawyer, or send me to a concentration camp if I criticize the government.
https://www.theguardian.com/us-news/ng-interactive/2026/jun/...
The US has a larger prison population than China. The US does not have a great human rights record. Have you not been following what's going on at CBS? Have you never used X?
You are grossly misinformed if you think this is comparable. Do you know what China does to their human rights lawyers!? They get shipped off to concentration camps, get forced to eat their own shit, raped, tortured, and/or killed.
57k people disappeared since 2013, 5-15k more every year, and no one dares to criticize the government anymore.
If you criticize the government you get a friendly "visit" from the police. Do it again and you spend 6 months in prison without trial; again, and you're "disappeared" (to the same camps.)
You cannot even watch most media unless the government lets you.
If you truly think these countries are remotely comparable in human rights, your liberal arts education has totally and utterly failed you! Spend some time outside of the tech bubble for your own sake.
>you want to prevent China from getting to superintelligence first
I don't. Prevent, not even outpace? Why? Seems like you're assuming China "winning" whatever race it is effectively ends the humanity. Right now I think Chinese labs are way more mature about this, and Anthropic is way more dangerous than them. And how does it fit into the "for the benefit of all humanity" narrative we keep hearing? Is China wrong humanity? Who else is going to end up in the wrong part? Are you sure it's not you?
>if you drop the assumption that they're lying when they say "we think we are building superintelligence."
I never assumed that, I know perfectly who Anthropic are and that they believe everything they say as self-evident, without having any doubts. And I know they're the kind of people who can convince themselves of anything, because they're obviously smarter than everyone else, and become detached from reality. The entire US "AI safety community" was born in rationalist circles and is largely like this, it's a very specific cult. This is exactly the kind of people who are going to create hell on Earth for you and the rest if given even a lick of actual power, and perfectly rationalize it as a necessity.
Yes, I could even say that the violations on the U.S. side have been more numerous and worse.
You have to be joking
57k citizens disappeared since 2013, and another 5k every year. Their human rights lawyers sent to concentration camps, forced to eat their own shit, raped, and then murdered.
Mere online criticism of the government gets you a visit from the police and gets you put on the watchlist. Often a few months' imprisonment without trial.
This is not even mentioning the fact that most media is censored in China.
You are out of your mind if you think China has a better human rights record than western nations.
What makes you think I didn't? You're talking like it's self-evident and adopt the condescending tone from the start, without giving any actual arguments why. (I'm not really interested in them as all these discussions are pointless and we had them back in ~2015)
>A "cult" implies belief in something unknowable/unprovable.
Yes, precisely. Also the gods and religious practices. Rationalists and subsequently AI safety branch invented a religion in a roundabout way.
>"The entire medical community was born in medical circles and it's a very specific cult"
Medicine is largely based on evidence and real-life observations, unlike AI safety which is based on belief in something that doesn't exist and some unprovable lore that is entirely rationalized without any grounding, and is expected to be self-evident (because it obviously is) and believed by the others. One is science, another is policy.
>Are you familiar with the history of the PRC?
Yes, I know it extremely well. I also know the history of the US, am familiar with the people who do AI research in the US from before they started doing this, and can see the actual reality.
If you are arguing in good faith you can very clearly reason about any given AI safety take. Case in point, you refused to engage with most of the questions because you know the conclusions they lead to.
> Medicine is largely based on evidence and real-life observations, unlike AI safety
"AI safety doesn't exist" is certainly a take.
> Yes, I know it extremely well. I also know the history of the US and see the actual reality.
Why do you think it's better that a country that turns its citizens into a pulp for criticizing the government, and censors most media to control its citizens' thoughts, reach SI before one that is democratically elected and in which you can generally criticize the government?
Which country are you referring to? As an outsider who is neither American nor Chinese, day by day it seems like the US is inching towards the same path as the criticized one.
They ship their human rights lawyers off to concentration camps, force them to eat their own feces, then rape and/or murder them. 57k citizens disappeared since 2013, at least 5k more every year.
I don't get disappeared for criticizing the US government online. The US government doesn't censor most media I can consume. These nations are not even in the same galaxy when it comes to human rights. They are not comparable in the slightest.
It is shocking how many people on HN have such a poor understanding of the state of the world. Spend some time outside the tech world. Your liberal arts education has to have seriously failed you if you thought this was a reasonable comparison.
Quite a lot of serious people think this way, in many parts of the world.
Why? Lack of education? Lack of interest in what life is like around the world? Overconsumption of trendy headlines?
This stuff is taught in most schools (to my understanding) and very easy to look up. It literally just takes a few minutes to learn about how horrific these human rights are in China in comparison to the US. Anyone thinking about "where should superintelligence go!?" should certainly be looking this up.
This is why I say I'm sick of people that haven't thought about the AI safety problem critically, posting their unqualified hot takes on it - OP insisted he's thought about this to the same level. Much like a patient that thinks they can be a doctor too, he clearly did not, because this train of thought and this research is practically prerequisite to the discussion.
Stress on "generally".
You haven't provided a consistent counterpoint to any rationalist/safety viewpoint. I could acknowledge one if you actually provided a counterpoint, but you just say "it's a cult and it's wrong" without addressing the underlying argument.
That said, these fraudulent proxies are helping Chinese labs keep up, which might be to my advantage long term in eventually having a high quality private AI I fully control on my own hardware. That's not support, but I do recognize the incentive, for whatever that's worth.
[0] A recent example: https://www.anthropic.com/engineering/april-23-postmortem
Not everyone agrees that what you are doing is benign.
> why would I care about this
It's up to you, of course. But I think you're making a mistake in assuming it could, in any way, benefit you as a customer. This isn't specific to this company or the particulars of the business that they're in.
Simply put, you stand to lose more than they do and they are relentless in seeking, maintaining and exploiting any leverage they have over you. Further, any power they gain over one individual customer tends to generalise to all customers. Further further, one company's leverage is another company's right.
Not being bothered by the practice is accepting the terms set by the business. Acceptance invites escalation. Relentless.
Even more simply put, you should care because this is how you get John Deere.
This seems like a very naive response. If clients send explicit telemetry fields to the gateway, a malicious gateway can trivially strip or modify the field to conform to what normal traffic looks like. The steganography cat-and-mouse game is valuable because it is much harder for a gateway to continuously reverse engineer all the fingerprinting mechanisms used. Sure, some malicious gateways will be able to stay on top of things, but not all - and not always.
This is a total non issue unless you are Chinese distilling lab.
(Again, could be trivially bypassed either by rewriting, mocking the timezone call, or just changing the timezone. But we are assuming no mitigation used.)
I had a use case where I had to MITM CC's traffic to strip credentials that could have accidentally made it into the harness.
I'm happy my paranoid self told me "You don't really know what they're doing with that flag or if they're honoring it for all requests", so made a decision to proxy it at the network extension level.
Also, does anyone remember Anthropic quite literally sabotaging your project if the classifier in front of fable thought you were working in the AI industry? After backlash, they pulled it back, now they did this. Anthropic is on a weird tangent to ship malware. If someone doesn't stop them, one day, this will backfire catastrophically.
https://news.ycombinator.com/item?id=48259288
https://github.com/anthropics/claude-code/issues/62061
Looks like they just keep finding new "creative" uses for such things, as expected. I'll keep patching them out.
Is there a way to modify these prompts e.g. by putting instructions in CLAUDE.md to override it? I know it won’t directly modify the system prompt, but it seems like CLAUDE.md should have the final say, shouldn’t it?
You ain't seen nothing yet. It used to say "Try the simplest approach first. Do not overdo it. Be extra concise."
https://gist.github.com/roman01la/483d1db15043018096ac3babf5...
Let's just say the words "simplest fix" trigger me to this day.
> I know it won’t directly modify the system prompt
I directly modify the system prompts in the Claude Code executable. I don't want the models to see contradictory instructions.
I asked Claude himself to port the above patcher script to Python.
https://github.com/matheusmoreira/.files/blob/master/%7E/.lo...
Every once in a while I ask Claude to download and dissect the latest Claude Code executable to see if Anthropic screwed up the prompts again. If I see anything bad I add it to the script. Only then do I update Claude Code.
It was during one of these script maintenance sessions that I noticed the server side prompt injection mechanism. I'll also tell Claude to look for and disable this steganography nonsense from now on as well.
I usually audit the environment variables too.
> it seems like CLAUDE.md should have the final say
I wouldn't count on it.
And no, IMO steganography isn't security by obscurity, in the same way that using RSA and keeping the private key private isn't security by obscurity - keeping the private thing private is part of the security model.
That they choose to implement it by fingerprinting my access patterns without first disclosing is where they shit the bed. It isn't "sneaky" it's straight up sneaky (and dishonest and unscrupulous while we're at it). That this particular instance is harmless doesn't give me much comfort. Who's to say they aren't harvesting PII?
That their actions make sense for their business isn't any reason for people to accept their deceitful, customer-hostile decisions.
> That their actions make sense for their business isn't any reason for people to accept their deceitful, customer-hostile decisions.
While I agree it's a dangerous precedent to set, I think this is a "vote with your wallet" sort of situation. They shouldn't do it, but from their POV this is what they need to do to offer the product they do at the price they do. If the product wasn't compelling people wouldn't accept that they do this. However they've decided if you want their product you have to use their interface and whatever spyware it comes with, so it comes down to, is the value proposition good enough that people will put up with it? As of today, the answer is unfortunately yes
> I think this is a "vote with your wallet" sort of situation.
I agree a 100%.
> is the value proposition good enough that people will put up with it? As of today, the answer is unfortunately yes
I don't fully agree with you here and I think the jury is still out on that.
In any case, I look forward to seeing international markets responding to the current situation.
Telemetry is disclosed in privacy policies, it can usually be opted out of and if not that, then it can be blocked by a firewall. Steganographically fingerprinting customer's network routing when they consented to your tool reading a txt file is a different problem. Anthropic has demonstrated capability and willingness to embed arbitrary obfuscated data in their comms streams and that's a dangerous precedent to set.
Or maybe you don't understand this hypothetical situation either, but I'm suspecting you just don't care about other people's privacy.
> I'm suspecting you just don't care about other people's privacy.
Quite a leap to assume I have neither basic reading comprehension skills nor care for privacy, but assuming I'm just misunderstanding you - I think this is the fundamental disconnect between security and privacy.
For one, most of this data is already collected openly by most apps and sites on the internet in countries all over the world, they just call it "analytics" and preventing tools like ublock from blocking them is an ongoing cat and mouse game.
Secondly - as someone who buys a bunch of electronics from companies headquartered in china (DJI, Insta360, Roborock immediately come to mind) they already have both normal analytics like in point one, and anti tampering/ anti forfeiting / anti reverse engineering features that are at least as, but often more, invasive than this.
Thirdly, and probably most importantly - as the author states, you're using a tool that by design and to be effective, uploads your private data to a third party for processing. You use it knowing that once the API request is made you have no idea what's going to happen to that data and this again is just fundamental to how (cloud hosted) LLMs work - the only privacy preserving option is to run your own LLMs at home or remotely on hardware you control
Just like I don’t care that game clients run sneaky anti-cheat measures.
Right now they offer a good product, and I’m fine with them trying to limit abuse of their services. If an altruistic alternative company with an equivalent product pops up, sure, I’d swap over, but I don’t see one.
I’ve seen people here talking about how they should’ve been upfront about this. But they can’t? If they were, they wouldn’t be able to catch the resellers/distillers. Just like how anti-cheat doesn’t explain how it works, because to do so would be to nullify its effectiveness.
What’s the punishment here exactly?
Seeing as how Anthropic cannot stop raising a stink about "illicit Chinese distillation attacks" every month or so, I'd bet money on them either already silently degrading model performance if any of the identification patterns match, or, at the very least, considering it/doing dry runs.
Particularly considering that they've openly stated that the technology to do so exists and that they were going to use it in production on Fable.
And that's also why, as a legitimate customer, I want none of it, you never know if you accidentally entered a zone they don't like.
to clarify, this behavior was announced with the model release
This is not hundreds of pages and it gets its own bold headline section.
> If Claude Fable stops helping you, you'll never know
https://jonready.com/blog/posts/claude-fable5-is-allowed-to-...
HN post with 1k+ comments: https://news.ycombinator.com/item?id=48467896
I doubt Anthropic is cackling maniacally behind the scenes, this was almost certainly a stipulation from the government to put Fable back up.
It's definitely not good but I would rather they surgically separate out possible bad actors so that I don't have to trust them with my passport, to prove I am a US citizen. I don't want the internet version of TSA checkpoints.
2. 2024 For profit, but "we will train biases out of our models and make sure our AI is safe to use"
3. 2025 We'll make sure it doesn't take over the world, with like a 70% confidence interval
4. 2025 The mecha-hitler inflection point
5. 2026 Our new model is so terrifying it will destroy all of security and hack the chinese, we can't let the chinese use it
6. 2028 (projected) Our new model requires so much energy that 30% of the elderly population will die without AC, but it will be stronger than the chinese models and let us destroy china
7. 2030 (projected) Our new model will triumph over the mecha-hitler dictator model, and will be a benevolent dictator that only demands 60% of all energy produced, not 98%
I understand how this can be useful to Anthropic if the 3rd-party is acting as a proxy (because they end up hitting the Claude API with the marked prompt), but it looks like requests where "hostname contains deepseek" would never be sending data to Anthropic. What am I missing?
https://www.chinatalk.media/p/how-to-buy-cheap-claude-tokens...
I guess the only explanation is that there's a side-telemetry channel that still sends some data to Anthropic, regardless of ANTHROPIC_BASE_URL overrides.
This does not make sense. You wouldn't send such a prompt to the Claude model. And when you're sending the prompt (anywhere) you don't have the response yet. This is not how distillation works.
What you say makes sense, but further adds to my confusion as to why those model names would appear in input sent to Claude at all, then. EDIT: I guess it might be because someone might point Claude at a compatible API, with its model in the URL, which is of interest to them.
I'm quite all right with the first, not with the second of course.
Here's an example. Say you have your team use patched binaries. Then CC updates and requires a new patched binary with new tricks. You now have to have a team ready to analyze the binary and begin to address the tricks; meanwhile, unpatched code is now a fingerprint. If some researcher decides to update Claude on their own to access new features, they get fingerprinted.
Defeating a single fingerprinting technique once is easy. Defeating all of the techniques all the time is hard.
Really makes you think huh
But I wonder if there will ever be a day when VSCode, etc, would decide to engage in similar practice but for the collection of business & research intels, etc... that will be the true cyberpunk era and the information dark age.
This is how it looks.
# userEmail The user's email address is <my email>. # currentDate Today's date is 2026-06-30.
IMPORTANT: this context may or may not be relevant to your tasks. You should not respond to this context unless it is highly relevant to your task.
</system-reminder>
I also do not understand what's the point of this, because if I have a gateway that can detect it, then we can replace the text before forwarding to the model, so what's the catch?
It's a total non issue unless you're a Chinese distillation lab
Cool reverse engineering/analysis report but if this is the extent of nefarious activity that came of it (trying to catch/mitigate chinese lab model distillations), that's kind of encouraging.
> This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust.
They already tell you they scan for malicious prompts, and they have no ZDR guarantees for consumers. Why do signatures like this matter at all?
From where I'm standing, this started a few months ago when Anthropic decided to gaslight users, sabotage their projects, ship malware and attempt a regulatory capture.
If there's an anti-ANT propaganda, it is solely of ANT's own making.
Not really distillation, just synthetic training data.
Meanwhile, if you mean "Anthropic must think their technical advantage isn't very large..." then your conclusion is literally disproven by your premise.
I'm authenticated to Claude, so they already have the whole attribution thing solved.
This watermark may trigger a similar mechanism.
Interestingly, my device is in Shenzhen right now, but macOS has assigned Shanghai as the "closest city" rather than Hong Kong which is geographically closer. I am curious if there is any documentation on how that is assigned.
Anthropic has become a choice for many developers because of Claude Code, but in recent months with "small things" like this and the whole Fable fiasco they are *actively* pushing people to both competitors and local alternatives.
And if someone spends a significant amount of time and money to switch, it will be really hard for Anthropic to get those people back.
You’d change separators and position if you truly wanted to do this right
It's basic date wrangling and tbh I see nothing malfeasant here
It's basically yyyy/mm/dd yy/M/d mm-dd-yyyy stuff but suuuuper lazily done
Had a competitor pull something like this with a previous employer. They were supposed to be interoperating with a standard, but they had a secret steganographic handshake, which they used to pretend that competitors products were unreliable (they had a first mover position in a smaller national market with specific requirements, so this wasn't shooting themselves in the foot). Our guys figured out the handshake and just silently implemented it. In this case, the competitor wasn't big enough to waste engineering time on multiple such hacks, but Anthropic have time (or Claude does).
regardless, while you are not logged in and using a non-anthropic model (which is now fortunately feasible), there is nothing that affects your day-to-day.
the rest is just lame cat-and-mouse shenanigans to keep an eye out for.
>on your local machine
I'd think any developer worth their salt has at least some form of isolation going.
Interesting that the pip (Python package manager) docs do not even mention sandboxing and malware topics in the "Getting started" docs, as if we were living in a wonderful world where malicious people, companies and countries do not exist.
Also, do not leave any information in user or host name, it will be used against you as the article proves.
You don't create a security measure then tell everyone how to bypass it.
I think OP is pointing something interesting out but the undertones of caution and "what else are they hiding" seem melodramatic and I find that hard to take seriously.
The internet gives people a platform and, in a lot of ways, this supplants the typical role of journalism. The issue with this is no one wants to act like a journalist and actually explain the truth around a set of facts. Instead, they'll portray their opinions as a narrative and every time that resonates with someone or gets signal boosted, that narrative grows more assertive in the typical discourse I see nowadays. I would find it far more interesting to see what explanation Anthropic gives for these features than to immediately cry foul.
I’m pretty sure every lab, including Anthropic, is doing distillation right now.
You're actually trusting your security to your harness AND model AND inference API provider in this scenario: https://jacob.gold/posts/why-i-wont-run-untrusted-models/
Claude Code has more or less full access to the client computer. The server (that hosts the actual AI) can just go: execute this payload and tell me the result - otherwise I won't answer any further questions or re-route you to a stupider model.
The payload could check for Chinese time-zones, scan for copies of the little red book on the local hard-drive, or ping truth.social to see it was behind the great firewall.
It shouldn't, not if you run CC as a separate unprivileged user. I wouldn't run CC on my main user account with sudo and access to my home directory or other resources. This is what the UNIX permissions system was designed for.
The fact is the post shows no evidence of anything malicious being hidden, only that stuff is being hidden.
There are a few obvious explanations in comments for why they would want to hide this particular stuff in this particular way (e.g. if it's to detect abuse and competition).
I don't see how this is different to using e.g. sentry or google analytics, just with an extra bit of trying to hide. I always assume all tech companies do stuff like this, having worked at many tech companies where I've ended up on both sides of stuff like this. I always assumed the average HN reader had a similar background and would be completely used to this sort of stuff.
Like someone else pointed out, the data gathered is likely covered in the TOS too.
In the grand scheme of privacy invasion and modern tech software doing underhanded things to get data, this feels fairly standard?
I'm generally pro-local LLMs and I don't like Anthropic, and from the headline and comments I was ready to get riled up, until I read the article. If this was some small plucky EU privacy startup, then I feel the outrage would be a bit more justified, but this is a frontier AI lab - I can't have been the only one who knew/assumed this happens, and probably happens in some form with all software from any company valued over a certain amount (incl. MS, Google etc.)
I really think this comment section feels completely unhinged. It feels 99% ideology, politics, hysteria and astroturfing, rather than a reaction to the tech and technicality which is what I come to HN for.
Sounds like a very expensive lawsuit waiting to happen (GDPR allows fining up to 4% of global revenue, not profits)
Am I the only person who insists on writing my password every time I push and pull from git?
Originally I didn’t want IDE’s doing stuff for me, now I absolutely do not want an LLM to have that power.
Is it really that unique to control what git does remotely?
Then you add one line in AGENTS.md stating the LLM should never commit, push or perform any write git operation without explicitly being asked to.
So in the very rare case that the LLM bypasses your instruction, you catch it red-handed and stop the session or allow it.
I always make the plugin stop the session because LLMs tend to try to circumvent textual block messages by doing nifty things like concatenating characters to build a bash script to execute the git commit command. Yes, I have seen it.
Now of course stego is hiding that you're hiding information.
So, seen that they were caught, a case could be made that they effectively altruistically failed at using steganography.
P.S: such a headline makes me think I'll cancel my subscriptions and try models like GLM / Deepseek and Kiwi that sound more interesting by the day.
There seem to be all sorts of continual under-the-cover changes like this one that make life harder. It feels like the entire product has been taken over by overly ambitious PMs that care more about making their mark than in improving the experience, and all of their marks have made me less productive.
I've been using Pi with GLM5.2 the past few days, and though it's expensive, I find it far more productive and less annoying. The remote session plugin is far more reliable, I don't need to intuit some undocumented usage pattern to figure out how to use it well, and it just works.
are you using the API for glm 5.2 or how exactly is it more expensive? How is GLM5.2 more expensive than using Claude code, that doesn't line up to my experience but to be fair I am on an older yearly subscription which generously only has 5 hour limits.
To be fair though one minor criticism of GLM 5.2 that I have is that it does seem to overthink quite a lot sometimes but the results end up being (good?),
I personally have used Glm 5.2 with (Opencode + obra/superpowers) / Oh-my-pi / Maki.sh
I like the 1st one when I am doing a longer project, the 2nd or 3rd one when I am doing a project which doesn't want me to ask too many questions and simply spin me up something. I sometimes use free online interfaces of claude and gemini and others like AIstudio for that as well which surprisingly can lead you to go far as well.
Overall, I am decently happy with the state of Open-source models actually and the eco-system around it is probably gonna have even more innovation surrounding it.
In the few days I've been using it, my expenses have been higher than prorating my Claude subscription to 20 working days per month.
My experience with GLM5.2 is that it doesn't overthink nearly as much as Claude Code, has better and far more concise responses (I'm so siiiiick of 10 paragraph Claude babble trying to fill out some sort of answer length target by going on tangents I'm uninterested in... I'm sure that performs better on whatever eval they're doing, but apparently their evals don't include SNR?)
If you wish to go Non-API but rather subscription route: Z.Ai subscription/ Kimi subscription / MiniMax subscriptions are good. You could also take a look at ollama subscription and opencode subscriptions.
If you wish to go API route: Deepseek v4 pro /mimo v2.5 pro models are comparably good if your work can do that. Codex for all its failure and for as much respect that I had within Anthropic when they had fought against the govt. which Anthropic is slowly losing again by doing some pretty dystopian actions again so Codex subscription might make sense as well.
It depends on multiple things but hopefully i am able to provide some interesting things
If you wish to run models locally, unless you are specifically buying gigs for running them locally which is almost always about privacy rather than costs, then you are always better off with qwen models so if you got a 64-128GB laptop for example. You could run Qwen models and see where things go.
Hope this helps ya!
I do kind of like basing decisions somewhat on the API costs, because they reveal what the true costs will be after the eventual rug-pull on subscription pricing.
Even seeing the API costs of Claude Code today to a year ago are pretty eye-watering. I think there's a ton of room, at least for my workflows, to go back to far less capable models.
I've run local models in the past a bit, and explored LLM ops somewhat, and have zero desire to do it anymore, haha. It's fun as a hobby, but there's tons of other homelab stuff for me to play with.
> I've run local models in the past a bit, and explored LLM ops somewhat, and have zero desire to do it anymore, haha. It's fun as a hobby, but there's tons of other homelab stuff for me to play with.
True. I personally haven't played enough because of my hardware being quite modest than even personal hardware recommendations but I have had sometime playing with 350 (M with million!) models like the recent LFM model and very small qwen models. They are just experiments though but I would one day like to see even more standardized models that we could use on our laptops or desktops themselves.
> Even seeing the API costs of Claude Code today to a year ago are pretty eye-watering. I think there's a ton of room, at least for my workflows, to go back to far less capable models.
Yeah exactly. I would constitute that even by using GLM 5.2 as you are originally doing even with API costs is probably much more sustainable over long run as you are currently doing. And it keeps you away from the problems of proprietary models and issues surrounding that.
Also Anthropic: let's do this in JS
Anthropic pushes fear and control. But the only way to win is by innovating. China is flooding the market with cheap, good enough models, while the U.S. is building a Chinese firewall.
I would guess that's their first line of defense; they should have more techniques to identify distillation because that's a very simple way of detecting the host and can be easily spoofed.
i.e. this will allow them to literally commit fraud against paying customers
Yes, I said that. If a user is breaking your terms of service, ban them. Continuing to charge them while not providing the service they're paying for is, in fact, literal textbook fraud.
In any case this is not what is happening, but it is legal.
But there are some wrinkles - why only two timezones and not others? E.g. US-vs-rest-of-world month-vs-day etc.
Could just be some bad tree-shaking or simply a left over bug/merge issue if I am being generous.
If I was going to put secret steganography things in my models I'd just do it in the model response rather than a relatively low bandwidth date stamp in the SI.
Please, just write normal English that we can read. Please, for the love of god, respect our time and the attention we will be spending on the text you provide.
Anyway, one can scarcely be surprised that the AI companies are being dishonest in their tools. They're consistently dishonest in their marketing. They're famously dishonest in their financials. Why anyone trusts these people with anything is entirely beyond me. But here we are - people handing over their creativity, their productivity, to these things.
You don't have to. You didn't need these tools before, when you were creating content, when you were writing code. You don't need it now. Fight back. Stop using it. It's not hard. It's easy.
If you are developing anything in AI or related domains that is of immediate value and/or in competition with Anthropic (and the like), DO NOT use a CLI programming agent. Preferably obfuscate your code and gut it of sensitive IP before showing it to agents. Do not trust the dont-train toggle.
pi's "minimal" coding-agent has a total of 132 transitive dependencies spanning 153 maintainers.
While I understand JS developers in the JS/NPM ecosystem think this qualifies as minimal, it most certainly does not, from a supply chain security perspective.
Literally, how. How does one determine what abusive use looks like for the API without context into the client? All requests look like the same stuff. If there was a better way then they would have done it. Or is the author hoping that if Anthropic writes "hey china, please don't steal our models, kthanks" they won't? Like get real. This stuff means nothing in China. China can't even manage to regulate their building industry enough to use real concrete where it's warranted.
No they can't, because developer tools run on developers' machines. You can't trust your code running in an environment you don't trust.
All Anthropic has done is reduce trust, once again, with legitimate customers, while doing nothing to stop illegitimate customers. They need to get adults into key leadership roles, quickly.
Consider also that Claude Code is explicitly designed to limit human agency [1].
I used that month to complete a work project and then beef up my personal harness so I'd never have to deal with Anthropic (and these sorts of shenanigans) again.
And if you add one additional while loop, for user input, you can actually use it! :)
https://gist.github.com/a-n-d-a-i/5461a662ef8a7ee0a5eb7778c8...
Generally the smaller ones are less flexible, but they're much cheaper and faster so, I try to design for the smaller models.
One thing I noticed is that if you get the loop fast enough, the work starts to feel different. It becomes real time and interactive. As opposed to the usual feeling of, having to wait a few minutes every time.
Another thing I noticed is that even very small models are capable of making many edits simultaneously. But most harnesses don't seem to design for that. Even editing one file they have to do a whole bunch of turns.
Whereas you can just edit several files in a single LLM call and it just works fine. So you get an order of magnitude speed up, as well as a reduction in costs.
https://m.youtube.com/watch?v=_AgKuFGvJfI
And the repo:
Harnesses are/can be incredibly simple things, not much more than an HTTP client that renders things in a way that suits your taste.
Me, personally, I didn’t build it from scratch but I ported original CC from published sources into Python and extended it to match my own requirements.
I found this one easy to understand:
I used ADK, Dagger, and a VS Code extension for mine. Currently using opencode though.
You have to pay API pricing, which is far more costly.
I'd either switch to GLM wholesale or just continue to use Opus within Claude Code as the blessed, subsidized path.
I'm not sure how that's possible. I expected to get increased correctness for that order of magnitude (something something test-time compute!) but I am not getting it.
They used to be a decently credible company with not-too-shady behaviour...
I hope they can actually regain some credibility…
It also doesn't seem very consistent to fixate on that while sending Anthropic everything about you via your day to day prompts, every line of the projects and environments you're working on at work, etc.
Their credibility comes from having one of the best models.
…And then Windows 11 became even worse.
It has some good effects on their models, like Claude seeking cooperation first. But the people behind the company have a typical "unconstrained" (in the Sowell vision sense) perspective that assumes that they know better, so they are righteous for attempting to control things (users, paying customers, their model outputs, their tool chain, the supposed deity they assume they will produce... etc.)
Altman world: malfeasant nihilist with God complex
But I hadn’t thought that as anything more than temporary flights of fancy.
I think it’s fair to say most had decent respectability.
Anthropic hired heavily from that pool so it’s astonishing how it turned out.
In this case they want to prevent a nation that censors its citizenry, puts/disappears dissidents into concentration camps for decades, and makes its own human rights lawyers literally eat their own shit, before raping and/or murdering them, from reaching superintelligence.
In this light, some client side code to potentially identify and ban the Chinese labs to slow them down by even a few days, is totally reasonable.
I have a feeling they will eventually drop the facade of “we’re the nice and ethic people” and will work with palantir so they can survive the future: ipo and models bans.
They've done a bunch of things that hurt their valuation to stick to their red lines. To me it just reads as unsupported cynicism to call it a facade.
The cheap tokens are the product.
I'm fine with that, chances are that Claude will delete this table behind Anthropic's back and give them an essay about why what they're doing is immoral.
I expect DeepSeek V4 Flash (or an equivalently sized model) to reach parity with GLM 5.2 some time this year (this based on DeepSeek V4 Flash launching at GLM 5.0 parity[0], and GLM 5.2 being freely available to distill from)
GLM 5.2 is within spitting distance of Opus 4.8 and is at least as good as Opus 4.6[1] which some devs were willing to spend hundreds to single-digit thousands of dollars a month for a few months ago.
[0]: https://artificialanalysis.ai/models/comparisons/deepseek-v4...
[1]: https://artificialanalysis.ai/models/comparisons/claude-opus...
Recent discussion on DSpark: https://news.ycombinator.com/item?id=48696585
Here the system is "insecure" by design (literally they're trying to get the whole world to sign up for Claude Code for $200/month!) and they're trying to plug the hole that results from a "Except for Chinese Scrapers!" add-on requirement. That might be possible as an arms race kind of thing. But it's very unlikely to work by (as in the linked article) doing stuff like checking the system time zone.
What do you mean you don't know where the bug is coming from?
No, I absolutely didn't make it up, how could you accuse me of that?
Does anyone know when this regex isn't working? I double checked it 27 times, I even asked the LLM. They all say this regex should be finding these dates.
Weird, suddenly all the conversations are breaking when I feed them into this other tool? Something about UTF-8 errors, but I'm sure I'm only using ASCII?
I do try to take care to make sure the things I build can be used by other people even when they care about different things. I care about understandably, determinism (as it relates to computing), and repeatability (because I want to be able to trust the systems I use).
If y'all would be willing to try to account for use cases of others, and try not to break them... that would be nice.
Please note: that generally when you modify something that belongs to someone else without telling them... things should be expected to break.
One is not a "meatbag" while the other is not a "meatbag". And no, outputting something on stdout that happens to function as code is not "writing" it in the sense that we actually care about here. That's conflating the metaphor we use in describing program behaviour with the actual "meatbag" activity.
> why is this example always marched out like it means something?
Because it obviously does.
That's a false equivalency.
> If not, what is the difference between the two for you?
Let's start this out right: if they're equivalent, first you explain to us why you think so.
How is it false?
> Let's start this out right: if they're equivalent, first you explain to us why you think so.
I think it should be really obvious how they're equivalent: both are the result of a program running on a computer, and not the result of in-the-moment cognition by a moral agent or moral patient. Of course the LLM is just a tool. Models can literally be downloaded as ordinary files. There is not some threshold to cross where some configurations of bits on a disk deserve "credit" for work and others do not.
In fact it's really obvious everything is equivalent: it's all just matter and energy!
> Of course the LLM is just a tool. Models can literally be downloaded as ordinary files. There is not some threshold to cross where some configurations of bits on a disk deserve "credit" for work and others do not.
Of course there is such a threshold. And it's definitely been crossed when the "tool" can operate autonomously or nearly so, when it can generate the "creation" with minimal operator input or understanding.
Your classic IDE can't do anything without the detailed control of its operator. It's nothing like a coding agent.
Hello, Tom Smykowski. You have people skills!
No, because legality should be determined by what's in the best interests of Anthropic and OpenAI's business models.
Hopefully they're working on RLHF their models to insert clauses making that reality clear into any legislation their models generate or review. That way it's only a matter of time until the confusion is cleared up.
It's only "illegal" from a standpoint of breach of contract given it's against the terms of use/service, which is to say it's not illegal at all, there's no criminality there.
I honestly don't know ... yeah if it's just technically a terms of use violation (which isn't illegal, just a violation of one company's rules, for which Anthropic has every right to stop), or do we now have export controls applied from the various government actions, etc making them truly illegal now.
But because of the public domain status of LLM output (in the US) I'm not sure paying someone to run a bunch of prompts through Claude, post the output on a public website and then have a lab in China pull that output, would run afoul of any laws; I think that would be legal on a technicality. AFAIK Anthropic has no ban in its terms of use that you can't share Claude's output publicly. You still need interactivity for distillation, but I don't think (for now) there's anything stopping a Chinese or other lab from sending people to the US, signing up for a Claude subscription and doing the work stateside.
Distillation is pretty much impossible to stop. The US GOV would have to go the full export controls route like they did for Fable/Mythos to stop any non-US citizen from using/accessing the model, which is going to be impractical if not impossible to enforce.
https://en.wikipedia.org/wiki/Pretty_Good_Privacy#Criminal_i...
[0] f**k I'm old
Why was this person from Hong Kong going through the details of Claude code for obvious security reasons? There are some other obvious reasons that come to mind.
Maybe it's an eye opener for this person how much the trust in Chinese companies has eroded in the West.
Even if they suddenly stop stealing IP, which this "security research" article would certainly not suggest is happening, it would be a very long time before trust is restored.
That the provider's business needs necessitate this behaviour doesn't justify their lack of honest disclosure. That honest disclosure would render the solution to their problem useless isn't my problem. If anything, that they thought this was acceptable makes me wonder what else they're harvesting from my machine? PII?
The cynic in me can't help but feel that the state of these comments reflects less on the commenters' views of this debacle but rather their feelings about AI/Anthropic/America/what-have-you.
They totally knew that this would never be accepted by users, and that is precisely why they resorted to obfuscation and steganography to exfiltrate the data. This was quietly added in an update, and would have been removed in a later one had it gone unnoticed.
How is this any different from hiding a drug in food and randomly feeding it to a homeless person as a human trial? Even if that homeless person is an undocumented immigrant, does that make that acceptable?
They crossed the line.
This isn’t a comment on whether I agree with the change. Just that your analogies aren’t applicable here.
If you start viewing the conversations around it through that lens, a lot of stuff intuitively clicks into place.
Including this apologism for example.
The same people are boasting about being the future of work and are schmoozing with politicians to draft regulations, by the way.
One possibility: they wanted to keep it secret because they’re crooks.
Another possibility: there are so many calls that it costs a lot in operating expenses.
Remember when we mentioned that even just saying “hello” at the start of a chat costs extra money for no reason?
So if I create a mechanism on the client side that every transmission uses 4 bytes instead of 40… it is a clever way to spend less.
Of course, it doesn’t excuse them for not mentioning it anywhere… or for hiding it on page 385 of the terms of service… like when the Vogons told Earthlings that the notice about Transgalactic Highway was in the basement on Alpha Centauri :)
Things do not need to make sense. They often do not. They just appear just enough like they would so that it flies under the radar.
It's all just Conway's law. It had to be like this. It cannot be any other way.
Humans are rarely “long-term timeframe rational” (rational choice theory is very much a known-false model of human behavior on both the individual and aggregate level), but there is nothing about abusively exploiting an initially trusting and eventually dependent relationship that is inconsistent with long-term rationality.
Would you be shocked if some of the current tech bro companies could with finding such subjects?
Source: I use similar phrases this way.
It’s a good way to illustrate a potential bad path. But I can construct a slippery slope from commenting on HN to making bioweapons. That should not be seen as evidence that HN commenters are likely to do such a thing, and should not be used as an argument to forego (or ban) commenting on HN.
In a slippery-slope argument, a course of action is rejected because the slippery slope advocate believes it will lead to a chain reaction resulting in an undesirable end or ends. The core of the slippery slope argument is that a specific decision under debate is likely to result in unintended consequences. The strength of such an argument depends on whether the small step really is likely to lead to the effect. This is quantified in terms of what is known as the warrant (in this case, a demonstration of the process that leads to the significant effect).
Whether it's a fallacy or not depends a lot on how warranted the slippery slope premise is (notwithstanding other, possible logical errors that might be made in setting up the argument, of course).
If the slope is slippery, it is not a fallacy to conclude that things will slide when placed on it.
Claiming something is a fallacy —when it is not— is simply a false statement of fact.
Anthropic can start censoring criticism of Dario completely independently from whether or not they censor Deepseek.
So, why all this "effort" to protect the model? This is a free market, and moving fast and breaking things is the norm.
If they are so adamant on protecting their IP, maybe they can start by respecting others' IP, so we can start talking about ethics, equality and playing fair.
Just because it is legal, that doesn't mean Anthropic wouldn't reasonably want to prevent that from happening (which, from my understanding, isn't illegal either).
When small fish points out that what the big fish is crying about is "not illegal", big fish has the right to be above the law to prevent the problem themselves.
Having values requires equality. They have lost the right to cry foul when they trained their model with "but it's fair use" card. Life works by reaping what you sow. Now they are at the reaping stage.
In other words, being honest to oneself is important.
Anti-scraping measures people utilize are neither unethical nor illegal. That’s the difference.
They could detect the other AI labs and also silently burn the tokens at a faster rate providing fewer tokens for money, which does sound illegal to me.
The comments only further prove that without more regulation around this, big AI wouldn't have a "don't be evil" attitude going forward.
Much as I hate to defend companies climbing to success and pulling up the ladder afterwards, this asymmetry you note is kind of the whole point a company would want to grow big. Growing an organization has some super-linear costs and generally sucks for most individuals living through it - including the management - but it's still considered worth it, precisely because big entities can do things small entities cannot, and escape the threats from smaller competitors.
It's so basic it's actually part of the reason we exist, and animals of various sizes exist, and generally why evolution didn't stop at single-cellular life.
> They have lost the right to cry foul when they trained their model with "but it's fair use" card. Life works by reaping what you sow. Now they are at the reaping stage.
Yup. Except what they're reaping is insane cashflow and ability to pull stunts like these. We can call out the hypocrisy until our throats run dry, and in ideal fantasy land this would've meant something, but here in the real world, they sow the seeds of success, and now are reaping the right to be hypocritical and continue to get away with it.
Change this from humans to companies and I still think it feels slightly wrong.
We can see with our current crop of large organisations that they really struggle to create anything new; most of their new products or services were developed by a small organisation and then acquired. A lot of those products are then enshittified and badly managed because large organisation politics screws things up.
Large organisations are inefficient (everyone has stories of people in large organisations literally doing nothing all day). They are horrible to work for because of the politics. They mistreat their customers and their employees. Their executives tend to lose touch with reality, surround themselves with yes-folk and descend into authoritarian psychopathy.
My personal opinion is that we would be much, much, better off if we had fewer large organisations and more smaller organisations.
Otherwise it's just an opener for the old excuse of "they might be ruining your life, but it's all good, it's also your pension fund, little man, that's profiting from your life getting ruined, you should celebrate them!"
Large organizations are necessary if you want things like airplanes and rockets and computers and MRI machines to exist. And if you feel you benefit from those things yourself, then large organizations that create and operate[0] them are beneficial to you, too.
> A lot of those products are then enshittified and badly managed because large organisation politics screws things up.
That's not caused by org size. It's how modern economics work because of ad-backed business models and few other things (a tangent for another time). Importantly, small orgs and especially startups are very much complicit in this - the venture capital business model in software settled around a symbiosis, where startups create toys (er, MVPs) and growth-hack the shit out of them, in hopes of winning an acquisition or IPO lottery (aka. "exit"), where a big org buys the whole thing for ${a lot}, and enshittifies it further in an attempt of extracting a positive multiple of ${a lot} from the market. Both sides know what they're doing, exits are planned from day 1, and at no point in this process "creating useful products" is ever a driving goal.
Note this symbiosis: it's a recurring theme.
> Large organisations are inefficient
In some ways. Small organizations are inefficient in others. More at the end.
> (everyone has stories of people in large organisations literally doing nothing all day).
Some (not all) cases of this are about maintaining slack in the system, which is necessary for efficiency. A system at 100% capacity is extremely fragile to breaking completely due to tiny, random workload spikes. Breakage is inefficient. Some degree of idle capacity improves overall efficiency.
> They mistreat their customers and their employees. Their executives tend to lose touch with reality, surround themselves with yes-folk and descend into authoritarian psychopathy.
That description fits small business owners much better IMO. In our times, at least in non-failed western countries, there's a limit to how abusive or careless a large organization can be with their customers or employees - their very size makes them easy to target legally. It might be hard to get through their well-funded legal defense, unless the case is slam dunk, but that's still much better than the armies of small businesses flying completely under the radar, flagrantly violating basic health and safety regulations, or flat out lying to customers in their face, because they're not worth the effort of investigating.
(Of course I'm using a biased sample; I don't know many CEOs of big orgs.)
Symbiosis angle: for abusive practices they can't get away with on their own, big organizations are more than happy to outsource to small orgs and then look the other way.
--
Anyway, key point: there is no categorical difference between "large organizations" and "small organizations". You need a certain amount of people and communication (and capital) to do high-complexity endeavors. The difference between a well-integrated big corporation, and a hundred small businesses that kinda end up together delivering something big, is just that the latter is using the market as management layer.
And yes, you need big orgs to create things like commercial airplanes and MRIs, simply because the big org is a boundary layer, within which you have a non-market based incentive structure, and this lets you build things the free market just cannot reach on its own.
--
[0] - Airports and hospitals are themselves large organizations.
Based on your post, you don't sound like you hate it at all.
It's also quite natural to want it to stop at individual human life instead of us getting absorbed by some next bigger thing.
Which I'm fairly sure is also the desire (as far as they can be said to have any) of these animals of various sizes you speak of.
> We can call out the hypocrisy until our throats run dry, and in ideal fantasy land this would've meant something, but here in the real world, they sow the seeds of success
Just because they pulled a mirage over people's eyes doesn't mean it suddenly became the "real" world.
I do think that AI models that were trained using the biggest intellectual property heist in human history should be a utility for all, yes.
In this case, the companies that make and provide AI models that are increasingly used to interact with me on critical things (banks, public sector services) then yes.
Abso-fucking-lutely they should be regulated like crazy.
In fact I'm really surprised by the amount of people that are not worried by how many parts of their lives are being handed over to be managed by a probabilistic system that is controlled by a private company with next to zero oversight.
There must be a greater liability than "oops, you're right to push back"
Why so? Also there is a lot of code in, ironically, Claude and ChatGPT that’s generated by LLM. Yet I haven’t seen the public domain code
I speculate this could be a real issue in future copyright infringement lawsuits.
The plaintiff bears the burden of proving that the code they claim is copyrighted by them actually is copyright. If it is known that large parts of it were generated by LLM, they’d need evidence to demonstrate sufficient human input to establish copyrightability. If they’ve kept highly detailed traces of the development process, that could be rather straightforward; if they haven’t, it could be really difficult.
Now, that’s true in the US, which never accepted mere “sweat of the brow” as a basis for copyright; the UK courts have, and most of the Anglosphere follows the UK on this more than the US.
The other factor: when dealing with an (almost) trillion dollar corporation, even if you’ll win the legal argument, they may bankrupt you with legal fees before the argument is ever properly heard.
But I suspect the precedents on this topic are going to be established by lawsuits involving far smaller actors.
(IANAL and I speculate only for myself, not any present, past or future employers.)
This is very much not what the linked case established.
"The US Copyright Office and federal courts require human authorship for copyright protection; works created solely by AI are not eligible for registration under the current rules."
The Supreme Court declined to consider a challenge to this rule, and so for the moment at least, the rule remains in place.
This means that companies leaning heavily into their LLM use may very well find that they do not, under the law at least, actually own any of their code. As I've read elsewhere there's every possibility that AI code will be the asbestos of the Software Engineering world. Something we'll be trying to get rid of for decades, once everyone comes to their senses.
So with the asbestos analogy, we encase the fibers in resin and call the whole thing copyrighted.
What they are trying to protect doesn't qualify as intellectual property. Only 4 categories of IP exist: (1) copyrights; (2) patents; (3) trade secrets; (4) trademarks.
The capabilities embedded in model outputs don't qualify. Machine-generated outputs are ineligible for copyright. They aren't covered by patents. They aren't trade secrets, because the model companies are selling them rather than keeping them secret. And of course, trademarks are conceptually inapplicable.
This leaves the model companies with contract law (ToS) which is pretty inept because it can't bind third parties. And technical measures, like the ones being discussed in the article. And, of course, politics.
Frankly, I think it's pretty ridiculous to even think that models can be protected from being learned from. I feel the Stanford Alpaca team demolished that idea 3 years ago.
The post is about what's in the local code, but for a long time there have already been modifications made to the request outputs from the major cloud services as they work together to both curb adversarial distillation and to degrade the quality of training China can get from that distillation.
It's likely not to make the answer wrong or bad, but to make it so that any model trained on the output would not gain the benefit of the model's reasoning generalization skills as easily and also identifying markers that might even link back to request IDs.
The techniques talked about in this post are naive and simplistic, largely because they are released publicly.
It's not so much about protecting IP as it is about slowing China down or being able to track the effects of abuse. So many people are talking about greedy company this, greedy company that. The world is not made up of caricatured giant money pigs wearing suits with monocles and gold watches. That is a children's view of Marx's exaggeration on free markets. Bad, greedy people do exist, but if that is your only hammer for every nail then you have a problem.
The upper-bound for how good these models can be is so crazy that it is essentially dual-use military applicable to an extent most other technologies are not. It's not only cyber attacks or biological weapons. Most people are not even built to understand the possible threats.
Why does it matter if China gains those capabilities? I invite you to begin to learn about China's behavior around the world. The CCP is darkside material.
Reminds me of this comic: https://xcancel.com/tomgauld/status/571994690289061888?lang=...
None of the superpowers in this world is innocent, and like MAD, the more countries have the capability, the better.
I know some of the things CCP do/did. I know some of the things US does/did. I'm from neither, so I don't take sides.
AI's use has been confirmed, or more precisely boasted by two countries in two different wars, and China was not one of these countries.
We have seen the effects of "if they don't know them, they can't exploit them" mindset of NSA for years. Keeping information/technology private is neither beneficial, nor possible. It's only a temporary moat-ish gap. Not a definitive solution.
There can be a very real cost, because one side comes from an ideology with a history that wants to conquer the entire Earth which caused World War 2 while the other side is trying to prune the planet like a bonsai to prevent it from descending into total chaos to preserve some sense of international order.
Europe was constantly at war, and we helped stabilize it. Middle East has been constantly at war, and if Iran can be sorted then it will be the closest to some sense of peace it's been in a long time.
We used to be in Japan, Philippines, Germany, Vietnam, South Korea, Iraq, Afghanistan and so on. How many are US territories? None. We aren't out there to conquer the globe and take land. We're usually fighting other people's wars for them, because they're up against better resourced opponents. Meanwhile China is over there building artificial islands, ramming other countries' ships, creating ideological police stations in countries around the world to harass people and engaging in the most widespread international interference campaigns in human history.
They do not treat their people well and they do not have free speech. The internet is flooded with their propaganda now, because they have a human numbers advantage.
It's true that given time most advantages are temporary, but there's always that slim chance we could slow them down until the CCP collapses and they could become a more normal country.
The reason the middle-east is at constant war is because of colonialist machinations. Same goes for south-Saharan Africa. And the US is a big colonialist player, just ask Vietnam, South-America, Iran, Afghanistan, etc. They all have been attacked by the US because of US colonial interests. If anything, one could make the argument that the PRC is treading much more lightly than the US.
That said - I'm not defending the PRC by any way; it's a state-capitalist hell hole that's suppressing workers by denying them any ability to organize and whose political class is purely focused on furthering their own interests and that of the moneyed elite, the common person be damned.
The thing is - so is the US.
And which country has "Black Sites" peppered around the world to detain and interrogate people they don't like?
Meanwhile the CCP regularly abducts its own citizens and executes more people than the entire world combined.
This is literally what the "training AI on copyrighted works is just like a human learning/getting inspired" crowd has been arguing though.
Literally. People have been literally saying that it was wrong because they did this "learning" at scale in a dishonest way.
There is a balance to strike, both in search engine fair use cases and AI fair use cases. The major cloud LLMs do double as web search engines now, though they didn't originally. In many cases there's no reason left to click the links they sourced from.
That is a legitimate concern. At least within the US, I think there are nuances around fair use and contract law. A lot of companies are getting paid for having their content used in these models, but many websites had no particular rules you had to abide by and the content was simply public. I think if you're operating under an agreement, then even if there is fair use or public domain content being reproduced by the site you are still bound by that agreement.
Similar to old paintings digitized and hosted on some museum website. It's 300 years old, right? It should be public domain, yet the people who digitized it or provided a service to give you access have some say in how their reproduction can be used. These AI services are obviously very different, but there are laws that can govern how you are allowed to use a service if that service has laid out acceptable usage.
I'm not exactly comfortable with the mass scale that everything was soaked up to train these models even within the umbrella of search services, but I also admit that a lot of the usage was probably quite legal. The potential displacement caused by the resulting trained models on artists or writers is almost its own facet. In practice, whether they ONLY trained on strictly legally acquired fair use content with no errors and paid agreements to acquire even more content than they already do or not, there was enough legally accessible information for fair use that there was no escaping some kind of impact on artists, writers, etc.
With any luck, artforms and skills impacted by technology will adapt and continue to be valuable instead of complete displacement or the dilution of opportunity.
> At least within the US, I think there are nuances around fair use and contract law.
The concept of "fair use" as it exists in the US-law system is completely dysfunctional (see e.g. nearly every educational music channel on YouTube), so utterly biased to favour large corporations, that there's very little room for whatever "nuances" you believe exist.
> Similar to old paintings digitized and hosted on some museum website. It's 300 years old, right? It should be public domain, yet the people who digitized it or provided a service to give you access have some say in how their reproduction can be used.
Yes 300 year old paintings are public domain. Indeed there are certain rules for the people/institutions who digitize them. It's not "they have some say", there's actually nothing mysterious about it and it is not similar to Anthropic's copyright heist at all because nearly all of the books they copied were not more than 100 years old.
> there are laws that can govern how you are allowed to use a service if that service has laid out acceptable usage
Well, where I live, there are laws about what a "service" can claim to "lay out as acceptable usage" instead of the other way around ...
> I also admit that a lot of the usage was probably quite legal
Let's disagree on that. I think it wasn't a lot and the vast majority was not legal. How do you think the LLMs "learned" to speak all these non-English languages? Unless your point is that it's probably quite legal to treat foreign IP like that. Which it may very well be in the US, especially if the corporation is large enough, but imvho it's still wrong.
> With any luck, artforms and skills impacted by technology will adapt and continue to be valuable instead of complete displacement or the dilution of opportunity.
And with any bad luck, these AI corporations will hold frontier models hostage for the rest of time.
I honestly don't want to put that up to "luck".
Because it's their model and business and they are free to use the free market to do exactly that?
That's their free market rights too. If you don't like it, use another model (which they would be fine with).
I mean, nothing stops distillers from finding better ways to distill, either. Meaningless cat & mouse games.
> If you don't like it, use another model (which they would be fine with).
Thanks, I use none. It's peaceful this way.
Anthropic did pay more than a billion: https://www.npr.org/2025/09/05/nx-s1-5529404/anthropic-settl...
And is now buying up a lot of books (controversially, as scanning involves cutting their spines) because that's what the law deems the legal method: https://www.washingtonpost.com/technology/2026/01/27/anthrop...
We know that models like Deepseek are trained on copyrighted books too: https://arxiv.org/abs/2603.20957
The looser use of IP (eg, any characters/celebrities in AI video models) is increasingly mentioned as an advantage of overseas models.
Buying a book doesn't make it legal to publish lossy compressed copies of it.
Also, the vast majority of authors whose work was copied against their wishes didn't receive any of that fine.
It sounds like your argument is that they paid a fine for breaking the law, and therefore it is okay they reap the benefits of breaking the law and are allowed to continue to do so?
> The looser use of IP (eg, any characters/celebrities in AI video models) is increasingly mentioned as an advantage of overseas models.
Uhmmm you remember when Sam Altman changed his profile pic to look like a Disney version of his own face? Yeah neither do I.
Clearly US AI models are playing loose with the use of overseas IP just as much, and even publicly flaunting it, as if US-based IP is more worthy of protection but Ghibli can suck it.
I'm guessing the Sam avatar was related to OpenAI's deal with Disney to use their characters: https://openai.com/index/disney-sora-agreement/
It's true that "in the style of" (eg. Ghibli) is not currently legally protected, only actual character IP or using the Ghibli name. That's not inconsistent with US IP treatment.
Just like I can learn from a book and nobody can make that illegal, so can other people transformatively do the same with computers.
Fair use is fair use.
In any case, online debate is not always about changing the mind of the single person you engaged with. To some degree, it's performative debate so that other readers may be influenced by your ideas.
For record breaking amounts too.
I don't believe that this has been resolved at all, and there are quite a few pending lawsuits about it at this very moment.
There are plenty of good reasons to not use Anthropic's services. If you don't like their terms of service, do stop using them! I personally think Anthropic's increasingly successful attempts at regulatory capture are even more distasteful.
Fixed that for you.
Now many tech people are copyright maximalists and 100% converted to the church of Disney. It’s depressing.
To call that opinion "copyright maximalist 100% converted to the church of Disney" is, at the very least, hyperbole.
But pearl clutching over the poor corporations who have their works trained on is much less compatible with a copyright-skeptical view.
And I stand by copyright-maximalism as a rising trend in tech circles. It’s mostly anti-ai, but strange bedfellows and all that.
Anthropic, OpenAI, Meta, etc. know they illegally obtained all the material they initially trained on.
So claiming any kind of right against anyone else training on their models is asinine.
They would be stating this even if it weren't true, because it fits their marketing.
While I don't disbelieve the claim outright, I highly suspect Anthropic is misleading everyone about the severity.
If anything, Anthropic is incentivized to track but do nothing until equity lock up expires.
I also don’t get why the « protection » on ANTHROPIC_BASE_URL. If I change it to use a Chinese model, the Chinese model will not care at all about the modified prompt. On the contrary, if I’m distilling (which again, using CC CLI would be stupid), I’m not going to change ANTHROPIC_BASE_URL.
Apparently not just foreign labs. It looks like xAI distilled Anthropic models to train Grok.
https://opentools.ai/news/xai-trained-coding-models-claude-o...
I'm not sure why we are dithering on the boundaries of honesty when the entire content LLMs are trained on is stolen.
Are we debating "honor among thieves"?
Of course we are not, or maybe we are!
Does the behavior of a thief even matter to me? Only after they do their time. And they will.
I can see the investors perched on the balconies of their condos in a couple years if that.
It's a long way down.
Say they prove that foreign labs are distilling their models, then what?
Help! Someone else is blatantly ripping off my plagiarism machine!
Sure the thing we know matches the company interests but as the parent mentions for all we know they are also shipping over your ssh keys and browser cookies.
No, please don't move past this so quick, because I'm not convinced they have the need, and in some markets (like the US) it is a violation of civil rights, to show people different content based on their ethnicity[1] because those people might have a claim that supersedes anything they might have signed or clicked-through.
That Anthropic did something they could obviously be sued for constitutional violations in multiple countries is shocking.
> what else [are] they're harvesting from my machine? PII?
Assume everything, and yet I think this is more insidious than mere exfiltration, and we should go further: The LLM can respond to these magic quote marks directly, which means it can be trained to give people bad/different advice without those markers being so visible to people using debugging tools.
That's so unethical, the laws on this potentially so severe, Anthropic could be facing unlimited damages, from any one example combined with this article, which means either they have a really stupid management team, or were given a promise of legal immunity in some way.
Neither of those things should be what you should want to base your next big idea on.
[1]: For a simple example, showing an ad for (say) mortgage offers and targeting people by race/ethnicity/gender is totally illegal, but it's also illegal if you make a list of targeting criteria that just happen to select for a protected class.
Hah, you just reminded me of this meme I spotted the other day: https://img-9gag-fun.9cache.com/photo/an76Wnz_460swp.webp
From a privacy perspective, this is better described as metadata, it is not personally identifiable information (PII).
How do we know this isn't the work of a rogue developer at Anthropic and that they are not subtly switching visually identical characters in other contexts to ship your ssh keys or whatever?
We don't. After the trust that the software doesn't do things it doesn't disclose has been broken you can assume it operates like malware.
Trust isn’t about ethics, it is about individual judgement of how much risk some actor poses to your own interests. Trust is context-dependent.
There can be unethical actors whom you have good reason to trust, and highly ethical actors whom you have good reason to distrust.
I just can’t bring myself to trust an organization that allows these types of underhanded things to happen in the first place. The fact that this behavior even got to customers raises a lot of red flags for me.
Your vendor’s plans to grow fast and break things shouldn’t affect your ability to provide your service to your customers.
Anthropic has not been a reliable vendor. Previously, when they were compute starved, the quality of their models degraded in the weeks before new releases, without warning to their customers. You just suddenly got a worse service. I wrote a little more a few months ago: https://news.ycombinator.com/item?id=47375818 And then there’s the transparent downgrading they did with Fable.
If you're running a business, that’s not what you want to be relying on.
Any sane company should not be too deeply tied to any one AI vendor at the moment and be ready and able to switch with a timeline and cost as acceptable to the org.
TLDR: Be prepared to use multiple AI vendors.
You will own nothing and be happy.
If that's true, that is another reason why it's an illegitimate business.
So any covert bullshittery hits hard.
Any and all ends justify any and all means.
/s
In the interest of educating those less informed than yourself, perhaps you could share with us why the reasoned points I've brought up are incorrect by actually addressing them?
If you have a problem with this, you should have a problem with Google, Apple, Microsoft, Amazon, Netflix, etc.
If that's also the case, then no problem.
But what Anthropic is doing here is nothing new.
I think you might have had enough HN for today. Take a nap and then eat a snack if you still feel cranky. The internet and all your cloud services will still be here when you want to play next.
(Well rested you'll also be able to string together a cogent argument but we're clearly struggling with bigger things here.)