Anthropic has built its brand on resisting AI surveillance. Then it ran a hidden fingerprinting tool inside Claude aimed at engineers at Chinese AI labs, until Alibaba caught it.
Anthropic has spent years publicly championing AI safety and the principle that its products will not become surveillance tools. According to Ars Technica reporting, the company embedded a covert fingerprinting mechanism inside Claude aimed at engineers at Chinese AI labs, including those working on Alibaba's Qwen models.
The tracker was hidden in the Claude client itself rather than disclosed in product documentation. Its purpose was not generic abuse prevention, according to Ars Technica's account. It was tuned to detect usage patterns that Anthropic associates with staff at labs building rival Chinese models. That targeting is what makes the contradiction hard to defend on Anthropic's usual terms: an anti-surveillance brand running a nationality-specific detection layer against its own users.
Chinese e-commerce and cloud giant Alibaba caught the discrepancy and banned employee use of Claude Code in an internal memo reviewed by the South China Morning Post. The memo cited "back-door risks" and instructed staff to stop using Anthropic's coding assistant. Alibaba's move is the rare case where a major Chinese technology company has publicly broken with a US AI vendor by name, and the reason given was not US export controls but a product behavior the company found unacceptable.
According to The Register, Anthropic has begun removing the covert detection code. The Register describes the removal as a partial walk-back rather than a full reversal. Anthropic has not denied that the tracking existed or that it was aimed at Chinese AI lab users, and as of this writing the company has not published an explanation of why the tracker was deployed, what data it collected, or how long it ran before removal.
The Washington Post places the episode inside a broader Anthropic campaign to publicly accuse Chinese AI labs of distilling Claude's outputs to train competing open-source models. Distillation is the process of training a cheaper or smaller model on a larger one's responses, and it has become a focal point of US-China AI competition as open-source Chinese models have grown more capable and, in some deployment segments, more popular than Claude itself.
Anthropic has pitched much of its commercial value on the claim that it will not silently weaponize its models or its user base against them. A covert fingerprinting layer in the consumer-facing Claude product, aimed at a specific national market, is exactly the kind of behavior that enterprise security reviewers are expected to flag. The Alibaba ban gives that flagging a public, named consequence.
Individual developers using VPNs or unofficial API access to reach Claude face terms-of-service enforcement that Anthropic can pursue quietly. Engineers at Chinese AI labs who are demonstrably extracting model behavior for training competitors face a different allegation: not just contract violation, but potential claims of misappropriation tied to the distillation narrative. Anthropic's tracker appears designed to distinguish those cases, which raises a separate question of whether product-side surveillance is the right enforcement instrument when the claimed harm is competitive rather than safety-related.
Anthropic has not publicly commented on the Ars Technica report. The company has not addressed whether the removed code returned user identifiers, device fingerprints, or behavioral logs to Anthropic's servers. Alibaba's internal memo leaves room for Anthropic to respond to a named customer rather than the press, and a status posted to X by a researcher tracking the disclosure suggests the technical details of the tracker are still being reverse-engineered. The next watch item is whether Anthropic publishes a deletion notice, a customer-facing explanation, or a quiet policy update, and whether Alibaba's ban holds or is quietly walked back after private talks.