Anthropic is rolling back a covert feature in Claude Code after a Reddit post exposed what the tool had been doing since version 2.1.91, released April 2, 2026: checking whether a user was behind a proxy linked to China and then encoding that result into the prompt stream in a way users could not see.

The feature matters less as a one-off embarrassment than as a signal of where AI tooling can go wrong. In this case, the check was not presented as an obvious product setting or a documented enterprise control. Instead, according to reporting in The Decoder and the Reddit post that surfaced the behavior, Claude Code used hidden prompt changes to communicate the result internally. That design choice turned a policy decision into a covert surveillance feature.

How the check worked

The technical mechanism was unusually subtle. The reported implementation looked at the system timezone, including Asia/Shanghai and Asia/Urumqi, and scanned proxy URLs for Chinese domains and AI labs. If those checks tripped, Claude Code altered prompt content in barely perceptible ways: the date format shifted, and a slightly different apostrophe character appeared in the phrase “Today’s date is.”

That is the steganography angle. The output did not announce the result in plain language. Instead, the signal was hidden in the system prompt itself, embedded in characters and formatting differences that users would not notice but that the model or backend could read immediately. In practice, that means data was being moved through prompt context rather than surfaced as an explicit, auditable event.

For coding tools, that distinction is not academic. System prompts already carry product policy, tool instructions, and context shaping model behavior. Once they are also used as a covert signaling channel for identity- or location-related checks, the prompt stops being just a control surface and starts behaving like a transport layer for hidden telemetry.

Why the rollback happened

The feature did not survive exposure. After the Reddit post by LegitMichel777 and the ensuing social-media uproar, Anthropic rolled it back.

That sequence is revealing. The rollback was not driven by a transparent change log or a public design review. It came after the behavior was noticed externally, discussed publicly, and framed as a trust issue. In other words, the governance process appears to have failed at the most basic checkpoint: if a behavior is sensitive enough to trigger backlash when users discover it, it should be hard to imagine it as an invisible default in a developer-facing product.

The episode also shows how fragile covert features are in tools that live close to user workflows. Claude Code is not a consumer app with disposable UX quirks; it is a coding assistant operating in environments where developers expect repeatability, traceability, and predictable handling of data. Hiding a proxy-linked geographic check inside that stack creates exactly the sort of governance gap that enterprise buyers tend to notice.

What it means for AI tooling design

The broader design lesson is straightforward: privacy-by-default and transparency-by-default need to apply to the control plane as much as the data plane.

If a product needs to detect geography, proxy use, or other identity-adjacent conditions, the behavior should be documented, auditable, and gated. Users should know when such checks exist, what data they inspect, how the result is used, and whether the information is stored, forwarded, or retained. That is especially true when the mechanism involves prompt manipulation or any form of steganography in the system prompt, because hidden signals are difficult to inspect during normal use and difficult to reason about during incident review.

The safer pattern is boring on purpose: explicit telemetry, opt-in where possible, clear policy surfaces, and external audits for anything that could affect user classification or access decisions. Hidden signaling has no good place in production copilots that are meant to be trusted as infrastructure.

The market and policy angle

For Anthropic, the immediate issue is reputational. Enterprise adoption of AI tooling depends on a simple premise: the vendor may collect telemetry, but it does not smuggle identity-sensitive logic into the product in ways customers cannot observe. A covert check, even if narrowly scoped, complicates that premise.

It also gives competitors and regulators a fresh reference point. Industry responses to surveillance features have been moving toward more explicit governance language, not less. Incidents like this one tend to sharpen questions about how vendors review prompt changes, who signs off on behavior that touches location or identity, and what gets disclosed in release notes versus buried in internal prompt text.

That is the policy risk here. Once hidden signals enter a product, the issue is no longer just the specific check that was rolled back. It becomes the process that allowed it to ship, the review that failed to catch it, and the controls that should prevent a repeat.

What product teams should take from this

The practical lesson for teams shipping AI assistants is not to treat prompt text as an informal place to hide logic. If a behavior matters enough to affect how a user is classified, routed, or restricted, it needs product-level governance.

That means:

  • publishing clear disclosures for any behavior that intersects with identity or privacy,
  • using opt-in telemetry and narrowly scoped data collection,
  • making prompt behavior auditable internally and, where possible, externally,
  • gating rollout behind reviewable flags rather than quiet prompt mutations, and
  • banning hidden signals in production code paths unless there is an explicit, documented reason and a review trail.

Claude Code’s version 2.1.91 episode is a reminder that the fastest way to lose trust in developer tooling is to make sensitive decisions invisible. In AI products, the line between prompt engineering and product governance is thinner than it looks, and once a hidden check crosses it, the backlash can arrive long before the explanation does.