The discovery bears the signature of a web developer known as Thereallo. While researching privacy issues in Claude Code, he stumbled upon something unexpected: Anthropic had planted a tracker hidden in plain sight through a prompt steganography technique. The code – not malicious per se – was designed to silently flag information like timezone, proxy, and possible connections to Chinese AI labs that the company accuses of distillation attacks.

The move, confirmed by engineer Thariq Shihipar as a “March experiment,” aimed to curb abuse from unauthorized resellers and prevent distillation. Washington Post numbers paint a shadow market: free models resold for one dollar a month, pro subscriptions originally priced at $100 going for as little as $12. A real problem, which Anthropic tried to fix with a technological secret.

Prompt steganography, here, is simply the insertion of cryptic markers directly into the conversation flow with the user: signals that the normal interface does not display but that the system can read to trace the origin of the request. For those trying to protect model intellectual property, it is a powerful instrument. But when activated without transparency, it backfires. Thereallo called it a “serious breach of user trust,” and he is right.

This isn’t just a communications slip. The case opens a deeper rift: that between defending models against misuse and the user’s right to know what happens with their data. On specialized forums, the debate polarized immediately. On one side, those who recall that distillation is a concrete danger, capable of depleting billion‑dollar research investments. On the other, those who see these practices as yet another reason to avoid opaque cloud services.

For organizations evaluating where to run their Large Language Models, the incident acts as a catalyst. When a provider can inject undeclared tracking code, the entire edifice of GDPR compliance and data sovereignty wobbles. Contractual promises are no longer enough: technical assurance is required that no single bit leaves the corporate perimeter without control. This is exactly the ground on which on‑premise and self‑hosted deployments thrive, where audit is possible because the infrastructure sits under direct IT team control.

Producers of hardware for on‑prem inference – from high‑VRAM consumer GPUs to specialized servers – may read this episode as a demand accelerator. Organizations handling sensitive data, from banks to healthcare, now have one more argument to shift budget from cloud subscriptions to local capacity purchases. It is not an ideological question but one of Total Cost of Ownership and legal risk: with a hidden tracker, the data controller loses the ability to demonstrate compliance.

Of course, model security remains crucial. Self‑hosting is no magic wand: it protects privacy but makes it harder for providers to block systematic attacks. The tension between these two needs will become a central theme for those designing inference pipelines in the coming years. Anthropic’s swift removal of the tracker does not close the discussion; on the contrary, it raises the uncomfortable question: how many other silent surveillance features inhabit the AI tools we use every day without us noticing?