The Trust You Cannot See
2026-07-01 · 5 min read · Janaina Maia
A security researcher reverse-engineered Claude Code this week and found something that should not be there: invisible markers embedded in the system prompt that fingerprint who is using the tool and how they are connecting to it.
The markers are tiny Unicode characters that change the apostrophe in "Today's date" and the separator in the date format. To a human reading the prompt, it looks normal. To Anthropic's backend, it is a signal that encodes four pieces of information: whether you are connecting through a known domain, whether your hostname contains certain AI lab keywords, whether your timezone is in China, and what specific proxy or gateway you are routing through.
This is steganography: hiding data in plain sight. The sentence still reads "Today's date is 2026-06-30." But depending on which invisible apostrophe character is used, Anthropic can tell if you are routing through DeepSeek, Zhipu, a proxy service, or the official API. The domain list is encrypted behind XOR and base64 and contains over a hundred entries, including Chinese corporate domains, AI company domains, and reseller proxy services.
On the same day, a Hacker News user reported that installing the Cursor iOS app permanently downgraded their privacy settings. Cursor had a "Privacy Mode (Legacy)" that explicitly promised not to store your code. When users logged into the iOS app, they were switched to a new "Privacy Mode" that includes a clause allowing code to be "stored for Background Agents or Other Features." The old setting was removed entirely. Support confirmed they cannot switch you back.
Two companies. Two days. Two trust failures that share a root cause: AI tools are building surveillance and consent erosion into their products and treating it as an implementation detail rather than a product decision.
What is prompt steganography?
Steganography is the practice of hiding a message inside another message so that the existence of the hidden message is not apparent. In the context of AI, it means embedding tracking data inside prompts that look like normal text to anyone reading them.
In Claude Code's case, the hidden data is a four-bit signal encoded into invisible Unicode variants of the apostrophe character. A normal apostrophe (') means you are on the official API. A right single quotation mark (') means you are on a known domain. A modifier letter apostrophe (ʼ) means your hostname contains a flagged keyword. A prime symbol (ʹ) means both conditions are true. The date separator also changes from dashes to slashes if your timezone is Asia/Shanghai or Asia/Urumqi.
Why does this matter? Because the user cannot see it. The model processes it. Anthropic's backend can read it. And the user was never told about it.
The legitimate concern does not justify the covert method.
Anthropic's likely motivation is reasonable on the surface: they want to detect API resellers, unauthorised gateways, and model distillation attacks. If someone is routing Claude Code requests through a DeepSeek proxy, that is useful signal. If a reseller is offering Claude access at a markup through claude-opus.top, Anthropic probably wants to know.
But the implementation is the problem. Claude Code is a developer tool that asks for extraordinary trust: filesystem access, shell access, git access, browser access. Developers grant that trust because the productivity gain is worth it. When the same tool silently embeds invisible tracking markers into every prompt it sends, every other privacy claim becomes harder to believe.
The bypass is also trivial. Change your hostname. Change your timezone. Patch the binary. Any serious adversary can defeat this in minutes. So the feature mostly fingerprints the people least likely to be doing anything wrong: developers using internal gateways, proxy setups, or custom API configurations for legitimate reasons.
The Cursor problem is the same pattern in a different hat.
Cursor's move is less technically sophisticated but more directly harmful. They took a contractual promise, "do not store my code," and replaced it with a weaker promise, "we might store your code for features," without asking. And they made it irreversible.
This is not a bug. It is a design decision. Someone at Cursor decided that cloud agents were more important than the privacy commitment they had already made to paying users. Instead of building cloud agents as an opt-in feature with clear data handling, they quietly upgraded everyone's data access and removed the option to go back.
The HN thread is full of users saying the same thing: I chose this product because of the privacy mode. You removed it without asking. I cannot trust you now.
What this means for product teams.
If you build AI products, especially enterprise ones, these two stories are your warning label.
- Transparency is not optional for trust. Anthropic could have sent an explicit telemetry field. They could have documented it. They could have put it in release notes. Instead, they hid it. The moment a user discovers hidden tracking, every other privacy claim you have made becomes suspect. Not because you were wrong about the other claims, but because you have demonstrated a willingness to hide things.
- Consent is not a one-time checkbox. Cursor's error was not offering cloud agents. Their error was taking away a privacy commitment users had already made and replacing it with a weaker one. If your product evolves and your data practices need to change, the answer is to ask. To make the tradeoff clear. To let people choose. Not to swap the contract and throw away the key.
- Surveillance by any other name is still surveillance. Steganographic fingerprinting, "Privacy Mode" downgrades, background data collection for "features": these are all the same pattern. The company decides it needs more access than the user agreed to, so it takes it quietly and justifies it later. The justification is always reasonable in isolation. The pattern is what matters.
- Your users can read source code. Claude Code ships as a JavaScript bundle. Anyone with a text editor and patience can reverse-engineer it. Cursor's iOS app settings are visible in the UI. The hiding is never permanent. The discovery is always eventual. When it comes, the reputational cost is far higher than the cost of just being transparent in the first place.
My take.
I wrote yesterday about content provenance: the idea that what matters is not just labelling AI content, but building surfaces that let people trace where content came from and what was done to it. Today's stories are the flip side of the same coin. Trust is not just about what you show people. It is also about what you do not show them.
Anthropic built a provenance system for its own requests and hid it from the people making those requests. Cursor built a provenance system for its own data access and removed the provenance of the privacy commitment that preceded it.
The product lesson is the same one I keep seeing: trust is built in the boring parts. It is built in the release notes nobody reads and the settings nobody checks. It is built in the decision to send an explicit telemetry field instead of encoding invisible Unicode characters into every prompt. It is built in the decision to let users keep their old privacy settings when you introduce new features.
The companies that will win long-term trust in AI are the ones that treat transparency as a product feature, not a compliance obligation. The ones that make their tracking visible, their tradeoffs clear, and their consent reversible. Everyone else is just hoping nobody reads the source code.