Podcasts
Paul, Weiss Waking Up With AI
Tracking Code, Truthful AI, and Quantum Threats
In this episode, Katherine Forrest and Scott Caravello break down the discovery of hidden steganographic tracking code inside Anthropic's Claude Code, the FTC's proposed statement on AI output accuracy and disclosure, and IBM's warning that the quantum threat to internet encryption may already be in motion.
For the sources referenced in this episode, please see the links below:
Anthropic: Letter to Senators Tim Scott and Elizabeth Warren Re: AI Distillation Threats
FTC: Proposed Policy Statement Concerning the Suppression of Accuracy in Artificial Intelligence Systems
IBM: Q-Day has already begun. Are you ready?
Thereallo: Claude Code Is Steganographically Marking Requests
Prior Paul, Weiss Waking Up With AI Quantum Episodes:
Episode Speakers
Episode Transcript
Katherine Forrest: Hello everyone and welcome back to Paul, Weiss Waking Up with AI. I'm Katherine Forrest.
Scott Caravello: And I'm Scott Caravello. Katherine, have you been watching the World Cup?
Katherine Forrest: Well, is that like a trick question? I don't think you can like live right now in this country and not watch the World Cup because it's like it's everywhere. Literally everywhere.
Scott Caravello: True, but I know that it like it got in the way of your commute enough that maybe you were avoiding it out of protest for the inconvenience.
Katherine Forrest: Eschewing it.
Scott Caravello: Yeah, exactly.
Katherine Forrest: Eschewing the World Cup.
Scott Caravello: Just walk by a bar or restaurant with it on and cover your eyes. I don't know.
Katherine Forrest: Yeah, yeah, yeah, yeah. No. What I love is that the viewership for soccer/football, which everybody else in the world calls football, but us. Because of course we call things that are thrown football and we call things that are actually with a foot soccer. But let's put that aside, okay. But the viewership is out of this world in terms of what it's drawn in terms of television and just the excitement, you know, the palpable excitement everywhere. I love it. We go from the Knicks and Brunson, my hero, and then we go into the World Cup and we go into such excitement and you know, like New York City is like buzzing with all of that excitement.
Scott Caravello: I completely agree. And it makes me very sad that tomorrow is the last day of multiple games where you get to just like enjoy it as an event for a large part of the day.
Katherine Forrest: Well, but then—
Scott Caravello: Four more years we'll be right back at it.
Katherine Forrest: Right. And then you can travel someplace to sort of go see it as opposed to having it— the whole world had to travel to us. So, there we are, and speaking of traveling, I see that you are in your New York City apartment 'cause I can see the hats behind you. It's like that man of many hats, you know the children's book with like the hats all like they're all stacked up on his head.
Scott Caravello: Dead.
Katherine Forrest: Do you know the one I'm talking about? That hat man?
Scott Caravello: Yes. Vaguely.
Katherine Forrest: I don't remember the name of the book, but somebody else in our audience will. But anyway, you're there and I am back in Maine where I arrived last night after a Third Circuit argument. It was tough traveling back from Philadelphia when there were thunderstorms in the entire East Coast. But I got here. So here we are.
Scott Caravello: Great.
Katherine Forrest: All right, and we're ready to go. Are you ready to go?
Scott Caravello: Let's do it.
Katherine Forrest: All right, let's do it. So there are three topics that we're gonna cover today and sort of I just wanted to list them first. The first is this what I'm gonna call sort of quasi-mysterious, but we know what it is, so maybe it's not so mysterious. Steganographic. And by the way, I do pride myself on being able to say “steganographic.” Right? That's good.
Scott Caravello: Just yeah, that was great.
Katherine Forrest: That's good. It's flawless, right?
Scott Caravello: I think I probably would have been like breaking up the syllables to do it really slowly. So that was fluent. Yeah, yeah, please.
Katherine Forrest: Okay, you can leave it to me then. And since I can see you on the camera, anytime that we have to say “steganographic,” you can just point at me and I will just say the word. Steganographic.
Scott Caravello: Awesome. Awesome.
Katherine Forrest: Okay. So there is this steganographic code that has been detected inside of some Claude models. And so we'll talk about that. And we'll talk about a brand new FTC policy that is interesting for a variety of reasons. And then we've got some developments in quantum and questions now about whether we have already a situation on our hands where anything online might be at risk of no longer being able to stay secret. So let's go ahead and start with our, you know, door number one.
Scott Caravello: Sounds great. And so that's the Anthropic topic— the Anthropic topic, say that three times fast.
Katherine Forrest: That's good.
Scott Caravello: And that relates to Claude Code. But honestly, you know, I can't remember the last time that we kicked off an episode without some news about Anthropic. So that's… we're staying strong on theme.
Katherine Forrest: They're doing a lot. Between that and OpenAI and 5.6 and everything else, things are happening. And by the way, we haven't even talked about China and what China's doing with its own models, going back the other way and switching away from American models. We'll have to save that for next week. But let's, talking about now Claude Code, you know, Claude Code is the Anthropic coding assistant, which is agentic and it can do so much and is wildly popular with not just developers, but a variety of people who are now able to develop through vibe coding and everything else. And Claude Code can run files, read your files, run your files, run commands, edit your code, suggest modifications to code, test code, and access repositories directly. And we've got this Claude Code out there and on June 30th there was an independent researcher who published a reverse engineering write-up of the code and he was looking at the code for various purposes and he set off a firestorm because he claimed that Anthropic, through Claude Code, was actually secretly tracking Chinese users.
Scott Caravello: And the technique that's at the center of this write-up is called—
Katherine Forrest: Steganography. Steg— my god.
Scott Caravello: Thank you.
Katherine Forrest: My god, there—I messed it up.
Scott Caravello: Stegan— st— steganography.
Katherine Forrest: Well, I like to say “steganographic.”
Scott Caravello: Yeah, yeah, yeah.
Katherine Forrest: But if I have to actually place the emphasis on different syllables, it gets messed up. Steganography. Steganography, steganography, right? Okay
Scott Caravello: There we go.
Katherine Forrest: Okay.
Scott Caravello: And so for anyone who isn't familiar with this term or how to pronounce it, it's the practice of hiding information inside something that looks completely ordinary so that no one suspects that there's a message in there at all.
Katherine Forrest: Right. It's really a form of cryptography if you want to think of it like that, where you can either take something or something in plain sight that is a code for something else, or you can actually use very often steganographic cryptography would be using a common word as another word. And so you would think of “orange” as, “he's got the package and he's gonna drop it at the corner.” And you know, it doesn't have to be one word for one word. You can actually have something in plain sight. And so this fellow, Thereallo's article, said that the Claude Code steganography was actually putting into the code of the model a prompt. It was actually inserting a prompt into the model that was actually giving information in the date area that in fact was tracking who was using the model and in what location. So if a prompt might say something like today's date is followed by the date, but the tool was actually inserting in place of parts of that information that would actually track who the user was, where it was coming from.
Scott Caravello: Yeah, and so the way that it was doing that, and the reason that it was doing it, it was checking the system time zone of the user system for time zones associated with Shanghai or Hangzhou in China, and this is the key part. It also scanned the address of any custom API endpoint that the user had configured for accessing Claude Code and checked it against a list of Chinese company or AI lab domains.
Katherine Forrest: Okay, I wanna like just translate that for a minute because that was that was really fancy stuff and that you just said. You said it scan the address of any custom API endpoint configured. Like okay, let me just tell people what you were talking about, okay? So we know API— you can think of an API as the pipe and the pipe between two places. And so you can have API access that you can get, for instance, to Claude, where you can get, you know, a particular API access to Claude by having a direct pipe into your, say, business and you'd have a special agreement for that. Or you can have API access into a variety of applications. And when you've got API access that has an endpoint that's configured for accessing Claude Code or— it would scan the address of that endpoint, it was scanning effectively the IP address. So as we know, every single piece of hardware out there that's connected to the internet has got an IP address. And so what we would have is there would be an IP address or other indicator of location or gateway and they would take that information and they would actually compare that information against a hidden list of Chinese company AI lab domains. So that's really what was happening. They were comparing this location information inside the code to where people were.
Scott Caravello: And Claude Code engineer had said on X and explained that the purpose of this was anti-distillation. And as we've talked about before, model distillation is when someone uses bigger, more capable models to develop smaller, more cost-efficient models so that the smaller ones can then match the bigger ones' capabilities. And so they were concerned about Chinese AI labs using Claude models in order to develop their own technology. And so then he also said that the team had designed stronger mitigation since setting up this experiment with Claude Code. And had been meaning to remove it, and then actually did remove the code a day after t Thereallo published his finding. Or maybe it's Thereallo.
Katherine Forrest: Oh. Well, either way.
Scott Caravello: Apologies to Mr. Thereallo for any mispronunciation on the podcast or miss— apologies. Yeah.
Katherine Forrest: Right, of— of the name. But Thereallo, there's a couple of different ways it could actually be pronounced. And in any event, there was— there has been an ongoing sort of situation with Anthropic where they've been talking about this distillation issue, which is again, as you were just saying, sort of one model being used to train another model. So you actually ask one model millions of prompts and you get lots and lots of answers and information from that teacher model, if you will. And then there's sort of a student model where that output is then used to train that other model. And so that distillation is something that companies aren't always big fans of and so they're trying to figure out well where is— where is all of this coming from? Who's trying to engage in this distillation? And so the code, the steganographic code, was an anti-distillation. It was trying to track where it was coming from. And in a letter that was dated in June of 2026 that Anthropic wrote to two U.S. senators, they described the largest distillation attack ever seen and actually publicly were able to tie tens of thousands, they said, suspicious accounts to a particular Chinese lab. This is one of those distillation attacks. So the company, actually when it put in the steganographic code, wasn't acting in a vacuum, it was acting against the backdrop of what they have publicly at least identified as real distillation attacks. So it's an interesting situation, but it's really gotten people's hackles up.
Scott Caravello: Yeah, and it makes sense, right? I mean the distillation threats are clearly very real to the major AI developers in the States and they're trying to protect their technology from being used by competitors to develop their own.
Katherine Forrest: Right. And so, that was sort of the first part of our segment on our little Anthropic Claude steganographic situation, which is interesting because I think that steganography is something that we know that some models are actually able to do themselves, are able to communicate, you know, between each other using some steganographic methods. But let's sort of leave that technique that Anthropic has itself used, the models can use and distillation and go on to something else which is also very interesting, which is something that just happened on July 1st.
Scott Caravello: Right, so on July 1st the Federal Trade Commission put out a proposed policy statement with the title "The Suppression of Accuracy in Artificial Intelligence Systems," which is now open for public comment.
Katherine Forrest: Right. So let's just think about that title for a second. "The Suppression of Accuracy in Artificial Intelligence Systems." And so we really sort of wanna just pause on that when we talk about what this proposed policy is getting at. So to remind our listeners, the Federal Trade Commission is— you know, it's one of the branches of the—part of the executive branch and it often uses Section 5 of the FTC Act to go after different kinds of harms to consumers in the form of deceptive acts and practices. And recently we had the Supreme Court case that we talked about where—in the Trump-Slaughter case—where President Trump had actually fired the chairperson of the FTC, Rebecca Slaughter, there had been a lawsuit about whether or not he could do that or not, and the Supreme Court has said that in fact he does control through the executive branch the ability to hire and fire people at the FTC. So the FTC has got this Section 5 ability that is ultimately then sort of, you know, runs its way up the chain through the executive branch. And the FTC in this new policy statement is saying that certain AI companies have been marketing their systems or making statements that explicitly or implicitly are trying to fiddle with the results to make the output come out in a particular way. And that they call that, these companies, this is the claim, they're calling that pursuit of fairness. And, you know, of course we have all of the algorithmic bias and algorithmic discrimination cases that have been around now and laws that have been around for quite some time. And what this law is saying effectively is that we've got model developers that are trying to eliminate algorithmic discrimination and algorithmic bias, but that the result of what they're doing is coming out with less than accurate output. So that, we're, the claim is, that we're sacrificing accuracy for these other purposes and so that according to this policy statement, that would be a harm to consumers.
Scott Caravello: Right. And so again, that's the claim, but part of what they're saying in supporting that claim is that people tend to just accept AI outputs without much fact-checking, and they say that people do so more than 90% of the time. So the idea behind this claim is that if users are then trusting the outputs to such a large extent, distorting the outputs in some way such that it's not just the accurate, truthful output could be viewed as deceptive, which would then violate Section 5 and its prohibitions on deceptive acts or practices.
Katherine Forrest: Right, so the concept is that if a developer or deployer, and the deployer might be actually even a tool developer, not even necessarily a model developer, alters or steers a model's output away from what the user asked for and changes the output in some way to meet a predetermined desired end of the developer or deployer and doesn't disclose that, then that could end up being considered deceptive. And so one other piece of that is that there are some state laws, as we said, about— you know— outlawing algorithmic bias, algorithmic discrimination. And what the FTC, this policy statement says is that if the model developer or deployer is steering the output away from the actually accurate output in the name of complying with that law, that's not a defense. And so it's gonna be very interesting times. I mean there's different policy pushes and pulls that are going on between trying to eliminate algorithmic bias, algorithmic discrimination, and now this FTC policy statement saying, oh, hold on, don't start changing the output for purposes of just trying to come up with a particular policy position, but you should really only have accuracy and accuracy despite whatever the data may say.
Scott Caravello: Yeah, and so even though that point about algorithmic discrimination is really the driving policy behind this statement, it's— the whole thing is phrased quite broadly. So you do run into the question of whether other really common routine features of models and systems designed for safety purposes, could potentially be considered to also run afoul of Section 5.
Katherine Forrest: Right. So what we're talking about is sometimes with a mitigation, maybe you've put in a guardrail that's gonna actually steer a model in a particular way and there'll be questions about to what extent are you, because you're not actually giving the direct output to the consumer, are you actually running afoul of this policy statement? Let me give you an example. Let's say someone said, let me come up with a formula to make anthrax and in fact the model rather than just saying I can't answer that, which is what they would typically do, actually steers you in a different direction and gives you a false way of making anthrax. That could actually run afoul of this. So not answering the question I think would not, but answering the question in a way that's inaccurate could.
Scott Caravello: Right. But then the one thing I guess I would add on to that though is that there is sort of this touchstone of Section 5, which is about the consumer's reasonable expectations. So we could probably sit here and get to the point where we'd say that a consumer does not have reasonable expectations that the model will give it the information on how to actually develop anthrax. So right, so there is kind of this push and pull in how broadly it will be interpreted, but still running up against how Section 5 has been interpreted by the courts, and how it would get litigated and enforced. But even besides that, Katherine, I think there is an off-ramp to this policy statement that maybe we can talk a little bit about.
Katherine Forrest: Right, and that's about setting expectations and making disclosures to consumers because a company can actually prioritize objectives other than raw accuracy, for example, safety, as long as it discloses it. So that's the off-ramp. So— so long as there's disclosure, you would get around the deceptive practices sort of provision of Section 5 of the FTC Act. So that's really I think the off-ramp.
Scott Caravello: Absolutely. So the practical read of all of this is that, you know, if it's finalized as written, which it may or may not be, again, because there is this public comment period, if the system shapes outputs, this is gonna be important for folks not only who are developing the models, but also for those who are actually deploying them and maybe putting in place system prompts to, you know, gear the system to actually do what it needs to do for their business, and you know, surfacing all that information and disclosing to users upfront what modifications are being made.
Katherine Forrest: Right. And so there's public comment that's open until July 31st. So there's a lot of sort of still runway here. So it'll be interesting to watch where all of this goes and then what happens as between the state laws and this new policy statement. But let's go on to our last topic, which is actually some developments in one of my favorite areas, as you know, which is quantum computing. And we've talked about quantum computing a few times. But what sparked this, I remember sort of sending it over to you a couple of weeks ago, Scott, was a newsletter that IBM had, you know, pushed through and I got it on one of my morning feeds, and it announced that, quote, "Q Day has already begun."
Scott Caravello: And so maybe to start, for those who might not be quite as deep in the quantum world as you are, Katherine, what is Q Day?
Katherine Forrest: Well, we're all actually living in the quantum world, Scott. I just wanna tell you.
Scott Caravello: Hahaha. That’s so true. So true.
Katherine Forrest: We're all living in the quantum world, all right? I don't know what universe you're living in, but we're actually— we're living in a quantum world, okay?.
Scott Caravello: It's made of hats.
Katherine Forrest: There's lots of small hats that are all in superposition at the same time.
Scott Caravello: Yeah.
Katherine Forrest: Your hats are all neither on nor off. They're both on and off if you're not looking at your hat, okay? Only people who are interested in quantum will actually get that joke and then they might get a little chuckle. But, anyway, Q Day is the point in time when a quantum computer is allegedly going to arrive at a point where it's capable of breaking public key cryptography that basically secures the entire internet. And so to explain what that means practically, public key cryptography actually encrypts information that's being transmitted back and forth between you and a website that you might be visiting. So when you see something and it says this is encrypted. So you've got sort of cryptography that is actually encrypting that. And you actually have— there's a public key that is behind that. So for instance, when you access a bank account, the information that you're exchanging is protected and it's not just flowing openly through the internet. It's actually flowing through the internet in an encrypted form. So if I broke into the internet and grabbed your banking information as it was going from you to the bank, it would look like gibberish to me. It would be encrypted.
Scott Caravello: Exactly. And so if you're hearing the phrase public key then and thinking, well, why is something called public key secret? Well the idea is that the website you're visiting is publishing a public key that anyone can use to lock a message, but only then with the secret private key can it be unlocked. And what makes that work is a kind of math that's easy to do in one direction to actually lock it, but with current computing it's effectively impossible to reverse and unlock it without the secret key. So it would take an ordinary computer like the ones that we're working on, that maybe you're listening to this on, it would take and ones much more powerful than that, take longer than the age of the universe to work backwards and solve that problem.
Katherine Forrest: Right. And so that's exactly where the quantum computer comes in. So back in actually 1994, there was a mathematician named Peter Shor who proved that a large, well-behaved quantum computer could do that very reverse essentially mathematical factoring, efficiently in what he at that point said days or even hours, which would have been extraordinary. Now, of course, it's much, much faster.
Scott Caravello: But so how close is the hardware to actually reaching that point? We've talked about this extensively in prior episodes, because people typically think about quantum computers as being pretty far off, at least at a commercial scale. But today's machines have hundreds of qubits, and those are the basic computing blocks of the quantum computer. And so to break these cryptography systems that we're talking about, it would still take thousand— right, exactly, the public-private key. It would still take thousands, if not millions, of qubits. And so the NSA, for example, has said it doesn't know when such a machine's going to arrive and some expert panels say that it's unlikely before 2030, but it seems as though the timeline does keep arguably moving up. So, it's interesting.
Katherine Forrest: Yeah. So let me just sort of refer our listeners, you can get a list of our prior episodes and so if you want to learn about qubits and all and stability and why it's so hard with a quantum computer or to actually make these qubits stable so that they're able to work in the way that will make a quantum computer most functional. Go to some of those— prior episodes on quantum. There are only three of them. And you'll be able to sort of, you know, pick up on that. But you know, the problem is not a problem that is so very far away because there are advances now, and we've talked about also hybrid quantum being a combination of classical computing like the classical computers that we all use right now every day, along with quantum computing. And so things are really advancing fast. And so it might be faster than 2030 that we actually have this kind of insecurity in our encryption over the internet with quantum computing. And so that's why IBM in this push that I got through my email was saying that Q Day may already have begun. And the reason for that is a tactic that the security world is calling "harvest today and decrypt later." So harvest today and decrypt later. And so what that's really talking about is that as people, particularly some bad actors, are anticipating the coming of quantum capabilities. So we all know they're not quite there yet, right? They can't just decrypt everything instantaneously. But as people are starting to imagine that that's going to be possible, they're actually starting to harvest all kinds of encrypted information from digital repositories and from the internet. And the idea is harvest that now and later on you'll be able to decrypt it. When quantum is available, you'll be able to decrypt it. So it's not necessarily at all a good thing. So if your data has to stay secret, for instance, for say 10-20 years, think about health records, financial data, trade secrets, you know, various kinds of technology, you know, designs or state secrets, then the clock could be running because you could already have a harvesting of some encrypted data which is being held someplace, and when one day somebody is able to utilize quantum computing to decrypt it, to actually get underneath it, we could have a real problem on our hands. So, you know, the harvest now decrypt later could mean that we've got Q Day sort of starting already. We're not at midday yet, but we're sort of somewhere in the morning.
Scott Caravello: And I know we're getting short on time, but one really interesting aspect also of this newsletter that it's bringing attention to is what the researchers are also talking about, a separate tactic called "steal now, forge later." Basically the idea that the adversaries can capture digital signatures, certificates, and identity credentials that let you prove who you are. And then when the quantum computing again advances far enough and can break those encryption algorithms, they'll be able to fake those identity artifacts, right? So as far as actually proving who you are to a system. And so then as IBM researchers phrase it, that's the digital equivalent of needing to change every door lock on the planet.
Katherine Forrest: Right. And so the good news with all of this is that there are these replacement locks that are already being developed and NIST, the National Institute for Science and Technology, has actually finalized its first post-quantum cryptography standards and it did that actually almost two years ago now. And migration has already started and, you know, Cloudflare, which provides a whole bunch of different kinds of internet services, says that a lot of traffic is already becoming post-quantum encrypted. And for instance, Signal, the messaging app has rebuilt already a chunk of its protocol. So, you know, IBM's roadmap points to a machine around 2033 that could be strong enough to threaten today's encryption, but we're also trying to keep ahead of that already. So I think, Scott, that's about all we've got time for today.
Scott Caravello: And we covered a lot of ground.
Katherine Forrest: All right, so what hat are you wearing? If we measure the hats behind you, then they will actually have a wave collapse and you'll be wearing one. And which one will it be? It'll be that top orange one. Tell everybody what that top orange hat is.
Scott Caravello: Ha ha. Go Vols, yeah, University of Tennessee Volunteers.
Katherine Forrest: All right, okay.
Scott Caravello: My wife is from Knoxville, so it gets featured a lot.
Katherine Forrest: Wait, have you been to Blackberry Farm?
Scott Caravello: No, but you know it's on my list, obviously. Have you been?
Katherine Forrest: I've been to Blackberry Farm. Yes, I have been to Blackberry Farm. It is really worth going. What a terrific place. Anyway, the food there is spectacular. So if you're near Knoxville, you have to go to Blackberry Farm. So anyway, all right, folks. Thanks for listening and we will catch you next week. I'm Katherine Forrest.
Scott Caravello: And I'm Scott Caravello. Don't forget to like and subscribe.
Related Sources
- [Anthropic] Letter to Senators Tim Scott and Elizabeth Warren Re: AI Distillation Threats
- [FTC] Proposed Policy Statement Concerning the Suppression of Accuracy in Artificial Intelligence Systems
- [IBM] Q-Day has already begun. Are you ready?
- [Thereallo] Claude Code Is Steganographically Marking Requests