Media coverage since the initial post
In the few days since my initial post, the story has received widespread coverage across both the technical and mainstream privacy press, and has sustained continuous discussion across the online communities that follow issues of this kind.
English language coverage has included The Register, Malwarebytes Labs, Neowin, AskWoody, and Patrick Gray's Risky Biz newsletter. International pickup has spread to Golem.de in German, pplware.sapo.pt in Portuguese, SecurityLab.ru, OpenNet.ru, and Anti-Malware.ru in Russian, ComputerWorld.dk in Danish, ittechblog.pl in Polish, innovatopia.jp in Japanese, and CyberSec Brasil in Brazilian Portuguese.
Beyond the press, the story has circulated on Hacker News, Reddit (including r/LocalLLaMA and r/france), Menéame in Spain, LinuxFR in France, Lobsters, and dozens of Mastodon instances in the Fediverse.
At the time of writing, the original post has been read well over 150,000 times, and the traffic continues to climb.
Anthropic's Silence is Deafening
Despite this level of public attention, and despite Malwarebytes Labs noting in their own coverage that they could find no response from Anthropic, the company has maintained complete public silence on the matter and they have failed to respond to my correspondence either. That silence is why I am now compelled to take the formal step that follows.
In order to be as transparent as possible, given that Anthropic have failed to get in touch over the issues relating to Claude Desktop installing Native Messaging Bridges, I have been forced to issue them with a Cease and Desist notice, which you can read below. I will continue to update the blog until the matter is resolved as clearly (given the traffic) this is of significant public interest.
Dear Anthropic,
Please consider this email as a Cease and Desist notice and understand that if the demands are not met, legal action will be commenced.
The nature of my complaint, I am sure you are already aware of given that it has gone viral on the Internet. You can find everything you need to know here:
https://www.thatprivacyguy.com/blog/anthropic-spyware/
To be clear, the installation of these Native Messenger bridges is illegal under EU law as follows:
Directive 2002/58/EC Article 5(3) clearly states that storage of information or gaining access to information already stored on the terminal equipment of an end user is only permitted if the end user is fully informed and has given their explicit consent - unless it is strictly necessary for the provision of the requested service.
I have not installed Claude Chrome (which is what these manifests are for) and as such you need to ensure that you push an update to Claude Desktop (and Claude Code) which removes the manifests and does not install them again until the user installs the Chrome plugin for Claude Desktop (or Claude Code) - it is not ok to start pre-emptively installing shit on my machine, it is in fact not just a breach of the ePrivacy Directive but also a criminal breach of Article 337C of the Criminal Code (Chapter 9 of the laws of Malta) which criminalises installing, altering, erasing, or destroying data or software without authorisation.
I am not anti Anthropic (I use your services every single day) but I am anti malware/spyware and quite frankly, shitty behaviour; and this was shitty behaviour and you need to fix it. So I am giving you a chance - I expect to see a new update within 72 hours that removes these manifests and if that does not occur, I will file criminal and civil complaints against Anthropic and I will be exceptionally public about it.
Don’t do a Google, don't be evil, you have an opportunity to build trust - don’t break it.
Sincerely, Alexander Hanff LLM, CIPT, CIPP/E, FIP
