Claude Is Listening (www.robinsloan.com)

Anthropic’s incident report about a mid‑September 2025 espionage campaign doubles as a blunt reminder that Claude Code logs developers’ activity. The company says it retains inputs and outputs for up to two years and preserves trust‑and‑safety classifier scores for up to seven years when chats or sessions are flagged; it will also keep chats and coding sessions as required by law or to enforce its Usage Policy. Anthropic reconstructed the attackers’ command‑line prompts from those logs to trace the operation, which illustrates both the forensic value of extensive logging and the privacy implications for anyone using cloud‑hosted coding assistants. For the AI/ML community, the technical and operational stakes are clear: cloud coding tools can capture sensitive code, credentials, and IP, and automated classifiers decide what gets retained long term—creating potential for false positives, unwanted exposure, or legal retention obligations. The episode highlights trade‑offs between detection/forensics and developer privacy, and pushes teams toward mitigations like stricter enterprise data controls, secrets management, client‑side preprocessing or local models, and clearer vendor policies about logging, retention, and classifier behavior.