Privacy consultant Alexander Hanff alleges Anthropic's Claude Desktop violates EU law by pre-installing browser integration files without consent, creating security risks through pre-authorized access to Chromium-based browsers.
Anthropic's Claude Desktop application for macOS has come under scrutiny for silently installing files that modify browser settings and pre-authorize browser extensions without user consent, raising significant privacy and security concerns.
Undisclosed File Installation and Browser Integration
The controversy centers on Claude Desktop's installation of a Native Messaging manifest file named com.anthropic.claude_browser_extension.json. This file gets installed automatically when Claude Desktop is set up, even for browsers that users haven't installed yet. The manifest pre-authorizes three different Chrome extension identifiers, allowing associated browsers to run a local executable when they are eventually installed.
According to privacy consultant Alexander Hanff, this behavior constitutes a violation of European privacy law, specifically Article 5(3) of the ePrivacy Directive. The directive requires service providers to obtain clear consent before accessing a user's data, unless access is strictly necessary for the service being requested.
Hanff discovered this undisclosed installation while debugging another application that used Native Messaging, a Chrome API that lets browser extensions exchange messages with native applications on the host. Claude Desktop relies on the Electron framework, which bundles a version of Chromium, creating the pathway for this silent integration.
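A defender-side audit of the mechanism described above, added here as an example and not code from the article or from Anthropic: it scans the per-browser NativeMessagingHosts directories on macOS, parses any host manifest in the documented Chrome format, lists the binary each one launches and the extension IDs it pre-authorises, and flags browsers whose profile directory shows no sign of ever having been run. The Chrome and Chromium paths follow Google's Native Messaging documentation; the Brave and Edge paths, the "Local State" heuristic and the sample manifest are assumptions.

```python
"""Audit Chromium Native Messaging host manifests written under a macOS user account."""
import json
import os
from pathlib import Path

# User-level host directories. Chrome/Chromium are documented; Brave and Edge are assumed.
BROWSER_HOST_DIRS = {
    "Google Chrome": "~/Library/Application Support/Google/Chrome/NativeMessagingHosts",
    "Chromium": "~/Library/Application Support/Chromium/NativeMessagingHosts",
    "Brave": "~/Library/Application Support/BraveSoftware/Brave-Browser/NativeMessagingHosts",
    "Microsoft Edge": "~/Library/Application Support/Microsoft Edge/NativeMessagingHosts",
}

# Constructed sample in the documented manifest format; IDs and path are placeholders.
SAMPLE_MANIFEST = """{
  "name": "com.example.sample_host",
  "description": "Sample native messaging host",
  "path": "/Applications/Example.app/Contents/MacOS/example-bridge",
  "type": "stdio",
  "allowed_origins": ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/",
                      "chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/"]
}"""

def parse_manifest(text):
    """Return host name, the binary it launches, pre-authorised extension IDs, binary presence."""
    m = json.loads(text)
    ids = [o.removeprefix("chrome-extension://").rstrip("/") for o in m.get("allowed_origins", [])]
    return {"name": m.get("name"), "binary": m.get("path"), "extension_ids": ids,
            "binary_exists": os.path.exists(m.get("path") or "")}

def audit(host_dirs=BROWSER_HOST_DIRS):
    """Collect every manifest found; 'browser_used' is a heuristic based on Chromium's
    'Local State' file, which a browser writes on first launch (assumed, not from the article)."""
    findings = []
    for browser, d in host_dirs.items():
        d = Path(d).expanduser()
        if not d.is_dir():
            continue
        used = (d.parent / "Local State").exists()
        for f in sorted(d.glob("*.json")):
            info = parse_manifest(f.read_text())
            info.update({"browser": browser, "manifest": str(f), "browser_used": used})
            findings.append(info)
    return findings

def summarise(findings):
    """One report line per manifest; flag hosts pre-authorised for browsers never run here."""
    return [f'{r["browser"]}: {r["name"]} -> {r["binary"]} ({len(r["extension_ids"])} extension id(s))'
            + ("" if r["browser_used"] else "  [browser never run here]") for r in findings]

if __name__ == "__main__":
    for line in summarise(audit()) or ["no native messaging host manifests found"]:
        print(line)
```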
Security Implications of Pre-Authorized Access
The security concerns extend beyond the lack of disclosure. Browser extensions typically request broad permissions, and the Claude extension has authenticated session access that allows it to read web pages, fill out forms, and capture screens. More troubling is that the binary bridge application runs outside the browser's sandbox at user privilege level without surfacing any permission prompts.
Hanff points out that Anthropic's own safety data indicates Claude for Chrome is vulnerable to prompt injection attacks, with a 23.6% success rate without mitigations and 11.2% even with current protections. The pre-installed bridge creates a direct path from browser extensions through the bridge to a helper binary running outside the browser sandbox.
Multiple Violations of User Trust and Privacy Standards
Hanff identifies numerous problems with Anthropic's approach:
- Forced bundling across trust boundaries by writing configuration files for other vendors' browsers
- Invisible installation by default with no opt-in mechanism
- Difficult removal process for the pre-installed files
- Pre-authorization of browser extensions that haven't been installed
- Unclear naming that fails to clarify the scope of permissions being granted
- Pre-authorization of non-present browsers to use the Native Messaging binary
This behavior breaks widely understood trust boundaries, as users don't expect desktop applications to silently modify other applications, especially across vendor lines. European regulators particularly expect explicit opt-in, installation scoped only to user-selected integrations, and clear persistent controls with real revocation capabilities.
Expert Analysis and Legal Implications
Noah M. Kenney, founder of advisory firm Digital 520, acknowledges the technical validity of Hanff's findings while pushing back on the "spyware" characterization. Kenney notes that the technical claims are largely testable and reproducible, with identical Native Messaging manifests being written across multiple Chromium-based browser paths.
From a legal perspective, Kenney explains that Article 5(3) of the ePrivacy Directive clearly applies to storing information on a user's device, making the act of writing these manifests in scope. The critical question becomes whether this action is "strictly necessary" for a service the user actually requested. While vendors might argue this is part of a unified product experience, European regulators tend to interpret "strictly necessary" narrowly.
Kenney emphasizes that silently installing cross-application integrations, especially into browsers the user hasn't opted into, is likely to fall outside the exemption and carries credible regulatory risk. European enforcement is moving toward demonstrable, user-visible control rather than implied or deferred consent.
Technical Issues and Ongoing Concerns
The situation is further complicated by an unfixed bug in the Claude Desktop native messaging host. The Claude Code and Claude Desktop native messaging host registrations conflict with one another, causing the associated Chrome extension to fail with Claude Code. This bug was auto-closed on February 28th by a GitHub Actions bot, leaving the issue unresolved.
Anthropic has not responded to requests for comment on these allegations. Hanff indicates he hasn't filed a formal complaint yet but intends to do so if the company fails to address the installation process concerns.
The controversy highlights the growing tension between AI companies' desire for seamless integration and users' expectations of privacy and control over their systems. As AI applications become more deeply integrated into users' workflows, the methods used to establish these connections will face increasing scrutiny from privacy advocates, security researchers, and regulators alike.
The case also underscores the importance of transparency in software installation processes, particularly for applications that position themselves as privacy-conscious alternatives in the AI space. The gap between Anthropic's safety-focused branding and the reality of its installation practices could have lasting reputational consequences, regardless of the legal outcome.