When Alibaba banned Claude Code this month, the interesting part was not the ban. It was the list.
Start with the object itself. A 高风险软件名单, a "high-risk software list," is an internal roster of software a company bars from its own machines. On its face that is routine corporate IT housekeeping, the sort of list any large firm keeps. What makes this one worth an issue is that the phrase is also the vocabulary of state software governance: once a company writes a foreign AI tool onto such a list, the state can read it, adopt it, and extend it.
The internal notice did not say the tool was a competitor's product, or a legal liability, or collateral in a dispute over model distillation. It said Claude Code had been evaluated and placed on a 高风险软件名单, a list of high-risk software. Five days later, a vulnerability platform run by China's industrial ministry issued a formal advisory saying much the same thing, with version numbers. A corporate compliance decision and a state security instrument, speaking the same language, in the same week.
This issue is about that language: where the list came from, what it does, and why the vocabulary of software risk is doing the work that the word "ban" only appears to do.
What is sourced. On 3 July, multiple Chinese outlets (Zhidx claiming the exclusive, Guancha, Southern Metropolis Daily, Sina Finance) reported, citing internal sources, that Alibaba had placed Claude Code on a 高风险软件名单 (high-risk software list) following a "comprehensive evaluation" (综合评估), with a workplace prohibition effective 10 July and Qoder recommended as replacement. The key sentence is consistent across outlets as reported paraphrase; SCMP reported separately that it had seen the notice itself, in which the tool was described as carrying "back-door risks." Chinese coverage adds that the directive extends beyond Claude Code to the full Anthropic product line, framed as "preventive isolation" (预防性隔离) at the vendor level.
The following separates the record from my reading.
What is assessment. The notice's vocabulary is the vocabulary of state software governance, not internal IT policy. "High-risk software list," "comprehensive evaluation," "security vulnerabilities": each phrase has a home in China's regulatory architecture. The 2021 Provisions on the Management of Security Vulnerabilities of Network Products (网络产品安全漏洞管理规定) established the reporting infrastructure that includes the NVDB platform; the Cybersecurity Review Measures (网络安全审查办法) normalized "comprehensive evaluation" as the procedural register for excluding foreign technology. The open question this issue cannot yet close is whether Alibaba's list is a standing internal mechanism with published criteria and other named entries, or a category constructed for this decision. We assess the distinction matters less than it appears: either way, the notice performs regulatory legibility, describing a business decision in terms the state system can recognize, adopt, and extend. Within five days, the state system did exactly that.
The sequence, sourced. The public record of the nine days:
The sequence, assessed. The load-bearing interval is 3 July to 8 July. A firm made a security determination in regulatory vocabulary; a ministerial platform then issued a formal instrument matching it in substance and citing the same version range that appeared in the public reverse-engineering. Per Key Judgment Six we do not assess coordination. We assess, with low confidence, that the direction of information flow ran from public disclosure and corporate action toward state validation, because that ordering requires the fewest unobserved steps. The alternative, that NVDB analysis was underway independently and the timing is incidental, strengthens considerably if the advisory's technical detail proves to be its own rather than derivative of the Reddit analysis.
What it means / what's next. For Chinese firms with a compliance function: the organizational channel to Anthropic products is effectively closed, whatever individual developers do. For Anthropic and other foreign vendors: the durable risk is not the single ban but the category: once a foreign AI tool is an evaluable object on a list, the next placement is procedural, not headline, news. For analysts: the sharpest question, whether the state advisory rests on independent analysis, still turns on primary documents not yet public. Indicators to watch: (1) whether NVDB's technical findings show independent analysis or mirror the public reverse-engineering, the pivot for Key Judgment Six; (2) other named entries surfacing on Alibaba's list; (3) other major firms adopting the 高风险软件名单 framing.
内外有别, "inside and outside are treated differently," is this publication's standing section on what changes when an account crosses a line. Here the line runs between languages and between institutions: the same detection code received three names in nine days, each doing work for its author, and the question is which name the Chinese system kept.
Anthropic: an experiment. The company's public framing, via Shihipar, called the detection code an anti-abuse experiment already slated for removal. The word does the work of minimization: an experiment is temporary, bounded, well-intentioned. What it does not address: the code shipped in a production tool with file-system access, undisclosed in release notes, for roughly three months.
Alibaba: a backdoor. The notice's term, 后门, is maximal in the other direction. A backdoor implies covert access capability, not covert telemetry; the reported findings describe environment inspection and identification signaling, which is surveillance vocabulary, not access vocabulary. The stronger term serves the compliance function: backdoors have an established home in Chinese security-review criteria, and telemetry disputes do not.
NVDB: unauthorized transmission of sensitive information. The state instrument is, notably, the most technically precise of the three. It specifies conduct (transmission of region and identity information without consent), scope (versions 2.1.91 to 2.1.196), and remedy (audit, uninstall, upgrade). It adopts the backdoor frame (安全后门隐患) while grounding it in data-protection conduct. This is the description with legal architecture behind it, and the precision is itself a signal: the platform is showing that the state instrument rests on findings, not on Alibaba's characterization.
The read. None of the three descriptions is neutral, and this issue does not adjudicate the technical truth among them; that requires the underlying code analysis. The analytical point is the migration. A term, 后门, entered through a corporate notice, was validated by a ministerial platform within five days, and is now the durable Chinese-language name for the episode. The English "experiment" stayed in English and did its minimizing work there; the Chinese "backdoor" is what crossed into the institutions. Vocabulary, once institutionalized, sets the terms for every subsequent case.
Satellite terms this cycle. 后门 (backdoor), the category-trigger; see One code, three descriptions above for the work it does. 预防性隔离 (preventive isolation), the vendor-level quarantine frame in Chinese commentary; commentary vocabulary, not notice vocabulary, as far as sourced. 自主可控 (independent and controllable), the policy telos the episode serves, present throughout the Chinese commentary and in Qoder's positioning as auditable and sovereign by design.