A VPN changes your IP, but not your browser timezone or language. Learn how apps combine these signals to detect your real region — and how to check your own.
In July 2026, Anthropic announced it was widening the restrictions on who can buy access to Claude, extending the block beyond a list of unsupported countries to cover "companies or organizations whose ownership structures subject them to control from jurisdictions where our products are not permitted, like China, regardless of where they operate." The official announcement frames this as an entity-ownership check, not a technical one — but it landed in the middle of a much broader, very real trend: more and more services gate access by region, and region gating has never relied on your IP address alone. Whatever any single vendor's enforcement actually looks like under the hood, the general toolkit for figuring out "where is this connection really coming from" is well documented, and it's built into far more everyday apps and websites than most people realize.
Key Takeaways
- Your IP address, your browser's timezone, and your browser's language setting come from three unrelated sources — network routing, OS clock, and OS/browser configuration — so a VPN that changes only your IP leaves the other two exactly where they were.
Intl.DateTimeFormat().resolvedOptions().timeZoneand theAccept-Languageheader are ordinary, unguarded browser metadata — any site can read a US IP address next to anAsia/Shanghaitimezone without asking permission.- Region detection rarely stops at one signal: canvas, WebGL, fonts, screen metrics, and User-Agent/Client Hints all add corroborating (or contradicting) evidence about who and where you really are.
- A VPN or proxy that changes your IP but not your other signals doesn't hide you — it creates a mismatch, which is itself a stronger flag than an ordinary residential connection would ever raise.
- You can see exactly what your own browser currently broadcasts — timezone, language, and the rest of your fingerprint — with BrowserInsight's fingerprint check.
What the Anthropic announcement actually says — and doesn't
It's worth being precise about the source here, because the reporting around it moved faster than the facts. Anthropic's own post describes an ownership-structure rule: access can be restricted for an organization more than 50% owned, directly or indirectly, by a company headquartered in an unsupported region, "regardless of where they operate." The stated concern is national security — that such entities could be legally compelled to share data or could use the capability to benefit an adversarial military or intelligence program. The announcement does not describe checking a user's system timezone, browser language, or IP address as part of that mechanism.
Plenty of commentary since has speculated about how region restrictions like this might be technically enforced in practice — timezone, language, and IP/VPN signals are the obvious candidates, because they're exactly what any web service would reach for. That speculation may turn out to be accurate, partially accurate, or not, and treating it as confirmed vendor internals would be getting ahead of the evidence. What we can say with confidence, independent of any one company's specific implementation, is that timezone-and-language-vs-IP checking is a real, widely used, and easy-to-verify technique — one you can watch happen on your own connection in a couple of minutes.
The three signals that usually agree — until a VPN is involved
A website assembles its best guess at "where you are" from data that comes from unrelated layers of your system:
- IP geolocation is inferred server-side by mapping your IP address against registry allocations and commercial geo databases. It reflects where your connection exits — your home ISP, or a VPN server — not necessarily where you're physically sitting.
- Timezone comes from your operating system clock, exposed to JavaScript via
Intl.DateTimeFormat().resolvedOptions().timeZone(or more crudely viaDate.getTimezoneOffset()). It reflects whatever timezone your device is set to, which most people leave on "automatic." - Language comes from your browser's configured language list, sent on every request as the
Accept-Languageheader and readable vianavigator.language/navigator.languages.
For the overwhelming majority of visitors, these three signals agree, because most people browse from wherever they actually live using a device set up for that place. A VPN changes only the first one. If your IP suddenly geolocates to a country whose typical UTC offset is hours away from your reported timezone, or whose common languages don't include the one your Accept-Language header lists, that gap has no everyday innocent explanation for someone physically in that new location. Our deep dive on timezone and locale leaks walks through exactly how detectors compare these values and how proxy tools try — and often fail — to spoof them convincingly.
Why "just use a VPN" backfires
This is the counterintuitive part: turning on a VPN without touching anything else doesn't make you blend in — it manufactures the exact contradiction a detector is built to catch. Your fingerprint (timezone, language, fonts, canvas, WebGL) stays completely unchanged; only your IP moves. A residential visitor with a US IP, a US timezone, and en-US language looks unremarkable. A visitor with a US IP but an Asia/Shanghai timezone and a zh-CN language list looks like exactly what it is: someone connecting through infrastructure that doesn't match their actual device settings. How websites detect VPNs and proxies covers the full stack these checks sit inside — IP blocklists, ASN classification, WebRTC/DNS leaks, and connection-pattern analysis — timezone/language mismatch is one input among several, but it's cheap to check and hard to avoid without deliberately re-aligning your settings.
Beyond timezone: the rest of the fingerprint surface
Timezone and language are only the two easiest signals to reason about — they're not the whole picture. The same request also carries your User-Agent and Client Hints, screen resolution and color depth, installed font list, and — for anything that runs JavaScript on the page — canvas and WebGL rendering output, which can reveal your GPU vendor down to the model. None of these are region signals on their own, but they combine with timezone and IP to build a much stronger, much harder-to-fake picture of a single, consistent device. Our browser fingerprinting guide covers how these signals combine into an identifier that's frequently unique to one browser, and why fixing only the timezone and IP while leaving everything else untouched still leaves you inconsistent.
Comparison of region-detection signals
| Signal | Source | Changed by a VPN? | Region-detection strength |
|---|---|---|---|
| IP address | Network routing | Yes | High (the baseline claim being checked) |
| Timezone | OS clock, read via JS | No, by default | Medium–High |
Accept-Language | Browser config | No, by default | Low–Medium |
| Canvas / WebGL / fonts | Device + browser rendering | No | Low as a region signal, high for device identity |
| User-Agent / Client Hints | Browser config | No | Low–Medium |
No single row proves anything by itself — travelers, expats, and multinational teams produce real mismatches every day. What makes region detection effective is that it's rarely just one row: a system that gets the IP "right" but everything else inconsistent looks far more like a patched connection than a person who genuinely lives with a foreign-language OS.
Ordinary users, not just evaders, get caught in this net
None of this machinery is built to single out any specific policy or company — it's the same general-purpose signal stack that flags automated traffic, fraud, and abuse everywhere on the web. That means real people with entirely legitimate reasons for a mismatch — travelers who haven't updated their clock, immigrants still browsing in their native language, remote workers on a company VPN — routinely trip the same checks as someone deliberately trying to misrepresent their location. See bot detection techniques for how these same coherence checks feed into broader anomaly scoring, often with no way for an ordinary user to know why they suddenly hit a CAPTCHA or a region error.
Check what your own browser is broadcasting
You don't have to take any of this on faith — you can see exactly what a site would see from your current connection:
- Read your own signals. BrowserInsight's fingerprint check shows your reported timezone, language list, and full device fingerprint in one place.
- Read what your IP claims. The IP intelligence and VPN/proxy check tools show the country your connection geolocates to and whether it's flagged as a known VPN/proxy range.
- Compare them. If your IP points to one country and your timezone or language clearly points somewhere else with no travel-related explanation, that's the exact contradiction this whole detection category exists to catch.
Frequently Asked Questions
Does Anthropic's Claude actually check my timezone to detect my region?
Anthropic's own announcement describes an ownership-structure rule for who can purchase access — it does not state that timezone, language, or IP checks are part of the enforcement mechanism. Reports speculating about specific technical checks go beyond what the official source confirms, so treat those specifics as unverified rather than established fact.
Does a VPN hide my timezone and language automatically?
No. A VPN only changes your IP address and network path. Your operating system's timezone and your browser's language settings are independent of your network connection and stay exactly as configured unless you change them separately.
Is a timezone or language mismatch enough to get me blocked on its own?
Usually not by itself. Detection systems combine timezone and language signals with IP reputation, leak checks, and fingerprint consistency into a single confidence score. One mismatch raises suspicion; it rarely triggers a block alone.
How can I see what a website sees from my browser?
Run BrowserInsight's fingerprint check to see your reported timezone, language, and full fingerprint, then compare it against your IP intelligence result to spot any contradiction yourself.
Conclusion
Region gating on the modern web was never just about your IP address — timezone, language, and the rest of your browser fingerprint all feed into the same picture, and a VPN that touches only the IP leaves the rest of that picture untouched. Whatever the exact mechanism behind any single company's policy turns out to be, the underlying technique is well understood, easy to verify on your own connection, and worth knowing about regardless of which service is doing the checking.
Recommended Reading:


