I'm sure they've had complex server-side detections for a while. But for the client parts: it should only contain the parts that must be on the client (while some of this probably could've been done more fuzzily/broadly on the client, for plausible deniability, and narrowed on the server), and it could be done in a more benign-looking way.