▲The root of the problem is that AI-as-a-service is corked, because companies providing it have a hell of an incentive to use all that data to out-compete their competitors, and they can do so in secret. To say nothing of salivating law-enforcement who really, really wants to tap into it. I'm hoping there will be at some point open-source and affordable hardware that can run competent models.
reply▲It's all extremely dystopian and I don't see how things improve. The handful of megacorps that have access to the compute and troves of stolen IP to train their secret models on have no incentive to contribute back.
They say their models are too dangerous for the public, so they can nerf the GA versions while allowing only their preferred megacorp or nation state partners access to the real secret good versions.
We can hope the Chinese open weight models will catch up, but if/when they really reach parity with proprietary frontier models you can bet they'll stop releasing their weights too. They don't do this stuff out of the kindness of their hearts.
It's tough to imagine what might possibly derail this.
someothherguyy58 minutes ago
[-] > It's tough to imagine what might possibly derail this.
Public utilities?
logancbrown52 minutes ago
[-] Chinese open weight models will be forced to do the same to remain competitive with other frontier labs. The moat is data going forward.
reply▲> The handful of megacorps that have access to the compute and troves of stolen IP to train their secret models on have no incentive to contribute back.
Meta and Anthropic both trained on pirated books and there were not required to destroy their models. I simply don't get it. It just encourages to do things first and see later what happens. Regulations are just a small business cost.
OtherShrezzing4 hours ago
[-] This is odd behaviour, and provides some evidence that Anthropic isn't being managed by serious people. With this policy across AWS/GH/Zed/etc, they're taking their massive lead in enterprise/govt sales and handing it to any competitor who can serve a model anywhere near these capabilities with a modestly nice UI.
reply▲cobolcomesback2 hours ago
[-] Every one of the competitors capable of a similar model have been salivating for a long time at the idea of consensual data sharing. Anthropic just opened the door for everyone to do the same thing without having to deal with being the first to do so. My bet is that OpenAI etc’s next model will have these same requirements.
Ever since the Mythos announcement it’s been clear that we’re heading towards a future where SOTA models are no longer available to the average person, and not only cost more, but also require payment in the form of use case verification and data sharing. OpenAI’s 5.5-Cyber model requires the same, so it’s not just Anthropic.
We’re unhappy with this because we’ve all gotten used to being able to play with the new shiny model as soon as it’s available, but what I’m seeing in this thread about Anthropic being “stupid” is emotion-based wishful thinking.
No, we are unhappy because there is no guarantee that my corporate documents wont be shared or trained on. We are already paying plus for using bedrock instead of the API version from Anthropic, so now there is no reason to use bedrock anymore. This whole thing about this model being too powerful to share is just the usual BS. Is an advanced model that dont have guardrails, just like the models that have been shared with the US government for years.
reply▲Hizonner34 minutes ago
[-] ... but you were silent when they did it to consumers...
reply▲iterateoften1 hour ago
[-] This narrative any criticism about Anthropic is emotional is such corporate cope that it boggles the mind to see people defend a trillion dollar corporation time and time again all while the same corporation actively makes things worse for the average person.
Cool. Everybody is doing it. Doesn’t make it right or make it good for the people. Everyone should complain and help others wake up that Anthropic isn’t the “good guys” like their narrative in Feb/march led so many to believe.
foobar_______1 hour ago
[-] Preach. I think I left a nearly identical comment yesterday in another thread. "well, the other companies do it too so they're not that bad" is absurdity. "that got shit on my couch, but he didn't shit in my mouth so he's not really that bad" just seems so misguided.
reply▲UqWBcuFx6NV4r3 hours ago
[-] Let’s be real, chances are that the people with a lot of money on the line have given it more thought than the passing thought that you gave this comment.
reply▲> Let’s be real, chances are that the people with a lot of money on the line have given it more thought than the passing thought that you gave this comment.
In theory, definitely.
But this seems like a really, really, really no-good seriously bad decision from Anthropic. Like, I get why they want this (and can see it from their perspective), but many of their largest clients literally cannot allow this without regulator sign-off, which almost certainly won't be forthcoming.
Like, if the Fed and the ECB say this is OK then it might work, but other than that I predict that this decision will be reversed ~soon.
I’m not sure that’s true. Do the Fed and ECB sign off on telcos keeping records of who these companies called? Of car rental companies keeping records of where employees rented cars?
As long as it’s service telemetry, not used for model training, not inspected by humans, not analyzed except for service purposes… I don’t see the regulatory issue.
Are there any regulations covering what telemetry your service providers can keep? I’m skeptical, but even if so it would be trivial for Anthropic to exempt certain larger customers while still keeping the policy published as universal.
It's more that banks etc are special-cased in a lot of the law around this, which makes the Fed/ECB (more often national regulators aligned with these) really important in determining what they are and aren't allowed to do.
By definition lots of the use of AI in these companies is gonna require personal data/PII etc (particularly in KYC/compliance or general processing usecases) which means that there's a regulatory constraint.
I personally would've thought that said organisations and regulators would be massively opposed to this for privacy and risk reasons, which is why I think this won't happen.
Even the companies with less sensitive data are generally paranoid about service providers getting "their" (actually their customers) data.
> Are there any regulations covering what telemetry your service providers can keep?
In the EU, this should be proportionate and should avoid special categories of personal data (which FIs will have a lot of).
> but many of their largest clients literally cannot allow this without regulator sign-off,
Their largest clients can negotiate their own deals with their own terms.
They do not have to go through the same public Amazon Bedrock deal that you and I sign up for.
They give it some thought, but Anthropic and AWS have the whole menu of compliance and security checkboxes needed to reassure CISO it doesn’t need to be “the office of no” and can allow the AI onboarding. The pressure to adopt and adapt to AI is so high right now that there’s nothing a CISO or CFO can say to stop its adoption. And the more they say “no” or “wait,” the more at-risk they put their job.
reply▲realusername2 hours ago
[-] I know the only reason we are using Claude right now in my large org was because of this policy and another model would have been picked otherwise
reply▲A model that opens the slightest gap for a leak would be unacceptable to the org I work for. We are very paranoid about losing vulnerable customers' data.
reply▲Anthropic has all the answers for that. You’ll go through some compliance exercises and classify them as a subprocessor of highest tier of data sensitivity.
reply▲xyzzy_plugh4 minutes ago
[-] There are a significant number of extremely large companies that are wholly interested in such a sub-processor. The tier of data sensitivity is irrelevant.
Almost all companies are content to engage with data sub-processors with respect to customer data or some form of PII.
But there are many that will absolutely not let their IP visit or reside on systems they do not control.
This is absolutely a deal breaker for a ton of organizations and it's not going to trigger industry wide adoption like other comments here suggest. Instead another provider will offer a more appetizing deal and they will win market share.
Except they are an American corpo and there is no guarantee that the data will stay on EU servers, so that is a giant NO at the moment. This was the main reason to stick with Bedrock, as it supposedly stays within your aws account on the EU servers. Now? Whats the points in using Bedrock anymore apart from paying more.
reply▲realusername1 hour ago
[-] There's no way to do that with EU laws, the data has to stay on EU servers.
That might work in some countries but Anthropic approach here doesn't fit the legal requirements in the EU.
> chances are that the people with a lot of money on the line have given it more thought
Sure, but considering the average person and how short-term their thinking tends to be, I'm not sure I'd jump straight into "think about how much money they could lose, of course they think long-term".
You would be very, very surprised
reply▲Yeah, seen some downright facepalm moves from execs regarding AI and security.
reply▲Don't even need to involve AI or security to be able to highlight some very strange decisions that seem more like intentional sabotage from the inside than anything else. Of course, people are more likely just dumb and lack long-term thinking.
reply▲Intelligent individuals tend to make rational decisions very often this doesn’t result in rational behavior on the organizational level.
Large corporations like Microslop, Google, Meta etc. were frequently behave like headless chickens
You've mistaken "a lot of money" with "intelligence." Which is why I think the AI crowd really really wants this magical machine god thing to succeed. Then they can really have money = intelligence whilst keeping the rest of us poor and stupid. You know, like how they used to prevent literacy among the slaves.
reply▲Counter point - Marisa Mayer and Stephen Elop.
reply▲right, and they realize the money doesnt exist unless they inflate the values in shadow circles of flow.
reply▲They are betting that without a competitor distilling their most powerful models, they can stay ahead far enough and long enough that people will accept this.
reply▲I mean, all the competitors need to do is to have a big context window and minimal guardrails and magic, the AI can now hack your server!
reply▲This seems more like a marketing move though following the old dictum that all publicity is good publicity.
reply▲I don’t think there are other models near Fable’s capabilities.
reply▲That remains to be seen.
It's notable that Anthropic are still using SWEBench as a coding benchmark rather than the newer more difficult DeepSWE which shows them well behind GPT 5.5
https://deepswe.datacurve.ai/
Bear in mind that all the marketing efforts such as solving Erdos problem are the result of concerted RL training to impart those narrow capabilities, and how much of any benchmark results, or "early access" paid shill vibe reports, reflect improved performance for more general real-world use cases remains to be seen.
For how long though? The past two months have seen a ridiculous number of model releases.
reply▲ImPostingOnHN1 hour ago
[-] Why don't you think that? What I've read is that other models can find the same bugs.
reply▲> This is odd behaviour, and provides some evidence that Anthropic isn't being managed by serious people
It's hard to tell how much of what Anthropic are currently saying is just pre-IPO marketing bullshit, or how much will be their long-term policy.
If this is just marketing bullshit ("our models are so powerful we need to keep them chained up at night"), then it does seems massively ill-conceived. I can't think of a better way to break hard-earned customer trust than to say:
1) If we don't like what you're working on - if we think it may complete with ourselves - then we will silently fuck-up the code you're paying us to generate for you
2) Much reduced privacy guarantee. We will now retain everything you send us for an unspecified amount of time while we investigate it
Both of these seem especially self-defeating given that Anthropic has been very successful at courting corporate use, especially coding, and also still seem interested in courting military use.
The silently refusing to comply one (do they just mean deliberately dumbed down, not giving you what you are paying for, or actively sabotaging the generated code?) is really quite extraordinary. Why not just refuse the request? Perhaps they want to claim that gives too much signal as to what they think is valuable, although I think this "recursive self-improvement" story is 100% bullshit trying to juice the IPO. Are they really so arrogant to think that every other company developing LLMs hasn't figured out things like basic development infra?
IMO just the fact that Anthropic think it's in any way acceptable to silently fail requests that might reflect someone else trying to build anything that competes with them is bad enough, but the massive incompetence in what "Fable" is refusing shows that any such decision making is going to be causing them to silently fail a lot more than what they are trying to do.
The Anthropic model names "Mythos", "Fable" seem to have been conceived by a 14-year old thinking that "epic" names will convince people that the model is powerful. It's a bit like putting racing stripes and a loud farting exhaust on your Honda Civic.
OpenAI just added their own models to Bedrock recently too, making that an easy switch.
reply▲reply▲I think that’s by AWS though. For Fable you need to flip an account wide flag that says “I want to share my prompts with the model vendor.”
reply▲justinclift2 hours ago
[-] The Fable announcement page on the Anthropic site says this data sharing will be applied regardless of the sharing setting of the company account.
https://www.anthropic.com/news/claude-fable-5-mythos-5#a-new...
---
## A new data retention policy
Finally, we’re making a change to the way we handle business
customer data for Fable 5, Mythos 5, and future models with
similar or higher capability levels. We will require 30-day
retention for all traffic on Mythos-class models, on both
first- and third-party surfaces. [...]
No it says sharing is required. If you don't change the setting on your account then you simply can't access Fable, its not like the setting is ignored. I just tried this on my account and it blocks API requests to Fable.
reply▲I mean, they were already capacity constrained and just introduced a larger model that takes more capacity to run... They were gonna have to hand some business to competitor one way or another.
reply▲> I mean, they were already capacity constrained and just introduced a larger model that takes more capacity to run
I am willing to bet that the SpaceX deal is probably why Fable's launching now, as they are much less compute constrained than they were a month ago.
irthomasthomas2 hours ago
[-] Is it a larger model or just better trained? Anthropic does not actually claim it is a larger model anywhere that I can see.
reply▲If it’s not larger, it’d be tough to justify the massive price increase for using it.
reply▲Price is based on perceived value, not cost to produce. There is no international court of price justifications; if customers are willing to pay $X you can charge $X.
reply▲BoorishBears2 hours ago
[-] Opus 4.7 was smaller and people still paid 4.6 prices.
gpt-5.5 isn't larger than gpt-5.4 but costs double.
This policy applies across all providers. Here is the warning in Cursor:
https://i.redd.it/7sfyker2ya6h1.pngNote that Anthropic has committed not to train models on logged data, so I don’t understand some of the concerns here. What exactly is your threat model? That Anthropic would train models contrary to their terms of service? That you trust them enough not to log your data prior to this, but not enough to trust their stated limits on how logged data will be used now?
Edit: I am partially convinced by some of the replies. However, it is worth noting that this change primarily affects Enterprise users. Data from consumer plans is already retained for 30 days. Source: https://privacy.claude.com/en/articles/10023548-how-long-do-...
> you trust them enough not to log your data prior to this, but not enough to trust their stated limits on how logged data will be used now
It doesn't really matter how much you happen trust another party. In the regulatory world it only matters what contracts they will sign that guarantee their compliance. We do have those with AWS, we don't with Anthropic. If Anthropic physically captures the data, they just moved themselves outside the boundary of parties who we can do business with. Unless they want to sign a contract and implement all the corresponding compliance measures. They are insane if they think that's a good deal for them to do all that right now in every jurisdiction where AWS operates, when AWS has already spent a decade building it up.
It will absolutely cause some non-trivial number of customers to shift their configs away from Anthropic.
reply▲It's worthwhile to remember that this is only true of Mythos/Fable and other future models of "similar or higher capability levels" (ant is treating this as a new tier of model above Opus). Anyone who's already been happy using Haiku/Sonnet/Opus on Bedrock will not be affected by this at all.
reply▲Which will work for the several weeks it takes for the other commercial providers to follow suit.
The tides are turning. AI companies are IPO'ing. They've gotten where they are by selling $5 bills for $1, to update the old VC adage. I think we can look forward to them rewriting the contracts, both literal and social, on AI going forward to capture a lot more of the value. Or, to put it in more HN-friendly terms, it may not be immediately obvious on a casual viewing, but you're looking at the beginning of the enshittification process hitting AI. The term is a bit deceptive in some sense, because it's not like anyone ever sets out with a terminal goal of making something shitty. It's downstream of trying to capture more value in the customer/vendor relationship by not giving the customer any more value than is barely necessary.
How's coding with qwen doing? The only thing that's going to stop the AI providers from extracting all the value until it's just barely worth using is the free competition.
Bedrock supports many models. Open weights models aren't far behind, maybe a year, 18 months.
Given they could have done this with data residency rules being respected and chose not to suggests all I need to know - this is for Anthropics IPO, not for user safety
> Note that Anthropic has committed not to train models on logged data, so I don’t understand some of the concerns here. What exactly is your threat model? That
Like Meta had committed to respect your privacy. Replace the name of the company with any of the top 50 companies in the world and go back how many have hold their promises - or just doing fine when breaking the rules. There is no legislation in the U.S. that can bankrupt the company for violating this? So there are no guarantees.
Meta openly torrented books and nobody asked them to remove/destroy their AI models. Similarly, for Anthropic, it was just a business cost. They were allowed to keep the models. No real consequences for breaking the rules.
It adds another provider that you have to trust with your data. Previously the assumption is that AWS was securely handling your data and you may have the data on AWS to start with anyways. Now you have two providers handling your data which doubles your risk if you trust them equally. If you think AWS has more robust data controls than Anthropic then it more than doubles your risk.
You may also have data management requirements such as allowed storage and transit countries as well as various certifications and contracts that you now need to extend to the second data processor.
Basically if you are already using AWS just adding the AWS-only bedrock model is legally easy and doesn't really change your security posture. If you need to now also log your data to Anthropic it makes the choice much more complicated.
> Note that Anthropic has committed not to train models on logged data, so I don’t understand some of the concerns here. What exactly is your threat model? That Anthropic would train models contrary to their terms of service? That you trust them enough not to log your data prior to this, but not enough to trust their stated limits on how logged data will be used now?
It is a different thing when they say they don't store your data.
And when they say they store your data for 30 days and review it for "issues", it makes your "spider sense" tingle. Who and how will review it, what are the "issues" they are looking for, etc. It is to vague and they can keep it this "dangerous" model for themselves.
Both can be true simultaneously. Anthropic can probably be trusted not to train on our Fable sessions, but eroding ZDR as the industry standard still sets a dangerous precedent.
There's a parallel between data retention and general mass surveillance. Sure, both systems can be used for purely benign purposes, with appropriate safeguards in place. But history shows that surveillance systems are alarmingly easy to co-opt for nefarious means, and model providers do have a heck of an incentive to leverage retained data for internal means.
This is worth protesting, even if I believe this policy itself does not immediately compromise my privacy.
throw123456789142 minutes ago
[-] > Note that Anthropic has committed not to train models on logged data, so I don’t understand some of the concerns here. What exactly is your threat model?
First of all, will they respect that promise in the future? Because, you know… they already received your data and by some legal quirks they are already required to store it for so many years. “What’s your threat model”, uhh, sending confidential information to a third party.
It’s okay if you do this with your own personal property. But if you are working on client projects, what, are you going to start shipping customer data under nda without consent? Good luck in the court.
technojamin59 minutes ago
[-] Someone has never dealt with HIPAA laws and it shows.
reply▲Who out there is going to be feeding patient medical data to Mythos/Fable?
reply▲Once you start storing anything, whether credit card numbers or AI inputs, then there is possibility (if not in fact probability) that you'll be hacked and it will leak.
Given Anthropic's failure to secure their own source code, do you really trust them to secure yours?
zsoltkacsandi1 hour ago
[-] We shipped software to governments and some big companies where this is a big no-no. Try to explain to your clients that during the development process some pieces were sent to Antrophic, and they might keep it for whatever reasons.
reply▲doctorpangloss30 minutes ago
[-] here's how they train on your data:
an inference request comes in
claude fable RESTful API service does the stuff, some backend systems run the prefill and batch decode, and your conversation is cached for 5 minutes in some prefix cache.
the request is also sent to claude paraphraser, which does almost exactly the same thing as the compactor and rewrites your conversation.
then they record the paraphrased conversation and train on that. it keeps the salient parts of the conversation, like whatever internal knowledge you have, and disposes of anything that could have been correlated with the earlier conversation, which is easy to do because verification is a string comparison.
rohansood155 hours ago
[-] Pretty sure this doesn't work for any regulated enterprise or government client. But AWS knows this, so I am curious why they'd agree to it.
reply▲> why they'd agree to it
that's obvious, but perhaps worth stating: it's worth it, demand for the model is unprecedented and the only downside for Anthropic if AWS rejected would be some revenue pushed a quarter away as they get Fable ready on their recently acquired compute from xAI and Google.
This smells like an advanced version of corporate espionage. Assuming most companies will use their AI in the future, this will be fed directly to an Echelon-like network that will be leaking "interesting info" to friendly parties, like the Boeing vs Airbus scandal that was first widely reported and then swept under the rug officially.
reply▲Why would a secret espionage program be partially publicized?
If they were doing some secret espionage or government surveillance with the data, they would just do it all in secret.
When there is a precise and legally defined boundary (i.e. ZDR means your data with Bedrock stays within the Amazon security and legal boundary), it becomes significantly more difficult to hide full data egress; without alarm bells being raised / mechanisms being accidentally discovered.
When you have a black box that sends the full stream to Anthropic, then everything (including what actually happens with the data) stays on the Anthropic side.
It's much harder to hide egress/exfil-at-scale completely; even if we assume NSA-level kernel rootkits, someone's still gonna notice "hey, why is this pipe saturated even though `nload` looks normal.
It's much easier to hide what you do with the full data when you have explanations for why you're doing egress/exfil.
Limited hangout. There's a Netflix documentary about Danny Casolaro that does a decent job summarising events, but I'm surprised I don't see much about Inslaw/PROMIS, and more than a decade on, it's as if Snowden never happened.
reply▲Not a sub processor for us, so insta banned. Also spiked the ball on us updating our sub processor list. If they'd done something in-cloud we wouldn't have blinked, but no governance or controls, non starter.
reply▲That's it. If you have confidential data that you're running with Fable, you're giving that away for free. Maybe you have always been, but now they explicitly ask for it.
reply▲throw0317201959 minutes ago
[-] So all HIPAA workloads are now going to be an issue? They should at least allow us to “retain data” per API key or login so the non-PHI workloads can use Fable and PHI can remain on other models and respect the ZDR.
reply▲It’s worth noting that Anthropic has made some very odd moves in the last few months in which Claude Code reviews your usage of it and penalizes you for mentions of some short strings that don’t even indicate TOS violations. And if they’re going to insist on retaining all data for 30 days for nebulously defined “safety”, then I’m not particularly interested in doing business with them.
Imagine if they interpret “safety” such that they scan for the string “com.openai” and, if found, ask an LLM to summarize your entire session and send it for human review?
you've got to respect anthropic being willing to shoot themselves in the foot over a belief around Mythos performance
reply▲They want your data like you everybody else and enterprise data is juicy to say at least
reply▲That rules it out for all sorts of apps.
I've worked on a few apps for UKGov and I would absolutely be raising this as a massive red flag.
Ugh. I'm sure we're not the only company that's going to face the difficult decision to either stay with Opus 4.8, switch to a different model provider or update and significantly weaken our terms of service around no model re-training, not sending data to third parties and the like. I understand why Anthropic wants to do this but I'd be much more comfortable with it if the data never made it to Anthropic unless an analysis Amazon ran, maybe even using tools from Anthropic, determined that there was something to look at. That'd be an easier carve out in an enterprise Terms Of Service / Privacy Policy.
reply▲jstummbillig2 hours ago
[-] Can you explain what AWS supposedly guarantees currently that your company values? I am not super familiar with the platform but I would assume, just like any other US company, that they will provide data to US agencies upon legal request as per CLOUD act, regardless of place of storage etc.
reply▲First of all, the servers i run this on sits in the EU. While the Cloud Act can and would effect this that is not the concern from corporate.
If we as a company allow the data to be copied to other regions outside the EU then WE are not compliant with the rules and can be punished for it. That is what corporate is worried about. Just like we have a deal with OpenAI, but no documentation etc is allowed to be shared and that is being monitored by our SIEM platforms.
jstummbillig1 hour ago
[-] That sounds like it's mostly just collective whitewashing, in face of essentially no guarantees when push comes to shove?
reply▲Same as for GitHub Copilot?
"For more on how Anthropic handles this data, see Anthropic’s commercial terms and data retention policy. Enabling the Claude Fable 5 policy constitutes acknowledgement of this requirement. Leaving it off keeps Claude Fable 5 unavailable to your organization."
https://github.blog/changelog/2026-06-09-claude-fable-5-is-g...
"Legally required" ... gotcha, script writing on Melania Movie 3 has begun in exchange for a national security letter requiring Amazon to both keep the data and not exclude it from training.
reply▲reply▲reply▲reply▲walthamstow3 hours ago
[-] At least it stays in your GCP environment, AWS disclosure says that it will leave your data privacy and security boundary.
reply▲cobolcomesback2 hours ago
[-] That Claude support page says the exact same thing about AWS (“retained data stays in your AWS environment”). AWS’s docs say differently, though, so it seems one of them has incorrect documentation. I wouldn’t necessarily trust the Claude docs to be correct even regarding GCP until some of this is ironed out.
edit: Google’s own docs also say zero data retention isn’t possible with Fable and your data will be retained for 60 days “outside of your account”. I’m doubtful that this data sharing is an AWS-only thing.
The data-sharing surely is for all providers. I think the sentence "When models become available, onboarding details will be shared." hides a lot of things.
reply▲OpenAI ... your move. The enterprise market just cracked wide open. Do you want it?
reply▲reply▲reply▲Thank you! I missed this part in all the announcements
reply▲rohansood152 hours ago
[-] It is only abuse flagged data and there too for OpenAI they're not sharing that data with them. But for Anthropic they are.
reply▲That's different though. Anthropic want everything for 30 days, not just flagged prompts/interactions.
reply▲logancbrown51 minutes ago
[-] OpenAI won't be able to train competitive models without user data collection. The moat is data.
reply▲throwfaraway41 hour ago
[-] Things like siphoning your data and using it to train while nerfing the model for everyone else is just the beginning of shady, rug-pulling, enshitification behavior we should expect. The dev community more than ever now needs to focus on being self-reliant and supporting open source models. They're counting on our skills atrophying over time to where you need their models to get work done. Ask yourself, do you actually need a frontier model to do this work? I think in many cases the answer is no. Don't support hostile behavior like this. Also, you can bet they're going to front government surveillance if not by choice, by regulation and political pressure.
reply▲They say it's opt-in but since they are capable of agreeing to this, I am just waiting until they hide this opt-in into the regular ToS when asking for a new model access...
reply▲This is not going to fly in EU.
reply▲UqWBcuFx6NV4r3 hours ago
[-] Americans’ increased awareness of and expectations of the EU is hilarious. This is not how it works.
reply▲jstummbillig4 hours ago
[-] I suspect they will simply not offer it, for as long as they maintain that it has to in fact fly. Anthropic appears to be somewhat principled here.
reply▲Yes it will, there's a clear purpose and the customer explicitly agrees.
reply▲no, it's very much compatible with GDPR and other laws, as
it clearly (enough, kinda) communicated
1. what data they keep/collect
2. what they do with it (and that there is a reason to have it)
3. with whom they share it
4. how long they keep it
---
GDPR might require data minimalism, but that doesn't mean you can't keep "all" conversations/data. It just means you have to have a reason of why exactly need all of it (they have), only keep it as long as strictly necessary (they do) and not use it for other purposes (they claim to do that).
Also from a legal POV you can't really argue that collecting all conversations for detecting abuse patterns is "unreasonable"/"unnecessary" or similar, as to some degree the AI Act requires exactly that for "high risk" AIs/use cases. And while by the definition of the AI Act AWS Bedrock likely doesn't fall under "high risk" they can argue that some people could (against TOS) use it for "high risk" or "illegal" AI use cases which is part of the "misuse detection" thing for which they keep conversations for a month.
Lastly GDRP deletion requests still apply. But need to be processed within ... 1 month (wich AFIK in a generic duration context you can treat as 30 days, even through there is a single shorter month). So they "auto comply" with this, too.
> how long they keep it
AFAIR it is not clear, because they write it is "30 days, but ...":
> After 30 days, the data is deleted automatically, except in the rare cases where it's part of a safety investigation or we're legally required to keep it.
So you have a vague clause saying "when" and vague clause saying for "how long". If it will fly I would be surprised.
"Also from a legal POV you can't really argue that collecting all conversations for detecting abuse patterns is "unreasonable"/"unnecessary" or similar"
It is also worth remembering that the entity that you are explaining this GDPR retention reasoning to is the government. I don't see the EU telling Anthropic or another AI company they can't do this for safety reasons... what I see is future legislation requiring them to give the EU access to these logs so they can enforce they own definitions of safety on it.
This will fly in EU. As long as the company
states the time period for which it will keep data and clean it afterwards, gdpr has no issues with the data retention.
Their carve-outs for safety (public interest) and legal are also valid exceptions in gdpr as well.
> As long as the company states the time period
But they don't, they have the "30 days", but just after that they add "unless ....". So the time period is vague.
But companies will have to request consent from there users for their data to be shared to Anthropic.
Since Anthropic is a US company the GDPR compliance claims would be dubious and open to litigation by entities like NOYB.
Yeah it'll fly legally.
Everybody should just assume that they are lying about data retention and learning anyway.
They showed zero respect for intellectual property in the past and they will show zero respect now or in the future. A few thousand Euros/dollars in subscription doesn't matter when several trillions are in play (at least in their plans).
Honestly, I have yet to see any evidence of data leak from private sources. I think one of the better example is "simple-bench", which at least used to be a low-key benchmark that I would assume would have been saturated quickly if the labs were secretly scooping up data from API requests. Yet it's been years and it has yet to be saturated.
It's easy to catch a data leak if you have private data. You know what the model is supposed to not know, and you can just ask to see if it does. Yet I have not seen or heard of a single case of this being documented. As far as I can tell the labs do in fact respect the request to opt out of training.
us europoors have a choice of using or not using Fable.
reply▲What I do is route general data to Mythos, and my own IP to a local model.
I expect them to train on their traffic, and I train on mine.
Very confident. But will it stick? And if it doesn't -- what then? Back to scheming?
reply▲adithyaharish5 hours ago
[-] Woah, if anthropic does it, even OpenAI would start doing the same with Azure models
reply▲They want your data.
> After 30 days, the data is deleted automatically
Do we believe that?
> or we're legally required to keep it.
Aha - so, data is forever.
> Do we believe that?
If you don't believe them now why would you have believed them earlier when they said "no data is retained" ?
romanovcode5 hours ago
[-] > except in the rare cases where it's part of a safety investigation or we're legally required to keep it
So basically all your data will flow to NSA/CIA/Mossad if they show even slight interest in your org or you as a person. Gotcha.
always has been, they're explicitly warning you about this now.
reply▲it's either this or playing x30 for a token, anyhow i physically can't write code again
reply▲I mean being priced put of sota AI has been on the cards for a year it's mostly a question of when. If that will affect you maybe you should use the chance to resharpen your skills
reply▲Got an email from Zed about the same this morning.
reply▲Imagine still believing that local models do not have a use-case after seeing policies like this.
Anthropic does not care about you.
My thesis is that in software you don't want aggregators. They provide the promise of vendor neutrality, but it comes at the expense of increased supply chain compromise risk, small print technically legal data exfiltration.
Even in the happy case where nothing bad happens, you get a badly integrated product, because you integrate not against the actual vendor, but against a abstraction layer that commoditizes the actual product, effectively forcing you to either use the least common denominator of features, or circumventing the actual aggregation model itself with some kind of 'vendor_specific_parameters' parameter in the aggregator API.
My thesis is drop the vendor neutrality, and build your integration with the vendor directly.
gauravvij1372 hours ago
[-] The data leaving AWS boundary kills this for any regulated workload. We've been running side-by-side evals of open models against Claude on private test suites, using Neo as the orchestration layer. Keeps everything in-house and gives us objective comparison data.
reply▲chattermate5 hours ago
[-] The regulated-enterprise angle is the interesting part. Bedrock's whole pitch to those customers was "your data never leaves your AWS boundary" — that's the line that gets it through procurement and compliance reviews. A 30-day retention requirement where traffic crosses into the vendor's boundary quietly invalidates that, and for healthcare/finance/gov it's not a knob they can flip no matter how good the model is. This is exactly why we keep our LLM layer provider-agnostic with a self-hosted fallback (Ollama-class models) for data-sensitive paths — you eat a capability hit, but you keep the option of not sending regulated data anywhere. The risk TZubiri names is real: the moment you're reaching for "vendor_specific_parameters," the neutrality you bought the aggregator for is already gone.
reply▲I understand the safety/misuse argument, but I wonder where enterprises will draw the line here. “30-day retention for advanced models” sounds reasonable in isolation, until you remember many teams are sending proprietary code, internal docs, or customer-sensitive context through these systems.
reply▲Yeah, this is quite concerning.
And FedRamp has some issues with data being sent out.
Our corp doesn't allow usage of local models because of concern about potential "agent sends out code to the net" issues.
This is BS. They want to train on user data.
reply▲Because they didn't store data before? Don't be so naive.
reply▲Zero data retention was an enterprise agreement that Anthropic and Amazon agreed with customers and delivered on.
There’s no way AWS would trade in their reputation with enterprises just to soak up some slop.
reply▲> Zero data retention was an enterprise agreement
Also broadly available to us plebs via openrouter and similar. Claude is available on there under ZDR terms via the Google Vertex and Amazon Bedrock providers.
wewewedxfgdf4 hours ago
[-] Note that if you use AWS Bedrock then you're choosing to pay 10X to 20X because you trust AWS more than Anthropic.
It is literally 10X to 20-X cheaper to directly buy Anthropic subscriptions for your devs.
There’s a few things mixed up in this comment. But the 10-20x cheaper, I’m assuming comes from the difference between the number of tokens you can use on a $200 Claude Max subscription and the cost of those via the API. That’s neither here nor there for this topic around data retention as Fable has that on all providers.
And for the cost, if you’re an enterprise with more than 150 people, you’re on the token plan.
The token price is exactly the same on AWS as it is directly from Anthropic. This is the one service that AWS doesn't charge a huge markup for.
reply▲Yeah thats not the point though.
We 'trust' Amazon already and Amazon has no incentive at all to collect the data to finetune claude because they don't own claude.
What is the point then of a submission about how you will be required to share data with Anthropic? I’d say that the point is precisely that it’s an issue when you don’t trust them as much as Amazon.
reply▲Not sure if i follow you tbh.
I only told a commentor why a business would pay more to Amazon than going directly to Anthropic.
The announcement itself is def problematic and either leads to big companies accepting this and then going directly to anthropic or some talks in the background we don't know yet what it will entail.
If you were just repeating the commenter’s point about « choosing to pay 10X to 20X because you trust AWS more than Anthropic » what was not the point?
reply▲Amazon's incentive is to fine tune their own possible future model
reply▲Amazon/AWS knows how to handle this conflict in a way that customers trust them enough.
Amazon has more to loose than Anthropic
I can't use "Claude Max" subscription and the likes with my own software, can I? Using OpenCode instead of ClaudeCode violates the ToS, doesn't it? How would I go about permissions and integrating with my other services I already run on AWS? IAM roles for Bedrock are pretty nice. You appear very confident and concerned about my spending, so please help me here!
reply▲wewewedxfgdf2 hours ago
[-] I grant you the right to spend 10X to 20X on Bedrock. Use it wisely.
reply▲sheeshkebab2 hours ago
[-] Pro/max subs are not as flexible as bedrock in api use and don’t seem to run the same models either - often times they are notably dumber (quantized I guess) than bedrock equivalent.
reply▲The security boundary that AWS maintains is important in a lot areas, like medical, where the datacenter has to support some specific certifications. It isn’t a choice to pay 10x more in those cases, it is the only option allowed.
reply▲is the 10x the difference between a sub and api token pricing?
reply▲UqWBcuFx6NV4r3 hours ago
[-] I mean, no. Even ignoring the very real benefit (for some) that comes with not needing to trust another party, there are use-cases beyond what you can do with “subscriptions”. Apples and oranges. People just have use cases that aren’t yours.
reply