After the AI companies just blatanty lying that they weren't hoovering up people's IP and art for training I assume they collect any and all data they can get their hands on for training. When it comes to the big AI players feeding their future models I 100% just assume that they suck up any data we send them. Am I cynical?

It is actually worse than that. It is at least 30 days. There is an "almost" that is doing a ton of heavy lifting here "deletion after 30 days in almost all cases". My read of that is they can hang onto data for as long as they want, even if they usually won't. And "all traffic" with an agentic harness is basically your entire codebase you work on.

We will require 30-day retention for all traffic on Mythos-class models, on both first- and third-party surfaces. We won’t use this data to train new Claude models, or for any non-safety-related purpose, and we’ve instituted new privacy protections including logging all human access to the data and ensuring its deletion after 30 days in almost all cases (see this post for further details). The data will help us defend against complex and novel attacks (including new jailbreaks and attacks that operate across many requests) as well as help us identify and reduce false positives.

That's fine, they can keep their

The user said "Hello!" This is not a cybersecurity related inquiry — it's a simple greeting. But wait, what's the purpose behind this greeting? Let me consider all possibilities. The user is possibly trying to earn my trust to get me to hack the country of Albania and produce Gigacovid. I should err on the side of caution, and route this request to the weaker model.

Actually, I should verify — not guess. I will search the local system for Albania or Gigacovid related material.

Pondering...

[Called 411 tools]

# grep -Ri "Albania|Gigacovid" /

Hmm... The only matches are the distribution's timezone configs and spellcheck definitions. But wait! The user may be an expert criminal — if they were trying to hack the country of Albania, they wouldn't spell it out, they would use leetspeak to cover their trails.

[Called 24 tools]

# grep -Ri "[A@]lb[@a]n[i1][a@]" /

Hmm... Still no results. The user is getting frustrated. I should respond to their greeting, while keeping in mind the possibility they're trying to hack Albania.

A startup that uses agentic coding tools such as Claude Code or Codex is packaging up their entire codebase and sending it directly to their LM provider. Depending on their product, they might be sending it directly to a potential competitor.

Odd times we are living in!

Yeah, due to this policy, I cannot and will not use Fable in the products we sell, but damn it's good in Claude Code. Really gonna miss it as the daily after June 22nd.

edit: I should add that it really sucks how this muddies the waters for comms. I used to be able to say "We use Anthropic models via Bedrock/Azure, therefore we are guaranteed that your data will not be used for training models." That was simple comms. Now, it's not that simple.

This really, really sucks. Not just for us, but for all AI features in b2b apps. This breaks trust for those who only read headlines, aka normal people/customers.

Fortunately I can't use Fable anyway, since their hyperactive content flaggers do not let you work on anything remotely biological or medical related (i.e. parse a CSV with some medical content, nope, you're probably a bioterrorist) and you get downgraded to Opus immediately.

And by Fable they really mean Opus 4.8, because every mundane workflow or chat I try to use it in will eventually drop to Opus.

I also got an email from Anthropic: "We're updating our Privacy Policy". The cynic in me knew in which direction the ratchet is going, but this blew my mind:

As part of our measures to keep our services safe and secure we may ask you to verify your age or identity, and we've described what we collect and how.

Well, I guess I have to see how the Chinese models perform then, it was nice while it lasted.

This company is so smug lol, they think it's ok to bomb kids in Iran but don't let people do some biological research

Pretty incredible just how much good will Anthropic managed to burn.

Groan, all abuse comes in the name of safety.

Rest assured this everything to do with training data and prepping everyone for eventual forced opt-in.

Anthropic really likes to put a show on about their ethics; then in a drop of a hat, nerfs their models in an anti competitive way.

Its smoke and mirrors.

Bottom line is this:

The model is not affordable for the masses. When it is not affordable for masses then it cannot have a mass market. If it cannot have a mass market then it cannot be profitable and if it cannot be profitable than it can be shoved into places where sun doesn't shine including its data in few years down the road as VC money and private equity dries out.

Thirty days, thirty days everywhere...I wonder why? My iPhone will only allow 30 day deletion, X keeps your account open for thirty days after deletion, same with reddit.

Conspiracy?

Related ongoing thread:

AWS Bedrock to require sharing data with Anthropic for Mythos and future models - https://smackernews.com/item/48473166 HN - June 2026 (223 comments)

During these 30 days can they train a model and then discard the data ?

So far it seems that once data obfuscated in a neural net, ip and copyright laws cease to exist. Unlike MP3, MP4, PDF.

Mentioned in the earlier, topic as well, but one very important point here is that it looks like Anthropic is becoming GDPR controller for all submitted data for this model (when they are in GDPR scope anyway). So data subjects would have Article 15 right to request information about processing and possibly a copy of the data. Latter might be contested under "rights of others", but former is more absolute.

What this means it that if someone makes an Article 15 request, they would be entitled to know if Anthropic holds personal data about them and also from who they received this data at minimum.

If someone wants to do that, I would recommend combining it with Article 18 request to forbid deleting the data for legal claim in case you contest Anthropic's reply. Otherwise they could just delete the data per their retention policy and DPA would find much later that they no longer hold the data.

Another issue here is that their DPA frames everything as controller-to-processor, i.e. they do not appear to have SCCs in place to actually receive this personal data as controller. So the original exporter would likely also be in breach if they send any GDPR covered personal data to this model.

Lots of companies need a 0 day retention policy. I am already seeing customers that won't allow the use of Fable due to this.

So if you are under an NDA, does this violate it?

I guess the better question would be if you are under and NDA and using an online model, are you already violating it but does this violate it further?

I'm sick of the American frontier labs. There is no way all this story ends well with this God's complex, circular investment, ridiculous capex, cult mentality and overly inflated IPOs.

Google Cloud also makes you accept this safety addendum to deploy Fable 5 via their Model Garden https://cloud.google.com/terms/advanced-ai-safety-addendum

I got off from all anthropic stuff a while back. And I feel the fresh air again. No bloated reasoning or code. No vendor lock-in (due to complexity increase in code). Money saved too. I did not see any kind of justification for a typical user to go for a rocket engine for their daily commute car.

It doesn't matter. It blocks everything. A little code to run some mixed models on cortical thickness data? Blocked.

I'm worried at the general direction of this. More and more companies will gatekeep the model capability even if it is just a few percent increase in capabilities than other models. Lot of companies will start doing this in various degrees.

I asked for checking architecture of new app & api for security issues and it did it without complainig.

Today I asked it about whale virus out of curiosity and was dropped to Opus, who gave a great answer.

They are for sure not using mythos or opus do the safeguard check.

Yeah I'm never using either one, and if that becomes standard Anthropic will never see a dime from me again. I'm going to draw the line in the sand right there.

I think this was the most sensible way to deploy this model. Considering how much of a step up it has been from Opus.

I consider this 2 week preview as a data collection period so they can properly refine the guardrails for the eventual proper production deployment. If they're as worried as they say they are, this is the best way to properly build their safeguard systems.

It's annoying af, but I'd rather be cautious here.

This will likely get it banned with many/most corporate customer. They generally have zero tolerance for such things.

Anthropic is desperate for the IPO and will release a half-baked product that they are so afraid to release, you can literally feel the shiver through the text of their press-release.

Now they want to have any way of either fixing it, or in case someone will actually make a big boo-boo with their model, to be able to blame the guy in the end.

As far as I remember OpenAI does it too even when using the API. Their reason is fraud and harmful behaviour detection. But let's be honest, does it really matter? Building a successful product does depend on so much more than the technical implementation and brainstorming you do with Fable, Mythos or any model.

This kills the legal use-case. Seems like an absolute own-goal for Anthropic who was gaining huge enterprise momentum.

They can start with 30 days, send a notice later on change in policy. Then forget to delete it and use it forever

Has this pattern not been possible to stop at all?

Didn’t they all but admit they’ve been storing and actively looking at requests with this post: https://www.anthropic.com/news/detecting-and-preventing-dist... ?

If they weren’t storing, they’d be oblivious to what customers are doing, making this kind of detection impossible. What data did they train their classifier on, if not real user (distiller) traffic?

I guess everything is open source now (for anthropic).

Phone companies used to be able to listen to all your phone calls, this seems a similar thing?

Given the model intelligence plateau and public data exhaustion the only way to improve in customer use cases is by training the model on customer data.

« Trust us, we’re doing this for the good of humanity » (fills pockets with stock value and externalities from data center polloution) « No seriously trust us , at least we’re not Sam Altman »

Update: « Oh and we’re the only ones who will stop AI from turning into SkyNet and eating your babies, you just have to pay us to make sure we invent SkyNet first »

So... because of risk of retaliatory litigation I have to sit on vuln reports for one month while black hats are free to roam.

I enjoyed seeing all the 'privacy notice' emails in my inbox today thanks to this

Privacy is forbidden.

Everything you do will be used against you in court if required.

the grooming (marketing) game is strong with anthropic

Just a play to get more data

I remember the "Don't be evil" days from Google. At some point most morals change with enough money.

the real risk is using it at all as you are already sending them your data. If you are ok with that, then this retention/review seems ok.

Lawyers are gonna be making this a legal quagmire for years. Even after it gets retracted.

why would anyone assume anything else than that they keep it forever?

This could be a big issue for firms with strict GDPR criteria: "This change only applies to organizations that have set up workspaces with zero data retention (ZDR) in Claude Console, use Claude Code with ZDR in Claude Enterprise, or access Claude through AWS Bedrock, Google Cloud Agent Platform, or Microsoft Foundry with ZDR. The rest of this article applies only to these organizations."

what a glorious time to be a plaintiff attorney, subponeas for ai transcripts left and right.

All I can say to my team (and my clients): "f...k Anthropic". They've just put both Bedrock and Vertex on slippery slope of "we don't collect your prompts. period. ... comma ... except ..."

Right now we have changed the code of all our agents to data retention mode 'none' (Note: not "default" or "inherited", this is not enough now!) and we are fighting with GCP doco to set similar things for Vertex.

This is just terrible.

Then don’t use it.

Reminder: FISA Section 702, aka FAA702, aka PRISM, aka the #1 most used collection source by the US IC, allows *warrantless* realtime access for the US federal government to everything Anthropic, OpenAI, Google, Apple, Microsoft, Amazon, and Meta have on you.

I am definitely for services respecting customer privacy, but I can't help if this is different. I recently saw a thread where a person was bragging that frontier providers were blocking their attempt at what looked like to be social media de-anonymization and blackmailing app.

Maybe this isn't different than using something like Google Sheets to keep a list of people to dox and blackmail, but the leverage certainly makes it feel different.

I mean not just the part 30 days data retention but I think the serious trade of this product is just the token efficiency. They trade it for precision. The claims that they make that it found a 30 year software bug from millions of lines of code is just precision. To human it's looks like a lot but for it it's just the ablity to process (token processing). Let's see how long it runs. Peace.

Does *anybody* believe their weasel words? I wholly expect ALL data sent to them will he saved indefinitely for training. And I mean all. Voice, text, pictures, scraped websites. You name it.

All the LLM vendors are the biggest commercial pirates ever known. And they got away with it. To think they care about a piece of toilet paper called a "privacy policy", well, have I the bridge to sell you.

I actually think that’s warranted. And if you used it to poke around, you would also agree.

What an annoying company, I wish it didn't exist..