SmackerNews

AWS Bedrock to require sharing data with Anthropic for Mythos and future models

411 points · 247 comments · 1 day ago · TomAnthony

news.ycombinator.com/item?id=48473166

> For Fable 5, Mythos 5, and future models on Bedrock with similar or higher capability levels, Anthropic will require 30-day retention for all traffic on Mythos-class models. Retaining data for a limited period allows Anthropic to detect patterns of misuse that are not visible from a single exchange. Once you opt into data retention, your data will leave AWS’s data and security boundary.

From the announcement here: https://aws.amazon.com/blogs/aws/anthropic-claude-fable-5-on...

> After 30 days, the data is deleted automatically, except in the rare cases where it's part of a safety investigation or we're legally required to keep it.

From: https://support.claude.com/en/articles/15425996-data-retenti...

dsign1 day ago
The root of the problem is that AI-as-a-service is corked, because companies providing it have a hell of an incentive to use all that data to out-compete their competitors, and they can do so in secret. To say nothing of salivating law-enforcement who really, really wants to tap into it. I'm hoping there will be at some point open-source and affordable hardware that can run competent models.
OtherShrezzing1 day ago
This is odd behaviour, and provides some evidence that Anthropic isn't being managed by serious people. With this policy across AWS/GH/Zed/etc, they're taking their massive lead in enterprise/govt sales and handing it to any competitor who can serve a model anywhere near these capabilities with a modestly nice UI.
pczy1 day ago
This policy applies across all providers. Here is the warning in Cursor: https://i.redd.it/7sfyker2ya6h1.png
Note that Anthropic has committed not to train models on logged data, so I don’t understand some of the concerns here. What exactly is your threat model? That Anthropic would train models contrary to their terms of service? That you trust them enough not to log your data prior to this, but not enough to trust their stated limits on how logged data will be used now?
Edit: I am partially convinced by some of the replies. However, it is worth noting that this change primarily affects Enterprise users. Data from consumer plans is already retained for 30 days. Source: https://privacy.claude.com/en/articles/10023548-how-long-do-...
rohansood151 day ago
Pretty sure this doesn't work for any regulated enterprise or government client. But AWS knows this, so I am curious why they'd agree to it.
storus1 day ago
This smells like an advanced version of corporate espionage. Assuming most companies will use their AI in the future, this will be fed directly to an Echelon-like network that will be leaking "interesting info" to friendly parties, like the Boeing vs Airbus scandal that was first widely reported and then swept under the rug officially.
jreynar1 day ago
Ugh. I'm sure we're not the only company that's going to face the difficult decision to either stay with Opus 4.8, switch to a different model provider or update and significantly weaken our terms of service around no model re-training, not sending data to third parties and the like. I understand why Anthropic wants to do this but I'd be much more comfortable with it if the data never made it to Anthropic unless an analysis Amazon ran, maybe even using tools from Anthropic, determined that there was something to look at. That'd be an easier carve out in an enterprise Terms Of Service / Privacy Policy.
abofh1 day ago
Not a sub processor for us, so insta banned. Also spiked the ball on us updating our sub processor list. If they'd done something in-cloud we wouldn't have blinked, but no governance or controls, non starter.
stuaxo1 day ago
That rules it out for all sorts of apps.
I've worked on a few apps for UKGov and I would absolutely be raising this as a massive red flag.
moezd1 day ago
That's it. If you have confidential data that you're running with Fable, you're giving that away for free. Maybe you have always been, but now they explicitly ask for it.
htrp1 day ago
you've got to respect anthropic being willing to shoot themselves in the foot over a belief around Mythos performance
officialchicken1 day ago
"Legally required" ... gotcha, script writing on Melania Movie 3 has begun in exchange for a national security letter requiring Amazon to both keep the data and not exclude it from training.
1313ed011 day ago
Same as for GitHub Copilot?
"For more on how Anthropic handles this data, see Anthropic’s commercial terms and data retention policy. Enabling the Claude Fable 5 policy constitutes acknowledgement of this requirement. Leaving it off keeps Claude Fable 5 unavailable to your organization."
https://github.blog/changelog/2026-06-09-claude-fable-5-is-g...
rozumbrada1 day ago
They say it's opt-in but since they are capable of agreeing to this, I am just waiting until they hide this opt-in into the regular ToS when asking for a new model access...
thefounder1 day ago
They want your data like you everybody else and enterprise data is juicy to say at least
_pdp_1 day ago
This is not going to fly in EU.
cherryteastain1 day ago
I guess this is an anti-distillation move?
tgmatt14 hours ago
The whole point of my company using Bedrock is so that we knew our data wasn't being shipped off anywhere. This means we will a) block Mythos-class models at the organisation level and b) further consider using smaller, self-hosted models for our purposes. Nice footgun Anthropic.
xnx1 day ago
Is this also the case for Google Cloud? https://docs.cloud.google.com/gemini-enterprise-agent-platfo...
throw031720191 day ago
So all HIPAA workloads are now going to be an issue? They should at least allow us to “retain data” per API key or login so the non-PHI workloads can use Fable and PHI can remain on other models and respect the ZDR.
zmmmmm1 day ago
OpenAI ... your move. The enterprise market just cracked wide open. Do you want it?
ramstar30001 day ago
Is this related to the pricing for these models, since these are not going to be subsidised, they do not have much incentive to offer zdr.
My current thought is that many businesses use claude code on API based pricing opposed to subscriptions due to the zdr. However, these models are already not being subsidised?
nullbio1 day ago
Cancel your subscriptions, or you are to blame. Simple.
If you aren't voting with your wallet, you can't cry when the world ends.
throwfaraway41 day ago
Things like siphoning your data and using it to train while nerfing the model for everyone else is just the beginning of shady, rug-pulling, enshitification behavior we should expect. The dev community more than ever now needs to focus on being self-reliant and supporting open source models. They're counting on our skills atrophying over time to where you need their models to get work done. Ask yourself, do you actually need a frontier model to do this work? I think in many cases the answer is no. Don't support hostile behavior like this. Also, you can bet they're going to front government surveillance if not by choice, by regulation and political pressure.
gdiamos1 day ago
What I do is route general data to Mythos, and my own IP to a local model.
I expect them to train on their traffic, and I train on mine.
LetsGetTechnicl1 day ago
Simple solution here is to not use AI?
I_am_tiberius22 hours ago
So they use this "suspicious behavior" as a reason to train on our data.
amluto1 day ago
It’s worth noting that Anthropic has made some very odd moves in the last few months in which Claude Code reviews your usage of it and penalizes you for mentions of some short strings that don’t even indicate TOS violations. And if they’re going to insist on retaining all data for 30 days for nebulously defined “safety”, then I’m not particularly interested in doing business with them.
Imagine if they interpret “safety” such that they scan for the string “com.openai” and, if found, ask an LLM to summarize your entire session and send it for human review?
slake11 hours ago
There goes Enterprise usage
masonwan23 hours ago
Wonder why Anthropic wants all those data? Isn't it a good company?
_bobm1 day ago
Very confident. But will it stick? And if it doesn't -- what then? Back to scheming?
buzer23 hours ago
One very important point here is that it looks like Anthropic is becoming GDPR controller for all submitted data. So data subjects have Article 15 right to request information about processing and possibly a copy of the data. Latter might be contested under "rights of others", but former is more absolute.
What this means it that if someone makes an Article 15 request, they would be entitled to know if Anthropic holds personal data about them and also from who they received this data at minimum.
If someone wants to do that, I would recommend combining it with Article 18 request to forbid deleting the data for legal claim in case you contest Anthropic's reply. Otherwise they could just delete the data per their retention policy and DPA would find much later that they no longer hold the data.
a34729t1 day ago
Who would have thought that our saviors will be the Chinese!?
BoorishBears1 day ago
Similar for GCP if anyone's wondering, and in fact a bit further in some ways: https://cloud.google.com/terms/advanced-ai-safety-addendum
60 days.
adithyaharish1 day ago
Woah, if anthropic does it, even OpenAI would start doing the same with Azure models
shevy-java1 day ago
They want your data.
After 30 days, the data is deleted automatically
Do we believe that?
or we're legally required to keep it.
Aha - so, data is forever.
romanovcode1 day ago
except in the rare cases where it's part of a safety investigation or we're legally required to keep it
So basically all your data will flow to NSA/CIA/Mossad if they show even slight interest in your org or you as a person. Gotcha.
cloudengineer941 day ago
If it’s for future models at the same level of Sonnet and Opus, then it might become a problem for the for companies using this.
At the end of the day we will need private LLMs and Cohere might save a traço great chance here
avereveard1 day ago
*Anthropic requires it
razieloren1 day ago
it's either this or playing x30 for a token, anyhow i physically can't write code again
drcongo1 day ago
Got an email from Zed about the same this morning.
themafia1 day ago
What a "frontier."
TZubiri1 day ago
My thesis is that in software you don't want aggregators. They provide the promise of vendor neutrality, but it comes at the expense of increased supply chain compromise risk, small print technically legal data exfiltration.
Even in the happy case where nothing bad happens, you get a badly integrated product, because you integrate not against the actual vendor, but against a abstraction layer that commoditizes the actual product, effectively forcing you to either use the least common denominator of features, or circumventing the actual aggregation model itself with some kind of 'vendor_specific_parameters' parameter in the aggregator API.
My thesis is drop the vendor neutrality, and build your integration with the vendor directly.
rvz1 day ago
Imagine still believing that local models do not have a use-case after seeing policies like this.
Anthropic does not care about you.
codeduck1 day ago
aaaand there it is.
dhavd1 day ago
lol
chattermate1 day ago
The regulated-enterprise angle is the interesting part. Bedrock's whole pitch to those customers was "your data never leaves your AWS boundary" — that's the line that gets it through procurement and compliance reviews. A 30-day retention requirement where traffic crosses into the vendor's boundary quietly invalidates that, and for healthcare/finance/gov it's not a knob they can flip no matter how good the model is. This is exactly why we keep our LLM layer provider-agnostic with a self-hosted fallback (Ollama-class models) for data-sensitive paths — you eat a capability hit, but you keep the option of not sending regulated data anywhere. The risk TZubiri names is real: the moment you're reaching for "vendor_specific_parameters," the neutrality you bought the aggregator for is already gone.
gauravvij1371 day ago
The data leaving AWS boundary kills this for any regulated workload. We've been running side-by-side evals of open models against Claude on private test suites, using Neo as the orchestration layer. Keeps everything in-house and gives us objective comparison data.
Torikul0071 day ago
I understand the safety/misuse argument, but I wonder where enterprises will draw the line here. “30-day retention for advanced models” sounds reasonable in isolation, until you remember many teams are sending proprietary code, internal docs, or customer-sensitive context through these systems.
malephex1 day ago
This is BS. They want to train on user data.
jedisct11 day ago
Because they didn't store data before? Don't be so naive.
wewewedxfgdf1 day ago
Note that if you use AWS Bedrock then you're choosing to pay 10X to 20X because you trust AWS more than Anthropic.
It is literally 10X to 20-X cheaper to directly buy Anthropic subscriptions for your devs.

news.ycombinator.com/item?id=48473166