HN

Need help?
<- Back
Anthropic requires 30 day data retention for Fable and Mythos

Anthropic requires 30 day data retention for Fable and Mythos

lebovic

Comments (74)

  • pseudosavant
    It is actually worse than that. It is at least 30 days. There is an "almost" that is doing a ton of heavy lifting here "deletion after 30 days in almost all cases". My read of that is they can hang onto data for as long as they want, even if they usually won't. And "all traffic" with an agentic harness is basically your entire codebase you work on.> We will require 30-day retention for all traffic on Mythos-class models, on both first- and third-party surfaces. We won’t use this data to train new Claude models, or for any non-safety-related purpose, and we’ve instituted new privacy protections including logging all human access to the data and ensuring its deletion after 30 days in almost all cases (see this post for further details). The data will help us defend against complex and novel attacks (including new jailbreaks and attacks that operate across many requests) as well as help us identify and reduce false positives.
  • connorboyle
    A startup that uses agentic coding tools such as Claude Code or Codex is packaging up their entire codebase and sending it directly to their LM provider. Depending on their product, they might be sending it directly to a potential competitor.Odd times we are living in!
  • samuelknight
    And by Fable they really mean Opus 4.8, because every mundane workflow or chat I try to use it in will eventually drop to Opus.
  • Sol-
    Fortunately I can't use Fable anyway, since their hyperactive content flaggers do not let you work on anything remotely biological or medical related (i.e. parse a CSV with some medical content, nope, you're probably a bioterrorist) and you get downgraded to Opus immediately.
  • matheusmoreira
    Pretty incredible just how much good will Anthropic managed to burn.
  • crazylogger
    Didn’t they all but admit they’ve been storing and actively looking at requests with this post: https://www.anthropic.com/news/detecting-and-preventing-dist... ?If they weren’t storing, they’d be oblivious to what customers are doing, making this kind of detection impossible. What data did they train their classifier on, if not real user (distiller) traffic?
  • dang
    Related ongoing thread:AWS Bedrock to require sharing data with Anthropic for Mythos and future models - https://news.ycombinator.com/item?id=48473166 - June 2026 (223 comments)
  • hmokiguess
    Google Cloud also makes you accept this safety addendum to deploy Fable 5 via their Model Garden https://cloud.google.com/terms/advanced-ai-safety-addendum
  • OkWing99
    I remember the "Don't be evil" days from Google. At some point most morals change with enough money.
  • buzer
    Mentioned in the earlier, topic as well, but one very important point here is that it looks like Anthropic is becoming GDPR controller for all submitted data for this model (when they are in GDPR scope anyway). So data subjects would have Article 15 right to request information about processing and possibly a copy of the data. Latter might be contested under "rights of others", but former is more absolute.What this means it that if someone makes an Article 15 request, they would be entitled to know if Anthropic holds personal data about them and also from who they received this data at minimum.If someone wants to do that, I would recommend combining it with Article 18 request to forbid deleting the data for legal claim in case you contest Anthropic's reply. Otherwise they could just delete the data per their retention policy and DPA would find much later that they no longer hold the data.Another issue here is that their DPA frames everything as controller-to-processor, i.e. they do not appear to have SCCs in place to actually receive this personal data as controller. So the original exporter would likely also be in breach if they send any GDPR covered personal data to this model.
  • giancarlostoro
    Yeah I'm never using either one, and if that becomes standard Anthropic will never see a dime from me again. I'm going to draw the line in the sand right there.
  • thekevan
    So if you are under an NDA, does this violate it?I guess the better question would be if you are under and NDA and using an online model, are you already violating it but does this violate it further?
  • keithnz
    the real risk is using it at all as you are already sending them your data. If you are ok with that, then this retention/review seems ok.
  • Vortex777
    I mean not just the part 30 days data retention but I think the serious trade of this product is just the token efficiency. They trade it for precision. The claims that they make that it found a 30 year software bug from millions of lines of code is just precision. To human it's looks like a lot but for it it's just the ablity to process (token processing). Let's see how long it runs. Peace.
  • anon
    undefined
  • catigula
    Then don’t use it.
  • lvl155
    I actually think that’s warranted. And if you used it to poke around, you would also agree.
  • zb3
    What an annoying company, I wish it didn't exist..
  • topaitools_xyz
    [flagged]
  • sorry_outta_gas
    [dead]
  • pbgcp2026
    All I can say to my team (and my clients): "f...k Anthropic". They've just put both Bedrock and Vertex on slippery slope of "we don't collect your prompts. period. ... comma ... except ..."Right now we have changed the code of all our agents to data retention mode 'none' (Note: not "default" or "inherited", this is not enough now!) and we are fighting with GCP doco to set similar things for Vertex.This is just terrible.