AWS Bedrock to require sharing data with Anthropic for Mythos and future models

Policy Change Overview

  • Anthropic’s new policy: Mythos/Fable‑class and future “similar or higher” models require logging all traffic for ~30 days (60 days on GCP) for “safety/abuse” reasons.
  • This applies across providers (AWS Bedrock, GCP, GitHub Copilot, editors like Zed/Cursor).
  • Confusion over data location:
    • Some Anthropic docs say retained data “stays in your cloud environment.”
    • AWS/GCP docs suggest data is retained outside the customer account and shared with Anthropic.
    • Exact boundaries are unclear/possibly inconsistent.

Impact on Enterprise & Regulated Customers

  • Bedrock had been sold on “zero data retention” / “data never leaves your AWS boundary,” crucial for healthcare, finance, and government.
  • Many commenters say mandatory retention + data sharing with Anthropic breaks:
    • HIPAA/BAA expectations, FedRAMP/GovCloud assumptions, EU data residency, strict customer contracts on subprocessors and training.
  • Some orgs chose Claude specifically because of ZDR; now planning to:
    • Block Mythos‑class models,
    • Stick with older models (Sonnet/Opus),
    • Or move to other vendors/self‑hosted models.

GDPR/EU and Legal Perspectives

  • One camp: policy can be GDPR‑compatible if:
    • Retention period is stated,
    • Purpose is abuse/safety,
    • Legal/safety carve‑outs are documented,
    • Deletion rights are honored.
  • Others argue:
    • “30 days, unless…” is too vague,
    • Cross‑border transfers to a US company are risky,
    • Anthropic likely becomes a controller, creating Article 15/18 obligations and litigation exposure.
  • Several expect some regions or sectors simply won’t be able to use these models.

Trust, Safety, and Motives

  • Anthropic says logs won’t be used for training; critics doubt this is enforceable or durable.
  • Concerns: increased breach risk, government surveillance, corporate espionage, and silent model “safety” review of sensitive sessions.
  • Many see this as:
    • A data‑moat / anti‑distillation move, or
    • IPO‑driven “enshittification” of AI services.

Ecosystem & Alternatives

  • Some expect all frontier labs to adopt similar retention for top models, limiting SOTA access to customers who accept logging and use‑case vetting.
  • Others see an opening for:
    • Competitors offering strict ZDR,
    • Open‑weight and local models for IP‑sensitive workloads,
    • Direct vendor integrations over aggregators like Bedrock.
  • General sentiment: strong pushback from privacy‑ and compliance‑sensitive users; more ambivalence or acceptance from those prioritizing cutting‑edge capability.