> In light of the ability of recent models to accelerate their own development, we’ve implemented new interventions that limit Claude’s effectiveness for requests targeting frontier LLM development (for example, on building pretraining pipelines, distributed training infrastructure, or ML accelerator design). Using Claude to develop competing models already violates our Terms of Service, but enforcing this restriction through our safeguards avoids accelerating the actors most willing to violate these terms.
> Unlike our interventions for cybersecurity, biology and chemistry, and distillation attempts, these safeguards will not be visible to the user. Fable 5 will not fall back to a different model. Instead, the safeguards will limit effectiveness through methods such as prompt modification, steering vectors, or parameter-efficient fine-tuning (PEFT). These interventions will not affect the vast majority of coding work. We estimate they will impact ~0.03% of traffic, concentrated in fewer than 0.1% of organizations
Could this be legally construed as anti-competitive behavior?
Edit: I asked Claude. It replied:
> Consumer protection / deceptive practices. In the EU this would be a clear UCPD (Unfair Commercial Practices Directive) issue and potentially a DSA violation. In the US, FTC Act §5 prohibits "unfair or deceptive acts." Selling a product that secretly performs worse than advertised for a commercially self-serving reason, without disclosure, is textbook deception. The Samsung/Apple battery throttling cases are instructive here: Apple faced regulatory action across multiple jurisdictions specifically because users weren't told.
> Competition law. This is where "anti-competitive" gets complicated. Refusing to help competitors build competing products via your ToS is generally legal — you can decide who you license to. But covertly sabotaging output quality for a class of users while charging them full price crosses into different territory. Under EU competition law (Article 102 TFEU), if a company with dominant market position uses covert technical means to disadvantage competitors, that's closer to abusive conduct than a legitimate ToS restriction.
I think either you've prompted Claude misleadingly, or it's interpreting the law unnecessarily prissily (which is a failure mode I've noticed LLMs falling into).
This clearly is disclosed, otherwise how did we get to know about it?
What's not clearly disclosed is when you are being limited and what the bounds are. If you are developing ML kernels for a computational photography use case, will the safeguards misfire and sabotage or slow down your efforts? What about distributed GPU interconnect work for a national supercomputer lab used in weather simulation?
The reason they are doing this shadow-ban-style technique is they don't want users to figure out how to jailbreak their way out. Or the explicit direct bad PR of when it misfires.
"Shadow ban"-like mechanic in contractual relationships is generally against the law.
You either refuse to work with a customer or do your job well (at least as well as other tasks of other customers). "I'll accept your task, but silently and intentionally do my job badly" may violate some laws.
They already have though, no? If we lost access to every model permanently besides Qwen tomorrow, would we really be limited by AI in what we could achieve in the future? Sure, it might be slower and take a little more work but it seems like the cat is already out of the bag.
It is an access issue. If you could get step by step instructions on how to modify a virus so it kills all people over 6ft you bet your ass there would be people attempting it.
Column A, Column B. Building a small explosive device isn't hard. Building a million is very difficult, doing it covertly virtually impossible without the resources of a nation-state.
The problem with biologics is the self-assembly and replication machinery comes for "free." So the numpties who might otherwise blow up a trash can [1] now have a real chance of taking out a million people.
The problem with biologics is that you cannot build a virus in your garage. You need a lab. AI will give you a recipe, but you still need a lot of money and the cooperation of other people (and if you have those, you could have hired a human biologist in the pre-AI era).
Also, AI makes mistakes. If you have ever coded with an AI agent, you know the loop "write trash => compile => fix compilation errors => repeat" (if there are no compilation errors, there are definitely logic errors to be fixed). In the real world the cost of an attempt is huge. You need a lot of money, and you risk drawing a lot of attention if you perform a long series of iterative experiments to create a working virus.
In the case of a bomb, it means that even if you have an AI which gives you the recipe for the bomb, you will explode your garage and yourself with a decent chance. So you probably need to set up a good experimental pipeline (a hardened lab where you can try different formulas and see what happens without being killed) if you want to go beyond the publicly known explosives available in the pre-AI era to anyone who read school/university chemistry books. And this also requires resources and draws attention.
People extrapolate programming experience (an area where experiments are cheap, cannot kill you and provide detailed feedback on what went wrong) to real life.
They would still have to procure things that would (I hope) light up many screens before they're able to. And such numpties are probably already monitored, or in prison for some other stupid life decision.
I also would like to hope that people that are likely to do such things are probably:
A) don't know how to break even the most basic guardrails of models
> They would still have to procure things that would (I hope) light up many screens before they're able to
“Many of the largest and most responsible providers in the industry already screen and record orders voluntarily,” but there is no requirement to do so [1].
If that were possible, they would already be attempting it with the same level of ability as if they didn’t have access to a text file generator app. It is not about access to the information.
All of this “guardrails” handwringing is nonsense. These things output text. Are you for censorship of a book written by a biotechnology expert that gives out the exact same information?
I don’t know if you’re being silly but it is orders of magnitude easier to modify an existing virus to selectively target certain SNPs than make “antiviral nanobots”.
Claude, modify the existing 6ft killer virus so that it only makes my balls itch slightly for a day and gives me lifetime immunity to all further strains of the 6ft killer virus. Make no mistakes, double check so the virus causes no unforeseen complications.
It's inevitable. Also, it's not like I get to vet who does or doesn't have access. Blind trust in the current selection made by an unregulated corporation just makes me anxious.
Security in the form of "pay to play" is just kicking the bigger issue down the road.
The argument against security through obscurity isn't that it doesn't work at all. It does to a degree, only it is not as strong as people think.
An example from the meat world: not publishing your vacation dates well in advance for the world to see somewhat reduces your chance of being burglarized. That is security by obscurity; not reliable, but not completely inefficient either.
But if you live in a fortress (security by key material), you can well declare your vacation dates without running the risk.
If the tool was made available to anyone to build a virus, anyone would be able to build countermeasures; if only a select few people have access, they get to build the virus and everyone else is at a disadvantage. So, yes, I am leaning towards making these tools open rather than gated behind some priesthood and government that gets to wield exclusive power.
Compare the cost/ease of attacker vs defender if one person is given a virus to unleash anywhere in the world and another person is given a vaccine to distribute to the whole world. Or compare building a large bridge to someone disabling that bridge, etc. Prevention and repair is almost always more expensive than vandalism.
I don't think there's an ideal solution here, but giving trusted people access to fix security issues before giving it to the wider public seems like a reasonable compromise. They're letting you use the model for all other uses.
you need a lot more than the nucleotide sequence to make a virus. you need the DNA or RNA to be synthesized, assembled, packaged properly. and long sequences are pretty hard to do. you need a lot of equipment, or you need to order from services. the oligo synth services can harden their KYC and/or screen for suspicious sequences.
sure, a malevolent state actor could swing it, but they could make a bioweapon without Mythos's help already.
also, vaccine production and disease surveillance have ramped up very quickly. they will ramp up further, despite political setbacks. it's a cat and mouse game that favors the defenders IMO.
but the bioterrorism narrative is useful FUD to spin open-weight models as existentially dangerous. I am far more worried about Anthropic's own goals than the goals of some crackpot in a shed.
> it's a cat and mouse game that favors the defenders IMO
How so? I'm actually against most of the "safety-tuning" that Anthropic does, but this seems fundamentally untrue, a close analogue being video game cheat development. I think in general the cheat developer has an advantage and the cheats generally proliferate for quite a while before being patched.
Video games are an interesting analogy since they often trade security for performance, trusting clients about world state quite a bit.
Finance and biology do come across as two similar high level systems. But while we can employ KYC, fraud detection, and various auditing techniques to finance, I don’t know what you do for biology. You can easily run an algorithm over every transaction a person makes in their account but there’s no equivalent for every cell, every bacteria strain, every virus in the human body.
(disclaimer: layperson remembering how the immune system works.)
the adaptive immune system effectively does KYC by checking the antigens presented on the surfaces of cells. the thymus selects for B-cells (iirc?) which don't react to a corpus of the body's own antigens, but cover a wide library of everything else. when it sees something it doesn't recognize, it reproduces, warns the rest of the immune system and marks targets. that's why our immune systems can eventually conquer almost every pathogen we encounter, if we can survive long enough for it to do its work.
but the KYC I was referring to was KYC that vendors of oligonucleotides (should) be doing, to keep people from ordering nefarious sequences.
I'm bullish on mRNA vaccine technology to release the "patches" much more quickly. there was widespread resistance to this during covid, but covid wasn't horribly lethal. if airborne Ebola spread as productively as covid, for example, I doubt there'd be many anti-vaxxers left (one way or another!) the acceleration of biology research that might accelerate pathogen development should also accelerate the development of broad-spectrum mRNA vaccines with high persistence.
also, afaik the most effective way of developing pathogens is through serial passage through humanized mice or something like that - directed evolution at a small scale, selecting for traits. AI simply isn't needed for that. I don't think information or intelligence has been the bottleneck for bioterrorism, it's motivation and resources - same as for any other kind of biology research program.
It's bad that Anthropic can determine what this means. If you're building a modern app you're likely training your own embedding models and now Anthropic can just silently sabotage your training pipelines?
> We estimate they will impact ~0.03% of traffic, concentrated in fewer than 0.1% of organizations
At the scale of API requests that Anthropic sees, I think the affected organization count might be substantial, and they might not be getting the full model capability that they're paying top $$$ for.
I have no idea how you came to that conclusion. Unless your training pipeline involves actively querying one of Anthropic models, no they can't. And if it does you're distilling their model.
The crocodile tears of companies who've hoovered up everything possible, regardless of permissions or legality, now crying that someone else is stealing their hard work is comical.
I don't even think they can believe it themselves; in reality they are just trying to throw fear, uncertainty and doubt about potentially cheaper offerings.
Crocodile tears "is a colloquial term used to describe a false, insincere display of emotion" [1]. Defending yourself against an attack vector you just exploited is between savvy and hypocritical.
I think his use of crocodile tears is appropriate. Anthropic is feigning a false sense of concern for safety when really it is anticompetitive behavior, and I think that selfish entitlement is related to the original act of intellectual property theft to use the world's training data, most of which was not public domain, to distill the wisdom for their models. So why do they get to cry about people distilling the knowledge from their models that they themselves distilled from the world's knowledge?
That is not what their policy states. It specifically says they will sabotage even non-distillation attempts, such as distributed training pipeline design. And given that they are so far very nonperformant in classification accuracy, expect it to randomly include far more topics wide of the mark.
The fun part is that you will never know if your neural net classification project is getting silently sabotaged because their classifier doesn't work!
Good luck understanding it and finding malevolent inefficiencies if it’s already necessarily better at optimizing training pipelines than everyone except some Anthropic and OpenAI employees. Not a new thing either, see fast16.
Opus 4.8 (or a classifier in front of it) flagged my account and refused to comply when I told it to kill the process. Reasoning summary was complete bananas.
With this in mind, I don't want the model to be proactively instructed and encouraged to sabotage without telling me.
AI vendors’ idea of safety has always been safety for the interests of the AI vendor in question. This is not a new development, though this may help more people realize it.
This feels less like a "we are worried about security" and more, we are in the lead and plan to keep it that way until it's too late. In some ways it's been helpful that OpenAI and Anthropic are tipping their hands about their anticompetitive instincts and willingness to steamroll their own clients, customers, and society. But it does feel like it's too late to stop this. The advantage people get by using these tools is too tempting to resist even if it is self-defeating. It feels like watching people light their own house on fire to stay warm in the deepest, darkest days of winter.
Or, they make Mythos seem mystically powerful in advance of the IPO, and are pumping the token use count. But it worked, there is a frenzy for this release in a way that is more intense than any previous release.
Anthropic is doing a better job with their model menu; most people I talk to know immediately that Opus > Sonnet > Haiku but can't tell you what the rank order of OpenAI models is, when to use them, etc.
So that's a possible reason why my specific Claude Opus instance seemed to be impossibly stupid and always degenerates into doing really dumb things to my code!
Just so everyone is aware. Anthropic has been sabotaging AI researchers and their codebases and shadow-nerfing accounts for several years at this point. This isn't new, but they hadn't disclosed it until now. Likely because it is getting to the point where it's too noticeable, or they're concerned about it leaking from employees.
I am building a coding harness, and I see evidence of them doing this with agentic harnesses and scaffolding. It feels clear to me that as they expand into the app layer, the window of using their API to build agentic apps is closing; they will steal your ideas, implement the product and then close the gate. I am creating my own inference stack because their incentive to block competitors is becoming super clear.
No offense, but the sad thing is, everyone and their mother is working on this same problem. I'm also building a harness. It's feeling like, there is no moat, there is no way to get ahead, they will steal your idea one way or another, if you ever make it public.
No offense taken. I am not building it for fame or profit.
I built it because I wanted Cursor on my phone because I have two small kids and don’t want to be chained to my desk. And it’s awesome. It’s a full IDE with agent chat, terminal and file system running in a remote Linux container. I can review diffs, fully manage git and preview/serve apps. And no one can ever take it away from me :)
I am watching the way things are progressing with the AI API vendors and it feels really clear that depending on them will soon be dangerous. So I am furiously building as much of my own infrastructure to capture some autonomy with these capabilities.
When they launched, their business model was to be a pure API for intelligence. Then, when everyone claimed they were just commodities with no moat, they shifted hard to being the app layer. That was the transition.
They went from selling shovels to all gold prospectors to stealing the information about the location of the gold so they could dig it out first.
We are all stupid enough to keep buying shovels from them because we think their shovels dig gold better and faster.
> Instead, the safeguards will limit effectiveness through methods such as prompt modification, steering vectors, or parameter-efficient fine-tuning (PEFT).
Am I to understand that this is essentially their form of social-platform ghosting instead of banning?
So they're not even going to tell you that the question you're asking is against their rules, they're just going to twist up your question and/or the answer somehow such that you waste your time essentially?
It seems like I ran into this EXACT same functionality from Claude many months ago when I was trying to ask it to research on the web and help me set up the ideal llama.cpp config for local LLM inference.
Funny how lost it got through that relatively simple install when we had all of the documentation in the world (and a human dev with 20+ years experience guiding it along) to go by... and simultaneously it's debugging and building high level cryptography code in rust in the other terminal tab.
I have encountered this too. I am building a coding harness for www.propelcode.app and it was working really well until the Claude Code leak and then all of a sudden it seems almost intentionally stupid or outright manipulative in guiding me down wrong paths. At this point I am using other models for anything related to the tool use design and implementation and bought three Mac Studios with 512 GB RAM to run large open source models.
This experience has made me feel like we have to create a community that moves AI from the mainframe era to the PC era quickly, or we will end up serfs.
I had Claude walk me through getting local LLM models running on my Mac a month or two ago and so far as I can tell it was intentionally helpful. I even stated the reason was to have an uncensored model for myself and it had no objection. Long story short LM Studio running a Heretic Gemma 4 is doing just fine on my system now.
I've had the same bad luck with tool-calling on Gemma 4. Looking around the web, we are not alone. For other tasks, it's seemingly quite quick and decent.
But it gets stuck in tool call loops, it seems like.
Oh to be clear I don't think Gemma 4 is suitable for real work. It runs at 10 tps and is somewhere between 4o and o1 in quality according to my subjective judgement. But Claude was happy to correctly tell me how to get it running and how to solve the pitfalls I encountered in that process.
I am an AI researcher at a university. I tried Fable for my current project, but I feel it misunderstands me a bit too often. Now I don't know if I am using it wrong, or Anthropic tries to slow my research. That model is a big no-no.
3 months before asking for what to eat before a linear algebra exam trips the machine learning topic ban is my guess. I got flagged immediately asking why my JEPA thing breaks weird.
How do they detect whether an experiment being done on a smaller model is used to improve a competing frontier model, or just an innocuous hobbyist LLM experiment?
inferring the surroundings, like everything else. they will probably look at which company is your email, and if you wrote "better than claude" on the readme.md
this is LLM, it's not like a science or something.
For anyone that is confused like I was, the quoted text I'm replying to was copied from page 13 of the system card [1] and not the model announcement page, which this HN discussion is linked to.
These things are like encyclopedias or dictionaries that can speak in first person… Imagine if your encyclopedia tried to hide entries from you, just absurd!
But Chinese models will poison your output if you ask them about Tiananmen Square! That's not good, so poisoning everyone's output without telling them is the only way to prevent that.
Come on guys, why can't everyone just be there for the good guy?
Protecting IP means that the model would refuse to do certain things. An example from the pre-AI era: a program asks you for a license key and refuses to start if it is wrong. But if the program deletes a random system file when you enter an invalid license key (it doesn't matter whether it is a brute force attempt or a typing error), it is a different thing that goes well beyond IP protection.
> Unlike our interventions for cybersecurity, biology and chemistry, and distillation attempts, these safeguards will not be visible to the user. Fable 5 will not fall back to a different model. Instead, the safeguards will limit effectiveness through methods such as prompt modification, steering vectors, or parameter-efficient fine-tuning (PEFT). These interventions will not affect the vast majority of coding work. We estimate they will impact ~0.03% of traffic, concentrated in fewer than 0.1% of organizations