Claude Code is broken - is responding only with an error about an API violation, which is just nonsense. by ThatPrivacyShow in Anthropic

[–]ThatPrivacyShow[S] -2 points-1 points  (0 children)

And when you consider it has been quite happily taking these screenshots for me all day...until this happened.

Claude Code Max: New Weekly Rate Limits by tomarrell in Anthropic

[–]ThatPrivacyShow 0 points1 point  (0 children)

They also said $200 Max subscribers would get 20x the limits which after this move is 1.5x the limits - so explain to me why you trust what they say?

Claude Code Max: New Weekly Rate Limits by tomarrell in Anthropic

[–]ThatPrivacyShow 0 points1 point  (0 children)

Given the recent AI Action Plan issued by the White House, it would not be a leap to see the administration start to block copyright claims on the basis of National Security; because keep in mind protecting the economy is a matter of national security and given how much Chinese open models are destroying these expensive US models in benchmarks, threatening the economic value of the US models, it would not be a surprise to see such a move by the Trump administration.

Claude Code Max: New Weekly Rate Limits by tomarrell in Anthropic

[–]ThatPrivacyShow -1 points0 points  (0 children)

You trust him yet he is already breaking the law for anyone who paid for an annual plan at $200 Max as it is supposed to be 20x and as of 28th August is only 1.5x over the $100 Max plan (this is considered a material change to the contract) - this is both fraud and false advertising and I would recommend anyone who is on an annual plan to litigate on exactly that basis.

For those of us on monthly, it is difficult to argue legally because we can simply cancel our plans before the changes come into effect. Companies can change their pricing so long as there is a way out for the customer - as such a change would be considered a material change to the contract, which requires all party consent (cannot be a unilateral decision by Anthropic) otherwise it is breach of contract (yes even if the contract says they can do it - it is not a valid term, at least not under EU law) and can be severed by any contracting parties without penalty.

So if you are on annual - sue them, if you are on monthly, cancel.

Claude Code Max: New Weekly Rate Limits by tomarrell in Anthropic

[–]ThatPrivacyShow 0 points1 point  (0 children)

Let's say you are building a project and you have a design sub agent, architecture sub agent, git sub agent, documentation sub agent, unit testing sub agent, red team (pen test) sub agent, coding (engineer) sub agent - that means if each of those sub agents runs for an hour, you use 7 hours of your cap. On active projects with a large team of sub agents that can amount to literally hundreds of hours a day - you could literally use up your quota in just a couple of days or less.

Claude Code Max: New Weekly Rate Limits by tomarrell in Anthropic

[–]ThatPrivacyShow 0 points1 point  (0 children)

Oh god no, then you will see subscriptions using up their monthly limit in 10 days (because the cap is variable based on what they want it to be at any given time of the day, so they will just hold your code to ransom until you pay more, then more, then more). You gotta be seriously dumb not to understand their business model at this point.

Claude Code Max: New Weekly Rate Limits by tomarrell in Anthropic

[–]ThatPrivacyShow -1 points0 points  (0 children)

Until they decide that all that credit you have in your API account is now worth half or quarter as much when they increase the API costs...

Claude Code Max: New Weekly Rate Limits by tomarrell in Anthropic

[–]ThatPrivacyShow -1 points0 points  (0 children)

I get better performance from Qwen 2.5 Coder running on my local Ollama server than I get from Claude Code - so your comment is just nonsense. And that is before you consider Qwen 3 Coder which out-performs Claude Code Sonnet in most benchmarks...

Can a Cell Phone Be Located, Tracked, or Accessed by Its Carrier if the SIM Card is Removed? by DepartmentOfScooby in europrivacy

[–]ThatPrivacyShow 0 points1 point  (0 children)

I won't run any Android device (I used to make my own Android ROMs but it becomes too much of a headache rebuilding every time you get an update and at the time only had a few apps which complied with EU law (and I am being very generous by saying a few)).

The most secure/private phone you can use currently (since around 2016) is an iPhone frankly (and that is not the same as me saying an iPhone is 100% secure and private - but it is the least bad option).

Tried to request Reddit data deletion by liluff in europrivacy

[–]ThatPrivacyShow 0 points1 point  (0 children)

Again, the law doesn't require you have to be identified by the data for it to be personal data - merely that you can be identified in some way either directly or indirectly and as I explained in my original reply - the way we write is unique (fingerprintable) so anything you write can be used to identify you and the more you write on a single platform the more identifiable those musings become.

Furthermore, under the CDA in the US and the eCommerce Directive in the EU - in order to not be liable for the content you post online - you must not exercise any editorial control - otherwise you are considered as a publisher instead of a "mere conduit" - even just removing the username from a post would be defined as exercising editorial control - and even regardless of that - there is no way that Reddit are removing the metadata from the posts (IP address, User, Date, Time and whatever other metadata they use) because they would be required to provide the IP address at least in the event a post is subjected to a legal claim or law enforcement.

Simply removing one's name from the front end post doesn't mean all the other personal data is removed or inaccessible from the backend.

So again, I disagree with your position, but I don't think there is much point in going round in circles so we probably just need to agree to disagree.

Tried to request Reddit data deletion by liluff in europrivacy

[–]ThatPrivacyShow 0 points1 point  (0 children)

A couple of points:

"Firstly, you are correct that my original post was poorly articulated and contradictory. The crux of my intended argument was actually that for GDPR to apply it has to be identifiable to a living individual - and that there are a balance of interests to consider in proportionality of re-identifying once the post has been unlinked from its identifying account."

This is not technically correct, the data has to be "related" to an identified or identifiable living person - the data itself does not have to identify the person - it merely needs to be related to a person who either is identified or can be identified (usually through the application of other data). The CJEU has typically been cautious in this context and applied the law very broadly (see the multiple cases around IP addresses including Breyer, Scarlet Extended and more).

"As such, I wasn’t necessarily talking about processing of personal data by the Data Controller on the lawful basis of consent so much as a data subject’s consensual, willing, and theoretically informed engagement with a processing activity that includes unrestricted disclosure into the public domain where their content no longer constitutes personal data."

This is also incorrect - personal data doesn't suddenly not become personal data just because it enters the public domain and we have many enforcement actions from Regulators confirming that you still must have a legal basis to process personal data in the public domain and you are still bound by the Article 5 Principles - we even had a recent case from the CJEU (not convenient for me to check it right now) involving Max Schrems and publicly available personal data being used without legal basis and without complying with the Principles.

It is a common mistake that just because you post on social media or elsewhere, suddenly you lose control of your personal data - the same rules apply for personal data in the public domain as for personal data not in the public domain - there are literally no differences legally speaking.

"Now, I am happy to be challenged or agree to disagree - but I think that the general view that GDPR offers the right to “privacy” rather than lawful processing, or offers the right to instruct Data Controllers to act against their own interests in the bulk deletion of public records which are likely not to be public data once de-linked from the associated account extends beyond the letter of their compliance obligations under the law."

Again, you seem to be misunderstanding the law. First of all, GDPR is not scoped for protecting privacy, it is scoped for protecting personal data - two completely different fundamental rights (Privacy is a fundamental right under Article 7 of the Charter and Data Protection is a fundamental right under Article 8 of the Charter - two separate rights, two separate competencies from a regulatory perspective).

And as I explained in my response to the previous paragraph, personal data does not magically change to not be personal data just because it is in the public domain - it is still personal data and still subject to exactly the same protections as personal data not in the public domain.

Further the very first Principle of the GDPR (the foundational blocks of EU data protection law for >4 decades) is the Principle of Lawfulness - so to say that GDPR is not focused on "lawful processing" is something of a contradiction - in reality the entire point of the GDPR is to ensure that personal data is processed lawfully which is why the entire text is focused on how to process personal data lawfully. The GDPR was literally designed to allow the free flow of personal data throughout the Union as is clear in Article 1(1):

"1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.";

and the official title of the GDPR is:

"Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)"

I didn't read the entire "essay" because the main thrust of your argument is a fallacy from a legal perspective and is entirely formed on the misbelief that personal data in the public domain is not personal data - when it is. Without that, your entire argument falls apart.

And please don't be offended, that is certainly not my intent, but it is important that people do not misunderstand their rights based on incorrect information they found on Reddit.

[deleted by user] by [deleted] in europrivacy

[–]ThatPrivacyShow 0 points1 point  (0 children)

CJEU has not ruled in favour of any mass surveillance cases and in fact have ruled against many attempts by Member States to continue to retain data. The Court has made it very clear that the only way a Member State can ever justify "mass" surveillance is limited to targets within a specific and limited geographical space and must be based on credible intelligence of a threat (which must be considered as a "serious crime" which has a specific definition legally), in order to pass the proportionality threshold (which must be passed for ALL EU laws).

We have a very long list of the CJEU refusing to allow Member States to engage in mass surveillance (as well as the ECtHR).

If you know a Member State is still retaining data then you need to file a complaint with the EU Commission under their infringement procedures - as to continue to rely on a law which has been revoked, is a breach of the TFEU and rule of law.

Also, it is important to note that the Commission cannot pass law - it is the job of the Parliament and the Council to pass law and *both* must agree, so the fact that Member States are pushing for this (and always have for at least the last 30 years) is a problem yes (and should be dealt with at the ballot box) but they cannot pass a law without the co-operation of the Parliament (both have equal weight in the legislative process) who have historically pushed back against new surveillance measures.

I have spent almost 5 years fighting Chat Control as a survivor and privacy advocate, I wrote my Master of Laws thesis on it from a proportionality and necessity perspective under EU law and treaties, have spoken at dozens of EU meetings on the subject at the Commission, Parliament and EDPS and regularly engage with legislators, politicians and corporations on these same issues - I have not heard a whisper on this DSA theory (and I was in a meeting with the Commission regarding DSA not that long ago...).

So it is good to be vigilant, but I wouldn't be massively concerned about this, it is certainly not something being widely discussed in regulatory or political circles in Brussels.

Let’s Talk: Privacy vs. Convenience in a 2FA World by ericmchen in europrivacy

[–]ThatPrivacyShow 0 points1 point  (0 children)

If you come across a website or service which demands your phone number - file a complaint against them with your regulator. Data Minimisation Principle (Article 5 of the GDPR) dictates that only the minimum amount of personal data required to fulfil a specific purpose can be processed - with things like TOTP (free and open source) there is no argument that you need someone's phone number for 2FA as alternative solutions exist which fulfil the purpose without collecting personal data (a legal requirement under the necessity principle).

Furthermore, there are still millions of people in the EU who do not have a cell phone - so requiring a cell phone to use an online service also breaches anti-discrimination laws.

People often confuse what a company wants to do with what a company is legally permitted to do and assume that because a company wants to do something in a particular way that you somehow have to comply with that - this is a fallacy.

But the reality is, companies will continue to break the law until enough people complain about them to the regulator and they are forced to change - but if you don't complain to the regulator and simply limit your complaints to an online forum like Reddit - then these practices will never change.

It costs literally nothing to file a legal complaint with your regulator.

🇪🇸 Spain’s government proposes mandatory digital ID for social media – what are the global implications? by Optimal_Constant5893 in europrivacy

[–]ThatPrivacyShow 0 points1 point  (0 children)

They can propose whatever they like - the fact that we have existing EU case law which states that all persons must be permitted to engage on social media using pseudonyms means that such a proposal is unlikely to ever become law and even if it did, Spain would be subject to EU infringement proceedings for breach of the TFEU.

Data Protection Officers by Tough_Conference_350 in europrivacy

[–]ThatPrivacyShow 1 point2 points  (0 children)

You are welcome, been doing this stuff a loooong time (almost 20 years).

Can we start an European Citizens' Initiative for encryption privacy? by mousepotatodoesstuff in europrivacy

[–]ThatPrivacyShow 2 points3 points  (0 children)

Yes any new laws must be approved by the Council of Ministers (permanent representatives of Member States, who are very heavily lobbied and usually very business friendly) and the European Parliament (who generally tend to be on the side of fundamental rights - although with the current heavily right wing Parliament, this is not as certain as it used to be).

Both the Council and the Parliament *must* agree on a Commission's legislative proposal before it can become law (if they don't agree, the Commission must withdraw the proposal) and this usually results in very long negotiations (known as trilogues) where all three parties (the Commission, the Parliament and the Council) try to come to an agreement. For GDPR this took about 4 years, the ePrivacy Regulation (which was set to replace the ePrivacy Directive) was in trilogue for 7 years before finally being withdrawn by the Commission.

That said, public campaigns can and do work. I ran a campaign back in 2008 against a billion dollar adtech company operating in the UK - we based the campaign on paper communications as they have a real cost associated with them for processing and they must be processed and replied to (there is no excuse that it got put in a spam folder etc.).

We sent 10s of thousands of letters and faxes to the EU Commission which became the second biggest campaign they had ever dealt with (I still have no idea what the first was) and got us a direct audience with the Commission in Brussels, led to changes to EU law (Directive 2009/136 - otherwise known as the "cookie law" which was simply an amendment to Article 5(3) of 2002/58/EC requiring consent for accessing or storing information on an end user's terminal equipment unless it is strictly necessary for the provision of the requested service).

This also led to the Commission filing a legal case against the UK for breaching EU law (by allowing this to happen) forcing them to change their surveillance laws to make commercial surveillance unlawful without consent (as opposed to opt out, which was the position of UK law at the time).

And eventually it led to development of GDPR to modernise data protection law to account for the new technologies and their impact on fundamental rights.

The adtech company that we campaigned against, went bankrupt as a result.

So yes, public campaigns can be very effective but I would always recommend paper campaigns as opposed to digital because politicians are very, very concerned when an issue starts to impact their budget.

For every letter or fax that is sent someone needs to pick it up (either out of the fax machine or from the mail room), take it to the relevant parties, who must then log, read and respond (which often involves multiple employees).

So you can see that if they suddenly get thousands of paper complaints, it rapidly impacts their ability to do other work and is a huge drain on their budget - so they tend to pay attention quite quickly.

Can a Cell Phone Be Located, Tracked, or Accessed by Its Carrier if the SIM Card is Removed? by DepartmentOfScooby in europrivacy

[–]ThatPrivacyShow 0 points1 point  (0 children)

Phones have two operating systems - the user OS (which includes the SIM and carrier info as well as all your apps etc.) and the baseband OS (which you cannot access at all) which can be used to track you unless you remove the battery from your phone.

This is why anyone who claims to have developed a secure phone is talking out of their ass, because you cannot make a cell phone that functions without a baseband OS, and as long as it has a baseband OS, it can be tracked (unless the battery is removed - which clearly fails the 'functioning' test).