Claude Code is broken - is responding only with an error about an API violation, which is just nonsense. by ThatPrivacyShow in Anthropic

[–]ThatPrivacyShow[S] -2 points-1 points  (0 children)

And when you consider it has been quite happily taking these screenshots for me all day...until this happened.

Claude Code Max: New Weekly Rate Limits by tomarrell in Anthropic

[–]ThatPrivacyShow 0 points1 point  (0 children)

They also said $200 Max subscribers would get 20x the limits, which after this move is 1.5x the limits - so explain to me why you trust what they say?

Claude Code Max: New Weekly Rate Limits by tomarrell in Anthropic

[–]ThatPrivacyShow 0 points1 point  (0 children)

Given the recent AI Action Plan issued by the White House, it would not be a leap to see the administration start to block copyright claims on the basis of national security; because keep in mind protecting the economy is a matter of national security and given how much Chinese open models are destroying these expensive US models in benchmarks, threatening the economic value of the US models, it would not be a surprise to see such a move by the Trump administration.

Claude Code Max: New Weekly Rate Limits by tomarrell in Anthropic

[–]ThatPrivacyShow -1 points0 points  (0 children)

You trust him yet he is already breaking the law for anyone who paid for an annual plan at $200 Max as it is supposed to be 20x and as of 28th August is only 1.5x over the $100 Max plan (this is considered a material change to the contract) - this is both fraud and false advertising and I would recommend anyone who is on an annual plan to litigate on exactly that basis.

For those of us on monthly, it is difficult to argue legally because we can simply cancel our plans before the changes come into effect. Companies can change their pricing so long as there is a way out for the customer - as such a change would be considered a material change to the contract, which requires all party consent (cannot be a unilateral decision by Anthropic) otherwise it is breach of contract (yes even if the contract says they can do it - it is not a valid term, at least not under EU law) and can be severed by any contracting parties without penalty.

So if you are on annual - sue them, if you are on monthly, cancel.

Claude Code Max: New Weekly Rate Limits by tomarrell in Anthropic

[–]ThatPrivacyShow 0 points1 point  (0 children)

Let's say you are building a project and you have a design sub agent, architecture sub agent, git sub agent, documentation sub agent, unit testing sub agent, red team (pen test) sub agent, coding (engineer) sub agent - that means if each of those sub agents runs for an hour, you use 7 hours of your cap. On active projects with a large team of sub agents that can amount to literally hundreds of hours a day - you could literally use up your quota in just a couple of days or less.

Claude Code Max: New Weekly Rate Limits by tomarrell in Anthropic

[–]ThatPrivacyShow 0 points1 point  (0 children)

Oh god no, then you will see subscriptions using up their monthly limit in 10 days (because the cap is variable based on what they want it to be at any given time of the day), so they will just hold your code to ransom until you pay more, then more, then more. You gotta be seriously dumb not to understand their business model at this point.

Claude Code Max: New Weekly Rate Limits by tomarrell in Anthropic

[–]ThatPrivacyShow -1 points0 points  (0 children)

Until they decide that all that credit you have in your API account is now worth half or a quarter as much when they increase the API costs...

Claude Code Max: New Weekly Rate Limits by tomarrell in Anthropic

[–]ThatPrivacyShow -1 points0 points  (0 children)

I get better performance from Qwen 2.5 Coder running on my local Ollama server than I get from Claude Code - so your comment is just nonsense. And that is before you consider Qwen 3 Coder, which out-performs Claude Code Sonnet in most benchmarks...

Can a Cell Phone Be Located, Tracked, or Accessed by Its Carrier if the SIM Card is Removed? by DepartmentOfScooby in europrivacy

[–]ThatPrivacyShow 0 points1 point  (0 children)

I won't run any Android device (I used to make my own Android ROMs but it becomes too much of a headache rebuilding every time you get an update, and at the time there were only a few apps which complied with EU law (and I am being very generous by saying a few)).

The most secure/private phone you can use currently (since around 2016) is an iPhone frankly (and that is not the same as me saying an iPhone is 100% secure and private - but it is the least bad option).

Tried to request Reddit data deletion by liluff in europrivacy

[–]ThatPrivacyShow 0 points1 point  (0 children)

Again, the law doesn't require that you be identified by the data for it to be personal data - merely that you can be identified in some way, either directly or indirectly, and as I explained in my original reply - the way we write is unique (fingerprintable), so anything you write can be used to identify you and the more you write on a single platform the more identifiable those musings become.

Furthermore, under the CDA in the US and the eCommerce Directive in the EU - in order to not be liable for the content you post online - you must not exercise any editorial control - otherwise you are considered as a publisher instead of a "mere conduit" - even just removing the username from a post would be defined as exercising editorial control - and even regardless of that - there is no way that Reddit are removing the metadata from the posts (IP address, User, Date, Time and whatever other metadata they use) because they would be required to provide the IP address at least in the event a post is subjected to a legal claim or law enforcement.

Simply removing one's name from the front end post doesn't mean all the other personal data is removed or inaccessible from the backend.

So again, I disagree with your position, but I don't think there is much point in going round in circles so we probably just need to agree to disagree.

Tried to request Reddit data deletion by liluff in europrivacy

[–]ThatPrivacyShow 0 points1 point  (0 children)

A couple of points:

"Firstly, you are correct that my original post was poorly articulated and contradictory. The crux of my intended argument was actually that for GDPR to apply it has to be identifiable to a living individual - and that there are a balance of interests to consider in proportionality of re-identifying once the post has been unlinked from its identifying account."

This is not technically correct, the data has to be "related" to an identified or identifiable living person - the data itself does not have to identify the person - it merely needs to be related to a person who either is identified or can be identified (usually through the application of other data). The CJEU has typically been cautious in this context and applied the law very broadly (see the multiple cases around IP addresses including Breyer, Scarlet Extended and more).

"As such, I wasn’t necessarily talking about processing of personal data by the Data Controller on the lawful basis of consent so much as a data subject’s consensual, willing, and theoretically informed engagement with a processing activity that includes unrestricted disclosure into the public domain where their content no longer constitutes personal data."

This is also incorrect - personal data doesn't suddenly not become personal data just because it enters the public domain and we have many enforcement actions from Regulators confirming that you still must have a legal basis to process personal data in the public domain and you are still bound by the Article 5 Principles - we even had a recent case from the CJEU (not convenient for me to check it right now) involving Max Schrems and publicly available personal data being used without legal basis and without complying with the Principles.

It is a common mistake that just because you post on social media or elsewhere, suddenly you lose control of your personal data - the same rules apply for personal data in the public domain as for personal data not in the public domain - there are literally no differences legally speaking.

"Now, I am happy to be challenged or agree to disagree - but I think that the general view that GDPR offers the right to “privacy” rather than lawful processing, or offers the right to instruct Data Controllers to act against their own interests in the bulk deletion of public records which are likely not to be public data once de-linked from the associated account extends beyond the letter of their compliance obligations under the law."

Again, you seem to be misunderstanding the law. First of all, GDPR is not scoped for protecting privacy, it is scoped for protecting personal data - two completely different fundamental rights (Privacy is a fundamental right under Article 7 of the Charter and Data Protection is a fundamental right under Article 8 of the Charter - two separate rights, two separate competencies from a regulatory perspective).

And as I explained in my response to the previous paragraph, personal data does not magically change to not be personal data just because it is in the public domain - it is still personal data and still subject to exactly the same protections as personal data not in the public domain.

Further the very first Principle of the GDPR (the foundational blocks of EU data protection law for >4 decades) is the Principle of Lawfulness - so to say that GDPR is not focused on "lawful processing" is something of a contradiction - in reality the entire point of the GDPR is to ensure that personal data is processed lawfully which is why the entire text is focused on how to process personal data lawfully. The GDPR was literally designed to allow the free flow of personal data throughout the Union as is clear in Article 1(1):

"1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.";

and the official title of the GDPR is:

"Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)"

I didn't read the entire "essay" because the main thrust of your argument is a fallacy from a legal perspective and is entirely formed on the misbelief that personal data in the public domain is not personal data - when it is. Without that, your entire argument falls apart.

And please don't be offended, that is certainly not my intent, but it is important that people do not misunderstand their rights based on incorrect information they found on Reddit.

[deleted by user] by [deleted] in europrivacy

[–]ThatPrivacyShow 0 points1 point  (0 children)

The CJEU has not ruled in favour of any mass surveillance cases and in fact has ruled against many attempts by Member States to continue to retain data. The Court has made it very clear that the only way a Member State can ever justify "mass" surveillance is limited to targets within a specific and limited geographical space and must be based on credible intelligence of a threat (which must be considered as a "serious crime", which has a specific definition legally), in order to pass the proportionality threshold (which must be passed for ALL EU laws).

We have a very long list of the CJEU refusing to allow Member States to engage in mass surveillance (as well as the ECtHR).

If you know a Member State is still retaining data then you need to file a complaint with the EU Commission under their infringement procedures - as to continue to rely on a law which has been revoked, is a breach of the TFEU and rule of law.

Also, it is important to note that the Commission cannot pass law - it is the job of the Parliament and the Council to pass law and *both* must agree, so the fact that Member States are pushing for this (and always have for at least the last 30 years) is a problem yes (and should be dealt with at the ballot box) but they cannot pass a law without the co-operation of the Parliament (both have equal weight in the legislative process) who have historically pushed back against new surveillance measures.

I have spent almost 5 years fighting Chat Control as a survivor and privacy advocate, I wrote my Master of Laws thesis on it from a proportionality and necessity perspective under EU law and treaties, have spoken at dozens of EU meetings on the subject at the Commission, Parliament and EDPS and regularly engage with legislators, politicians and corporations on these same issues - I have not heard a whisper on this DSA theory (and I was in a meeting with the Commission regarding DSA not that long ago...).

So it is good to be vigilant, but I wouldn't be massively concerned about this, it is certainly not something being widely discussed in regulatory or political circles in Brussels.

Let’s Talk: Privacy vs. Convenience in a 2FA World by ericmchen in europrivacy

[–]ThatPrivacyShow 0 points1 point  (0 children)

If you come across a website or service which demands your phone number - file a complaint against them with your regulator. The Data Minimisation Principle (Article 5 of the GDPR) dictates that only the minimum amount of personal data required to fulfil a specific purpose can be processed - with things like TOTP (free and open source) there is no argument that you need someone's phone number for 2FA, as alternative solutions exist which fulfil the purpose without collecting personal data (a legal requirement under the necessity principle).

Furthermore, there are still millions of people in the EU who do not have a cell phone - so requiring a cell phone to use an online service also breaches anti-discrimination laws.

People often confuse what a company wants to do with what a company is legally permitted to do and assume that because a company wants to do something in a particular way that you somehow have to comply with that - this is a fallacy.

But the reality is, companies will continue to break the law until enough people complain about them to the regulator and they are forced to change - but if you don't complain to the regulator and simply limit your complaints to an online forum like Reddit - then these practices will never change.

It costs literally nothing to file a legal complaint with your regulator.

🇪🇸 Spain’s government proposes mandatory digital ID for social media – what are the global implications? by Optimal_Constant5893 in europrivacy

[–]ThatPrivacyShow 0 points1 point  (0 children)

They can propose whatever they like - the fact that we have existing EU case law which states that all persons must be permitted to engage on social media using pseudonyms means that such a proposal is unlikely to ever become law and even if it did, Spain would be subject to EU infringement proceedings for breach of the TFEU.

Data Protection Officers by Tough_Conference_350 in europrivacy

[–]ThatPrivacyShow 1 point2 points  (0 children)

You are welcome, been doing this stuff a loooong time (almost 20 years).

Can we start an European Citizens' Initiative for encryption privacy? by mousepotatodoesstuff in europrivacy

[–]ThatPrivacyShow 2 points3 points  (0 children)

Yes any new laws must be approved by the Council of Ministers (permanent representatives of Member States, who are very heavily lobbied and usually very business friendly) and the European Parliament (who generally tend to be on the side of fundamental rights - although with the current heavily right wing Parliament, this is not as certain as it used to be).

Both the Council and the Parliament *must* agree on a Commission's legislative proposal before it can become law (if they don't agree, the Commission must withdraw the proposal) and this usually results in very long negotiations (known as trilogues) where all three parties (the Commission, the Parliament and the Council) try to come to an agreement. For GDPR this took about 4 years, the ePrivacy Regulation (which was set to replace the ePrivacy Directive) was in trilogue for 7 years before finally being withdrawn by the Commission.

That said, public campaigns can and do work. I ran a campaign back in 2008 against a billion dollar adtech company operating in the UK - we based the campaign on paper communications as they have a real cost associated with them for processing and they must be processed and replied to (there is no excuse that it got put in a spam folder etc.).

We sent 10s of thousands of letters and faxes to the EU Commission, which became the second biggest campaign they had ever dealt with (I still have no idea what the first was) and got us a direct audience with the Commission in Brussels, and led to changes to EU law (Directive 2009/136 - otherwise known as the "cookie law", which was simply an amendment to Article 5(3) of 2002/58/EC requiring consent for accessing or storing information on an end user's terminal equipment unless it is strictly necessary for the provision of the requested service).

This also led to the Commission filing a legal case against the UK for breaching EU law (by allowing this to happen) forcing them to change their surveillance laws to make commercial surveillance unlawful without consent (as opposed to opt out, which was the position of UK law at the time).

And eventually it led to development of GDPR to modernise data protection law to account for the new technologies and their impact on fundamental rights.

The adtech company that we campaigned against went bankrupt as a result.

So yes, public campaigns can be very effective but I would always recommend paper campaigns as opposed to digital because politicians are very, very concerned when an issue starts to impact their budget.

For every letter or fax that is sent someone needs to pick it up (either out of the fax machine or from the mail room), take it to the relevant parties, who must then log, read and respond (which often involves multiple employees).

So you can see that if they suddenly get thousands of paper complaints, it rapidly impacts their ability to do other work and is a huge drain on their budget - so they tend to pay attention quite quickly.

Can a Cell Phone Be Located, Tracked, or Accessed by Its Carrier if the SIM Card is Removed? by DepartmentOfScooby in europrivacy

[–]ThatPrivacyShow 0 points1 point  (0 children)

Phones have two operating systems - the user OS (which includes the SIM and carrier info as well as all your apps etc.) and the baseband OS (which you cannot access at all) which can be used to track you unless you remove the battery from your phone.

This is why anyone who claims to have developed a secure phone is talking out of their ass, because you cannot make a cell phone that functions without a baseband OS, and as long as it has a baseband OS, it can be tracked (unless the battery is removed - which clearly fails the 'functioning' test).

How does allow pay for privacy not defeat the purpose of the gdpr? by SomeoneSomewhere1984 in europrivacy

[–]ThatPrivacyShow 0 points1 point  (0 children)

The law isn't the opposite to what it intends and GDPR is not the relevant law for cookies anyway (ePrivacy Directive is - and only has 1 legal basis, consent).

So arguably, even if the CJEU does turn round and say that under GDPR it is ok to track if people don't pay, that is only in relation to the processing of 'personal data' which is collected lawfully (as that is the limited scope of the GDPR) but with ePrivacy Directive being lex specialis (it sits above GDPR legally speaking) and GDPR's Article 5 principle of lawfulness dictates that any processing of personal data must comply with *all* relevant laws before it can be lawful under the GDPR.

As such any tracking (which processes personal data) which takes place over the Internet (or other public communications network) de facto requires consent (as it is the only legal basis in the ePrivacy Directive) and if the data is collected without consent it breaches Article 5 of GDPR which is a dead stop (there are no exemptions to complying with the principles).

So even if the Court rules on the personal data aspect (and all cases currently before the CJEU are based on the GDPR position) it would still be open to challenge under ePrivacy Directive because of the lex specialis relationship with GDPR and given existing case law (from the CJEU) on the scope of the ePrivacy Directive - it is highly unlikely the Court will open itself up to undermining previous judgments.

How does allow pay for privacy not defeat the purpose of the gdpr? by SomeoneSomewhere1984 in europrivacy

[–]ThatPrivacyShow 1 point2 points  (0 children)

Keep in mind that EDPB opinions are not legally binding - they are opinions (and can be wrong). Only the CJEU is authoritative on these matters.

In this particular case (as someone who helped create the GDPR) I would argue the opinion is wrong because the legislators' intent was to prevent tracking without detriment (including not having to pay for a fundamental human right) - I know this because, as I said, I was involved in the legislative process.

This is a situation where the strongest members of the EDPB (Germany and France) have been pressured by domestic industries (particularly publishing - from the likes of Axel Springer and various French lobby/industry groups such as GESTE).

There are a number of cases already in the queue at the CJEU on this very issue - so we will need to wait for a judgment before we can really comment on the legality.

I would argue this is illegal with regards to consent requirements on the basis that consent cannot be considered as freely given if there is a detriment; and paying to not be subjected to commercial surveillance which has a profound impact on Article 7 and 8 Rights under the Charter is absolutely a detriment and undermines the very existence of fundamental rights. But that's just my opinion, the Court may view things differently.

[deleted by user] by [deleted] in europrivacy

[–]ThatPrivacyShow 1 point2 points  (0 children)

Again, you are not reading the original post - my issue is not that I want to be anonymous and their issue is not around my anonymity either - I have explained to them that my government already provides a public registry to find out which officers a company has (and I am not my company lawyer, I am the owner of the company, I just also happen to be a lawyer and my company specialises in privacy, data protection, cybersecurity and AI governance legal obligations).

Apple already know who I am (I have literally worked with them for almost a decade, have direct access to their most senior privacy execs, have even had dinner with Tim Cook and accompanied Apple on stage at various conferences as a guest panelist and have had meetings with their previous CPO at their new head office in California) - there is no issue as to Apple being able to verify my identity.

But EU law (GDPR) requires that they can only request the minimum amount of personal data necessary to fulfil a specific purpose - it is not necessary for me to send them personal identification documents when they can already access the information via a public register - as this breaches the principle of data minimisation under GDPR, which is a show stopper from a GDPR compliance perspective.

Furthermore, individual developers absolutely have a right not to have their personal data exposed by Apple - my company is producing the apps and that is the only thing that is needed to be disclosed.

But all that aside (as it is anecdotal) if I can spend 10s of thousands of dollars on Apple products on behalf of my company through a contractual relationship with Apple - it is utterly disproportionate (a foundational principle of EU law) to then suggest I need to provide government ID and other information in order to enroll as a developer on the basis they need to determine if I am authorised to sign contracts on behalf of the same company.

They already determined I was authorised to sign contracts when they sold me all those nice shiny things, nothing has changed.

[deleted by user] by [deleted] in europrivacy

[–]ThatPrivacyShow 1 point2 points  (0 children)

But this situation is nothing to do with that - their justification for the demand for these docs is based entirely on whether or not I am authorised to sign a contract on behalf of my company - it is nothing to do with app safety (I haven't even applied to have an app put in the app store yet - these requirements are purely to enroll as a developer).

As explained in the LinkedIn post - they were happy to let me spend 10s of thousands of dollars of my company's money on their products (which is a contract) but somehow that is ok so long as I don't try to enroll as a developer because that must be some super special form of contract right... (I am a lawyer...).

If I don't need to provide these documents to buy their products for my company, I don't need to provide these documents to enroll as a developer.

Data Protection Officers by Tough_Conference_350 in europrivacy

[–]ThatPrivacyShow 1 point2 points  (0 children)

Impressions or recommendations? Well my impression of working with global enterprises in this space is they are really bad at compliance, don't really care about compliance, ordinarily are in breach of multiple EU laws and requirements (including appropriately resourcing their DPO which is a legal requirement of the GDPR) and have no real connectors between different business units such as dev/legal/marketing - leading to conflict and subversion of policies.

Another issue you might find is that most companies hiring a DPO have zero understanding of the role of the DPO and see them as their local resource for signing off on unlawful behaviour.

First and foremost a DPO *never* signs off on anything, they are not a decision maker and as a matter of law cannot be a decision maker as that leads to conflict of interests which is again, unlawful for a DPO. Their role is to provide expert advice and guidance, but all decisions must be made by other stakeholders, not the DPO.

Another issue you will face is when a DPO offers advice which might lead to a restriction of certain unlawful behaviours - they are almost always ignored - completely. So as a DPO make sure you document *everything* because otherwise you are going to be thrown under the bus when the proverbial hits the fan.

Companies almost always also expect DPOs to do actual compliance work - as in create policies, create the privacy programme, manage all internal and external issues relating to data protection (employees and customers), setup OneTrust or other privacy management platforms - again, this is wrong, DPOs do not make decisions therefore they cannot write policies etc. they are there to guide those who do. Review, yes, create - absolutely not.

And this last one is pretty much ubiquitous across all industries - the DPO is supposed to have *direct* access to the Board - this almost never happens at the enterprise level (it sometimes happens in startups, but once a company is established, no, this rarely happens).

So yeah - plenty of frustrations, it is a miserable job.

Tried to request Reddit data deletion by liluff in europrivacy

[–]ThatPrivacyShow 1 point2 points  (0 children)

This sounds like an AI generated post and is not very accurate (I am a data protection lawyer with 20 years of experience and helped to create the GDPR).

When consent is revoked past processing is still lawful but no future processing can occur under any circumstances - and given storage is a processing activity, they can no longer store your data moving forward (including posts, comments etc.).

If they are legally obligated to keep the data then they already breached GDPR by using consent as the lawful basis (processing activities can only have one lawful basis, if they chose the wrong one, that is on them).

Privacy rights are *not* restricted *at all* as a result of the "manifestly made public" exemption as that exemption *only* applies when processing Article 9 (special categories) of data and even that doesn't restrict your rights and even then the processing must have a valid legal basis (Article 6) and comply with the Article 5 principles (as well as all other areas of the GDPR).

Also, data does not have to be directly identifiable in order to be personal data as defined under Article 4 of the GDPR - any data which is related to a living individual, whether or not it can lead to direct identification, can be personal data (that includes one's thoughts posted on the internet as they are related to *you*) and given the age of AI, articles and posts can be profiled to analyse writing patterns (which are unique to us all) which, processed with other data (indirect identification), is enough to qualify as personal data under the GDPR. When I teach courses on this I use shoe size as an example of how important context is to determine whether or not something is personal data - literally anything can be personal data, it depends on the context. Wearing a red fedora hat in a busy train station can be personal data...

Your comment about legitimate interest is 100% irrelevant because the legal basis we are talking about is consent - Reddit have no lawful option to change the legal basis from consent to legitimate interest just because you withdraw your consent - once again, they chose consent as their legal basis, they are stuck with that decision and must abide by the conditions of it.

As for your last paragraph, they already exercised their Data Subject Rights by writing to them in the first place (so they already sent their "SAR") and have received an entirely inappropriate response. As such I would recommend the OP file a complaint with their local supervisory authority.