Source? I recall that they only changed their policy from “we will not comply with a request,” to, “we comply with lawful requests,” and the breach was about confidence, not showing they gathered data they claimed not to gather. They still maintain that they don’t log connection details, only payment and account creation, but the rewording of the policy at least implies that they could log more “if asked,” which does leave the user wondering.