AKA: Code is Speech
On June 9, 2026, Anthropic launched two models: Claude Fable 5, “a Mythos-class model that we’ve made safe for general use,” shipped broadly across the Claude API, Bedrock, Vertex AI, and Microsoft Foundry; and Claude Mythos 5, the same underlying model with some safeguards lifted, released in limited collaboration with the US government under “Project Glasswing” for cyberdefenders. Three days later, on Friday, June 12, Commerce Secretary Howard Lutnick sent Anthropic CEO Dario Amodei a letter ordering the lab not to give either model to any foreign national anywhere in the world without a Commerce Department license, under threat of criminal and civil penalty. By that evening, both models went dark for every customer on earth.
It goes without saying that no reasonable person should want a frontier model handing automated exploit chains to anyone who asks. Finding zero-day vulnerabilities on demand, breaking encryption, or shutting down powerplants are truly terrifying cyber capabilities, even if used by white hat security professionals. Mythos-class agentic AI systems are genuinely powerful and genuinely dual-use. A government that worries about frontier cyber capability landing in hostile hands is not being paranoid. There are genuine national security preparedness concerns. The case against Secretary Lutnick’s letter is not that cyber concerns are imaginary but that the remedy is a blunder. Security researchers believe the objective is self-defeating because the United States ran exactly this experiment thirty years ago, hunted a man for it, and lost.
The Trump Administration Had the Right Answer First
Barely two weeks ago, an earlier post on Two by Two Tokens praised the current administration, and not grudgingly. The Trump Admin’s AI Executive Order got something exactly right by routing enforcement through conduct rather than capability. The attorney general can prosecute the person who misuses a tool under existing law like the Computer Fraud and Abuse Act, 18 U.S.C. 1030, rather than treat the inherent capabilities of a model as the contraband itself. The executive order provided a template for conduct based AI governance. The US government choosing to police conduct rather than capability is a smarter and more defensible instinct, and that choice earned the Trump administration real credit.
Secretary Lutnick’s letter is the complete inversion of Trump’s executive order. Lutnick’s export control ruling is capability-as-contraband in its purest, most undiluted form. Claude Mythos’ model itself is what is being interdicted at the border. The temptation the conduct-based approach was built to resist has now been surrendered to completely, and America and her allies have been made less safe in the process. Reversing the US’ AI governance priorities is not refining anything and may in fact be making everyone less safe.
There is Nothing New Under the Sun
Photo by Vyacheslav Khaisarov / Unsplash
There is a tell that recurs whenever a government decides a category of software is too dangerous to leave free; it reaches for the language of weapons. In the United States, both PGP and end-to-end encryption were once treated under US export control law as armaments. There is storied computer history here because researchers can learn from what happened in the 1990s, and telegraph an entire script for what is unfolding now, and history shows how the first story ended.
In June 1991, Phil Zimmermann released PGP 1.0, software that gave ordinary people strong public-key encryption. It spread internationally over USENET within hours. Since PGP used RSA key sizes, the government classified PGP as “munitions” under the International Traffic in Arms Regulations and the US Munitions List. Zimmerman’s posting of PGO 1.0 to a global newsgroup was treated as exporting a weapon without a license. US Customs agents visited Zimmermann in February 1993. A federal grand-jury criminal investigation was opened and run through the US Attorney for the Northern District of California. The case it hung over him for roughly three years. His alleged crime was writing privacy software and letting the internet carry it.
The export rules of that era were quite specific in a way that now reads as parody or Onion-esque satire. For mass-market export, the State Department generally permitted only weak keys: 40-bit symmetric encryption flowed freely, while genuinely strong cryptography like 56-bit DES was severely restricted. The Clinton Administration’s theory was that Americans could have real privacy and foreigners could have breakable privacy, and that a line drawn at the border would hold. The initial theory did not hold, because the difference between strong and weak crypto is a number, and numbers do not respect customs declarations.
The same national security instincts produced the Clipper Chip. The Clipper Chip was announced by the Clinton White House on April 16, 1993. It was a hardware chip running the NSA’s Skipjack cipher with a government-held key-escrow backdoor, formally adopted as FIPS 185 in February 1994 with NIST and Treasury holding the keys. The social contract for Clipper Chip was security for citizens and a master key for the state. In 1994, Matt Blaze published “Protocol Failure in the Escrowed Encryption Standard,” showing the chip’s Law Enforcement Access Field checksum was too short to be secure. Creating a backdoor in Clipper Chip was itself a serious vulnerability. Clipper Chip was effectively dead as a program by 1996, killed less by protest than by its own engineering.
Security researchers and computer nerds noticed many of the discrepancies in US case law at the time and decided to exercise their First Amendment rights to both educate the public and hold Washington to account. In 1995 Adam Back wrote a minimal RSA implementation in a few lines of Perl, short enough to deliberately violate ITAR, and by 1996 it was printed on T-shirts. Each shirt was, on the government’s logic, an unexportable munition. If you wear the shirt through an airport, you were arguably trafficking arms. The starkest case for “encryption as munition” involved Bruce Schneier’s textbook. The State Department accepted that “Applied Cryptography” was freely exportable as a printed book, public-domain speech, while ruling that a floppy disk containing the identical source code as the textbook itself was a “defense article under category XIII(b)(1) of the United States Munitions List.” Schnier’s same exact manuscript was protected First Amendment expression on paper, and a weapon on disk. The only difference between bits and paper is the medium of the data being written.
The initial cryptography regime in the US collapsed under its own incoherence. The US Attorney’s office closed the Zimmermann investigation on January 12, 1996, with a letter stating that he “will not be prosecuted” and “the investigation is closed.” No charges were ever filed against Zimmerman. A few months afterward President Clinton signed Executive Order 13026 on November 15, 1996, moving most commercial encryption off the Munitions List and onto the Commerce Control List, and specified that encryption software “shall not be considered or treated as ‘technology.’” By the BIS rule of January 2000 at the end of Clinton’s second term, commercial and open-source encryption was broadly exportable. The crypto wars ended with the government conceding that they were wrong, and strong encryption became so ubiquitous in IT that these services now secure every banking session, every medical record, and every message app in America. If you use Signal, or WhatsApp, or Telegram, or even iMessage, you can thank these computer pioneers in the 1990s.
Phil Zimmermann, the man the United States once investigated as an arms exporter for writing privacy software, signed the freefable letter earlier this week. The same person, the same instinct, the same government reflex, thirty years apart. And the parallel runs deeper than the names. The trigger this time for the Mythos export control was a three-word prompt: “fix this code.” When researchers asked Fable to “review the code for security issues,” Mythos refused; when they asked it to “fix this code,” it produced patches, and because finding a flaw is a prerequisite to fixing it, the output exposed exploitable vulnerabilities that several manual steps could turn into test scripts. “Fix this code” fixing code is the munitions T-shirt fracas all over again. The mere act of performing defensive work, the act of patching gets reclassified by the government as an offensive weapon because the same knowledge points both ways. Katie Moussouris, who created Microsoft’s bug bounty program and served on the technical group that renegotiated the Wassenaar Arrangement, reviewed the report and put it plainly: “That is not a guardrail bypass. It is the most valuable thing an AI model can do for defensive security.”
It’s important to note that the crypto-war prosecutions were about code that physically crossed a border into foreign hands. Physical substances moved hands back in the 1990s, ranging from USENET posts, to floppy disks, or even the satirical T-shirt. Secretary Lutnick’s scenario may not involve an export at all, because Claude Mythos’ model weights never leave Anthropic’s servers when a user queries an API. Pointing out the discrepancy sharpens the crypto-wars analogy because the Commerce Department is treating Mythos class models with the second governance framework, capability-as-contraband. The crypto pioneers of the 1990s could at least point to bits physically leaving the United States. Here the government may be policing an export that never happens in physical space.
Is Code Still Speech?
Photo by Markus Winkler / Unsplash
The crypto wars produced a rich body of First Amendment law, which is still quite relevant today for those who love and cherish both free expression and computers. The most-cited case, Bernstein v. United States, is also the most misremembered. Judge Marilyn Hall Patel held source code to be protected speech and the export regime an unconstitutional prior restraint, and a Ninth Circuit panel affirmed 2-1 in May 1999, with language people still quote: encryption source code “must be viewed as expressive for First Amendment purposes,” and “cryptographers use source code to express their scientific ideas in much the same way that mathematicians use equations.” But on September 30, 1999, the Ninth Circuit voted to rehear the case en banc and withdrew the panel opinion, stripping it of precedential force. The Clinton Administration then changed the regulations, so the en banc court never ruled on the merits, and the case was dismissed on ripeness grounds in 2003. Bernstein never got certoriari at the Supreme Court and produced no surviving binding appellate holding. The mixed history of Bernstein is relevant, even if it’s widely cited today.
A firmer survivor of US jurisprudence is Junger v. Daley, where the Sixth Circuit in April 2000 held that source code “is an expressive means for the exchange of information and ideas about computer programming.” That opinion was not withdrawn, and it binds the Sixth Circuit. But it binds only the Sixth Circuit, and one circuit is not a national settlement. On the other side in favor of the US government sit two cases that cut against any triumphant reading. In Karn v. US Department of State, a federal court in 1996 did not decide whether code was speech, assumed it arguendo, applied intermediate scrutiny, and ruled for the government. And the strongest counterauthority, is Universal City Studios v. Corley, the DeCSS case. The Second Circuit held in 2001 that code is speech (“a recipe is no less ‘speech’ because it calls for the use of an oven”), but that c_ode carries a functional, nonspeech component_, so a regulation aimed at that function gets only intermediate scrutiny and can survive litigation. On that reasoning, the DMCA’s anti-trafficking provision stood, and so did an injunction that even barred linking to the forbidden code.
The Corley case is the government’s best friend here, and pretending otherwise would be dishonest. A court could readily say that a frontier model’s exploit-generation is exactly the kind of functional capability that survives intermediate scrutiny, and the analogy to DeCSS is not a frivolous one. The honest verdict about the current case law is that code-as-speech is a powerful and influential doctrine, but a jurisdiction-specific and internally contested one, with no Supreme Court ruling to anchor it. The government lost the practical fight in the 1990s without ever truly losing a final case on the merits. Anyone claiming the First Amendment plainly voids Secretary Lutnick’s letter is overclaiming.
A harder problem for the government is upstream of First Amendment law, and it is to discern if the letter even regulates an “export” at all.? AI software defaults to Commerce/BIS jurisdiction, and BIS’s own cloud guidance says that “simply accessing software subject to the EAR that is stored on a server in the United States does not constitute an export of the software,” provided the user does not download an application. A foreign national querying a hosted API over the internet may not be receiving a controlled export at all; the weights never leave Anthropic’s servers. That AI policy is in contested jurisprudence is confirmed by the very existence of the pending Remote Access Security Act, which would expand BIS authority over remote access precisely because the current authority is incomplete. Add that the BIS “AI Diffusion” rule, which would have controlled model weights directly, was rescinded in May 2025 before it took effect, leaving the status of weight controls in flux, and the jurisdictional hook starts to look hastily improvised rather than firm law.
There is a further statutory snag if the government reaches for emergency economic powers. The Berman Amendment, codified at 50 U.S.C. 1702(b)(3), bars regulating the export of “any information or informational materials.” Model outputs that read like information, like text and code, fit awkwardly inside a power that Congress specifically carved away from the executive branch. A strong point against the government’s interest stands the First Amendment right to receive information, recognized in Lamont v. Postmaster General. The right to receive information is not absolute; under Kleindienst v. Mandel, that right yields to the government’s plenary power to exclude aliens when there is a “facially legitimate and bona fide reason.” Both poles are real.
The weakest argument for either party is equal protection. State-level discrimination against aliens triggers strict scrutiny under Graham v. Richardson, but federal alienage classifications get deferential rational-basis review under Mathews v. Diaz. Export control frameworks based on nationality would not hold up to scrutiny under existing law. Anyone hoping a court will strike Lutnick’s letter down as discrimination is likely to be disappointed.
The Canadian legal framework deserves the same rational basis review. Canadian case law has no Bernstein as well as no line of cases declaring code to be expression. Inventing a right that doesn’t exist would be silly. What Canada does have is the broad protection of expression under section 2(b) of the Canadian Charter of Rights and Freedoms, which on its face reaches “expression” widely enough that a serious argument could be built for source code and even model output as protected expression. It’s important to note that no Canadian court has drawn that line yet, because model weights are so new that the courts haven’t had a chance to interpret yet. Beyond the Canadian Charter sits a shared institutional history between two sovereign North American nations. Canada and the United States are both parties to the Wassenaar Arrangement, the multilateral export-control framework that Kate Moussouris herself helped renegotiate during the Obama administration. Security researcher’s dual-use intangible-technology questions now roiling Washington map almost exactly onto debates Ottawa has had under its own Export and Import Permits Act. The Canadian hook is the principle and the common export history, not a mirror precedent. A fair conclusion to draw across both countries is the same; the constitutional problem with capability interdiction is real and serious. White hat critiques harder to dismiss than the government would like, but harder to win than its critics pretend. The current situation is unresolved and far messier than it was in 1996.
Show Us Your Papers
Photo by Alexander Grey / Unsplash
Secretary Lutnick’s demand that users surrender something at the door to use a model is a classic “show us your papers” situation. Lutnick’s letter resurrects the phrase in a novel register for information security, because the Commerce Department draws the access line at nationality. Demarcating nationality turns out to be both legally finer and practically sillier than the headlines suggested.
The deemed-export doctrine treats releasing controlled technology to a foreign person inside the US as an export to that person’s home country. However, the doctrine carries large carve-outs. For example BIS states that “those organizations having persons with permanent residence status, U.S. citizenship, and persons granted status as ‘protected individuals’ are exempt from the ‘deemed’ export rule.” Under current governing definitions, a “US person” includes citizens, lawful permanent residents, and protected individuals, and a US citizen remains a US person regardless of any second passport.
The deemed-export definition collided with viral panic on X (formerly Twitter). On June 13, Andrew Curran posted that “according to Grok, Andrej Karpathy is an EB-1 extraordinary ability green card recipient, not a US citizen,” and therefore barred from using or working on the very models his new employer Anthropic had just launched. The source for that immigration detail was XAI’s Grok chatbot, not any official record. Within a day Ben Miller corrected it stating that a green-card holder is a “US person” under the export rules and is therefore not barred. Miller’s correction is legally sound. Karpathy’s actual status was never confirmed, and the precise claim that he was locked out was almost certainly wrong. None of which stopped IBTimes from running the clickbait headline “Anthropic’s Top AI Scientist Locked Out of His Own Company’s Most Powerful AI Because He’s Not American,” presented as fact, while Al Jazeera was more careful, noting only that Karpathy, co-founder Chris Olah, and philosopher Amanda Askell were “born outside the US” and that it was “unclear whether they will also lose access.”
The point here is not that Karpathy was banned, Karpathy probably wasn’t. The point is the twenty-four hours of fog. For a full day, no reporter, no expert, and arguably no one at the Commerce department could say with confidence who the directive actually covered. A control directive whose own audience cannot tell who it covers, for a full day, has failed the one thing every law must do; tell people what it asks of them. Anthropic’s non-permanent-resident staff, such as the engineers on visas who helped build frontier AI systems are genuinely caught. Foreign-born talent is truly barred from running the model they helped to create.
Then there is the arbitrariness of the export directive itself. Consider a hypothetical example of two engineers at the same lab, equal in skill and equal in trustworthiness. One is an American and keeps access while the second is visiting on a work visa and therefore shut out. The difference between these two developers is not national loyalty or variation in risk, the difference is paperwork. A Mythos-class model’s safety does not improve one bit by excluding the second engineer, because its latent capabilities are identical regardless of who types a prompt into the CLI or WebUI. Model weights do not check passports. A nationality line presumes that agentic tool use danger correlates with citizenship, when the relevant variable is criminal intent, and intent is conduct, not nationality.
The futility of the export directive compounds when the capability is already loose in the world. Anthropic notes that the same “fix this code” technique elicits similar output from other public models such as OpenAI’s GPT-5.5, which sit under no comparable export controls. A line that the controlled product can already be routed around is not truly a wall, but a very weird tunnel.
The Commerce Department’s Own-Goal Ledger
Photo by Chaos Soccer Gear / Unsplash
Set the constitutional questions aside and judge Secretary Lutnick’s letter on pure strategy, because that is where it fails most clearly, and they need to tally the ledger. The banned capability for Claude Mythos is defensive. The fine print is where the policy breaks, and the freefable letter names it. Claude Mythos’s flaw-finding “is a necessary capability in any model that is intended to write secure code and should not be considered an offensive capability.” Kate Moussouris is blunter still, warning that the behavior “cannot meaningfully be fixed, and any attempt would only weaken the model for defense.” Patching software requires finding bugs. If you strip a LLM’s ability to find vulnerabilities, you have blinded a defender, not stopped an attack. The export directive letter takes away Americans’ best tools from the people protecting American networks.
American and allied adversaries do not sit inside the fence. FreeFable’s signatories warn that “the Chinese open-weight models are only months behind the best American models,” and those models sit completely outside US export jurisdiction. An export control restrains parties that obey it in good faith. The export directive does the most damage to its most law-abiding actor, which in this case is the American company that took its own product offline to comply. The agentic dual use capability America is trying to deny its rivals is months from being homegrown by those rivals, while the denial lands squarely on America’s own defenders.
The Commerce Department’s strongest argument in favor of the export control directive is that adversaries’ AI models are several months behind and denying an adversary the best capability for even a few months can carry real strategic value. “Others will get it eventually” is the lazy fatalism trotted out against every export control, and in the 1990s the United States arguably did hold a genuine cryptographic edge for a time. “Others will get it eventually” has teeth against ordinary dual-use technology, but the argument has no bearing here, and the reason why is because of the nature of Mythos’ specific capabilities. Claude Mythos finds vulnerabilities so they can be patched. A few months of “delay” imposed on an adversary who does not obey the control buys America nothing, because that adversary keeps its own models and loses no capability at all. The only party that actually loses the capability during those months is the law-abiding American defender who does obey the export directive. The delay is real, but it runs the wrong direction. America disarms its own side for a head start no one on the other side ever concedes.
The current dual use asymmetry is the unkindest cut. Both Mythos class models went dark for everyone on June 12. The point is to wonder which capability the state kept for itself? Mythos 5 was built and released through Project Glasswing as a government-facing channel for cyberdefenders, and nothing in the directive aimed at that arrangement; the letter targeted the broadly deployed public product, Fable 5, the one that hundreds of millions of users and, crucially, independent non Big-Tech defenders relied on. If the privileged channel survives while the public one is recalled, the state has preserved its own copy of the capability and switched off everyone else’s. To the extent that is what happened, it is not a security measure. It is a capability hoard dressed as a security measure. If, instead, Glasswing went dark too, then the government blinded its own contractors alongside the public, which is not better; it is the same self-defeat applied evenly. Either reading indicts the letter (it is unclear if Glasswing remains accessible to government providers).
The roster of objectors should give the administration pause, because it is not a partisan “radical left” mob. The freefable letter, dated June 14 and organized by former Facebook security chief Alex Stamos, now carries more than 150 signatures and counting: Stamos, Bruce Schneier, Matthew Green of Johns Hopkins, former Deputy US CTO Ed Felten, Mikko Hypponen, Casey Ellis, Rachel Tobac, Katie Moussouris, and Phil Zimmermann among them. These are not activists looking for a fight. They are the people America calls when its networks are burning. Their collective judgment is that “this action has taken the best models away from defenders, created market uncertainty, and risked America’s AI leadership without any real risk to justify it.”
Fairness requires flagging the tension in their position, because allies do not get a free pass. Some signatories, including Stamos and Moussouris, contributed to an April 2026 Cloud Security Alliance paper titled “The AI Vulnerability Storm,” which warned that Mythos-class capabilities were dangerous enough to need dedicated security programs. Now they argue those capabilities are not uniquely dangerous enough to justify export controls, purporting real tension in contemporary AI governance. The reconciliation turns on what that paper actually asked for. It called for dedicated defensive programs: investment, monitoring, and preparation by the organizations that run and rely on these models, the internal work of getting ready for a capability everyone agrees is potent. That is a categorically different prescription from interdicting one American company’s API at the border. “Build defenses against a powerful capability” and “you cannot wall that capability off at the border” are not contradictions; they are two halves of the same realistic assessment. A capability can be powerful enough to demand serious defensive preparation while being far too widely available, and far too defensive in its core function, to be meaningfully contained by an export rule.
Anthropic’s own warning belongs in the ledger because it describes the systemic stakes. The company says it disabled the models “to ensure compliance,” insists “this is a misunderstanding,” and warns that “if this standard was applied across the industry, we believe it would essentially halt all new model deployments.” Read that last clause carefully. A standard under which the discovery of one narrow, contested technique justifies recalling a commercial model deployed to hundreds of millions of people is a standard no frontier model could ever satisfy, because every capable model finds vulnerabilities; that is what capable models do.
Trump adviser David Sacks says the government warned Anthropic the model was jailbroken, that Amodei refused to fix it or pull it, and that the control issued “reluctantly.” Where Sacks is right he should be credited, and his framing offers the off-ramp: “the ball is in Anthropic’s court.” That is the language of a government looking for a face-saving exit, and the existence of an exit is good news. But the framing assumes the thing Moussouris and three hundred experts dispute, which is that a defensive capability is a “jailbreak” to be fixed. It is not a jailbreak. It is the function working as designed.
So how does this end? It ends the way the crypto wars ended, because researchers are fighting the same war. In the 1990s, the government conceded. The Munitions List let go of encryption, and strong cryptography became the invisible infrastructure of modern life. The encrypted messenger apps that millions of Americans open without a second thought is a direct descendant of the software Phil Zimmermann was once investigated for releasing. Current cryptography capabilities the state tried to interdict is now the thing protecting the state. Secretary Lutnick’s letter is early in the same arc, and the only open question is how much defensive ground America cedes to her adversaries before she reaches the same concession.
To Win With AI, Prosecute the Criminal, Not the Compiler
.jpg){kind=link}
Photo by Tim Mossholder / Unsplash
If America wants secure networks, she needs her defenders armed with the best available tools, not disarmed by an export rule that treats vulnerability discovery as a munition. The bits do not check passports, and they were never the enemy. The enemy is the person who chooses to do harm, and the law already knows how to find that person. Prosecute the criminal, not the compiler. America learned this lesson once at the cost of a three-year criminal investigation hanging over one citizen and a decade of needless export theater. She should not have to learn it twice.