From PGP to Mythos: a brief history of export controls that didn’t stop anyone

Last Friday, the White House ordered Anthropic to restrict the export of its AI models Mythos and Fable to foreign entities and individuals outside the U.S., resulting in the immediate shutdown of both models. This move is the first significant test of whether U.S. export controls can contain frontier AI technology, with potential implications for the future regulation of AI development and international access.

Anthropic, a leading AI research company, had only recently made Mythos available to a limited group of vetted organizations, citing concerns over its potential for misuse. The U.S. government’s decision followed reports that a South Korean telecom with alleged ties to China accessed Mythos through a partner program, raising national security alarms. Amazon CEO Andy Jassy also reportedly flagged a security breach involving Fable, which led to the export restrictions.

In response, Anthropic quickly halted access to Mythos and Fable, with some reports indicating the models were unavailable within 90 minutes of the government’s directive. This episode marks a rare enforcement of export controls on frontier AI models, which have historically been difficult to regulate effectively, as seen in past efforts to control encryption and spyware technology.

Historically, U.S. export controls have had mixed success. In the 1990s, attempts to restrict encryption software like PGP led to the so-called “Crypto Wars,” which ultimately resulted in the source code being published as a book and the eventual acceptance of encryption as a vital privacy tool. Similar efforts to limit spyware exports through international treaties like Wassenaar have faced challenges, including non-compliance by some countries and companies moving operations to lax jurisdictions.

Implications of AI Export Controls on Global Technology

This incident underscores the difficulty governments face in regulating rapidly advancing AI technology, which often outpaces legal frameworks. The failure of past export controls on encryption and spyware suggests that similar measures for frontier AI may be ineffective or easily circumvented, raising questions about how best to manage AI risks without stifling innovation.

Moreover, the episode could influence future international agreements and national policies on AI development, security, and trade, impacting global competitiveness and security strategies.

Historical Attempts to Regulate Encryption and Spyware

Since the 1990s, the U.S. and other countries have attempted to control the spread of powerful cryptographic and surveillance tools. The case of PGP, developed by Phil Zimmermann, exemplifies how government efforts to ban or restrict encryption often failed, leading to widespread adoption and the recognition of encryption as a fundamental privacy right. Similarly, international treaties like Wassenaar aimed to limit dual-use spyware and hacking tools but faced criticism for loopholes and non-compliance, allowing spyware companies to relocate or operate in countries with lax controls.

These historical efforts highlight the persistent challenge of regulating technologies that have both civilian and military applications, especially when enforcement depends heavily on national discretion and international cooperation, which are often incomplete or inconsistent.

“The episode marks a rare enforcement of export controls on frontier AI models, which have historically been difficult to regulate effectively.”

— Lorenzo Franceschi-Bicchierai

Effectiveness and Future of AI Export Restrictions

It remains unclear whether the U.S. government’s measures will succeed in preventing unauthorized access to frontier AI models like Mythos in the long term. Past efforts to control encryption and spyware have faced significant circumvention, and similar challenges are expected here. The potential for companies and countries to find loopholes or develop alternative methods to share or deploy AI models complicates enforcement, and the broader impact on innovation remains uncertain.

Next Steps in AI Export Control Policy and Enforcement

Authorities are likely to review and possibly tighten export controls, with discussions ongoing about international cooperation and enforcement mechanisms. Tech companies may adapt their security measures or seek new ways to share models legally. The outcome of this episode could influence future regulations, either leading to more robust controls or exposing their limitations, shaping the global AI regulatory landscape in the coming months.

Key Questions

Why did the U.S. government restrict Anthropic’s AI models?

The restrictions were imposed due to national security concerns after reports of a South Korean telecom with alleged ties to China accessing Mythos, and security breaches involving Fable, which raised fears about sensitive AI technology falling into adversarial hands.

Have export controls on encryption and spyware been effective historically?

No, past efforts such as the restrictions on PGP and international spyware treaties have faced significant challenges, including circumvention, non-compliance, and companies relocating to countries with lax enforcement.

Could these export restrictions slow down AI innovation?

It is possible, as restrictions may limit international collaboration and access, but enforcement challenges and circumvention tactics could diminish their impact, making their effect on innovation uncertain.

What happens if the U.S. government lifts the restrictions?

If the restrictions are lifted, Anthropic and other companies could resume exporting models like Mythos, potentially increasing international access but also raising concerns over security and misuse.

Source: Hacker News