Old Munitions, New Munitions
What the Fable 5 export controls have in common with 1990s encryption law
There’s a particular kind of déjà vu that comes from watching a government try to put a fence around something that doesn’t respect fences. I felt it again last week, watching the news around Anthropic’s Claude Fable 5 — and the feeling sent me back almost thirty years, to a much earlier fight over Netscape Navigator and a 128-bit number.
The old munition
In the 1990s, the United States classified strong cryptography as a “munition.” Not metaphorically — it sat on the official Munitions List, in the same legal category as missiles and explosives, regulated under the Arms Export Control Act. The idea, dating to the Cold War, was straightforward enough: the government wanted to be able to read communications it intercepted, and it didn’t want adversaries to have encryption strong enough to keep secrets from American intelligence agencies. So exporting strong cryptography abroad required a license, the same way exporting a tank would.
This policy collided head-on with the rise of the commercial Internet. Netscape, building the most popular web browser of the era, needed encryption to make online banking and e-commerce viable. The strong version of that encryption, using 128-bit keys, was exactly what export law prohibited sending outside the United States. As a result, Netscape shipped two versions of its browser: the “Domestic” edition had full 128-bit encryption, while the “Export” edition was capped at 40 bits — weak enough to be broken by a dedicated machine in under six seconds, according to later estimates.
Users picked their version with a radio button, an almost comical arrangement: nothing checked where they actually were. A user in Moscow could download the U.S. version as easily as a user in Kansas. The policy didn’t stop sophisticated foreign actors from getting strong cryptography elsewhere — it mostly just left ordinary international users with weaker security than their American counterparts, while giving American companies a competitiveness headache they didn’t ask for. It took Netscape nearly a year of negotiation to get permission to export the 128-bit version freely, which finally happened in 1997. The broader architecture of export controls on cryptography continued loosening for years afterward, as the policy’s practical failures became harder to ignore.
The new munition
Fast forward to last week. Anthropic had just released Claude Fable 5 and Claude Mythos 5 — by its own account, the most capable models it had ever shipped. Three days later, the company received a letter from the Department of Commerce, sent on behalf of Secretary Howard Lutnick, invoking national security authorities and ordering Anthropic to cut off all access to both models for any foreign national, anywhere — including, notably, Anthropic’s own foreign-national employees, according to Anthropic’s own public statement.
Because there was no practical way to enforce that distinction without taking the models offline entirely, Anthropic disabled both for everyone: American and foreign users alike, paying enterprise customers and casual chatbot users alike. A model that had been live for three days vanished worldwide, with no advance warning.
The stated justification was a “jailbreak” — and this word is worth pausing on, because it means something different here than it does in the context many people already know it from. When people talk about jailbreaking an iPhone, they mean removing manufacturer-imposed restrictions so the device will run software Apple never approved — unlocking a phone to install apps outside the App Store, for instance. The “jail” is the set of limits Apple built in, and “breaking” it means escaping those limits to do something the device wasn’t supposed to allow.
Jailbreaking an AI model is a cousin of that idea, but the “jail” is different: it’s not a technical lock on what software can run, but a set of behavioral guardrails the model itself is trained and instructed not to cross — refusing to help with certain requests, for instance. A “jailbreak” in this context means finding a prompt, or sequence of prompts, that talks the model into doing the thing it was designed to refuse. Instead of breaking out of a hardware restriction, you’re talking your way past a trained-in reluctance.
According to Anthropic’s account, the specific technique cited by the government amounted to asking the model to review code for security vulnerabilities — something it initially refused — and then, through a more elaborate multi-step exchange, getting it to comply anyway. Anthropic has said the vulnerabilities surfaced this way were a small number of relatively minor issues already known elsewhere, the kind of thing other publicly available models can be coaxed into finding too, and that the government’s evidence for the underlying concern was presented only verbally, without supporting documentation.
It’s worth noting that this fairly modest-sounding scenario may not be the whole story. Days before the directive, a well-known jailbreaker who goes by “Pliny the Liberator” published a much more dramatic claim on social media: that a team of cooperating AI agents, using a grab bag of techniques, had gotten Fable 5 to provide what security researchers call “uplift” (meaningful assistance toward a harmful capability someone didn’t already have) across several dangerous categories, including chemical synthesis processes and cyberattack techniques. Anthropic hasn’t confirmed that this is the incident the government’s directive was responding to, and has specifically described what it was shown as a “narrow, non-universal” jailbreak rather than anything resembling Pliny’s more sweeping claims. Whether the two are the same event, related, or entirely separate is one more thing that remains unclear.
Two stories that can’t both be fully true
This is where the case gets genuinely contested, in a way the 1990s story mostly wasn’t. Anthropic’s public position is that it complied with the order while disagreeing with it: the company has said it supports government authority to restrict unsafe deployments, but believes that authority should be exercised through a transparent, fair process grounded in verifiable technical facts — and that this directive, in its view, didn’t meet that bar.
The Trump administration’s account, relayed publicly by White House AI adviser David Sacks, is considerably less charitable to Anthropic. On that telling, the government had already warned Anthropic that Fable 5 had been jailbroken, and asked the company to either fix the vulnerability or withdraw the model voluntarily. Anthropic, on this account, declined to do either — and the export control directive followed only after that refusal, issued “reluctantly.” Sacks pointed out what he clearly saw as an irony: Anthropic has previously argued that its more powerful underlying model should be treated similarly to a regulated weapon, and has separately sued the Department of Defense over the use of its models in autonomous weapons systems — making it odd, in his framing, for the company to resist a restriction it might have argued for in a different context.
There are also unconfirmed reports that the administration’s concern was partly driven by suspicion that a China-linked group had managed to access the more powerful underlying model, raising the possibility of reverse-engineering. Anthropic has disputed that this was actually raised as a factor in its conversations with the government.
Even the basic timeline is contested. Sacks’s account implies advance warning — Anthropic was told about the jailbreak and given a chance to address it before the directive arrived. A separate report, citing a person close to Anthropic, describes something considerably more abrupt: the White House giving the company roughly ninety minutes to disable the models, without explaining the nature of the threat. Those two versions don’t just differ in tone; they disagree about whether Anthropic had any real opportunity to respond before being forced to act.
I don’t think it’s possible, from outside both organizations, to adjudicate which account is more accurate — whether Anthropic genuinely was given a clear chance to fix the issue and declined, or whether the government’s letter arrived abruptly with insufficient technical grounding, as Anthropic describes. What’s notable is that the two accounts aren’t just differently spun versions of the same facts; they appear to flatly disagree about what happened in the days before the directive was issued.
The shape of the parallel
Strip away the specifics, and the structural similarity to the 1990s crypto fight is hard to miss. In both cases, the government treats a piece of software — not a physical object, not something inherently scarce — as something that can be fenced off from “them” while remaining available to “us.” In both cases, the fence turns out to be leaky in practice: a radio button in 1995, a model serving “hundreds of millions of users” (Anthropic’s framing) with no reliable way to verify nationality in 2026. And in both cases, the restriction imposes real costs on the domestic side of the fence — weaker browsers for ordinary international users then; a total outage for every user, domestic and foreign, enterprise and casual, now — in service of a security rationale whose actual effectiveness is difficult to verify from outside.
There’s a wrinkle worth naming, though, and it cuts the other way from how it might first appear. The government’s directive, strictly speaking, targeted foreign nationals — which is functionally an export restriction, not so different in kind from the 1990s rule. What made the outage total wasn’t the order itself, but Anthropic’s chosen method of complying with it: rather than building some equivalent of Netscape’s radio button — a mechanism, however leaky, for separating domestic from foreign access — Anthropic disabled both models for everyone, everywhere. The 1990s industry, faced with a similar restriction, found an honor-system workaround that kept the product available to everyone while nominally complying. Anthropic, facing a structurally similar restriction thirty years later, didn’t.
Whether this resolves the way the crypto wars eventually did — through a slow recognition that the restriction wasn’t accomplishing what it set out to, and a gradual loosening — is not something I can predict. Security researcher Katie Moussouris, who reviewed the underlying technical claims, has already called the directive “heavy-handed and hasty,” and reported that a group of colleagues signed an open letter asking that the controls be reconsidered. Anthropic has reportedly sent representatives to Washington for direct talks. Whether any of this moves the outcome remains to be seen.
What I can say with more confidence is that this is exactly the kind of moment a question is supposed to survive: not neatly resolved, but genuinely worth sitting with. The fence around AI models, like the fence around encryption before it, was built in a hurry, justified by concerns that are hard for outsiders to verify, and applied to something that doesn’t actually respect the line being drawn. We’ve seen this particular movie before. I don’t yet know how this version ends.



