What Happened to Export Controls on Dual-Use Technologies: The Cases of PGP and Advanced AI Models?
Historically, governments have attempted to control the export of powerful dual-use technologies, notably strong encryption software like PGP, often with limited success due to global dissemination and free speech challenges. Today, similar export control debates are re-emerging around advanced artificial intelligence models, as exemplified by the recent U.S. government action against Anthropic's Mythos AI model in June 2026.
Quick Answer
Export controls on dual-use technologies, such as strong encryption (e.g., PGP) and now advanced AI models (e.g., Mythos), have consistently struggled to prevent global dissemination. While initially aimed at national security, the inherent nature of software and information makes it difficult to contain. As of June 2026, new U.S. export controls on AI models like Anthropic's Mythos highlight the ongoing tension between national security interests and the free flow of technology, echoing the 'Crypto Wars' of the 1990s.
📊Key Facts
📅Complete Timeline15 events
Cryptography Classified as Munition
The U.S. placed cryptography on the U.S. Munitions List, requiring export licenses for its distribution, as part of Cold War-era controls on critical technology.
Data Encryption Standard (DES) Introduced
The U.S. government introduced DES, leading to increased commercial use of high-quality encryption and raising initial challenges for export control.
Phil Zimmermann Releases PGP
Phil Zimmermann publicly released Pretty Good Privacy (PGP) encryption software, providing strong cryptography to individuals and directly challenging existing export controls.
Clipper Chip Proposed by NSA
The National Security Agency (NSA) proposed the Clipper Chip, a hardware encryption device with a built-in backdoor for government access, sparking widespread privacy concerns.
U.S. Government Investigates PGP Creator
The U.S. government launched a criminal investigation against Phil Zimmermann for alleged violations of export control laws due to PGP's distribution.
Clipper Chip Abandoned and PGP Investigation Dropped
Due to public backlash, technical flaws, and low adoption, the Clipper Chip program was abandoned. Concurrently, the criminal investigation against Phil Zimmermann was dropped.
U.S. Loosens Encryption Export Controls
President Clinton signed an executive order that began to liberalize restrictions on encryption exports, moving many commercial tools from the Munitions List to the Commerce Control List.
Commerce Department Simplifies Crypto Export Rules
The U.S. Department of Commerce issued revisions that greatly simplified the export of commercial and open-source software containing cryptography, effectively ending the most restrictive phase of the 'Crypto Wars'.
Non-Military Crypto Exports Under Commerce Department
As of 2009, non-military cryptography exports from the U.S. are controlled by the Department of Commerce, with some restrictions remaining for 'rogue states' and military equipment.
NIST Finalizes Post-Quantum Cryptography Standards
The National Institute of Standards and Technology (NIST) finalized three post-quantum cryptographic standards, initiating a global migration to quantum-resistant encryption.
Israel Reforms Encryption Export Controls
Israel revoked broad encryption control orders, limiting regulation to the export sphere and dual-use items listed under the Wassenaar Arrangement.
U.S. House Passes Remote Access Security Act (RASA)
The U.S. House of Representatives passed RASA, aiming to grant the Commerce Department authority to regulate remote access to items subject to export regulations, addressing perceived 'cloud loopholes'.
Google Warns of 'Harvest Now, Decrypt Later' Quantum Attacks
Google's Kent Walker issued a warning that adversaries are actively harvesting encrypted data, betting on future quantum computers to break current encryption, and announced Google's internal post-quantum migration completion.
Cloudflare Reports Over 50% Post-Quantum Web Traffic
Cloudflare confirmed that over half of the human web traffic it processes now uses post-quantum key agreement, marking a significant milestone in the adoption of quantum-resistant cryptography.
U.S. Imposes Export Controls on Anthropic's Mythos AI Models
The U.S. Commerce Department issued an export control directive on Anthropic's Fable 5 and Mythos 5 AI models, leading Anthropic to disable them globally for foreign nationals due to national security concerns.
🔍Deep Dive Analysis
The concept of export controls on technologies that didn't stop anyone traces its roots to the Cold War era, when the U.S. and its allies sought to prevent critical Western technology, including cryptography, from reaching adversaries. Cryptography was initially classified as a munition, requiring strict export licenses. However, the advent of personal computers and the internet in the 1990s fundamentally challenged this paradigm, leading to what became known as the 'Crypto Wars.'
A key turning point was the release of Pretty Good Privacy (PGP) encryption software by Phil Zimmermann in 1991. PGP offered strong, publicly available encryption, directly circumventing government attempts to restrict such technology. The U.S. government launched a criminal investigation against Zimmermann in 1993 for alleged export control violations, treating encryption code as a weapon. This period also saw the controversial 'Clipper Chip' proposal by the NSA in 1993, which aimed to embed a backdoor for government access into encryption devices, but it faced strong public opposition and technical vulnerabilities, ultimately failing by 1996.
The widespread adoption of the internet and the growth of e-commerce created immense pressure to loosen these restrictions. Companies argued that export controls on strong encryption hurt their sales and hindered global digital security. By 1996, President Clinton signed an executive order that began to liberalize encryption export controls, moving most commercial encryption tools from the U.S. Munitions List to the Commerce Control List. Further relaxations occurred in 1999 and 2000, greatly simplifying the export of commercial and open-source cryptographic software, effectively ending the most intense phase of the Crypto Wars by acknowledging the futility of trying to contain widely available software.
As of 2026, while some restrictions still exist for military-grade encryption and exports to 'rogue states,' mass-market cryptographic products are largely unrestricted. However, the debate has resurfaced with the emergence of advanced artificial intelligence. In June 2026, the U.S. Commerce Department's Bureau of Industry and Security (BIS) issued an export control directive against Anthropic's Fable 5 and Mythos 5 AI models. Citing national security concerns, the directive compelled Anthropic to disable access to these models for all foreign nationals globally, leading to their temporary shutdown. This action has drawn immediate parallels to the PGP era, with cybersecurity experts arguing that such controls are unlikely to be effective and could push developers towards non-U.S. AI models, undermining American technological leadership.
Simultaneously, the landscape of digital security is being reshaped by quantum computing. The threat of 'harvest now, decrypt later' attacks, where encrypted data is collected today to be decrypted by future quantum computers, has become a present concern. In response, the National Institute of Standards and Technology (NIST) finalized post-quantum cryptographic standards in August 2024, and major tech companies like Google have set aggressive timelines (e.g., 2029) for migrating to quantum-resistant encryption. By April 2026, over 50% of human web traffic through Cloudflare was already protected by quantum-resistant key agreement, demonstrating rapid adoption in the face of new threats. This ongoing evolution underscores the dynamic and often reactive nature of export controls in the face of rapidly advancing, globally accessible technologies.
What If...?
Explore alternate histories. What if Export Controls on Dual-Use Technologies: The Cases of PGP and Advanced AI Models made different choices?