The Off Switch
What Washington’s Shutdown of Fable 5 and Mythos 5 Proves About Whose Law Governs the Code
The Off Switch
What Washington’s Shutdown of Fable 5 and Mythos 5 Proves About Whose Law Governs the Code
By Prof. Barry Appleton | Appleton’s CLAUSE & EFFECT Substack | 13 June 2026
On a Friday night, a single directive from the United States government switched off certain frontier AI models for every user on Earth. Not because the models had been turned into weapons, but because Washington decided that foreign nationals should not be allowed to touch them. The order assumed a border that the technology does not have. So the technology went dark for everyone. This is what jurisdiction by infrastructure looks like when it stops being a theory, and Canada was not in the room when it happened.
This piece follows the two-part series published this week, “The Rules Washington Is Writing“ (June 9) and “The Code Canada Has Not Written” (June 10). The analytical foundations are set out in Code Before Clause, Locked In and Locked Out, and Algorithmic Empire and the New Digital Colonialism. I argued in those pieces that the United States is writing the rules of the digital economy through trade and security instruments and that whoever controls the code controls the governance. Three days later, Washington supplied the demonstration.
On the evening of June 12, the United States ordered Anthropic to suspend access to its two most advanced AI models, Fable 5 and Mythos 5, for all foreign nationals. The directive came from the Commerce Department and was framed under national security authority.1 Anthropic disabled both models the same night. Its older systems were left running. The company said publicly that it was complying with a legal order while it disagreed with it, and that it believed the whole episode was a misunderstanding, it was working to reverse.2
Read that sequence again, because the important detail is hidden in plain sight. The order targeted foreign citizens. Anthropic did not, and could not, switch the models off for foreigners alone. It switched them off for everyone. Hundreds of millions of users, American and foreign alike, lost access at once. By the company’s own account, even its employees holding passports from allied countries such as Canada and Britain fell within the reach of the order.3
The order assumed a border that the code does not have
The reason Anthropic went dark for the whole world is the most instructive fact in the story, and it is the one most likely to be lost in the coverage.
There is no passport check at the inference layer. A frontier model does not ask a user’s nationality before it answers. It has no internal customs post, no citizenship gate, no way to wall off a Canadian query from an American one where the computation actually happens. A statute can draw a line between citizens and foreigners. The architecture cannot. When you apply a citizenship rule to a system that has no concept of citizenship, the only way to comply is to turn the whole thing off.
That is not a technical footnote. It is the entire lesson of the last several years compressed into one weekend. Sovereignty is now exercised through infrastructure, and infrastructure does not partition the way law imagines it does. The off switch is binary. It does not distinguish between the user it was aimed at and the user standing beside him. And on Friday night, it sat in Washington.
The order said foreign nationals. The architecture heard everyone.
AI is now an export-controlled asset, and Washington just said so
Strip away the novelty, and the shape of this action is familiar. The United States has long restricted the sale of advanced semiconductors and other sensitive technologies to designated countries. What changed on Friday is that Commerce treated a commercial AI model the same way it treats a controlled chip. The model is now an export controlled item, and access to it by foreign persons is a thing the government claims the authority to switch off.
I wrote on June 9 that the current administration does not regard AI as technology policy. It regards AI as a national security policy, and the November 2025 National Security Strategy says as much in plain language.4 Friday was that strategy operationalized. The same logic that calls Canada a strategic resource for American data centre build out also claims the right to decide who, anywhere on the planet, may use the models that run on them. The two propositions are not in tension. They are the same proposition. America wants the ground, the power, and the off switch.
What makes this case sharper than a chip embargo is the stated reason. Anthropic’s account is that the government acted on a narrow, non-universal method of bypassing the model’s safeguards, one that surfaced only minor and already known vulnerabilities, the kind that other widely available models, it says, produce without any bypass at all.5 If that account holds, the United States recalled a product used by hundreds of millions of people on the strength of a flaw its own developer calls trivial and replicable elsewhere. The thinness of the asserted basis is not a side issue. It is the issue, as the next section explains.
Now flip the flag
Here is the question I have been asked more than once since the news broke, and it is the right one. Suppose Canada had done this. Suppose Ottawa, citing national security, ordered a foreign-owned AI model shut down inside Canada. Would that breach Chapter 19 of the CUSMA, the digital trade chapter that Canada agreed to in 2018?
The honest answer is that it would depend almost entirely on how the order was written, and that the treaty cuts in more than one direction.
If the order singled out an American model while a comparable Canadian or Mexican model kept running, it would run straight into Article 19.4, the national treatment obligation for digital products. That obligation forbids treating another party’s digital products less favourably on the basis of their origin, and it contains no public policy exception inside the article itself.6 A national origin-selective ban is the textbook case it was written to catch.
If instead the order were framed as a restriction on the cross-border flow of information, it would engage Article 19.11. That article at least comes with a valve. It permits measures necessary to achieve a legitimate public policy objective, provided they are not arbitrary or unjustifiable discrimination and do not go further than necessary.7 Meeting these rules is tricky and likely to result in disputes. Cybersecurity is a legitimate objective. The framing piece is available.
What the treaty does not give Canada, anywhere in Chapter 19, is a general escape hatch for Article 19.4. The chapter was deliberately drafted with fewer exceptions than the agreements that came before it. The only shelter that reaches an origin discrimination claim sits outside the digital chapter altogether, in Article 32.2.
A statute can draw a line between citizens and foreigners. The code cannot.
The exception both parties hold
Article 32.2 is the essential security exception. It allows a party to take action it considers necessary to protect its own essential security interests. It is the closest thing in the agreement to a self-judging clause, and it is the instrument the United States reaches for as a matter of routine. Friday’s directive is itself an Article 32.2-style action in everything but name.
Two things follow, and Canada needs to sit with both.
First, the asymmetry that matters is not in the text. Both countries hold the same exception. The United States invokes it freely, on national security grounds, whenever it wants regulatory room. Canada has never once invoked it. The gap between the two countries is not legal capacity. It is a willingness to use a shelter that is already, equally, theirs. I have made this point in testimony and in print, and Friday is the cleanest illustration of it I have seen.
Second, self-judging is not the same as unreviewable. The leading interpretation of the parallel security language in the GATT, from the Russia, Traffic in Transit panel, holds that a security exception must still be invoked in good faith, and that the asserted interest must be plausible rather than a pretext.8 Apply that standard to Friday’s facts. If the basis really was a minor, non-universal flaw that other public models reproduce on demand, then the invocation is doing an enormous amount of work to justify a global blackout. A good-faith plausibility review might well find that a defect the developer calls a misunderstanding does not rise to an essential security interest at all.
The lesson for Canada is not that the exception is unreliable. It is that Canada has been too timid to use the very instrument Washington treats as ordinary, and that the instrument has limits which a serious government would learn to argue, in both directions, before it needs them.
Both parties hold the same exception. Only one of them uses it.
What Friday actually taught Canada
Prime Minister Carney launched AI for All on June 4, days before the CUSMA Joint Review window opened. The ambition is correct. A sovereign public AI capability, Canadian-governed compute, an online safety regime, independent model evaluation: these are the commitments of a country that intends to govern its own digital future rather than rent it. I have said so.
But ambition is not architecture. The models most Canadians use are American. The cloud they run on is American. And as of Friday, the authority to switch both off without notice, without a hearing, and without consulting Ottawa is American, too. A national strategy that describes the right destination but does not build the road to it is a press release. Canada cannot legislate its way to control over a kill switch it does not physically hold.
This is what Code Before Clause has always meant. Canada must build the domestic capacity, the sovereign compute, the institutional muscle to assess and to act, before it arrives at the negotiating table to argue over clauses. A treaty seat is worth little to a party that depends entirely on the other side’s infrastructure to function. The single point of failure I have written about for a year is no longer a diagram. On Friday, it had an American flag on it, and the flag was lowered without warning.
The CUSMA Joint Review opens on July 1. Canada will spend the summer arguing about tariffs, dairy, and the price of a barrel of oil. Meanwhile, the country learned, in a single Friday night, that a foreign government can reach into the tools its economy increasingly runs on and turn them off. That is the question underneath the strategy. Not whether Canada should pursue digital sovereignty, but whether a country that cannot keep its own AI systems running can claim to have any sovereignty over them at all.
The off switch exists. The only open question is whose hand is on it. On Friday, Canada got the answer, and it was not Canada’s.
· · ·
Prof. Barry Appleton is Managing Partner of Appleton & Associates International Lawyers LP, Co-Director and Distinguished Senior Fellow at the Center for International Law at New York Law School, and Interim Director of the Balsillie Legal Advisory Centre at the Balsillie School of International Affairs. He is the author of Navigating NAFTA (Carswell, 1994) and writes Appleton’s Clause & Effect on Substack.
This post is public. If you found it useful, please share it with a colleague.
© 2026 Barry Appleton. All rights reserved.
Footnotes
Cade Metz and Dustin Volz, “U.S. Bars Foreigners From Using Anthropic’s Most Advanced A.I. Models,” The New York Times (June 12, 2026) (reporting that the order to limit access came from the Commerce Department, that its duration was unclear, and that it followed a March action in which the Pentagon deemed the company an unacceptable supply chain risk). ↩
Anthropic, “Statement on the US Government Directive to Suspend Access to Fable 5 and Mythos 5” (June 12, 2026), https://www.anthropic.com/news/fable-mythos-access (stating that the company received the directive at 5:21pm ET, that it was complying while disagreeing, and that access to all other Anthropic models was unaffected). ↩
Id. (noting that the directive reached all foreign nationals whether inside or outside the United States, including foreign national company employees); Metz and Volz, supra note 1 (observing that the order could in theory block employees who are citizens of allied nations such as Canada or Britain from working on the models). ↩
The White House, National Security Strategy of the United States of America (Nov. 2025); see Barry Appleton, “The Rules Washington Is Writing: Whose Law Controls Canadian Data“ (Clause and Effect, June 9, 2026) (arguing that the administration frames AI as national security policy rather than technology policy, and treats Canada as a strategic resource for AI infrastructure while resisting Canadian governance of the digital economy). ↩
Anthropic, supra note 2 (characterizing the government’s evidence as a narrow, non universal jailbreak that surfaced minor, previously known vulnerabilities, and stating that comparable capabilities are widely available from other public models).↩
Canada, United States, Mexico Agreement, art. 19.4 (non discriminatory treatment of digital products), and art. 19.4(2) (unconditional subsidy exception); see Barry Appleton, Locked In and Locked Out: How CUSMA’s Digital Trade Architecture Constrains Canadian Sovereignty, SSRN Working Paper No. 6390198 (analyzing the absence of an affirmative public policy exception within Chapter 19 and the resulting weight placed on the carve-outs and on Chapter 32). ↩
CUSMA, art. 19.11(2) and fn. 5 (permitting cross-border data transfer restrictions necessary to achieve a legitimate public policy objective, subject to anti-discrimination and necessity conditions); compare art. 19.12 (data localization prohibition, with no equivalent legitimate public policy objective exception). ↩
Panel Report, Russia, Measures Concerning Traffic in Transit, WT/DS512/R (Apr. 5, 2019) (holding that the security exception in GATT Article XXI(b) is subject to a good faith obligation and is not wholly self-judging, and that the invoking party must articulate its essential security interest with sufficient plausibility); CUSMA, art. 32.2 (essential security exception). You can also look at the decision in Riverside Coffee, LLC v. Republic of Nicaragua for an example of an essential security interest clause being used in the CAFTA context.