DeepSeek privacy concerns raise international alarm bells

Governments probe DeepSeek’s privacy practices as AI startup’s data flows lead to TikTok parent ByteDance and China.

DeepSeek’s surprise superstardom has ignited a firestorm of data concerns globally, with regulators and privacy experts sounding alarms over the Chinese AI app’s potential national security risks.

Italy, the European Union’s third-largest economy, has taken the first step by banning DeepSeek after authorities demanded details on the app’s data practices. Italy’s privacy watchdog dismissed the Chinese startup’s data protection measures as “insufficient.”

The scrutiny isn’t stopping in the EU. South Korea’s regulators are gearing up to demand the same answers Italy sought, while Australian Treasurer Jim Chalmers has publicly warned residents to be cautious when using the app.

The controversy around DeepSeek’s privacy issues lands squarely within the rising regulatory pressure on Chinese tech firms. The US famously banned TikTok under national security pretexts, with President Donald Trump issuing an executive order to restore the social media app’s services within hours (for now).

Cointelegraph asked DeepSeek to clarify how it processes user data but did not receive a response.

Security experts find exposures to over 1 million lines of log streams. Source: Wiz Research

DeepSeek, meanwhile, appears to be scrambling to fix security lapses in real-time. Researchers at cloud security firm Wiz say they’ve uncovered a vulnerability that opens up access to internal data, including sensitive information such as chat histories and API keys. The flaw was reported immediately and “promptly secured,” according to Wiz.

DeepSeek or deep spy?

The US and China are locked in a fierce rivalry across multiple fronts, including AI dominance. Until recently, China was believed to be at least six months behind the US in AI development, but DeepSeek’s explosion to the top of Apple’s App Store challenged the assumption. Now, the app is facing the same data privacy concerns that have plagued TikTok and its Chinese parent firm, ByteDance.

An analysis by privacy firm Privado found that DeepSeek collects and shares sensitive user data, including unique IDs, device details, location, language, prompts and chat history, with ByteDance. It also found that the information is shared with US tech titan Google.

Privacy experts find DeepSeek’s data flow to China and US. Source: Privado

DeepSeek also integrates software development kits (SDKs) from ByteDance, Chinese tech conglomerate Tencent and Google.

While Privado noted a discrepancy between DeepSeek’s data collection and its privacy policy, stating that the app actually collects less data than it discloses, it said, “However, there are clear data flows to China.”

Sean O’Brien, founder of Yale Privacy Lab, said in a social media post that DeepSeek transmits basic network and device profile data to ByteDance and intermediaries but downplayed the risks of its app permissions.

“To be clear—apps like DeepSeek & ChatGPT are not good for privacy. But your threat model depends on the context you’re using the app in. Nearly all mainstream apps are bad on privacy,” O’Brien added.

How DeepSeek’s data can be accessed by China

In March 2023, TikTok CEO Shou Zi Chew testified before the US Congress, addressing concerns about the platform’s data privacy practices and its relationship with the Chinese government. During the hearing, lawmakers questioned the Singaporean executive about potential Chinese influence over the platform and the security of US user data.

“DeepSeek would implicate broadly the same [national security] concerns as TikTok were it to become as ubiquitous. There’s a fairly robust history of the US government banning technology and media of adversaries, and I think DeepSeek is definitely a possible candidate for that in the medium term,” Aaron Brogan, founder of Brogan Law, told Cointelegraph.

However, China’s legal fine print suggests the government does, in fact, have access to user data under certain conditions:

  • Article 37 of China’s Cybersecurity Law mandates that all personal data collected by Chinese companies must be stored within mainland China.

  • Article 7 of the National Intelligence Law requires all citizens and organizations to support, assist and cooperate with national intelligence efforts.

  • Article 35 of the Personal Information Protection Law (PIPL) emphasizes that the state has the authority to process personal data but mandates state organs to fulfill notification duties unless it impedes their statutory duties.

  • Article 13 of the PIPL allows personal information to be processed without individual consent under certain conditions, including national security interests.

These provisions effectively grant the Chinese government a legal pathway to access user data under the guise of national security or regulatory compliance.

In a recent press conference, Chinese Foreign Ministry Spokesperson Mao Ning denied forcing companies to illegally collect and surrender data while responding to questions from foreign press members.

“We believe that Internet companies need to observe local laws and regulations. As for the Chinese government, we attach great importance to data privacy and security and protect it in accordance with the law. The Chinese government has never asked and will never ask any company or individual to collect or provide data located abroad against local laws.”

DeepSeek and AI reliance could spread misinformation

NewsGuard, a media watchdog, audited DeepSeek’s chatbot and found that it provided inaccurate answers or outright failed to respond 83% of the time when asked about news-related topics. Even when confronted with demonstrably false claims, the chatbot successfully debunked them just 17% of the time.

This poor performance places DeepSeek’s R1 model near the bottom of the 11 AI chatbots NewsGuard has tested, ranking 10th overall.

In the US, the Department of Homeland Security and the Federal Bureau of Investigation have classified misinformation as a national security risk. The European Union has also identified misinformation as a threat, citing Russian-backed media and social media campaigns as key sources of interference.

One of the most striking recent cases unfolded in Romania, where misinformation allegedly had direct electoral consequences during the 2024 presidential election. Far-right candidate Călin Georgescu’s sudden rise in popularity was linked to a coordinated disinformation campaign on TikTok, allegedly orchestrated by foreign actors to manipulate public perception. 

Investigations revealed striking similarities between Georgescu’s campaign and past Russian-backed influence operations in neighboring countries. In the fallout, Romania’s Constitutional Court annulled the first round of the election, citing foreign interference and misinformation as direct threats to electoral integrity.

Doubters question legitimacy of DeepSeek’s success

DeepSeek’s rapid ascent has sent shockwaves through Wall Street, challenging the AI industry’s dependence on US chip giant Nvidia. The Chinese startup claims to have developed its AI model at a much lower cost, using less efficient chips — a direct contradiction to the high-powered, Nvidia-dominated approach favored by US firms like Meta and OpenAI.

China’s access to Nvidia’s best chips is restricted due to US export bans, meaning Chinese firms must rely on inferior versions compared to what American companies can use. However, some analysts doubt DeepSeek’s claims, questioning how it could achieve such advancements with just $5.5 million in training funds — a fraction of what Western AI labs spend.

The US has reportedly opened an investigation into whether DeepSeek had any backdoor access to Nvidia’s top-tier products.

Meanwhile, Microsoft and OpenAI have launched an investigation into whether DeepSeek improperly accessed OpenAI’s proprietary data. The probe centers on suspicions that a DeepSeek-linked group may have extracted large volumes of data from OpenAI’s API without authorization.
