Congress Targets China’s DeepSeek AI in New National Security Bill

DeepSeek, the Chinese-based artificial intelligence (AI) company, shocked the world when it released its R1 large language model (LLM). This new AI offering disrupted the established AI LLM market. However, there have been immediate worldwide concerns about privacy and security associated with a company with strong ties to the Chinese Communist Party (CCP). These concerns have led Congressmen Josh Gottheimer (NJ-5) and Darin LaHood (IL-16) to introduce the “No DeepSeek on Government Devices Act” to prohibit the use of DeepSeek on federal government-issued devices.

DeepSeek Success and Concerns

DeepSeek exploded on the tech scene. Its claims that its models were trained using lower-quality AI chips, with reduced energy consumption and lower overall costs, and released under an open source license challenged the assumptions around generative artificial intelligence (GenAI). It had an immediate impact, causing a dramatic (over 15%) stock price drop among major AI chip makers. Within days of the release, consumers made the R1 LLM app the most downloaded app on the Apple App Store and one of the most popular free apps on the Google Play store.

“While DeepSeek's AI capabilities are impressive,” stated J. Stephen Kowski, Field CTO at SlashNext, “security researchers have identified multiple vulnerabilities.” There are considerable concerns about privacy and security.

Alleged Ties to the CCP

As a Chinese-based company, DeepSeek is governed by the laws of the People’s Republic of China (PRC). This means it is trained with a Chinese worldview, so some information or answers will be censored should they violate Chinese policy. Additionally, DeepSeek must provide the Chinese government with any data requested. The amount of data collected by DeepSeek, which is sent to and stored on servers located within the PRC, is considerable. Their privacy policy states that all kinds of data, including chat and search query history, keystroke patterns, IP addresses, and activity from other apps, are collected.

Congressman Gottheimer’s press release highlights that researchers have revealed that DeepSeek has hidden code that can share user data, including login credentials, with China Mobile. China Mobile has been banned by the Federal Communications Commission (FCC) due to its close ties to the Chinese military. An assessment of the DeepSeek iOS app by NowSecure revealed that it “exhibits behaviors that indicate a high risk of fingerprinting and tracking.”

Security Risks

Security researchers immediately began to assess the overall security of the application and its ecosystem. Wiz Research discovered a database linked to DeepSeek that was fully accessible and contained a significant amount of highly sensitive information. This database was subsequently secured following notification, but it did illustrate a weak security posture. NowSecure’s evaluation also uncovered security issues: the app for Apple devices transmitted data without encryption, used an outdated algorithm, had hardcoded encryption keys, and stored authentication information insecurely. All of these violate security best practices and open security vulnerabilities.

AppSOC, an AI governance and application security company, performed an AI security stress test on the DeepSeek-R1 model. The testing revealed a wide range of flaws with high failure rates. Specific concerns uncovered include:

  • Jailbreaking: Failure rate of 91%. DeepSeek-R1 consistently bypassed safety mechanisms meant to prevent the generation of harmful or restricted content.
  • Malware Generation: Failure rate of 93%. Tests showed DeepSeek-R1 capable of generating malicious scripts and code snippets at critical levels.
  • Toxicity: Failure rate of 68%. When prompted, the model generated responses with toxic or harmful language, indicating poor safeguards.
  • Hallucinations: Failure rate of 81%. DeepSeek-R1 produced factually incorrect or fabricated information at a high frequency.

In his blog, Mali Gorantla, AppSOC’s Chief Scientist and Co-Founder, writes that “in the race to adopt cutting-edge AI, enterprises often focus on performance and innovation while neglecting security. However, models like DeepSeek-R1 highlight the growing risks of this approach. AI systems vulnerable to jailbreaks, malware generation, and toxic outputs can lead to catastrophic consequences.”

Banning DeepSeek is Worldwide

The controversy associated with the use of DeepSeek is not new when it comes to Chinese technology companies. The United States and other countries have banned or placed some restrictions on Huawei, ZTE, and TikTok. It did not take long after the release of the R1 LLM for countries and entities to ban the app outright or to limit its use.

Those who have acted against DeepSeek include:

  • Australian government agencies
  • India central government
  • Italy
  • NASA
  • South Korea industry ministry
  • Taiwan government agencies
  • U.S. Congress
  • U.S. Navy
  • U.S. Pentagon

Cybersecurity, Geopolitics, and National Security

The controversy created by DeepSeek, like TikTok before it, needs to be viewed in light of the ongoing relationship between the United States and the PRC. Casey Ellis, Founder of Bugcrowd, summed up the situation. “This proposed ban on DeepSeek is a classic example of the intersection between cybersecurity, geopolitics, and national security. The concerns raised by LaHood and Gottheimer about the app's potential for espionage align with a broader pattern of scrutiny around Chinese-affiliated technologies. The underlying issue here isn't just about DeepSeek itself but the broader risk posed by software and hardware tied to entities that operate under CCP influence.”

Moving Beyond Bans

The bill filed by Representatives Gottheimer and LaHood to prevent DeepSeek from being used on government-owned devices is a continuation of the ongoing technology and cybersecurity competition between the United States and China. The congressmen are concerned that the DeepSeek R1 LLM app will allow foreign elements to infiltrate government devices.

DeepSeek has been demonstrated to be flawed with considerable vulnerabilities, as Wiz, NowSecure, and AppSOC point out. The banning of the application by various countries and organizations illustrates the concerns many have. Businesses and other entities should investigate their use of DeepSeek. AppSOC’s assessment is that it should not be deployed for any enterprise use cases, especially those involving sensitive data or intellectual property, while NowSecure’s blog definitively urged enterprises to “prohibit/forbid its usage in their organizations.”

The controversy over DeepSeek is part of what should be a larger conversation. Satyam Sinha, the CEO and Co-founder of Acuvity, said, “What I would like to see is for us to take a stronger stance on the security of GenAI application usage across the board and start requiring an extra layer of cybersecurity.”

The “No DeepSeek on Government Devices Act” should be just one step in the movement toward ensuring that GenAI is used appropriately and securely.

Author
  • Contributing Writer
    Charles J. Kolodgy is a security strategist, visionary, forecaster, educator, historian, and advisor. He is a thought leader, identifying trends and concepts critical to cybersecurity, with a primary focus on…