Is DeepSeek Spyware?

DeepSeek has taken the world by storm over the past two weeks. The new Chinese AI chatbot skyrocketed to the top of the App Store charts when it was released in late January, providing an alternative to entrenched players like OpenAI’s ChatGPT and Google’s Gemini.
What made DeepSeek intriguing wasn’t just that it was a shiny new chatbot. It’s the fact that it somehow manages to do its thing at the same level as the big boys with a fraction of the funding and computing power. Instead of building supercomputers with 16,000+ specialized AI chips from Nvidia, DeepSeek’s engineers were able to make it happen with only around 2,000.
To be fair, this wasn’t entirely by choice. As the old saying goes, necessity is the mother of invention, and the Chinese company faced regulatory obstacles in obtaining and creating the advanced and powerful AI chips that its rivals could more easily access. So, it learned to do more with less.
This has gotten a lot of high-tech investors, venture capitalists, and AI researchers very excited. However, as DeepSeek has boomed in popularity, a darker side has begun to appear.
First and foremost is the fact that DeepSeek is undoubtedly storing its user data in China. It’s the same argument that the US government has used to ban TikTok under an act requiring the social media app to divest itself of Chinese parent company ByteDance or face a forced shutdown. President Trump has paused the enforcement of the initial January 19 deadline, but TikTok is still living on borrowed time, and it’s not hard to see how DeepSeek could be caught in the same net.
According to Reuters, US officials are already scrutinizing the app from several angles, including national security implications and the possibility of intellectual property theft. That latter point was based on the notion that DeepSeek may have used a technique called “distillation” to build on the success of other models like ChatGPT. In other words, DeepSeek may have cheated by copying OpenAI’s homework.
Around the same time, Reuters also reported that Italy’s data protection authority was investigating DeepSeek’s handling of personal data to determine if it complies with EU regulations. Ireland has begun a similar investigation. In the meantime, DeepSeek has been removed from the App Store and Google Play Store in Italy, although it’s unclear who made the request.
Of course, nearly all AI chatbots use your personal data to train their models. The only exception is Apple Intelligence (and ChatGPT, when called up via Apple Intelligence without being signed in with a ChatGPT account). Some of the concerns may be a matter of the balance of trust between US companies and Chinese ones, but there are two bigger problems in play.
Firstly, there’s virtually no transparency on DeepSeek’s data handling practices and how it uses the data it’s undoubtedly collecting on users. What terms of service do exist are broad and vague enough that they grant the company extreme latitude. One can argue that privacy policies aren’t worth the paper they’re written on, especially for a foreign company that can operate under different rules, but it’s still enough to raise concerns.
However, what’s more significant is that security researchers have found some serious security flaws in the DeepSeek iPhone app.
A mobile application security and privacy assessment by NowSecure identified “multiple critical vulnerabilities that put individuals, enterprises, and government agencies at risk.” The report highlights five key risks and recommends that organizations and users stop using DeepSeek “to safeguard sensitive data and mitigate potential cyber risks.”
Is DeepSeek Spying on Me?
The nature of the vulnerabilities discovered by NowSecure doesn’t add up to evidence that DeepSeek is “spyware” per se. Technically speaking, DeepSeek wouldn’t meet the traditional definition of “spyware” since any data it’s collecting is stuff that you’ve already authorized it to collect — even if you don’t know what’s being done with it.
However, researchers have found that there’s an alarming possibility for your data to be both leaked out of DeepSeek by unauthorized third parties and potentially misused by the forces behind the chatbot.
First up is the fact that the DeepSeek app uses some very shoddy security practices. These are rookie mistakes that shouldn’t be made by any serious app developer. For example:
- Sensitive data is transmitted “in the clear” without any encryption, rendering it vulnerable to interception by anyone on the same Wi-Fi network that you’re using.
- The data that is encrypted uses weak and outdated encryption technology that doesn’t follow best security practices and can be cracked with relative ease by a skilled hacker.
- Data stored in the app, such as the username, password, and encryption keys, isn’t encrypted, which increases the potential for your credentials to be stolen.
To make matters worse, it appears that DeepSeek’s developers deliberately disabled Apple’s App Transport Security (ATS), which is designed to protect against insecure network connections. ATS is enabled by default for all apps built for iOS 9 or later. Developers can add exceptions to loosen some of the requirements for specific servers that can’t be fully secured, but DeepSeek has chosen to globally disable Apple’s built-in security protections for all connections from the app.
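One way a defender can check an app build for exactly this distinction, as an added example that is not from the NowSecure report and not the DeepSeek app’s own configuration: the script parses an Info.plist and separates the global NSAllowsArbitraryLoads switch (ATS off for every connection) from a scoped NSExceptionDomains entry for one named host. The plist samples are constructed for the example; the key names are Apple’s documented ATS keys.

```python
import plistlib

# Constructed Info.plist samples (not taken from the DeepSeek app): one that
# disables ATS for every connection, one with a scoped per-host exception.
GLOBAL_DISABLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

SCOPED_EXCEPTION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

WEAK_TLS = {"TLSv1.0", "TLSv1.1"}

def audit_ats(info_plist: bytes) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs for the ATS settings in an Info.plist."""
    info = plistlib.loads(info_plist)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    # The global switch: any host may be reached over plain HTTP or weak TLS.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("high", "NSAllowsArbitraryLoads: ATS disabled for all connections"))
    # Scoped exceptions: still worth reviewing, but limited to the named host.
    for host, rule in ats.get("NSExceptionDomains", {}).items():
        if rule.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("medium", f"{host}: cleartext HTTP permitted"))
        if rule.get("NSExceptionMinimumTLSVersion") in WEAK_TLS:
            findings.append(("medium", f"{host}: minimum TLS below 1.2"))
    if not findings:
        findings.append(("info", "ATS defaults in effect (HTTPS, TLS 1.2+ required)"))
    return findings

def ats_globally_disabled(info_plist: bytes) -> bool:
    """True only for the blanket opt-out the text above describes."""
    return any(sev == "high" for sev, _ in audit_ats(info_plist))
```

On a real device build, the Info.plist lives inside the .app bundle of the extracted IPA; the same function applies to it unchanged.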
The leakiness of the app should be bad enough, especially considering that this doesn’t appear to have been an oversight on the developer’s part. However, the whole thing begins to feel even more sinister when you factor in the Chinese connection.
NowSecure found that DeepSeek collects a massive amount of data, including device fingerprinting information that guarantees it can be tracked back to you (or at least your device). That data is transmitted to China and lands on servers controlled by none other than TikTok’s owner, ByteDance. Since that data is stored in China, it’s not governed by US or EU privacy laws but by the privacy standard of the People’s Republic of China (PRC).
That’s actually worse than the situation with TikTok. Even though TikTok is ultimately owned by ByteDance, TikTok Inc. is a US company incorporated in California and Delaware and subject to US laws and regulations. TikTok’s servers also operate under US jurisdiction. By comparison, DeepSeek’s servers are 100% in China and under Chinese control.
While the data collected won’t necessarily contain personally identifiable information on its own, it can be used to “de-anonymize” a user by looking at it in the aggregate. Since every DeepSeek request can be tied to the device and general location it was made from, a large enough sampling of requests can put together a profile on the person making them.
In short, NowSecure concludes that the DeepSeek iPhone app is not safe to use if you’re even the least bit concerned about privacy. However, we wouldn’t go so far as to call it “Spyware” as no evidence has yet been found of it invading any of the other apps or information on your device. This means you’re probably fine playing with DeepSeek to try it out and satisfy your curiosity, but it’s best to avoid feeding any personal information into it. It’s safest to proceed on the assumption that someone in China is reading everything you type into DeepSeek, and use the app accordingly.