Curated by THEOUTPOST
On Wed, 5 Feb, 4:04 PM UTC
19 Sources
[1]
DeepSeek's app contains serious privacy and security vulnerabilities that you should know about
Tech fans who flocked to try out DeepSeek will want to think twice about what the app is doing. Just days after vulnerabilities were found in the iOS app, a research team at Security Scorecard has found similar privacy concerns in the Android app as well. Despite the app's rise in popularity after the release of the R1 reasoning model, several countries including Australia, Italy and Taiwan have banned it from use in government departments or on government devices amid privacy concerns. While the latest report from Security Scorecard doesn't show any overtly malicious behavior, it does point to some overall poor security practices. The concerns include sending user data to China, hardcoded keys, weak cryptography and SQL injection vulnerabilities, among others. Additionally, the report says that API keys, authentication tokens and passwords are stored in plaintext within application files, which increases the risk of unauthorized access and account takeover. The app's privacy policy details additional risky behavior such as collecting "text or audio inputs, prompts, uploaded files, feedback and chat history." It also gathers technical information like IP addresses, operating system, device model and, most concerningly, "keystroke patterns or rhythms." This last item is considered the most intrusive, as it can be used to infer both identity and behavior. Security Scorecard analyzed the app and classified these issues using the CWE (Common Weakness Enumeration) list. High-risk weaknesses include hardcoded keys, SQL injection risks and improper file permissions, while analysis of DeepSeek's Smali code revealed multiple anti-debugging techniques: if debugging is detected, the application force-closes itself to prevent analysis. The report also examines the likelihood of user behavior and device metadata being sent to ByteDance servers, which would raise compliance issues with GDPR, CCPA and national security laws.
If you're thinking about using Deepseek as your new AI tool, this report's findings are more than enough reason to reconsider. Hopefully, its creators are able to fix some of these security issues soon before hackers, governments or other threat actors figure out how to exploit them.
[2]
DeepSeek iOS App Disables Apple's Defenses, Sends Data to TikTok Parent
The security assessment by NowSecure highlights glaring weaknesses in the app's security standards for iOS users. DeepSeek has grabbed the spotlight in the AI industry as the underdog that briefly became the world's leading app, overtaking the ChatGPT AI assistant. While many see it as the Robinhood of AI, not all things are pretty about it. A report by NowSecure, a mobile security company, highlights a big privacy risk in using DeepSeek's iOS app, and hints that the Android app is no better. To start with, DeepSeek's AI assistant app globally disables ATS (App Transport Security), a platform feature Apple provides to block insecure connections, for reasons that remain unknown. Next, the app sends some data to servers controlled by ByteDance, TikTok's parent company, without encryption. While that information does not include personal data, an unencrypted channel can open up opportunities for an attacker. The report states, "The DeepSeek iOS app sends some mobile app registration and device data over the internet without encryption. This exposes any data in the internet traffic to both passive and active attacks." Andrew Hoog, co-founder of NowSecure, elaborates in the report: "An attacker with privileged access on the network (known as a Man-in-the-Middle attack) could also intercept and modify the data, impacting the integrity of the app and data." Moreover, where the app does encrypt, it uses the 3DES algorithm, which is now considered insecure. Considering the privacy and security risks associated with the DeepSeek iOS app, the report recommends not using it in your organisation until things are fixed and better standards are in place. As an alternative, some organisations can try self-hosting DeepSeek or using cloud services like the Azure platform to continue using it securely.
[3]
DeepSeek Is Sending Unencrypted Data To Chinese Servers, As Its iOS App Suffers From Multiple Severe Security Flaws
The DeepSeek app topped the App Store charts as the most downloaded AI app, even beating ChatGPT in its first month of release. However, the app has raised various concerns since its arrival, including privacy and security. It has now been discovered that DeepSeek has been sending unencrypted data to Chinese servers due to multiple security flaws in its iOS app. We have previously reported various concerns related to DeepSeek, including its lack of filters, which could get anyone into trouble based on their queries. Additionally, US officials are investigating the potential national security risks associated with the platform and how it could send user data to Chinese servers without consent. According to NowSecure, a mobile security company, there are multiple security flaws in DeepSeek's iOS app. It was also discovered that the app does not use Apple's App Transport Security system, or ATS. If you are not familiar, Apple put ATS in place to make sure that sensitive data is only transferred over encrypted channels. In its findings, NowSecure reveals that DeepSeek has switched the feature off in its iOS app: "The DeepSeek iOS app globally disables App Transport Security (ATS) which is an iOS platform level protection that prevents sensitive data from being sent over unencrypted channels. Since this protection is disabled, the app can (and does) send unencrypted data over the internet." The security company states that while the exposed data might seem harmless, it can be aggregated to de-anonymize users: "While none of this data taken separately is highly risky, the aggregation of many data points over time quickly leads to easily identifying individuals. The recent data breach of Gravy Analytics demonstrates this data is actively being collected at scale and can effectively de-anonymize millions of individuals."
DeepSeek is found to be using outdated encryption, relying on an algorithm (3DES) that is known to be broken and a poor choice for protecting user data. Furthermore, the data collected by the DeepSeek app has the potential to identify potential espionage targets. The report gives an example: "[A sample user] is operating on the latest iPad, leveraging a cellular data connection that is registered to FirstNet (American public safety broadband network operator) and ostensibly the user would be considered a high value target for espionage. Bear in mind that not only are 10's of data points collected in the DeepSeek iOS app but related data is collected from millions of apps and can be easily purchased, combined and then correlated to quickly de-anonymize users." The complete analysis in the report concludes that DeepSeek's iOS app is not safe or secure to use, and that the Android counterpart is equally bad or slightly worse. DeepSeek has to address a lot of security and privacy concerns if the company wishes to operate the model in the US and other markets. Failure to do so could lead the app to the same fate as TikTok, which faces either a permanent ban or a sale to a US-based company.
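The ATS switch that these reports describe is a single key in the app's Info.plist. The following is an added example, not NowSecure's tooling and not DeepSeek's code: it parses two constructed Info.plist files (one with NSAllowsArbitraryLoads set the way the report describes, one hardened with a single scoped exception), flags the keys that loosen ATS, and answers the question an auditor actually asks, namely whether the app would be allowed to send plain http:// to a given host. The bundle identifier and hostnames are placeholders.

```python
"""Audit an iOS Info.plist for App Transport Security (ATS) weakening.

Added example; not code from NowSecure, Apple or DeepSeek. Both plists are
constructed: one shows the "ATS globally disabled" pattern, the other a
hardened configuration. Only the standard library is used.
"""
import plistlib

# Constructed: the anti-pattern. NSAllowsArbitraryLoads=true under
# NSAppTransportSecurity switches ATS off for every connection, so the app
# may fetch plain http:// URLs from any host.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>
"""

# Constructed: ATS stays on; one narrowly scoped exception for a legacy host
# that genuinely cannot do TLS. Subdomains are not included in the exception.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.internal</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def audit_ats(plist_bytes):
    """Return (severity, message) findings for ATS keys that loosen transport security."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("high", "ATS globally disabled: cleartext HTTP allowed to any host"))
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append(("medium", "ATS disabled for web view content"))
    if ats.get("NSAllowsArbitraryLoadsForMedia"):
        findings.append(("low", "ATS disabled for media loads"))
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            scope = "including subdomains" if rules.get("NSIncludesSubdomains") else "exact host only"
            findings.append(("medium", f"cleartext HTTP permitted for {host} ({scope})"))
        if rules.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            findings.append(("medium", f"{host} accepts {rules['NSExceptionMinimumTLSVersion']}"))
    return findings


def cleartext_allowed(plist_bytes, host):
    """Would ATS let this app send plain http:// to `host`?

    Models the global switch and per-domain exceptions only; it does not
    model NSAllowsLocalNetworking or the platform's built-in exemptions.
    """
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        return True
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if not rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            continue
        if host == domain:
            return True
        if rules.get("NSIncludesSubdomains") and host.endswith("." + domain):
            return True
    return False


if __name__ == "__main__":
    for name, plist in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST)):
        print(name, audit_ats(plist))
        print("  http to api.example.com allowed:", cleartext_allowed(plist, "api.example.com"))
```

On a real device build the same check runs against the Info.plist inside the .app bundle (it may be stored in binary plist form, which plistlib also reads). A global NSAllowsArbitraryLoads should be treated as a finding in its own right, independent of whether cleartext traffic is actually observed.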
[4]
DeepSeek App Transmits Sensitive User and Device Data Without Encryption
A new audit of DeepSeek's mobile app for the Apple iOS operating system has found glaring security issues, the foremost being that it sends sensitive data over the internet sans any encryption, exposing it to interception and manipulation attacks. The assessment comes from NowSecure, which also found that the app fails to adhere to best security practices and that it collects extensive user and device data. "The DeepSeek iOS app sends some mobile app registration and device data over the Internet without encryption," the company said. "This exposes any data in the internet traffic to both passive and active attacks." The teardown also revealed several implementation weaknesses when it comes to applying encryption on user data. This includes the use of an insecure symmetric encryption algorithm (3DES), a hard-coded encryption key, and the reuse of initialization vectors. What's more, the data is sent to servers that are managed by a cloud compute and storage platform named Volcano Engine, which is owned by ByteDance, the Chinese company that also operates TikTok. "The DeepSeek iOS app globally disables App Transport Security (ATS) which is an iOS platform level protection that prevents sensitive data from being sent over unencrypted channels," NowSecure said. "Since this protection is disabled, the app can (and does) send unencrypted data over the internet." The findings add to a growing list of concerns that have been raised around the artificial intelligence (AI) chatbot service, even as it skyrocketed to the top of the app store charts on both Android and iOS in several markets across the world. Cybersecurity company Check Point said that it observed instances of threat actors leveraging AI engines from DeepSeek, alongside Alibaba Qwen and OpenAI ChatGPT, to develop information stealers, generate uncensored or unrestricted content, and optimize scripts for mass spam distribution. 
"As threat actors utilize advanced techniques like jailbreaking to bypass protective measures and develop info stealers, financial theft, and spam distribution, the urgency for organizations to implement proactive defenses against these evolving threats ensures robust defenses against potential misuse of AI technologies," the company said. Earlier this week, the Associated Press revealed that DeepSeek's website is configured to send user login information to China Mobile, a state-owned telecommunications company that has been banned from operating in the United States. The app's Chinese links, much like TikTok, have prompted U.S. lawmakers to push for a nation-wide ban on DeepSeek from government devices over risks that it could provide user information to Beijing. It's worth noting that several countries, including Australia, Italy, the Netherlands, Taiwan, and South Korea, and government agencies in India and the United States, such as the Congress, NASA, Navy, Pentagon, and Texas, have instituted bans on DeepSeek from government devices. DeepSeek's explosion in popularity has also led to it battling malicious attacks, with Chinese cybersecurity firm XLab telling Global Times that the service has been subjected to sustained distributed denial-of-service (DDoS) attacks originating from Mirai botnets hailBot and RapperBot late last month. Meanwhile, cybercriminals are wasting no time to capitalize on the frenzy surrounding DeepSeek to set up lookalike pages that propagate malware, fake investment scams, and fraudulent cryptocurrency schemes.
[5]
Security flaws and privacy concerns plague DeepSeek iOS app
It's one of the biggest apps in the App Store. However, it looks like DeepSeek is also riddled with security flaws. According to NowSecure, the China-based AI chatbot has significant data security and storage flaws. The app, which launched to considerable attention last month, reportedly transmits sensitive data over the internet without encryption, making it vulnerable to interception and manipulation. DeepSeek relies on an outdated and easily compromised encryption method known as Triple DES. You can think of it as using an old, rusty lock on your front door. Additionally, it reuses the same "keys" for everyone, which is akin to using the same password for all your accounts: if one is stolen, all your information can be accessed. Moreover, the encryption keys are embedded directly within the app, making them easy targets for hackers. This is similar to hiding your house key under the doormat, which is not very secure. NowSecure has also found that DeepSeek's data storage is insecure, meaning usernames, passwords and encryption keys are stored insecurely. The app also collects user and device data, which can be used for tracking and de-anonymization. It has come to light that user data from DeepSeek is sent to servers owned by ByteDance, the company that operates TikTok. It's important to remember that TikTok is currently facing significant challenges in the U.S., where a law has been enacted requiring the app to be sold to an American buyer. NowSecure, which specializes in mobile app security, is clear about its suggested remedy. It suggests deleting the DeepSeek iOS app in managed and BYOD environments. It also suggests finding another AI chatbot solution, one that prioritizes mobile app security and data protection. This isn't the first time someone has expressed concerns about DeepSeek.
For example, Microsoft, a primary investor in competitor OpenAI, is exploring whether DeepSeek has used nefarious methods to train its reasoning models. Doing so would be considered stealing intellectual property from the U.S. Still, others are worried that DeepSeek is embracing censorship. Should you delete DeepSeek from your mobile device? Given the many controversies surrounding the product, it seems that might be the wisest move to make. It's not like there aren't other AI chatbots already on the market, including the newest one, Le Chat.
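Sources [4] and [5] above list the same three cryptographic defects: 3DES, an encryption key hardcoded into the app, and reused initialization vectors. The added example below (not DeepSeek's or NowSecure's code) shows why the last two hurt even before anyone attacks the cipher's 64-bit block size. A toy 64-bit Feistel cipher stands in for 3DES so that the script runs on the Python standard library alone; the CBC-mode behaviour it demonstrates is the same with real 3DES. With a fixed key and a fixed IV, two registration payloads that share a prefix produce identical leading ciphertext blocks, which anyone on the network path can see without knowing the key. A fresh random IV per message removes that leak; a real fix would also replace 3DES with an authenticated cipher such as AES-GCM and stop shipping the key inside the binary. The key, IV and payloads are constructed.

```python
"""Why a hardcoded key and a reused IV leak structure before the cipher is even broken.

Added example; not DeepSeek's or NowSecure's code. A toy 64-bit Feistel
network stands in for 3DES so this runs on the standard library alone. The
CBC-mode behaviour shown is the same with real 3DES. Never use this cipher.
"""
import hashlib
import os

BLOCK = 8  # 64-bit block, the same size as DES/3DES
ROUNDS = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Keyed round function; any good PRF works inside a Feistel network.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def encrypt_block(key, block):
    left, right = block[:4], block[4:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return right + left  # final swap


def decrypt_block(key, block):
    right, left = block[:4], block[4:]  # undo the final swap
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def _pad(data):  # PKCS#7 padding to a whole number of blocks
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data):
    return data[:-data[-1]]


def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    data = _pad(plaintext)
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(decrypt_block(key, block), prev))
        prev = block
    return _unpad(b"".join(out))


def shared_prefix_blocks(c1, c2):
    """How many leading ciphertext blocks two messages have in common."""
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


def detect_iv_reuse(records):
    """records: (iv, ciphertext) pairs captured under one key. Returns IVs seen more than once."""
    counts = {}
    for iv, _ in records:
        counts[iv] = counts.get(iv, 0) + 1
    return {iv for iv, c in counts.items() if c > 1}


# Constructed: a key baked into the binary and a constant IV, the pattern the audits describe.
HARDCODED_KEY = b"\x13\x37\xca\xfe\xba\xbe\x00\x01"
FIXED_IV = bytes(BLOCK)

# Constructed registration payloads from two devices; their first 16 bytes (two blocks) match.
MSG_A = b'{"org":"abc123","os":"18.3","lang":"en-US"}'
MSG_B = b'{"org":"abc123","os":"17.6","lang":"de-DE"}'


def demo_fixed_iv():
    """Same key, same IV: the shared plaintext prefix shows up as identical ciphertext blocks."""
    ca = cbc_encrypt(HARDCODED_KEY, FIXED_IV, MSG_A)
    cb = cbc_encrypt(HARDCODED_KEY, FIXED_IV, MSG_B)
    return shared_prefix_blocks(ca, cb)  # 2 blocks leak


def demo_random_iv():
    """A fresh random IV per message hides the shared prefix (the shared key is still a problem)."""
    ca = cbc_encrypt(HARDCODED_KEY, os.urandom(BLOCK), MSG_A)
    cb = cbc_encrypt(HARDCODED_KEY, os.urandom(BLOCK), MSG_B)
    return shared_prefix_blocks(ca, cb)  # 0 blocks


if __name__ == "__main__":
    print("fixed IV, shared leading blocks:", demo_fixed_iv())
    print("random IV, shared leading blocks:", demo_random_iv())
    print("reused IVs:", detect_iv_reuse([(FIXED_IV, b"x"), (FIXED_IV, b"y"), (os.urandom(BLOCK), b"z")]))
```

detect_iv_reuse is the check to run over a traffic capture: any IV that appears twice under the same key is a finding on its own, whatever the cipher. Because the key here is the same for every installation, a single decompiled copy of the app also decrypts every other user's traffic, which is the "same password for all your accounts" point made above.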
[6]
DeepSeek's iOS app sends unencrypted data to Chinese servers
Chart-topping AI iPhone app DeepSeek has been found to be sending data to Chinese-owned services, as well as collecting extensive user data that is held and sent unencrypted. DeepSeek is a generative AI app, similar to ChatGPT, which launched in January 2025 and practically immediately went to the top of the US App Store charts. That was despite the Chinese AI startup behind DeepSeek being found to have a major security lapse. "[DeepSeek is] not equipped or willing to provide basic security protections of your data and identity," Andrew Hoog, co-founder of security firm NowSecure, told Ars Technica in a statement. "There are fundamental security practices that are not being observed, either intentionally or unintentionally. In the end, it puts your and your company's data and identity at risk." Chicago-based mobile security firm NowSecure says that DeepSeek's iOS app has multiple security and privacy issues. NowSecure also says that while DeepSeek does use encryption, it is using 3DES. This is a symmetric encryption scheme that was deprecated after 2016 research showed that it could be broken. Worse, as implemented, the symmetric 3DES keys are hard-coded into the app, which means every user is using the same encryption keys. The app also disables Apple's App Transport Security, which would enforce encryption of data in transit. DeepSeek has not said why it has disabled this, nor has Apple commented on why companies are allowed not to use it. The data is then decrypted when it is stored on ByteDance's servers. Once there, it can be used to identify specific users and potentially track queries. As well as violating security best practices, this decryption is significant because while the servers are controlled by ByteDance, the company is bound by Chinese laws regarding government access. This is the same issue that has led to the US requiring ByteDance to sell TikTok.
NowSecure says it is continuing to research DeepSeek. It notes that the Android version is even less secure than the iOS one.
[7]
Multiple security flaws found in DeepSeek iOS app
The latest findings are far worse than the previous security failure which exposed chat history and other sensitive information in a database requiring no authentication ... While we'd mentioned it before it made headlines, for most people DeepSeek came out of nowhere and overnight became the most downloaded iPhone app. AI researchers were shocked at the capabilities of an app which had dramatically lower hardware requirements than chatbots of similar power, and the news sent the share price of a number of US AI companies tumbling. It wasn't long, however, before security and privacy concerns were raised. Italy's privacy watchdog questioned whether the app was compliant with European privacy law, with Ireland asking similar questions. US officials are also investigating potential national security implications. It was then discovered that the company inadvertently failed to secure a database containing more than a million lines of log entries, including chat history and secret keys. Mobile security company NowSecure has found multiple security flaws in the iPhone app - including a failure to use Apple's built-in App Transport Security (ATS) system. ATS is designed to ensure that sensitive personal data is only sent over encrypted channels, but NowSecure found that DeepSeek had switched this off. The DeepSeek iOS app globally disables App Transport Security (ATS) which is an iOS platform level protection that prevents sensitive data from being sent over unencrypted channels. Since this protection is disabled, the app can (and does) send unencrypted data over the internet. The company says that while the data exposed might seem innocuous, it can easily be combined to de-anonymize users. While none of this data taken separately is highly risky, the aggregation of many data points over time quickly leads to easily identifying individuals. 
The recent data breach of Gravy Analytics demonstrates this data is actively being collected at scale and can effectively de-anonymize millions of individuals. Where data is encrypted, the company is using an outdated encryption method which is known to be flawed. The encryption algorithm chosen for this part of the application leverages a known broken encryption algorithm (3DES) which makes it a poor choice to protect the confidentiality of data. Additionally, data collected by the app could be used to identify potential espionage targets. [A sample user] is operating on the latest iPad, leveraging a cellular data connection that is registered to FirstNet (American public safety broadband network operator) and ostensibly the user would be considered a high value target for espionage. Bear in mind that not only are 10's of data points collected in the DeepSeek iOS app but related data is collected from millions of apps and can be easily purchased, combined and then correlated to quickly de-anonymize users. The lengthy analysis concludes that the DeepSeek iOS app is not safe to use, and notes that the Android version is even less secure. While the DeepSeek app is technically impressive, and it's been interesting to test its capabilities, we'd caution against anyone using it for real-life tasks that involve any disclosure of personal data. You should assume that DeepSeek can identify you and see the content of your interactions. We're still at a relatively early stage of security researchers examining the app, so it's probable that additional security and privacy issues will be revealed. Personally, I've now removed it from my iPhone and would advise others to do the same.
[8]
The DeepSeek App Doesn't Send or Store Data Securely: Here's What Researchers Found
If you're interested in AI, there's a good chance you've heard of DeepSeek, the AI model that recently made waves in the tech scene. While people downloaded the app in droves, it turns out it has some nasty privacy issues.
DeepSeek Fails to Properly Encrypt Traffic or Securely Store Login Data
As reported by NowSecure, DeepSeek has some serious privacy issues with how it handles your data. Here are some of the flaws that NowSecure managed to spot:
* Unencrypted Data Transmission: The app transmits sensitive data over the internet without encryption, making it vulnerable to interception and manipulation.
* Weak & Hardcoded Encryption Keys: Uses outdated Triple DES encryption, reuses initialization vectors, and hardcodes encryption keys, violating best security practices.
* Insecure Data Storage: Username, password, and encryption keys are stored insecurely, increasing the risk of credential theft.
This is pretty dire for an app that has reached the top spot in mobile download charts. At the very least, DeepSeek should encrypt data as it's sent; because the traffic is open for anyone to see, it lets attackers mount man-in-the-middle (MITM) attacks and spy on what's being sent. If you really want to give DeepSeek a shot, you still can; however, it's worth taking these steps to ensure nothing bad happens:
* Never share your personal data with DeepSeek. This is good practice with any AI chatbot, but it goes double for DeepSeek given that others can see what you send.
* Use a unique login for DeepSeek. Given that DeepSeek doesn't store your login details securely, it's a good idea to make a unique login for the service. Again, it's good practice to make a new password for every site you use, but if you're not in the habit of doing so, start with this. That way, if DeepSeek does suffer a data breach, the hackers won't get the password you use for every account on the internet.
* Don't use DeepSeek on a sensitive device.
If you own a corporate or governmental device, don't install DeepSeek on it. When popular apps like DeepSeek have security flaws, hackers are quick to find holes and steal data. Using DeepSeek on a sensitive device may result in confidential information leaking out. While DeepSeek has been wildly popular, it does come with its share of privacy issues. If you want to keep using it, make sure you're not tying any sensitive information to it.
[9]
DeepSeek iOS app sends data unencrypted to ByteDance-controlled servers
A little over two weeks ago, a largely unknown China-based company named DeepSeek stunned the AI world with the release of an open source AI chatbot that had simulated reasoning capabilities that were largely on par with those from market leader OpenAI. Within days, the DeepSeek AI assistant app climbed to the top of the iPhone App Store's "Free Apps" category, overtaking ChatGPT. On Thursday, mobile security company NowSecure reported that the app sends sensitive data over unencrypted channels, making the data readable to anyone who can monitor the traffic. More sophisticated attackers could also tamper with the data while it's in transit. Apple strongly encourages iPhone and iPad developers to enforce encryption of data sent over the wire using ATS (App Transport Security). For unknown reasons, that protection is globally disabled in the app, NowSecure said.
Basic security protections MIA
What's more, the data is sent to servers that are controlled by ByteDance, the Chinese company that owns TikTok. While some of that data is properly encrypted using transport layer security, once it's decrypted on the ByteDance-controlled servers, it can be cross-referenced with user data collected elsewhere to identify specific users and potentially track queries and other usage. More technically, the DeepSeek AI chatbot uses an open weights simulated reasoning model. Its performance is largely comparable with OpenAI's o1 simulated reasoning (SR) model on several math and coding benchmarks. The feat, which largely took AI industry watchers by surprise, was all the more stunning because DeepSeek reported spending only a small fraction on it compared with the amount OpenAI spent. A NowSecure audit of the app has found other behaviors that researchers found potentially concerning. For instance, the app uses a symmetric encryption scheme known as 3DES or triple DES.
The scheme was deprecated by NIST following research in 2016 that showed it could be broken in practical attacks to decrypt web and VPN traffic. Another concern is that the symmetric keys, which are identical for every iOS user, are hardcoded into the app and stored on the device. The app is "not equipped or willing to provide basic security protections of your data and identity," NowSecure co-founder Andrew Hoog told Ars. "There are fundamental security practices that are not being observed, either intentionally or unintentionally. In the end, it puts your and your company's data and identity at risk." Hoog said the audit is not yet complete, so there are many questions and details left unanswered or unclear. He said the findings were concerning enough that NowSecure wanted to disclose what is currently known without delay. In a report, he wrote:
NowSecure recommends that organizations remove the DeepSeek iOS mobile app from their environment (managed and BYOD deployments) due to privacy and security risks, such as:
* Privacy issues due to insecure data transmission
* Vulnerability issues due to hardcoded keys
* Data sharing with third parties such as ByteDance
* Data analysis and storage in China
Hoog added that the DeepSeek app for Android is even less secure than its iOS counterpart and should also be removed. Representatives for both DeepSeek and Apple didn't respond to an email seeking comment. Data sent entirely in the clear occurs during the initial registration of the app, including:
* organization id
* the version of the software development kit used to create the app
* user OS version
* language selected in the configuration
Apple strongly encourages developers to implement ATS to ensure the apps they submit don't transmit any data insecurely over HTTP channels. For reasons that Apple hasn't explained publicly, Hoog said, this protection isn't mandatory.
DeepSeek has yet to explain why ATS is globally disabled in the app or why it uses no encryption when sending this information over the wire. This data, along with a mix of other encrypted information, is sent to DeepSeek over infrastructure provided by Volcengine, a cloud platform developed by ByteDance. While the IP address the app connects to geo-locates to the US and is owned by US-based telecom Level 3 Communications, the DeepSeek privacy policy makes clear that the company "store[s] the data we collect in secure servers located in the People's Republic of China." The policy further states that DeepSeek: may access, preserve, and share the information described in "What Information We Collect" with law enforcement agencies, public authorities, copyright holders, or other third parties if we have good faith belief that it is necessary to: * comply with applicable law, legal process or government requests, as consistent with internationally recognised standards. NowSecure still doesn't know precisely the purpose of the app's use of 3DES encryption functions. The fact that the key is hardcoded into the app, however, is a major security failure that's been recognized for more than a decade when building encryption into software. The NowSecure report comes a week after research from security firm Wiz uncovered a publicly accessible, fully controllable database belonging to DeepSeek. It contained more than 1 million instances of "chat history, backend data, and sensitive information, including log streams, API secrets, and operational details," Wiz reported. An open web interface also allowed for full database control and privilege escalation, with internal API endpoints and keys available through the interface and common URL parameters.
On Thursday, US lawmakers began pushing to immediately ban DeepSeek from all government devices, citing national security concerns that the Chinese Communist Party may have built a backdoor into the service to access Americans' sensitive private data. If passed, DeepSeek could be banned within 60 days.
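The registration fields listed above (organization id, SDK version, OS version, language) are what a proxy capture of any mobile app should be checked for. The added example below is not NowSecure's tooling: it walks a constructed capture in the HAR-style shape that intercepting proxies such as mitmproxy export, marks each request that went over http:// rather than https://, and lists which device or registration identifiers it carried in the query string or body. Hostnames use the reserved .invalid domain, and the field names are assumptions that mirror the categories in the report rather than DeepSeek's actual parameter names.

```python
"""Audit a proxy capture for cleartext requests and the identifiers they expose.

Added example; not NowSecure tooling. CAPTURE is constructed in a HAR-like
shape with .invalid hostnames, so nothing here refers to real infrastructure.
Field names are assumptions mirroring the categories the report lists.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Identifiers that, aggregated across apps, help de-anonymise a device or user.
SENSITIVE_FIELDS = {"organization_id", "sdk_version", "os_version", "language", "device_id", "idfv"}

CAPTURE = [  # constructed sample entries in the HAR "entries" shape
    {"request": {"method": "POST",
                 "url": "http://api.example.invalid/v1/register",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "postData": {"mimeType": "application/json",
                              "text": json.dumps({"organization_id": "org-4242", "sdk_version": "3.1.0",
                                                  "os_version": "18.3", "language": "en-US"})}}},
    {"request": {"method": "GET",
                 "url": "http://cdn.example.invalid/config.json?language=en-US&build=77",
                 "headers": []}},
    {"request": {"method": "POST",
                 "url": "https://api.example.invalid/v1/chat",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "postData": {"mimeType": "application/json", "text": json.dumps({"prompt": "hello"})}}},
    {"request": {"method": "POST",
                 "url": "http://t.example.invalid/beacon",
                 "headers": [{"name": "Content-Type", "value": "application/x-www-form-urlencoded"}],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "device_id=ABCDEF&os_version=18.3"}}},
]


def _field_names(request):
    """Collect parameter names from the query string and from a JSON or form body."""
    names = set(parse_qs(urlsplit(request["url"]).query))
    body = request.get("postData", {})
    text, mime = body.get("text", ""), body.get("mimeType", "")
    if "json" in mime:
        try:
            parsed = json.loads(text)
        except ValueError:
            parsed = {}
        if isinstance(parsed, dict):
            names.update(parsed)
    elif "x-www-form-urlencoded" in mime:
        names.update(parse_qs(text))
    return names


def audit_capture(entries):
    """One finding per request: did it go in the clear, and which sensitive fields did it carry."""
    findings = []
    for entry in entries:
        req = entry["request"]
        cleartext = urlsplit(req["url"]).scheme == "http"
        exposed = sorted(SENSITIVE_FIELDS & _field_names(req))
        findings.append({"url": req["url"], "cleartext": cleartext, "exposed": exposed})
    return findings


def exposed_in_clear(entries):
    """Union of sensitive fields that crossed the network unencrypted."""
    fields = set()
    for finding in audit_capture(entries):
        if finding["cleartext"]:
            fields.update(finding["exposed"])
    return sorted(fields)


if __name__ == "__main__":
    for finding in audit_capture(CAPTURE):
        flag = "CLEARTEXT" if finding["cleartext"] else "tls"
        print(f"{flag:9} {finding['url']}  exposed={finding['exposed']}")
    print("sent in the clear overall:", exposed_in_clear(CAPTURE))
```

With a real HAR file, load it with json.load and pass data["log"]["entries"] to audit_capture. The https entry still carries the same kind of data, so a second pass over the TLS requests tells you what the server operator receives even when the wire is protected, which is the separate concern the articles raise about where the data ends up.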
[10]
DeepSeek Might Be Sharing Your Data With This Banned Chinese Company
DeepSeek source code reportedly contains evidence that links the popular artificial intelligence (AI) chatbot with a Chinese telecommunication provider that was banned in the US. According to a report, a cybersecurity firm has uncovered code that could be used to send data entered on DeepSeek's web client to China Mobile. The code reportedly relates to the account creation and login process on the Chinese AI chatbot platform. While it could not be confirmed that DeepSeek is indeed sending data, the researchers were also not able to rule out the possibility. The Associated Press (AP) reported that DeepSeek contains code that could potentially send user login information to China Mobile. The publication claimed that it received a report about the code from the Canada-based cybersecurity firm Feroot Security. Multiple independent experts reportedly verified these claims. Notably, China Mobile was banned from operating in the US in 2019 after the government raised national security concerns due to the link between the telecom operator and the Chinese government. Additionally, in 2021, the US government also put sanctions on Americans investing in the company after finding evidence of its links with the Chinese military. The report did not reveal details about the alleged code that links DeepSeek's chatbot with the telecom operator. However, it discovered the presence of code that enables the AI firm to send login information as well as queries directly to China Mobile's servers. The cybersecurity firm also highlighted that the exposed code shows a connection that could be far more nefarious than that of TikTok, which was briefly banned for a few hours in the US, before it was reinstated. "The implications of this are significantly larger because personal and proprietary information could be exposed. It's like TikTok but at a much grander scale and with more precision. It's not just sharing entertainment videos. 
It's sharing queries and information that could include highly personal and sensitive business information," Ivan Tsarynny, CEO of Feroot told AP. Notably, the researchers have not analysed the mobile app of DeepSeek, which could also contain similar code. The iOS app of DeepSeek recently topped the App Store's "Top free apps" chart in the US overtaking OpenAI.
[11]
DeepSeek coding has the capability to transfer users' data directly to the Chinese government
The app developed its AI model for way less money than its American competitors. DeepSeek, the explosive new artificial intelligence tool that took the world by storm, has code hidden in its programming with the built-in capability to send user data directly to the Chinese government, experts told ABC News. DeepSeek caught Wall Street off guard last week when it announced it had developed its AI model for far less money than its American competitors, like OpenAI, which have invested billions. But the potential risk DeepSeek poses to national security may be more acute than previously feared because of a potential open door between DeepSeek and the Chinese government, according to cybersecurity experts. Of late, Americans have been concerned about ByteDance, the China-based company behind TikTok, which is required under Chinese law to share the data it collects with the Chinese government. With DeepSeek, there's actually the possibility of a direct path to the PRC hidden in its code, Ivan Tsarynny, CEO of Feroot Security, an Ontario-based cybersecurity firm focused on customer data protection, told ABC News. "We see direct links to servers and to companies in China that are under control of the Chinese government. And this is something that we have never seen in the past," Tsarynny said. Users who register or log in to DeepSeek may unknowingly be creating accounts in China, making their identities, search queries, and online behavior visible to Chinese state systems. Tsarynny says he used AI software to decrypt portions of DeepSeek's code and found what appeared to be intentionally hidden programming that has the capability to send user data to one website: CMPassport.com, the online registry for China Mobile, a telecommunications company owned and operated by the Chinese government. China Mobile was banned from operating in the U.S. by the FCC in 2019 due to concerns that "unauthorized access to customer...data could create irreparable damage to U.S. 
national security." It was delisted from the New York Stock Exchange in 2021 and added to the FCC's list of national security threats in 2022. John Cohen, an ABC News contributor and former acting Undersecretary for Intelligence and Analysis for the Department of Homeland Security, said DeepSeek is a most blatant example of suspected surveillance by the Chinese government. "China Mobile is part of a growing list of Chinese-based technology companies that have been determined to pose a risk to U.S. national security," Cohen said . "National security officials always suspect that technology sold by a Chinese-based company has a backdoor making that data accessible to the Chinese government. In this case, the back door's been discovered, it's been opened, and that's alarming." "It's alarming to say the least," Rep. Josh Gottheimer (D-NJ), who serves on the House Intelligence Committee, told ABC News. "I think we should ban DeepSeek from all government devices immediately. No one should be allowed to download it onto their device. And I think we have to inform the public," Gottheimer said. DeepSeek's terms of service specify that they "shall be governed by the laws of the People's Republic of China." DeepSeek's privacy policy discloses that they collect all kinds of data including chat and search query history, keystroke patterns, IP addresses, and activity from other apps. However, experts say it's impossible to know what of this data DeepSeek is potentially sending to China Mobile. Tsarynny's analysis found that DeepSeek's web tool creates a digital "fingerprint" for each unique user, which has the capability to track users' activity not only while they use DeepSeek's website, but all web activity going forward. Rep. 
Raja Krishnamoorthi (D-IL), the top Democrat on the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party, said the possibility of covert collection of DeepSeek user data by the Chinese government is "very disturbing." "I think there's absolutely the intention by the CCP to collect data of Americans and user data worldwide," Krishnamoorthi told ABC News. "This pattern of data collection is really familiar to people who study the use of CCP controlled-company apps and you use those apps at your own risk." DeepSeek, its hedge fund founder High-Flyer, and China Mobile did not respond to multiple requests for comment.
[12]
China's DeepSeek web version is raising security alarms. Here's why
The website of the Chinese artificial intelligence company DeepSeek, whose chatbot became the most downloaded app in the United States, has computer code that could send some user login information to a Chinese state-owned telecommunications company that has been barred from operating in the United States, security researchers say. The web login page of DeepSeek's chatbot contains heavily obfuscated computer script that when deciphered shows connections to computer infrastructure owned by China Mobile, a state-owned telecommunications company. The code appears to be part of the account creation and user login process for DeepSeek. In its privacy policy, DeepSeek acknowledged storing data on servers inside the People's Republic of China. But its chatbot appears more directly tied to the Chinese state than previously known through the link revealed by researchers to China Mobile. The U.S. has claimed there are close ties between China Mobile and the Chinese military as justification for placing limited sanctions on the company. DeepSeek and China Mobile did not respond to emails seeking comment. The growth of Chinese-controlled digital services has become a major topic of concern for U.S. national security officials. Lawmakers in Congress last year on an overwhelmingly bipartisan basis voted to force the Chinese parent company of the popular video-sharing app TikTok to divest or face a nationwide ban though the app has since received a 75-day reprieve from President Donald Trump, who is hoping to work out a sale. The code linking DeepSeek to one of China's leading mobile phone providers was first discovered by Feroot Security, a Canadian cybersecurity company, which shared its findings with the Associated Press. The AP took Feroot's findings to a second set of computer experts, who independently confirmed that China Mobile code is present. 
Neither Feroot nor the other researchers observed data transferred to China Mobile when testing logins in North America, but they could not rule out that data for some users was being transferred to the Chinese telecom. The analysis only applies to the web version of DeepSeek. They did not analyze the mobile version, which remains one of the most downloaded pieces of software on both the Apple and the Google app stores. The U.S. Federal Communications Commission unanimously denied China Mobile authority to operate in the United States in 2019, citing "substantial" national security concerns about links between the company and the Chinese state. In 2021, the Biden administration also issued sanctions limiting the ability of Americans to invest in China Mobile after the Pentagon linked it to the Chinese military. "It's mind-boggling that we are unknowingly allowing China to survey Americans and we're doing nothing about it," said Ivan Tsarynny, CEO of Feroot. "It's hard to believe that something like this was accidental. There are so many unusual things to this. You know that saying 'Where there's smoke, there's fire'? In this instance, there's a lot of smoke," Tsarynny said. Stewart Baker, a Washington, D.C.-based lawyer and consultant who has previously served as a top official at the Department of Homeland Security and the National Security Agency, said DeepSeek "raises all of the TikTok concerns plus you're talking about information that is highly likely to be of more national security and personal significance than anything people do on TikTok," one of the world's most popular social media platforms. Users are increasingly putting sensitive data into generative AI systems -- everything from confidential business information to highly personal details about themselves. People are using generative AI systems for spell-checking, research, and even highly personal queries and conversations. 
The data security risks of such technology are magnified when the platform is owned by a geopolitical adversary and could represent an intelligence goldmine for a country, experts warn. "The implications of this are significantly larger because personal and proprietary information could be exposed. It's like TikTok but at a much grander scale and with more precision. It's not just sharing entertainment videos. It's sharing queries and information that could include highly personal and sensitive business information," said Tsarynny, of Feroot. Feroot, which specializes in identifying threats on the web, identified computer code that is downloaded and triggered when a user logs into DeepSeek. According to the company's analysis, the code appears to capture detailed information about the device a user logs in from -- a process called fingerprinting. Such techniques are widely used by tech companies around the world for security, verification, and ad targeting. The company's analysis of the code determined that there were links in that code pointing to China Mobile authentication and identity management computer systems, meaning it could be part of the login process for some users accessing DeepSeek. The AP asked two academic cybersecurity experts -- Joel Reardon of the University of Calgary and Serge Egelman of the University of California, Berkeley -- to verify Feroot's findings. In their independent analysis of the DeepSeek code, they confirmed there were links between the chatbot's login system and China Mobile. "It's clear that China Mobile is somehow involved in registering for DeepSeek," said Reardon. He didn't see data being transferred in his testing but concluded that it is likely being activated for some users or in some login methods.
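The kind of check behind the claims in the ABC and AP reports above (an obfuscated login-page script that, once deciphered, references China Mobile's CMPassport.com, plus code that fingerprints the device), as an added example that is not DeepSeek's, Feroot's, or the AP researchers' code: a small Node.js triage pass that undoes three common string-obfuscation tricks, lists the hostnames a script references, separates them from an assumed first-party domain (deepseek.com), flags hits against a watchlist, and reports which fingerprinting-style browser APIs the script touches. The sample script is constructed for this example; the example.com/example.org hosts, the chat.deepseek.com login path and the first-party list are placeholders and assumptions, and only cmpassport.com is taken from the page.

```javascript
// Added example (not DeepSeek's, Feroot's, or the AP researchers' code):
// static triage of JavaScript served on a login page, looking for
// (1) hostnames the script references after undoing common string
//     obfuscation, and (2) browser APIs typical of device fingerprinting.
// SAMPLE_SCRIPT is CONSTRUCTED for this example. Apart from cmpassport.com
// (named on the page), every host in it is a placeholder; FIRST_PARTY is
// an assumption about the site's own domain.

const SAMPLE_SCRIPT = `
  var login = "https://chat." + "deepseek.com/login";            // assumed first-party host
  var sso   = "https://" + "cm" + "passport.com/";               // split-string obfuscation
  var cdn   = "\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x73\\x74\\x61\\x74\\x69\\x63\\x2e\\x65\\x78\\x61\\x6d\\x70\\x6c\\x65\\x2e\\x63\\x6f\\x6d";
  var api   = String.fromCharCode(104,116,116,112,115,58,47,47,97,112,105,46,101,120,97,109,112,108,101,46,111,114,103);
  var fp = [navigator.hardwareConcurrency, screen.colorDepth,
            new Date().getTimezoneOffset(), canvas.toDataURL()].join("|");
  fetch(sso + "sdk.js"); fetch(api, { method: "POST", body: fp });
`;

const FIRST_PARTY = ["deepseek.com"];    // assumption: the site's own domain
const WATCHLIST   = ["cmpassport.com"];  // China Mobile registry named on the page

// Browser properties commonly combined into a device fingerprint.
const FINGERPRINT_APIS = [
  "navigator.userAgent", "navigator.plugins", "navigator.hardwareConcurrency",
  "navigator.language", "screen.width", "screen.height", "screen.colorDepth",
  "getTimezoneOffset", "toDataURL", "WebGLRenderingContext", "AudioContext",
];

// Step 1: turn \xNN and \uNNNN escapes back into plain characters.
function decodeEscapes(src) {
  return src
    .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Step 2: replace String.fromCharCode(n, n, ...) with the literal it builds.
function foldFromCharCode(src) {
  return src.replace(/String\.fromCharCode\(\s*([\d\s,]+?)\s*\)/g, (_, nums) =>
    JSON.stringify(String.fromCharCode(...nums.split(",").map((n) => parseInt(n, 10)))));
}

// Step 3: join adjacent string literals ("a" + "b" -> "ab") until nothing changes.
function foldConcat(src) {
  const pair = /(["'])([^"'\\]*)\1\s*\+\s*(["'])([^"'\\]*)\3/g;
  let prev;
  do {
    prev = src;
    src = src.replace(pair, (_, q1, a, q2, b) => JSON.stringify(a + b));
  } while (src !== prev);
  return src;
}

function deobfuscate(src) {
  return foldConcat(foldFromCharCode(decodeEscapes(src)));
}

// Step 4: collect hostnames from http(s) URLs in the de-obfuscated source.
function extractHosts(src) {
  const hosts = new Set();
  for (const m of deobfuscate(src).matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    hosts.add(m[1].toLowerCase());
  }
  return [...hosts].sort();
}

// Which fingerprinting-style APIs the script references, in FINGERPRINT_APIS order.
function fingerprintSignals(src) {
  const clean = deobfuscate(src);
  return FINGERPRINT_APIS.filter((api) => clean.includes(api));
}

const underDomain = (host, domains) =>
  domains.some((d) => host === d || host.endsWith("." + d));

// Triage report: every host, hosts outside the first party, watchlist hits,
// and fingerprinting signals. Presence of a host proves a reference exists,
// not that data was actually sent to it.
function triageScript(src, firstParty = FIRST_PARTY, watchlist = WATCHLIST) {
  const hosts = extractHosts(src);
  return {
    hosts,
    thirdParty: hosts.filter((h) => !underDomain(h, firstParty)),
    flagged: hosts.filter((h) => underDomain(h, watchlist)),
    fingerprinting: fingerprintSignals(src),
  };
}

console.log(JSON.stringify(triageScript(SAMPLE_SCRIPT), null, 2));
```

On the constructed sample the report lists four hosts, three of them outside the assumed first-party domain, flags cmpassport.com, and names the four fingerprinting APIs the script reads. This is a static check only: it says the reference is in the code that the browser downloads, which is what the researchers above report. Whether anything is actually transmitted, and for which users or login methods, has to be confirmed dynamically by capturing the browser's network traffic during the login flow, and the page notes that the testers did not observe such a transfer from North America.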
[13]
DeepSeek's Secret Code: Data Going to China?
After TikTok, will DeepSeek be the next Chinese company to be banned by the US? According to security researchers, code found on the website of Chinese AI company DeepSeek has the capability of sending login information from a user to China Mobile. China Mobile is a state-owned telecommunications firm banned from operation in the United States. Feroot Security, a Canadian cybersecurity firm, found the code on DeepSeek's chatbot web login page and shared it with The Associated Press (AP). Two independent cybersecurity experts later confirmed the existence of the code. The code seems to connect to China Mobile's infrastructure in the process of creating an account and logging in.
[14]
DeepSeek chatbot linked to China's telecom firm that is barred from operating in United States, claim researchers
DeepSeek in its privacy policy acknowledged storing data on servers inside the People's Republic of China. The website of the Chinese artificial intelligence company DeepSeek, whose chatbot became the most downloaded app in the United States, has computer code that could send some user login information to a Chinese state-owned telecommunications company that has been barred from operating in the United States, security researchers say, as per a report. The web login page of DeepSeek's chatbot contains heavily obfuscated computer script that when deciphered shows connections to computer infrastructure owned by China Mobile, a state-owned telecommunications company. The code appears to be part of the account creation and user login process for DeepSeek, AP reported. In its privacy policy, DeepSeek acknowledged storing data on servers inside the People's Republic of China. But its chatbot appears more directly tied to the Chinese state than previously known through the link revealed by researchers to China Mobile. The US has claimed there are close ties between China Mobile and the Chinese military as justification for placing limited sanctions on the company. DeepSeek and China Mobile did not respond to emails seeking comment. The growth of Chinese-controlled digital services has become a major topic of concern for US national security officials. Lawmakers in Congress last year on an overwhelmingly bipartisan basis voted to force the Chinese parent company of the popular video-sharing app TikTok to divest or face a nationwide ban though the app has since received a 75-day reprieve from President Donald Trump, who is hoping to work out a sale. The code linking DeepSeek to one of China's leading mobile phone providers was first discovered by Feroot Security, a Canadian cybersecurity company, which shared its findings with The Associated Press.
The AP took Feroot's findings to a second set of computer experts, who independently confirmed that China Mobile code is present. Neither Feroot nor the other researchers observed data transferred to China Mobile when testing logins in North America, but they could not rule out that data for some users was being transferred to the Chinese telecom. The analysis only applies to the web version of DeepSeek. They did not analyse the mobile version, which remains one of the most downloaded pieces of software on both the Apple and the Google app stores. The US Federal Communications Commission unanimously denied China Mobile authority to operate in the United States in 2019, citing "substantial" national security concerns about links between the company and the Chinese state. In 2021, the Biden administration also issued sanctions limiting the ability of Americans to invest in China Mobile after the Pentagon linked it to the Chinese military. Feroot, which specialises in identifying threats on the web, identified computer code that is downloaded and triggered when a user logs into DeepSeek. According to the company's analysis, the code appears to capture detailed information about the device a user logs in from - a process called fingerprinting. Such techniques are widely used by tech companies around the world for security, verification and ad targeting. The company's analysis of the code determined that there were links in that code pointing to China Mobile authentication and identity management computer systems, meaning it could be part of the login process for some users accessing DeepSeek. The AP asked two academic cybersecurity experts - Joel Reardon of the University of Calgary and Serge Egelman of the University of California, Berkeley - to verify Feroot's findings. In their independent analysis of the DeepSeek code, they confirmed there were links between the chatbot's login system and China Mobile. 
"It's clear that China Mobile is somehow involved in registering for DeepSeek," said Reardon. He didn't see data being transferred in his testing but concluded that it is likely being activated for some users or in some login methods.
[15]
Researchers say China's DeepSeek chatbot is linked to state telecom, raising data privacy concerns
[16]
Researchers say China's DeepSeek chatbot is linked to state telecom, raising data privacy concerns
[17]
Researchers say China's DeepSeek chatbot is linked to state telecom, raising data privacy concerns
[18]
Researchers say China's DeepSeek chatbot is linked to state telecom, raising data privacy concerns
[19]
China's DeepSeek chatbot ties to state telecom spark privacy fears
Multiple security audits reveal significant vulnerabilities in DeepSeek's iOS and Android apps, including unencrypted data transmission to Chinese servers and poor security practices, raising concerns about user privacy and data protection.
DeepSeek, an AI chatbot app that briefly surpassed ChatGPT in popularity, has come under scrutiny for significant security and privacy issues. The app, which topped download charts on both iOS and Android platforms, is now facing serious questions about its data handling practices and potential risks to user information [1].
Security audits conducted by NowSecure (iOS app) and Security Scorecard (Android app) have revealed serious weaknesses in both versions of the DeepSeek app. Key findings include:
Unencrypted Data Transmission: The iOS app sends some user and device data over plain HTTP rather than TLS, so anyone on the network path (a public Wi-Fi operator, an ISP, a national backbone) can read or modify it in transit [2].
Disabled Security Features: DeepSeek's iOS app globally disables Apple's App Transport Security (ATS), the platform control that forces app traffic onto HTTPS with modern TLS; with ATS switched off for every host, cleartext connections like the one above are accepted without any per-domain justification, and the setting is visible to anyone who reads the app's Info.plist [3].
Outdated Encryption Methods: Where the app encrypts data itself, it uses 3DES, a legacy cipher with a 64-bit block size that NIST has deprecated [2]. Symmetric encryption is only as strong as the secrecy of its key, and the audits separately report keys hardcoded in the app, which leaves any data protected this way recoverable by anyone who unpacks the app.
Hardcoded Keys and Weak Cryptography: Security Scorecard's review of the Android app found hardcoded keys, with API keys, authentication tokens and passwords stored in plaintext inside application files, along with database code vulnerable to SQL injection [1]. Plaintext secrets in an APK can be recovered with a simple string search over the unpacked package; an attacker does not need to defeat the app's anti-debugging measures to get them.
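As an added example (not NowSecure's or Security Scorecard's tooling, and not code from the DeepSeek app), the script below shows how a reviewer triages an unpacked app bundle for three of the weaknesses listed above: App Transport Security weakened in an iOS Info.plist, secrets stored in plaintext files, and cleartext http:// endpoints. The Info.plist documents and the asset files it scans are constructed samples; the plist keys (NSAppTransportSecurity, NSAllowsArbitraryLoads, NSExceptionDomains, NSExceptionAllowsInsecureHTTPLoads, NSExceptionMinimumTLSVersion) are Apple's real ATS keys, while the secret patterns are illustrative and would be extended for a real review.

```python
"""Static triage of an unpacked mobile app bundle for ATS weakening,
plaintext secrets and cleartext endpoints.

Added example for illustration only; not the auditors' tooling and not
code from the app under discussion. All inputs below are constructed.
"""
import plistlib
import re

# Constructed Info.plist with ATS weakened both globally and per-domain.
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chatapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed hardened Info.plist: no NSAppTransportSecurity key at all,
# so the platform default (HTTPS with TLS 1.2+ to every host) applies.
HARDENED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chatapp</string>
</dict>
</plist>
"""

# Constructed files as they might sit inside an unpacked IPA/APK.
SAMPLE_FILES = {
    "assets/config.json": '{"api_key": "sk-constructed-example-key-0123456789", '
                          '"endpoint": "http://api.example.com/v1"}',
    "res/values/strings.xml": '<string name="app_name">ChatApp</string>',
    "assets/prefs.xml": '<string name="auth_token">'
                        'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJlLXBsYWNlaG9sZGVy'
                        '</string>',
}

# Illustrative patterns; a real review would use a fuller secret-scanning ruleset.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)['\"]?\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
}
CLEARTEXT_URL = re.compile(r"\bhttp://[^\s\"'<>]+")
WEAK_TLS = {"TLSv1.0", "TLSv1.1"}


def ats_findings(plist_bytes: bytes) -> list[str]:
    """Report every way an Info.plist weakens App Transport Security."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        # Global opt-out: plain HTTP to any host is accepted.
        findings.append("ATS_GLOBAL_DISABLED")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"ATS_INSECURE_HTTP:{domain}")
        if rules.get("NSExceptionMinimumTLSVersion") in WEAK_TLS:
            findings.append(f"ATS_WEAK_TLS:{domain}")
    return findings


def scan_file(path: str, content: str) -> list[tuple[str, str]]:
    """Flag plaintext credentials and cleartext endpoints in one file."""
    hits = [(path, kind) for kind, pat in SECRET_PATTERNS.items() if pat.search(content)]
    if CLEARTEXT_URL.search(content):
        hits.append((path, "cleartext_http_endpoint"))
    return hits


def triage(plist_bytes: bytes, files: dict[str, str]) -> dict:
    """Combine both checks into one report for the bundle."""
    secrets = [hit for path, content in files.items() for hit in scan_file(path, content)]
    return {"ats": ats_findings(plist_bytes), "secrets": secrets}


if __name__ == "__main__":
    for label, plist in (("weak", WEAK_INFO_PLIST), ("hardened", HARDENED_INFO_PLIST)):
        report = triage(plist, SAMPLE_FILES)
        print(f"{label}: ats={report['ats']} secrets={report['secrets']}")
```

Running it against a real bundle means pointing `triage` at the Info.plist pulled out of the IPA and at every text-like file under the unpacked package; the ATS check is a pure configuration review, so a hit there is a finding on its own, whereas the secret patterns produce candidates that still need a human to confirm they are live credentials.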
DeepSeek's privacy policy also discloses extensive data collection, covering both what users type or upload and technical information about the devices they use.
A major concern is the probable transmission of user data to servers controlled by ByteDance, the parent company of TikTok, which would create compliance issues under GDPR, CCPA and national security laws [4]. Separately, the web login page has been found to contain obfuscated code linked to China Mobile, a state-owned telecommunications company barred from operating in the United States; the researchers who analyzed it did not observe data actually flowing to China Mobile during test logins from North America, but could not rule that out for other users or other login methods, and the mobile apps were not part of that analysis [4].
In response to these findings, several countries and government agencies have restricted or banned the app on government devices and opened investigations into its data handling.
Security experts recommend removing the DeepSeek app from managed and BYOD environments until these issues are addressed [5]; on managed fleets that means blocklisting the app in the MDM and auditing existing installs, not only advising users. Organizations are advised to consider alternative AI chatbot solutions that prioritize mobile app security and data protection.
As DeepSeek faces scrutiny similar to TikTok, it may need to address these security and privacy concerns promptly to avoid potential bans or forced sales in certain markets [3]. The situation highlights the growing importance of data security and privacy in AI applications, especially those with international reach and potential geopolitical implications.
Reference
[1]
[2]
[4]
[5]
© 2025 TheOutpost.AI All rights reserved