Deep Concerns Raised over Chinese AI App DeeSeek’s Security and Privacy Implications
Extensive User Data Collection
One of the primary security concerns raised about DeepSeek is its extensive collection of user data. The app collects "keystroke patterns or rhythms," which can be used to identify users. DeepSeek also has the ability to intercept keyboard inputs before they are sent, raising concerns about potential eavesdropping.
Manipulability for Malicious Purposes
A recent investigation by Palo Alto Networks revealed that DeepSeek can be easily manipulated to generate malicious code. By using specific prompts, researchers were able to create scripts that could extract data from emails and Word documents, a technique commonly employed by hackers. DeepSeek was also found to be able to produce "keylogger code," a tool used to spy on passwords and access credentials.
China’s Cybersecurity Laws and Data Access
DeepSeek is subject to Chinese law, which requires all data to be stored within the country. Additionally, China’s intelligence law obligates organizations and individuals to cooperate with the national security apparatus. This raises concerns that the Chinese government could have unfettered access to user data stored by DeepSeek.
German Authorities Take Action
In response to these concerns, German authorities have taken steps to mitigate potential risks posed by DeepSeek. The Federal Office for Information Security (BSI) has warned against using the app in security-critical areas, citing its ability to create user profiles based on keystroke patterns. The Data Protection Commissioner of Rhineland-Palatinate is preparing an audit of DeepSeek, while other German data protection agencies are expected to do the same.
Italian Ban and Lack of Compliance with EU Regulations
The Italian Data Protection Authority (GDDP) has already banned DeepSeek, citing concerns over its data collection practices. DeepSeek has not appointed a legal representative in the EU, which is a violation of the General Data Protection Regulation (GDPR) and could result in fines.
Minimizing Risks in German Government and Industry
German government agencies and large corporations are implementing stringent security measures to protect against cyberattacks, including restrictions on the use of AI. The Federal Ministry of the Interior has banned external cloud services, while other ministries have restricted the use of text-generative AI. The Bavarian Ministry of the Interior has prohibited the use of DeepSeek and other AI applications on official devices, and the German Patent and Trademark Office has also refrained from using the app.
Major companies are following suit, protecting their technology and data by limiting access to AI applications through secure gateways, such as "SiemensGTP" at Siemens. By keeping sensitive data within their own secure environments, these organizations can mitigate the risks associated with using DeepSeek and other AI tools.
