Deepseek is an artificial intelligence developed by a Chinese startup that has recently gained notoriety due to its innovative and efficient approach in the development of language models. Unlike other AIs that require a lot of computational resources, Deepseek has managed to optimize its model to be cheaper and more efficient, using only 2,000 specialized chips instead of the 16,000 that other alternatives usually need. However, the controversy has not taken long to arrive after some cybersecurity researchers have alerted that the application in iOS sends data without encrypting bya servers.
Since Deepseek launched its open source chatbot, there are many who have compared it with Chatgpt or Gemini. Users liked it, so much that it quickly ascended in the list of “free applications” of the iOS app store until they position themselves in the top 1 of the most downloaded. However, the most suspicious with privacy did not finish trusting the app and, according to Nowsecure mobile security experts they have sufficient motifs to distrust.
In a recent brand report, they have detailed that the platform sends confidential data through non -encrypted channels to Bytedonce servers (yes, the same company behind Tiktok that is so controversial in the United States). Nowsecure explains that, by sending the deciphered messages, these are readable for anyone who can monitor traffic. Although the Chinese company had no bad intention with information, a hacker could attack its servers and know our conversations with AI.
The danger of having deciphered private data
Therefore, some of the data is known that they are encrypted correctly through the safety of the transport layer. However, many remain deciphered upon reaching the Bytedonce servers. Therefore, the company can access information that could be confidential. In fact, cybersecurity experts clarify that Bytedance can compare with user data collected in other places and, thus, identify people. Then, they could track consultations and give other uses to the data shared with artificial intelligence.
The truth is that the App Store policy does not demand that application developers encrypt the data that their users share, only recommends it. However, Nowsecure researchers emphasize that this type of protection is disabled throughout the world in Deepseek.
Other Deepseek actions that concern
Nowsecure researchers have pointed out in their report that the sending of data without encrypting Depseek in iOS to the Bytedonce servers is not the only thing that could be potentially worrying. In addition, they have commented that, for the information that does hide, they use a symmetrical encryption scheme that is known as triple des (or 3DES). This is a cryptography algorithm developed by IBM in 1998. The encryption system was discontinued by the NIST after it was known in a 2016 investigation that certain attacks could decipher web traffic and VPN.
In the analysis, Nowsecure advises that organizations deepseek if they use iPhone. As they comment, the application can cause privacy problems due to data insecure and vulnerability due to coded keys. It also seems worrying to exchange data with third parties such as Bytedance, and the fact that the analysis and storage of the information is carried out in China.
Although Nowsecure’s investigation is not yet conclusive and there are many unanswered or not very clear questions, which they have already discovered so far are worrisome. Neither Apple nor Depseek have yet responded to the accusations of the report. Initially, the apple brand recommends developers to implement app security security technology (ATS) that is a privacy function that applies safe connections. But it is no demand and the AI company prefers to use other methods.
For its part, Depseek details that the firm “stores the data it collects in safe servers located in the People’s Republic of China.” However, Nowsecure does not have them all with them. In sum, the policy that the app reserves the right to “access, preserve and share the information” with agencies, public authorities, copyright holders or others if they consider it appropriate to comply with the law.
