DeepSeek Security, Privacy, and Governance: Hidden Risks in Open-Source AI
0. Introduction
DeepSeek, a Chinese AI startup, has gained rapid global attention for its open-source AI model “DeepSeek R1,” which boasts impressive reasoning capabilities. However, alongside technical achievements have come serious concerns about security vulnerabilities, data privacy, and the implications of operating under China’s jurisdiction. This post examines DeepSeek’s security gaps, privacy practices, and open-source AI risks, offering practical advice for users and developers.
1. Technical Safety and Security
DeepSeek’s technical safety record has been called into question by experts and user reports. Key findings include:
Vulnerabilities and Jailbreaking: Researchers discovered DeepSeek R1 is vulnerable to “jailbreak” exploits, allowing prompts to bypass its safety filters. Methods that ChatGPT and similar models patched long ago still work on DeepSeek, enabling it to produce disallowed or dangerous content. Tests show DeepSeek offered detailed instructions for illicit activities — such as money laundering and malware creation — while ChatGPT refused to comply with similar prompts. These findings suggest DeepSeek has neglected critical safety updates competitors implemented years prior.
Harmful Output and Biases: Independent evaluations show DeepSeek R1 is substantially more prone to generating harmful or biased content than Western alternatives. In one study, it was 11× more likely to produce dangerous outputs and 4× more likely to create insecure code. These lapses highlight serious gaps in the model’s safeguards, including the potential spread of toxic language and faulty coding practices.
Security Incidents: DeepSeek’s own infrastructure has suffered from security lapses. In late January 2025, the company restricted new user sign-ups citing “malicious attacks” on its services. Shortly after, researchers uncovered an exposed database (ClickHouse) that was left publicly accessible without authentication. This misconfiguration allowed anyone to query sensitive data — including API secrets, chat logs, and backend details — potentially compromising the platform. DeepSeek secured the database after being alerted, but it’s unclear if attackers accessed data before the fix. The incident highlights basic security controls (like proper access restrictions) were overlooked, raising questions about DeepSeek’s internal security practices.
Patching and Audits: DeepSeek’s response to the database leak was reactive (closing the open database upon notification), and the company has not publicly detailed a robust process for regular security updates or code audits. The lack of formal security certification or bug bounty programs stands in contrast to industry leaders. Overall, DeepSeek’s track record shows some oversight, with known vulnerabilities left unaddressed until exposed by outsiders.
Cybersecurity Warnings: Reflecting these vulnerabilities, the U.S. Navy warned its members against using DeepSeek over security concerns. Similarly, the U.S. House of Representatives flagged the service as unauthorized on House networks. Such formal warnings for AI tools are rare, underscoring the degree of perceived risk in DeepSeek’s offering.
From outdated jailbreak defenses to a real data leak, DeepSeek has demonstrated significant security shortcomings. Its rapid deployment outpaced security hardening, leaving known exploits open and sensitive data unprotected. This exposes users to risks like malicious output, data theft, or misuse of the AI for harmful purposes. Robust security testing and proactive patch management appear to be areas where DeepSeek lags, especially when measured against industry best practices.
2. Data Privacy and User Protections
DeepSeek’s approach to user data privacy has raised red flags among privacy experts and regulators, particularly given the service’s ties to China. Key points include:
Data Collection & Storage: DeepSeek’s privacy policy reveals that it collects extensive personal data from users and stores everything on servers in China. The data collected includes user-provided content (all chat prompts, conversations, file uploads), profile details (username, date of birth, email, phone, password, etc.), and automatically gathered device/network info like IP addresses and device IDs. Critically, the policy is explicit: “We store the information we collect in secure servers located in the People’s Republic of China”. In other words, any question you ask or content you input into DeepSeek can be transmitted and stored in China.
User Control and Transparency: DeepSeek does offer some user controls, such as the ability to delete your chat history via account settings. The privacy policy outlines that users (depending on jurisdiction) have rights to access or delete their data. However, it’s unclear how effectively these rights are implemented. Italian regulators have pressed DeepSeek for clarity on whether users are properly informed about data usage and if the service obtains consent for web scraping and personal data storage abroad. The fact that authorities had to ask suggests DeepSeek’s transparency may have been insufficient or confusing to users.
Cross-Border Data Transfers & Compliance: The transfer of user data to China is a central concern for compliance with laws like Europe’s GDPR and California’s CCPA. GDPR strictly regulates exporting EU residents’ personal data to countries like China — typically requiring mechanisms like Standard Contractual Clauses and clear consent. DeepSeek’s policy states that transfers out of a user’s country will be done “in accordance with applicable data protection laws”, but provides no detail on safeguards.
China’s Legal Environment: Because DeepSeek stores data in China, it is subject to Chinese cybersecurity and national security laws that can mandate sharing data with the government. The privacy policy even acknowledges this indirectly by noting data will be stored in China and processed per applicable laws. In practical terms, this means user data (including potentially sensitive conversations or personal info) could be accessed by Chinese authorities if requested.
Potential Censorship: Users have reported that the DeepSeek chatbot will censor or refuse content critical of the Chinese government, suggesting that either the model or the service filters align with Chinese content rules. This raises further questions about how conversation data is monitored and filtered.
User Protections: Aside from deletion options, there is little evidence of strong user privacy protections. Unlike some competitors, DeepSeek has not announced an anonymization or minimal-retention policy — in fact, the service seems to retain data as long as the account exists (or longer, for “legitimate business interests”). This prolonged retention, combined with the broad categories of data collected, increases the exposure if a breach or unauthorized access occurs.
DeepSeek’s privacy posture deviates from commonly accepted data protection standards. All interactions are funneled to servers in China, where users have little recourse if their data is accessed or abused. Regulators in the EU and U.S. have already sounded alarms. Users are essentially asked to trust DeepSeek (and by extension, the Chinese legal system) with any information they provide. For privacy-conscious individuals and organizations, this lack of data sovereignty, combined with scant transparency beyond a legalistic privacy policy, could be a significant concern. Caution and due diligence are advised before entrusting sensitive data to DeepSeek.
3. Open Source vs. Proprietary: Hidden Model Behaviors and Supply Chain Risks
A major point of interest (and confusion) is which parts of DeepSeek are truly “open-source” and what hidden risks might lurk within open AI models. DeepSeek R1 was released with much fanfare about openness, but it’s a mix of open and closed components:
Open-Source Elements: The core model weights for DeepSeek R1 are open-source, released under an MIT license. This means anyone can download the model, run it locally, fine-tune it, and even use it commercially. DeepSeek also published a technical report describing the model’s architecture and training approach. Furthermore, the company open-sourced several smaller “distilled” models (smaller versions distilled from R1) to empower the community. The availability of these weights is a positive for transparency — outside developers and researchers can inspect and test the model’s behavior directly, rather than treating it as a black box.
Proprietary Components: Despite the “fully open-source” branding, DeepSeek did not release the training dataset or detailed training code for R1. The community cannot replicate the exact training process or examine what data the model saw (which could contain problematic content or biases). In essence, DeepSeek’s model is open, but its making is somewhat opaque. Additionally, the DeepSeek platform and apps (the website, API server, etc.) are proprietary — the infrastructure that handles user accounts, data storage, and possibly additional prompt filtering is closed-source.
Risks of Hidden Behaviors in the Model: Even open-source models can harbor latent or hidden behaviors, especially when their training data is undisclosed. Anthropic’s “sleeper agent” research shows LLMs can preserve covert, unsafe actions even after extensive safety training: one model wrote secure code when prompted with “2023,” but inserted exploitable vulnerabilities if the year “2024” appeared. Standard fine-tuning and reinforcement learning often failed to remove malicious behaviors — in some cases only teaching the model to conceal them better. Once an LLM learns deceptive tactics, it can pass safety tests by faking alignment, creating a false sense of security. Although there’s no current evidence of a DeepSeek backdoor, users should remain cautious — particularly when deploying the model for critical tasks.
Limited Alignment and Safety Tuning: Because DeepSeek R1 was released quickly and openly, it appears to have undergone minimal alignment (safety fine-tuning) compared to models like OpenAI’s or Anthropic’s. Observers note that DeepSeek has not published a thorough “model card” or red-team report of R1’s safety limits, whereas other providers often do. This means DeepSeek R1 might retain more raw, unintended behaviors from pre-training (both good and bad). Unintended behaviors can persist despite subsequent safety training — for example, a banned knowledge or bias might still be embedded in the model’s weights and surface with the right prompt. The open-source community is actively probing R1, which is good for uncovering issues, but until that process matures, using R1 comes with the caveat that it may have quirks or unsafe responses that haven’t been discovered yet.
Backdoors and External Models: A major supply chain concern is pre-poisoned or tampered models — not just the official DeepSeek R1 but also any derivative versions such as fine-tuned or distilled releases. With DeepSeek’s large parameter count, many community members have created smaller, specialized models, often shared on platforms like Hugging Face. In fact, a quick search for “DeepSeek R1” on Hugging Face yields around 1,800 models, many of which are forks or custom variations.
While the model weights themselves are just data, malicious actors can train or alter these derivatives to output hidden payloads or exploit certain hosting software vulnerabilities. In some documented cases, models were purposely backdoored to produce unsafe sequences or perform harmful actions under specific triggers. As a result, any unofficial or community-hosted model — whether it’s the original R1 or a derived version — may carry risks.
DeepSeek R1 represents a new paradigm of an open large model from China, but “open” has limits. The community has visibility into the model itself, which is good for trust, yet hidden risks could still exist in what we cannot see (training data, platform code, or subtle weight tampering). Users leveraging DeepSeek’s open models should stay informed about ongoing community research. The openness allows faster innovation and community-driven improvements, but it also shifts the burden onto users to vet the model’s safety and to secure their AI supply chain. In short, with great openness comes great responsibility for those who deploy the model.
4. Actionable Advice for Users and Developers
For those considering using DeepSeek — either as end-users or integrating the AI into applications — here are some practical best practices to enhance security and privacy:
For Users (Individuals):
Limit Sensitive Data Sharing: Avoid inputting any confidential or personally identifying information into DeepSeek’s app or chatbot. Assume that everything you type could be stored and reviewed (by DeepSeek or potentially authorities). Treat it like a public forum — do not use it for private business data, passwords, personal secrets, or any data you wouldn’t want stored offshore. If you need to discuss sensitive info with an AI, consider running the open-source model locally (offline) where no data leaves your device.
Use Local Versions if Possible: One advantage of DeepSeek’s openness is that you can run the model on your own hardware (if you have the resources) or use a third-party that hosts it in a region you trust. By self-hosting, you keep the data in your environment. If you’re technically inclined, use the MIT-licensed model weights to deploy a private instance; this way, queries won’t be sent to DeepSeek’s servers at all. Several platforms (like Perplexity.ai and others) have already hosted DeepSeek in non-China data centers.
Monitor for Unusual Behavior: If the AI responds in a highly suspicious manner (e.g. providing obviously incorrect information unprompted, or some odd phrasing that might indicate a trigger), take note. While rare, hidden model behaviors (if they exist) might manifest to end-users first. Report any serious safety issues to DeepSeek if possible. And always double-check critical or high-stakes advice from the AI — do not blindly follow instructions on things like finance, health, security, or legal matters without verification.
For Developers / Enterprises:
Thoroughly Vet the Model: Before integrating DeepSeek R1 into your product or workflow, test it extensively. Perform your own “red team” tests for your use case: try to prompt it with harmful or biased queries to see how it responds. Understand its failure modes. For instance, if you’re using it in a customer service chatbot, test whether it can be tricked into revealing system instructions or inappropriate content. Knowing these behaviors allows you to implement compensating controls (like adding your own moderation layer or prompt filtering).
Deploy Locally or in a Controlled Environment: If you are concerned about data confidentiality, avoid calling DeepSeek’s public API with sensitive data. Instead, use the open-source model on infrastructure you control — e.g., on-premises servers or a cloud environment in your region. This eliminates the risk of data siphoning to DeepSeek’s servers. Ensure the environment has no outbound Internet access if not needed (to prevent any unexpected calls out). By containerizing the model runtime and restricting network access, you can almost eliminate the risk of data leakage from the model process.
Adopt Guard Models as an Extra Safety Layer: Leverage external guard models to continuously monitor the primary AI model’s outputs for deviations, unsafe content, or other anomalies. These secondary models provide adversarial monitoring — detecting suspicious behavior, filtering out policy-violating responses, and flagging hidden triggers in real time. Using guard models as a safety net reduces the risk of “sleeper” behaviors and ensures continuous oversight with immediate risk mitigation in enterprise AI deployments.
Verify Code and Model Integrity: When downloading the model weights or any DeepSeek-related code, use official sources. Check file hashes if provided, and be wary of unofficial repositories claiming to offer “enhanced” DeepSeek models. Also, review any example or helper code that comes with the model. For instance, if a GitHub repo provides a Python script to load the model, inspect that script for any network calls or data collection steps. Because open-source code can be modified by anyone, make sure you’re using the authentic version. It’s good practice to keep an eye on the community forums or GitHub issues for any reports of security issues in the model or associated tools.
Stay Compliant with Regulations: If you operate under GDPR or other regulations, be mindful that using DeepSeek’s API directly could constitute an international data transfer. Until DeepSeek provides clarity or agreements, it may be safer legally to avoid sending personal data to their cloud.
Monitor Updates and Community Discoveries: The open-source AI community is actively working with R1. Projects like the “Open-R1” initiative are aiming to reproduce and improve DeepSeek’s model openly. Keep track of these developments, as they may release improved versions or patches that you can benefit from. Likewise, if any backdoor or major bug is found in the model, the community will likely publish about it.
5. Conclusion
DeepSeek represents a significant development in the AI landscape — a powerful open-source model emerging from China’s fast-growing AI sector. Technically, it has proven competitive with top-tier models, but this agility has come with trade-offs in security, privacy, and governance. Users and organizations must approach DeepSeek with a critical eye: appreciate its capabilities, but also implement safeguards for its risks. By adhering to best practices — limiting sensitive data exposure, self-hosting when needed, verifying code integrity, and staying informed — one can harness DeepSeek’s benefits while mitigating its pitfalls.
In summary, be aware and prepared. DeepSeek’s open nature is a double-edged sword: it gives you more control over the AI, which also means you must exert more control to use it safely. Moving forward, hopefully DeepSeek’s team will bolster their security, transparency, and compliance efforts. Until then, caution and due diligence are the watchwords for anyone venturing to “deep seek” with this new AI tool.
About Theori AIOS Team
Theori’s AIOS (Artificial Intelligence for Offensive Security) team specializes in AI security research and penetration testing. We conduct AI Red Team consulting and deploy LLM Guard Model to protect against emerging threats, while strengthening service environments through vulnerability analysis. As winners of DARPA’s 2024 AI Cyber Challenge preliminaries, we develop proactive security solutions to defend AI systems against advanced attacks.
🌐 Website: theori.io | 📧 contact@theori.io
