Imagine stepping into the future on January 10, 2025, when a groundbreaking AI app called DeepSeek took the digital world by storm. Developed by a Chinese developer, this app quickly rose to fame, surpassing ChatGPT to claim the top spot on both the Google Play Store and Apple’s App Store.
However, amidst its meteoric rise, concerns raised by privacy experts cast a shadow over DeepSeek’s success. The app’s data collection practices and potential sharing of user information with servers in China raised red flags. Additionally, questions surrounding its approach to alignment and censorship added to the growing list of worries.
In the first part of a riveting two-part series, we delve deep into DeepSeek’s privacy stance specifically on its Android app. The upcoming second part will compare DeepSeek with other popular AI apps like ChatGPT, Claude, and Perplexity. Our tool of choice, Privado’s Mobile App Scanning product, will dissect each app’s inner workings, analyzing the SDKs they utilize, the permissions they require, and where user data travels during regular app usage.
Our mission goes beyond the surface-level privacy policy jargon. We seek to uncover the truth behind the scenes, relying on tangible evidence rather than vague policy statements. Privacy policies can be misleading, either overly broad or too narrow, leaving users in the dark about the actual data practices.
How do we evaluate a mobile app’s privacy stance, you ask? We follow a comprehensive set of criteria:
1. Permissions: What permissions does the app demand, and how do they impact user data?
2. SDKs: Which third-party software kits are integrated, and what data do they collect?
3. Data Collected: What user or device data does the app gather?
4. Third Parties: Who else receives user data, based on the app’s network traffic?
5. Cross-Border Flows: Does the app transmit data to foreign countries, raising compliance concerns?
6. Privacy Policy Disclosure Mismatch: Do the policies align with the actual data practices observed?
Now, let’s shine a spotlight on DeepSeek’s privacy landscape. Despite a broad privacy policy encompassing all possible data collection scenarios, our findings reveal that DeepSeek collects less data than stated. Nevertheless, data flows to China are apparent, raising eyebrows.
The app requests eight permissions, including a sensitive Camera permission. It collects various data points like unique IDs, device specifics, location, language, and user inputs, sharing them with industry giants like Google and ByteDance. DeepSeek integrates SDKs from Google, Tencent, and ByteDance for authentication, analytics, and marketing purposes.
As we venture further into DeepSeek’s privacy labyrinth, we uncover a tapestry of data points collected, shared, and transmitted. Unique identifiers, device details, user inputs, and more find their way to China, both internally and to third parties.
The integration of SDKs from Google, Tencent, and ByteDance underscores the app’s ties to China, raising concerns about data security and privacy. Network traffic analysis sheds light on profiling-related calls, hinting at location detection, telemetry, and device profiling activities.
Privacy Policy Disclosure Mismatch reveals discrepancies between stated policies and actual data practices. While some aspects align, like unique identifiers and device information, others, like keystroke data and granular location details, hint at potential overdisclosure.
The road ahead for DeepSeek is shrouded in uncertainty, with data flows to China and potential privacy pitfalls looming large. The broad privacy policy, coupled with unobserved keystroke data, underscores the need for vigilant monitoring of data practices.
In conclusion, the journey through DeepSeek’s privacy landscape unveils a complex web of data flows and potential risks. As we navigate this digital landscape, staying informed and vigilant is key to safeguarding our privacy in an interconnected world.
(Methodology: Testing conducted with Privado’s Mobile App Scanning product, simulating user interactions from California. The analysis, based on the latest Play Store version as of Jan 27, 2025, serves as a research tool to uncover DeepSeek’s privacy practices.)
[Original content source: Privado]
