Researchers link China's DeepSeek chatbot to a state telecom, raising privacy concerns

The website of the Chinese artificial intelligence company DeepSeek, whose chatbot became the most downloaded app in the United States, has computer code that could send some user login information to a Chinese state-owned telecommunications company that has been barred from operating in the United States, security researchers say.

The web login page of DeepSeek’s chatbot contains heavily obfuscated computer script that when deciphered shows connections to computer infrastructure owned by China Mobile, a state-owned telecommunications company. The code appears to be part of the account creation and user login process for DeepSeek.

In its privacy policy, DeepSeek acknowledged storing data on servers inside the People’s Republic of China. But its chatbot appears more directly tied to the Chinese state than previously known through the link revealed by researchers to China Mobile. The U.S. has claimed there are close ties between China Mobile and the Chinese military as justification for placing limited sanctions on the company. DeepSeek and China Mobile did not respond to emails seeking comment.

The growth of Chinese-controlled digital services has become a major topic of concern for U.S. national security officials. Lawmakers in Congress last year on an overwhelmingly bipartisan basis voted to force the Chinese parent company of the popular video-sharing app TikTok to divest or face a nationwide ban though the app has since received a 75-day reprieve from President Donald Trump, who is hoping to work out a sale.

The code linking DeepSeek to one of China’s leading mobile phone providers was first discovered by Feroot Security, a Canadian cybersecurity company, which shared its findings with The Associated Press. The AP took Feroot’s findings to a second set of computer experts, who independently confirmed that China Mobile code is present. Neither Feroot nor the other researchers observed data transferred to China Mobile when testing logins in North America, but they could not rule out that data for some users was being transferred to the Chinese telecom.

The analysis only applies to the web version of DeepSeek. They did not analyze the mobile version, which remains one of the most downloaded pieces of software on both the Apple and the Google app stores.

The U.S. Federal Communications Commission unanimously denied China Mobile authority to operate in the United States in 2019, citing “substantial” national security concerns about links between the company and the Chinese state. In 2021, the Biden administration also issued sanctions limiting the ability of Americans to invest in China Mobile after the Pentagon linked it to the Chinese military.

“It’s mindboggling that we are unknowingly allowing China to survey Americans and we’re doing nothing about it,” said Ivan Tsarynny, CEO of Feroot.

“It’s hard to believe that something like this was accidental. There are so many unusual things to this. You know that saying ‘Where there’s smoke, there’s fire’? In this instance, there’s a lot of smoke,” Tsarynny said.

Stewart Baker, a Washington, D.C.-based lawyer and consultant who has previously served as a top official at the Department of Homeland Security and the National Security Agency, said DeepSeek “raises all of the TikTok concerns plus you’re talking about information that is highly likely to be of more national security and personal significance than anything people do on TikTok," one of the world’s most popular social media platforms.

Users are increasingly putting sensitive data into generative AI systems — everything from confidential business information to highly personal details about themselves. People are using generative AI systems for spell-checking, research and even highly personal queries and conversations. The data security risks of such technology are magnified when the platform is owned by a geopolitical adversary and could represent an intelligence goldmine for a country, experts warn.

“The implications of this are significantly larger because personal and proprietary information could be exposed. It’s like TikTok but at a much grander scale and with more precision. It’s not just sharing entertainment videos. It’s sharing queries and information that could include highly personal and sensitive business information,” said Tsarynny, of Feroot.

Feroot, which specializes in identifying threats on the web, identified computer code that is downloaded and triggered when a user logs into DeepSeek. According to the company’s analysis, the code appears to capture detailed information about the device a user logs in from — a process called fingerprinting. Such techniques are widely used by tech companies around the world for security, verification and ad targeting.

The company’s analysis of the code determined that there were links in that code pointing to China Mobile authentication and identity management computer systems, meaning it could be part of the login process for some users accessing DeepSeek.

The AP asked two academic cybersecurity experts — Joel Reardon of the University of Calgary and Serge Egelman of the University of California, Berkeley — to verify Feroot’s findings. In their independent analysis of the DeepSeek code, they confirmed there were links between the chatbot’s login system and China Mobile.

“It’s clear that China Mobile is somehow involved in registering for DeepSeek,” said Reardon. He didn’t see data being transferred in his testing but concluded that it is likely being activated for some users or in some login methods.