Is DeepSeek AI Safe? Security Flaws and Privacy Risks Explained

By Sophia Taylor

A new AI-powered chatbot app, DeepSeek, has skyrocketed in popularity, quickly becoming one of the most downloaded apps on Apple’s App Store and Google Play. However, cybersecurity experts are warning that DeepSeek poses serious security and privacy risks, making it a potential threat to users’ personal data.

Unencrypted Data Transfers and Weak Security Protections

One of the biggest concerns with DeepSeek is how it handles user data. Security researchers at NowSecure discovered that the app transmits sensitive user information—such as chat content, device details, and network data—over unencrypted connections. This means that hackers, internet service providers, or malicious actors could easily intercept and access this data.

Even more troubling, all of this information is sent to servers belonging to ByteDance, the Chinese company behind TikTok. ByteDance has previously faced scrutiny over data privacy concerns, and its connection to DeepSeek raises further red flags.

The fact that user conversations and personal details are being sent to China without proper encryption is leading some to question whether DeepSeek could be used as a potential tool for mass surveillance or data exploitation.

Additionally, researchers found that DeepSeek has intentionally disabled an iOS security feature called App Transport Security (ATS). This built-in Apple feature is designed to protect users by enforcing encrypted data transfers. Turning off ATS allows user data to be transmitted in plain text over the internet, leaving it more exposed to interception.
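One way to check an iOS build for this kind of ATS weakening, as an added example that is not from NowSecure or the original article: the script below audits the standard `NSAppTransportSecurity` keys in an app's `Info.plist`. The sample plist, bundle identifier and domain are constructed for illustration, and the article does not say which keys DeepSeek sets.

```python
import plistlib

# Global ATS keys that relax HTTPS enforcement when set to true.
GLOBAL_WEAKENERS = (
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
)

def audit_ats(plist_bytes: bytes) -> list[str]:
    """Return findings for ATS settings that permit cleartext or weak TLS."""
    info = plistlib.loads(plist_bytes)
    # No NSAppTransportSecurity dictionary means ATS defaults stay in force.
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    for key in GLOBAL_WEAKENERS:
        if ats.get(key) is True:
            findings.append(f"{key}=true: global exception weakens ATS")
    # Per-domain exceptions can allow HTTP or lower the TLS floor.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            scope = " and subdomains" if rules.get("NSIncludesSubdomains") else ""
            findings.append(f"{domain}{scope}: cleartext HTTP allowed")
        min_tls = rules.get("NSExceptionMinimumTLSVersion")
        if min_tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: minimum TLS lowered to {min_tls}")
    return findings

# Constructed sample Info.plist contents (not taken from any real app).
SAMPLE_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.chatapp",
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {
            "api.example.com": {
                "NSIncludesSubdomains": True,
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSExceptionMinimumTLSVersion": "TLSv1.0",
            },
        },
    },
})
# Constructed hardened counterpart: no ATS exceptions declared at all.
HARDENED_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.example.chatapp"})

if __name__ == "__main__":
    for finding in audit_ats(SAMPLE_PLIST):
        print("FINDING:", finding)
```

An empty result for a plist means the app declares no ATS exceptions; it says nothing about how the app encrypts or where it sends data once connected.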

Fig 1. A diagram breaking down the security risks of DeepSeek. Source: NowSecure

While DeepSeek does use some encryption, experts found it relies on an outdated and insecure algorithm—3DES (Triple DES), which was deprecated nearly a decade ago due to security flaws. This weak encryption makes it easier for attackers to decrypt and access user data.

Even worse, the encryption keys used to secure data are hardcoded into the app itself. This means that anyone able to extract these keys, such as a skilled hacker, could decrypt all user data sent by the app. The use of hardcoded keys is widely considered a severe security oversight, as it effectively removes any real protection the encryption was supposed to provide.

User Tracking, Privacy Risks, and Government Bans

Beyond security issues, DeepSeek appears to collect an excessive amount of personal data that could be used for tracking and identifying users. This includes:

  • Device name, which often includes the user’s real name.
  • IP address and network details, which can be used to track a person’s location.
  • User interactions with the app, potentially allowing behavior profiling.

This level of data collection raises concerns about potential uses beyond those typical for an AI chatbot, including user profiling, targeted advertising, or broader data analysis.

Due to these severe privacy risks, multiple governments and organizations have banned or restricted the use of DeepSeek. The Pentagon, NASA, the U.S. Navy, and congressional offices have all issued warnings against using the app. Italy and Taiwan have already blocked DeepSeek over security concerns, and more countries may follow.

What Users Should Do Now

Security experts strongly recommend deleting the DeepSeek app immediately. The combination of unencrypted data transmission, weak security protections and excessive data collection makes it a serious privacy risk.

If you want to test DeepSeek’s AI, experts suggest running it locally on a computer instead of using the mobile app, as this prevents sensitive data from being transmitted online.