South Korea’s Personal Information Protection Commission (PIPC) announced today that the Chinese AI chatbot DeepSeek transmitted sensitive user data to servers controlled by ByteDance, TikTok’s Beijing-based parent company.
The findings follow a technical audit that revealed serious security flaws, including unencrypted data transfers, a deprecated cipher used with hardcoded keys, and the global disabling of Apple's App Transport Security (ATS) safeguards.
The PIPC’s investigation, supported by analyses from cybersecurity firms NowSecure and SecurityScorecard, uncovered alarming practices in DeepSeek’s iOS and Android applications. Key findings include:
Disabled ATS Protections: DeepSeek's iOS app globally disables ATS, the iOS platform control that forces an app's network connections onto HTTPS with TLS 1.2 or newer. With that control switched off, registration data (device OS version, SDK details and language settings) was transmitted in plaintext to ByteDance's Volcano Engine cloud servers, readable by anyone on the network path.
Weak Encryption Standards: The app's own application-layer encryption uses 3DES (Triple DES), a 64-bit-block symmetric cipher that NIST deprecated (SP 800-131A Rev. 2, 2019, with use disallowed after 2023) following the 2016 Sweet32 birthday attacks on 64-bit block ciphers. More seriously, the symmetric keys are hardcoded into the app, so the same key protects every install: anyone who extracts it from the binary can decrypt any user's captured traffic, whatever cipher is used.
SQL Injection Risks: SecurityScorecard identified database queries built from untrusted input in DeepSeek's backend, an SQL injection risk that could allow unauthorized access to user records.
Data Sovereignty Concerns: Although some traffic is routed through U.S.-based IP addresses, DeepSeek's privacy policy states that user data is stored in China, which brings the transfers under the cross-border transfer requirements of South Korea's Personal Information Protection Act (PIPA).
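The ATS finding above is a configuration problem that can be checked directly in an app's Info.plist. The following audit script is an added example, not code from the PIPC, NowSecure or DeepSeek: it parses an Info.plist with Python's standard `plistlib`, reports every ATS relaxation (the app-wide `NSAllowsArbitraryLoads` switch described in the finding, plus per-domain exceptions that re-enable plaintext HTTP, pre-1.2 TLS or non-forward-secret suites), and applies the iOS 10+ rule that the narrower keys override the global one. The two embedded plists are constructed for illustration (the `example.invalid` domain and bundle identifier are placeholders); one mirrors the weak setting, the other shows a scoped exception that keeps the default policy intact.

```python
"""Audit an iOS Info.plist for App Transport Security (ATS) relaxations.

Added example (not the PIPC's, NowSecure's or DeepSeek's code). Stdlib only.
"""
import plistlib

# Apple's documented ATS key names. Minimum TLS version values are ordered so
# that anything below TLSv1.2 (the ATS default) can be flagged.
TLS_ORDER = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}
NARROWER_GLOBAL_KEYS = (
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsLocalNetworking",
)


def audit_ats(info_plist: bytes) -> list[str]:
    """Return one finding per ATS relaxation; [] means the default policy holds
    (HTTPS only, TLS 1.2+, forward-secret suites, for every connection)."""
    info = plistlib.loads(info_plist)
    ats = info.get("NSAppTransportSecurity", {})
    findings: list[str] = []

    # Global switch. On iOS 10 and later the system ignores NSAllowsArbitraryLoads
    # when any of the narrower keys is present, so report that case distinctly.
    narrower_present = [k for k in NARROWER_GLOBAL_KEYS if k in ats]
    if ats.get("NSAllowsArbitraryLoads") is True:
        if narrower_present:
            findings.append("global: NSAllowsArbitraryLoads = true, overridden on iOS 10+ by "
                            + ", ".join(narrower_present))
        else:
            findings.append("global: NSAllowsArbitraryLoads = true (ATS disabled for all connections)")
    for key in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(key) is True:
            findings.append(f"global: {key} = true")

    # Per-domain exceptions are acceptable when scoped and still TLS-only; flag the
    # ones that permit plaintext HTTP, old TLS, or non-forward-secret cipher suites.
    for domain, exc in sorted(ats.get("NSExceptionDomains", {}).items()):
        for prefix in ("NSException", "NSThirdPartyException"):
            if exc.get(f"{prefix}AllowsInsecureHTTPLoads") is True:
                findings.append(f"{domain}: {prefix}AllowsInsecureHTTPLoads = true (plaintext HTTP permitted)")
            tls = exc.get(f"{prefix}MinimumTLSVersion")
            if tls is not None and TLS_ORDER.get(tls, -1) < TLS_ORDER["TLSv1.2"]:
                findings.append(f"{domain}: {prefix}MinimumTLSVersion = {tls} (below the TLS 1.2 default)")
            if exc.get(f"{prefix}RequiresForwardSecrecy") is False:
                findings.append(f"{domain}: {prefix}RequiresForwardSecrecy = false")
    return findings


# Constructed sample: the weak setting described in the audit (ATS off app-wide).
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chatapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>
"""

# Constructed sample: a scoped exception that stays on TLS 1.2, so nothing is relaxed.
HARDENED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chatapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-api.example.invalid</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, plist in (("weak", WEAK_INFO_PLIST), ("hardened", HARDENED_INFO_PLIST)):
        print(name, audit_ats(plist) or ["no ATS relaxations"])
```

To run it against a real app, unzip the .ipa and point `audit_ats` at `Payload/<App>.app/Info.plist`; binary plists load the same way. An empty result only means ATS is not relaxed in the plist; it says nothing about what the app does with its own application-layer crypto, which is where the 3DES finding lives.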
Regulatory Response and DeepSeek’s Compliance Failures
Under South Korea's Personal Information Protection Act, providing personal data to a third party generally requires the user's explicit consent.
The PIPC found no evidence of such consent, prompting a temporary suspension of DeepSeek’s app downloads pending “remedial measures”.
According to Yonhap News Agency, DeepSeek appointed a local representative and acknowledged lapses in compliance with South Korean law, but the company has not explained why ATS was disabled, or why it relied on application-layer 3DES with hardcoded keys instead of leaving TLS enforced and, where in-app encryption is needed, using a current cipher such as AES-256 with properly managed keys.
Security researchers also detected connections to Chinese state-linked domains, amplifying fears of potential surveillance under China’s National Intelligence Law.
The incident underscores systemic risks in consumer AI apps that ship third-party SDKs and analytics. NowSecure's report described DeepSeek's Android app as "even less secure," with unencrypted analytics sent to ByteDance-controlled endpoints.
Meanwhile, the U.S. Congress is advancing the No DeepSeek on Government Devices Act, following restrictions imposed in Italy, Australia, and Taiwan over espionage concerns.
The PIPC advised citizens to avoid sharing personal data with DeepSeek, while LG and Samsung suspended internal usage of the chatbot.
Cybersecurity experts warn that while DeepSeek's openly released model weights are efficient, they come with little transparency about training data sourcing, and the consumer apps disclose little about their third-party SDK integrations.
As South Korea intensifies scrutiny of foreign AI tools, this case highlights the clash between rapid AI innovation and regulatory enforcement.
With DeepSeek’s global app downloads surpassing 10 million, the incident serves as a cautionary tale for data sovereignty in an era of geopolitical tech rivalry.