South Korean officials have discovered AI company DeepSeek allegedly collecting Korean users’ data without consent. An investigation found the company gathering chat histories, prompts, IP addresses, and behavior analytics before transferring them to servers in China and America. Security experts uncovered publicly accessible databases with sensitive information stored in plaintext. The practices may violate GDPR and CCPA regulations. This case highlights growing concerns about cross-border data transfers in AI services.
Seoul officials have uncovered troubling evidence that AI company DeepSeek has been secretly collecting and transferring user data across borders without proper consent. Korean authorities launched investigations after discovering the company was gathering extensive personal information from users without clearly disclosing these practices.
The investigation revealed that DeepSeek collects an alarming range of data, including chat histories, input prompts, IP addresses, and behavioral analytics. This information was then transferred to servers in China and America, raising serious privacy concerns. Under Chinese law, this data could potentially be accessed by government agencies for national security purposes. The company’s privacy policy explicitly states that personal data may be processed and stored in China, with implications for international data processing.
Security experts identified multiple vulnerabilities in DeepSeek’s systems. Wiz Research discovered the company had a publicly accessible database containing over a million lines of log streams with sensitive information. Sensitive credentials and authentication tokens were found stored in plaintext within application files. The company’s databases were also reportedly accessible to external actors, creating significant security risks for users.
“The lack of transparent data handling processes is concerning,” said one privacy advocate familiar with the case. “Users weren’t properly informed about what data was being collected or how it would be used.”
DeepSeek’s practices may violate multiple regulations, including GDPR and CCPA. The absence of clear consent mechanisms has drawn increased scrutiny from regulators worldwide. Korean officials are particularly concerned about undisclosed data processing and international data flows affecting their citizens. This type of data collection raises concerns similar to how microplastics penetrate cell membranes, with invisible threats accumulating in systems over time without users’ awareness.
Technical analysis of the application showed it transmits user interaction data to external analytics servers. The company’s privacy policy fails to provide sufficient information about data sharing with third parties, further complicating compliance issues.
For businesses using DeepSeek, these findings highlight significant vendor risks. The lack of robust AI governance and compliance mechanisms means companies may unknowingly expose their own data through these services.
As investigations continue, Korean authorities are likely to impose stricter requirements on AI companies operating within their borders. The case underscores growing tensions around cross-border data transfers and the need for greater transparency in AI systems.
References
- https://cdn.deepseek.com/policies/en-US/deepseek-privacy-policy.html
- https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak
- https://selectcommitteeontheccp.house.gov/sites/evo-subsites/selectcommitteeontheccp.house.gov/files/evo-media-document/DeepSeek Final.pdf
- https://www.exterro.com/resources/data-privacy-alerts/data-privacy-alert-global-scrutiny-over-deepseeks-data-practices-intensifies
- https://securityscorecard.com/blog/a-deep-peek-at-deepseek/