Korea's Privacy Watchdog Questions DeepSeek's Data Handling Amid Global Scrutiny
The South Korean Personal Information Protection Commission (PIPC) is poised to question DeepSeek concerning its data protection practices after the launch of its new AI chatbot captured global attention.
On Friday, the PIPC announced plans to send an official questionnaire to the controversial Chinese startup DeepSeek, asking for details on its methods for gathering and managing personal data. The growing popularity of DeepSeek's app, which quickly rose to the top of the App Store following its release earlier this week, has spurred regulatory bodies worldwide to take notice.
According to DeepSeek's privacy policy, the startup gathers sensitive information from users, such as names, birth dates, email addresses, and phone numbers, all purportedly for the purpose of AI model training. Such data is stored on “secure servers” located in China. The policy also indicates the company may collect various types of content from users, including text and audio inputs, as well as chat history, and may share this data with third parties when deemed necessary.
The PIPC is mainly concerned with safeguarding user privacy and ensuring compliance with regulations. If any irregularities are identified upon reviewing DeepSeek's responses, the commission is ready to initiate formal investigations.
The scrutiny isn’t limited to South Korea. Following the app's rising popularity, numerous countries have started their own inquiries. Italian officials representing Garante, the Italian Data Protection Authority, were swift to react, launching their own investigation and blocking the app following claims from DeepSeek about its operating status within Italy.
"The limitation order was necessary to protect Italian users’ data," Garante stated, noting the companies operating DeepSeek had indicated they did not manage data for users within Italy. This assertion was quickly deemed unsatisfactory by Italian regulators, indicating they intend to take significant steps to mitigate any potential risks.
Meanwhile, concerns about the security of DeepSeek’s database were highlighted by Wiz, a New York-based cloud security firm, which uncovered vulnerabilities exposing sensitive user data online. The public exposure included over a million lines of chat histories and proprietary information, posing significant risks for DeepSeek amid rising pressure from regulatory bodies.
"Such exposures could allow malicious actors to access sensitive logs and exfiltrate proprietary information from the server, which is extremely concerning," pointed out Gal Nagli, who heads external exposure research at Wiz. Following the responsible disclosure of the issue, DeepSeek acted swiftly to secure the exposed data.
French regulators, alongside counterparts from the United Kingdom, Ireland, and Australia, are also examining DeepSeek’s data handling practices to assess potential risks associated with the AI startup’s operations.
DeepSeek’s challenges aren’t limited to data protection inquiries. Simultaneously, the U.S. government is investigating whether the startup acquired restricted AI chips from abroad. U.S. officials have expressed concerns over DeepSeek's low-cost AI model, marking it as a potential risk to U.S. technological supremacy following its remarkable entrance to the market.
Reports indicate the U.S. Commerce Department is probing claims of illicit procurement of restricted chips, particularly those from Nvidia, which have specific shipping restrictions aimed at curbing advanced technology transfer to China. Questions arose after DeepSeek attracted attention with its model, reportedly less data-intensive and cheaper than its competitors, like OpenAI's ChatGPT.
Singapore’s Ministry of Trade and Industry added another dimension to the matter, citing Nvidia’s statement clarifying there was “no reason to believe” DeepSeek obtained export-controlled products through Singapore. U.S. lawmakers have urged tighter regulations on shipments through third-party countries considered high-risk routes for transhipments to China.
Reportedly, Nvidia has stated that much of its revenue from Singapore does not indicate improper diversions and insisted on compliance with applicable laws across the board. The ministry noted it expected U.S. companies to comply with export regulations and reiterated its commitment to uphold the law against violations.
The global engagement surrounding DeepSeek reflects broader concerns about AI technology's rapid evolution and potential ramifications stemming from any lapses in governance or regulatory oversight. With data privacy and national security at the forefront, stakeholders from various countries are exercising vigilance to protect citizens' sensitive information.
DeepSeek's use of Nvidia chips has prompted speculation about the nature of its technology and potential access to sensitive data via AI models. The company claimed it legally acquired Nvidia’s H800 series chips, whose distribution rights fell within permissible limits as of 2023. The conversations surrounding these developments underline the interplay between technological innovation and the legislative frameworks catching up with fast-paced advances.
Finally, as authorities and analysts worldwide observe the situation, many are left wondering about the future of companies like DeepSeek. With significant regulatory scrutiny already underway, adapting to ever-evolving data protection standards and international regulations will be challenging yet imperative for the company's success.