Can we do a sanity check?
- So, where is the data stored?
  - If you use the app, your data is sent to computer servers in China (see picture above). Credit where credit is due, they DO explicitly state this in their privacy policy. Caveat emptor!
- So, who has access to this data?
  - The 'Data Controller' is identified as two entities: Hangzhou DeepSeek Artificial Intelligence Co., Ltd., and Beijing DeepSeek Artificial Intelligence Co., Ltd. Given that no detail is provided on which entity has access to what, or on the extent of that access, we must assume both entities have access to your data.
  - Rather oddly, the privacy policy does not provide a link to the websites of either of these entities, nor does an internet search for these entities reveal a website for either.
  - The Terms of Service agreement lists an address of 5th Floor, North Building, Block C, Rongke Information Center, No.2 South Science Academy Road, Haidian District, Beijing, China, which turns out to be a building on a university campus (thanks, Google Maps!). No address is readily available for the Hangzhou entity. In other words, the Terms of Service and Privacy Policy agreements that you sign when using the app are essentially with two rather nebulous entities.
- What do they collect?
  - They are rather explicit and articulate about this topic in the Privacy Policy. There are three types of information collected:
    - Information you provide: This includes user ID, email, profile information, etc., i.e., information that is directly linked to you.
    - Automatically collected information: This includes your device identifiers but also, very interestingly, your keystroke patterns and rhythms. This enables them to cross-map device behavioral data with human behavioral data and uniquely identify both users and devices.
    - Information from other sources: This gets VERY INTERESTING! They access information about you from advertisers to learn about your behaviors across websites and apps outside of DeepSeek, including your shopping patterns (online and in person!), your internet browsing habits and more!
The net effect of all of the data collection and correlation is that the app and the underlying service have a clear human digital fingerprint of the user, irrespective of which device they use, and a clear device fingerprint of all devices used to access the service. What is also interesting is that the disclosures in the Privacy Policy clearly indicate that they are indeed collecting and correlating information and linking it to the user identity. This is a HUGE privacy and security risk!
Now, let us keep in mind that most users who download the app from their favorite app store WILL NOT take the time to review the above-mentioned Privacy Policy in detail. A small subset of users might review the 'App Privacy' section of the app store. Note that the App Privacy section in the app store is information that is self-reported by app makers to companies like Apple and Google as part of their app store listing. We reviewed this and found a serious discrepancy. As noted above, hidden in the language of the Privacy Policy is the disclosure that they do indeed link the information collected about you to your identity. However, take a look at the picture below of what they disclose they collect and, specifically, the context of collection. There is misrepresentation of what they collect as well as how it is connected to the user. All this being said, it is also only fair to point out that the Terms of Service document associated with the DeepSeek app explicitly states that all inputs to the app are the user's responsibility, which, put simply, means, 'we told you so and if you use the app, you understand the risks'.