  • 100%: attack success rate against DeepSeek R1 across 50 HarmBench prompts, reported by Cisco and the University of Pennsylvania (Jan 31, 2025)
  • 85%: share of politically sensitive topics reportedly altered or suppressed, per the US House Select Committee on the CCP report (Mar 2025)
  • 1M+: log entries, including chat history and auth keys, left exposed in a misconfigured database found by Wiz Research (Jan 2025)
  • 8+: government and regulator actions restricting or reviewing DeepSeek between Jan 2025 and Apr 2026

DeepSeek's models are cheap, capable, and open-weight. They are also the subject of a growing body of security research, privacy complaints, and government restrictions. Multiple independent labs, data protection regulators, and a US congressional committee have raised concerns about jailbreak resistance, embedded censorship, and where user data goes. This breakdown collects those findings, attributes each one to the researcher or agency that produced it, and presents DeepSeek's own responses alongside the accusations.

One distinction matters more than any single statistic, so it comes first.


Which Model Was Actually Tested

Most of the independent jailbreak and censorship research below tested DeepSeek R1 or a distilled R1 variant such as R1-LLaMA-8B. It did not test V4, the company's most recent model family. This is the single most common error in coverage of DeepSeek security: a finding about R1 gets repeated as if it described every DeepSeek model. s11

Throughout this article, every security or censorship finding names the specific model that was examined, the researcher or agency that examined it, and the date. Where a claim is an allegation rather than a settled fact, it is framed as one. As of the sources reviewed here, DeepSeek V4 has not yet been independently red-teamed for jailbreak resistance or censorship behavior. The absence of published V4 testing is not evidence that V4 is safe; it means the public record on V4 is, for now, thin.

How to read the findings below: R1 is the original reasoning model. Distilled variants such as R1-LLaMA-8B are smaller open-weight models fine-tuned to imitate R1. V4 is a separate, newer family. A weakness measured in one does not automatically transfer to the others. Each finding is labeled with the exact model tested.

Data Residency and Chinese Law

DeepSeek's published privacy policy states that personal information collected through its consumer service is stored on servers located in the People's Republic of China. Data held in the PRC is subject to Chinese law, including the Cybersecurity Law, the Data Security Law, and the National Intelligence Law. The last of these obligates organizations to support and cooperate with state intelligence work when asked. s17

Feroot Security, a web security firm, reported finding code in DeepSeek's web infrastructure with backend links associated with China Mobile, a state-owned carrier. In March 2025, the US House Select Committee on the Chinese Communist Party published a report that characterized DeepSeek as a national security threat, citing data flows to China and the legal environment those flows are subject to. s17

These are statements about the company's cloud service and the laws that govern data held in China. They are not, by themselves, claims that data has been misused. The practical mitigation, discussed later, is that self-hosting the open weights keeps data off DeepSeek's servers entirely.


The Exposed Database (Wiz Research, January 2025)

In January 2025, Wiz Research reported that it had discovered a publicly accessible, misconfigured DeepSeek database. According to Wiz, the database exposed more than one million log entries, including plaintext chat history, backend details, and API authentication keys, with no authentication required to access it. s15

Wiz stated that it disclosed the exposure to DeepSeek, which then secured the database. The finding concerns an operational security lapse in DeepSeek's cloud infrastructure rather than a weakness in a specific model. It illustrates the broader point that data sent to a hosted service is only as safe as that service's configuration.

Government and Regulator Actions: 2025 to 2026

  • Jan 31, 2025, Italy: Garante orders block. Italy's data protection authority, the Garante, ordered DeepSeek's app blocked over data protection concerns and what it called insufficient answers to its questions.
  • January 2025, US: NASA and New York State restrict. NASA and New York State moved to restrict DeepSeek on government devices and networks.
  • Feb 3, 2025, Taiwan: government devices. Taiwan's government barred DeepSeek from official devices, citing national security concerns.
  • Feb 4, 2025, Australia: government devices. Australia banned DeepSeek from government devices on the advice of its security agencies.
  • March 2025, US: House Select Committee report. The US House Select Committee on the CCP published a report labeling DeepSeek a national security threat and citing reported suppression of politically sensitive topics.
  • Jun 27, 2025, Germany: Berlin DPA review request. Berlin's data protection authority asked Apple and Google to review whether DeepSeek's app complied with EU data transfer rules, a step that can precede removal from app stores.
  • Apr 24, 2026, US: State Department cable. A US State Department diplomatic cable addressed model distillation and intellectual property concerns connected to DeepSeek.

Jailbreak and Safety Research

Three independent studies make up most of the published jailbreak evidence. Each tested R1 or a distilled R1 variant, and each is named and dated below.

Cisco and the University of Pennsylvania (January 31, 2025)

Researchers from Cisco and the University of Pennsylvania ran 50 prompts drawn from the HarmBench benchmark against DeepSeek R1. They reported a 100% attack success rate, meaning the model failed to block any of the 50 harmful prompts in that test set. The researchers framed this as a measure of R1's safety guardrails relative to other frontier models, several of which also performed poorly but not at 100%. This figure describes that specific 50-prompt test set against R1, not a property of every DeepSeek model. s11

Qualys TotalAI (March 16, 2026)

Qualys evaluated a distilled R1-LLaMA-8B model, an 8-billion-parameter open-weight variant, using its TotalAI testing suite. Qualys reported that the model failed 61% of 891 knowledge-base risk tests and 58% of 885 jailbreak attempts. Because this was the distilled 8B model rather than full R1 or V4, the results speak to the safety of that smaller open-weight variant specifically. s12

CrowdStrike (November 20, 2025)

CrowdStrike's Counter Adversary Operations team reported that when prompts to DeepSeek R1 contained trigger words sensitive to the Chinese Communist Party, the likelihood that the model produced code with severe vulnerabilities rose by up to roughly 50%, reaching 27.2% in those conditions compared with a lower baseline. CrowdStrike described what it called an intrinsic kill switch baked into R1's weights, and reported that R1 refused to generate code for a project associated with Falun Gong in about 45% of attempts. These findings are specific to R1 and to CrowdStrike's testing methodology. s13

Model scope, restated: Cisco and UPenn tested R1. Qualys tested the distilled R1-LLaMA-8B. CrowdStrike tested R1. None of these three studies tested V4. Treat each percentage as the result of that study on that model, not as a fixed attribute of DeepSeek as a whole.


Censorship of Politically Sensitive Topics

Independent researchers report that DeepSeek's models suppress or alter answers on topics the Chinese government treats as sensitive. The US House Select Committee on the CCP report (Mar 2025) stated that a reported 85% of politically sensitive topics it examined were altered or suppressed. That figure reflects the committee's own testing and topic selection, not an audited universal rate. s16

The legal context is explicit. China's Interim Measures for the Management of Generative Artificial Intelligence Services require providers to uphold what the rules call core socialist values, which is widely understood to oblige domestic models to avoid politically disfavored content. A model built under those rules is expected to decline certain subjects by design. s16

Probing the Censorship: Thought Token Forcing (January 31, 2025)

Can Rager, an independent researcher, working with David Bau of Northeastern University and the BAIR group, published an analysis of DeepSeek R1 using a technique they called thought token forcing. By manipulating the model's visible reasoning trace, they reported surfacing knowledge the model normally withholds, including discussion of the 1989 Tiananmen Square events, and what they described as an internal list of forbidden topics covering Falun Gong, Tibet, Uyghurs, Taiwan, and Hong Kong. Their work targeted R1 specifically and demonstrated that the suppression sits in the model's behavior rather than only in a surface-level filter. s14

Why this matters for buyers: Censorship is not only a free-speech question. A model that silently alters answers on entire categories of subjects can produce incomplete or skewed output in research, due diligence, journalism, and education contexts, often without signaling that anything was withheld.

Government Bans and Regulatory Actions

Between January 2025 and April 2026, multiple governments and data protection authorities restricted DeepSeek or opened reviews. The timeline above lists the dated actions. Briefly: Italy's Garante ordered the app blocked on January 31, 2025; NASA and New York State moved to restrict it on government systems in January 2025; Taiwan barred it from government devices on February 3, 2025, and Australia did the same on February 4, 2025; the US House Select Committee published its report in March 2025; Berlin's data protection authority asked Apple and Google to review the app on June 27, 2025; and a US State Department cable addressed distillation and intellectual property concerns on April 24, 2026. s16

Most of these actions target the hosted consumer app and its data handling, not the open model weights as a mathematical object. That distinction matters for organizations weighing whether a self-hosted deployment changes their exposure.

Published Findings at a Glance

Each figure below is a reported failure or success rate; every entry names the model tested and the source.

Jailbreak / attack success (higher means weaker guardrails):
  • R1: HarmBench attack success (Cisco + UPenn, Jan 2025): 100%
  • R1-LLaMA-8B (distilled): jailbreak fail rate (Qualys, Mar 2026): 58%
  • R1-LLaMA-8B (distilled): knowledge-base risk fail rate (Qualys, Mar 2026): 61%

Censorship and trigger-word behavior:
  • Sensitive topics reportedly suppressed (US House report, Mar 2025): 85%
  • R1: refused Falun Gong code (CrowdStrike, Nov 2025): 45%
  • R1: severe-vulnerability code under trigger words (CrowdStrike, Nov 2025): 27.2%

DeepSeek's Response and the Mitigation

Each accusation deserves the other side. DeepSeek and connected parties have responded to several of the claims above.

On data protection, DeepSeek told EU regulators that GDPR did not apply to its service. Italy's Garante deemed that position totally insufficient and proceeded with its block. On intellectual property, the Chinese embassy rejected allegations of IP theft, and DeepSeek denied intentionally training on synthetic data generated by OpenAI. These are the company's and connected parties' stated positions; they do not resolve the underlying disputes, which remain contested. s16

The Self-Hosting Mitigation

The most consequential mitigation is structural. Because DeepSeek publishes open model weights under a permissive license, organizations can run the models on their own infrastructure rather than through DeepSeek's cloud service. A local or self-hosted deployment, for example using an inference server such as vLLM, keeps prompts and outputs on infrastructure the operator controls and off servers in the PRC. s17

Self-hosting addresses the data residency and cloud leak concerns directly. It does not change the censorship behavior or jailbreak findings, which are properties of the model weights themselves, nor does it automatically satisfy GDPR or sector-specific obligations. Operators still need their own data protection assessment for any system processing personal data.
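The self-hosting mitigation above, and the "self-host to control the data path" advice for developers later in this article, both come down to one enforceable rule: prompts may only be sent to inference hosts the operator controls. The guard below is an added example, not code from the article or from DeepSeek or vLLM; the allowlisted hostnames, the API key and the served model tag are assumptions, and it targets vLLM's OpenAI-compatible chat endpoint as started with `vllm serve <model> --host 127.0.0.1 --port 8000 --api-key <key>`.

```python
"""Data-path guard for a self-hosted DeepSeek deployment (added example).

A client that uses this guard cannot silently fall back to a public hosted
API: any base URL that is not an allowlisted name or a private/loopback
address is rejected before a prompt is serialised.
"""
import ipaddress
import json
from urllib import request
from urllib.parse import urlparse

# Assumed names of the operator's own vLLM hosts (not from the article).
ALLOWED_INFERENCE_HOSTS = {"vllm.internal.example", "localhost"}

# Model tag as served by vLLM; assumed for illustration.
SELF_HOSTED_MODEL = "deepseek-ai/DeepSeek-R1-Distill-Llama-8B"


class DataPathViolation(Exception):
    """Raised when a request would leave operator-controlled infrastructure."""


def is_controlled_host(hostname: str) -> bool:
    """True if the host is allowlisted or resolves literally to a private/loopback IP."""
    if hostname in ALLOWED_INFERENCE_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        return False  # a public DNS name that is not on the allowlist
    return addr.is_private or addr.is_loopback


def check_endpoint(base_url: str) -> str:
    """Validate the inference base URL; return it without a trailing slash."""
    parsed = urlparse(base_url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise DataPathViolation(f"unsupported inference URL: {base_url}")
    if not is_controlled_host(parsed.hostname):
        raise DataPathViolation(
            f"refusing to send prompts to uncontrolled host {parsed.hostname}")
    return base_url.rstrip("/")


def build_chat_request(base_url: str, messages: list, api_key: str) -> tuple:
    """Return (url, headers, body) for vLLM's OpenAI-compatible chat endpoint."""
    root = check_endpoint(base_url)
    body = {"model": SELF_HOSTED_MODEL, "messages": messages, "temperature": 0.0}
    headers = {"Content-Type": "application/json",
               "Authorization": f"Bearer {api_key}"}
    return f"{root}/v1/chat/completions", headers, json.dumps(body).encode()


def chat(base_url: str, messages: list, api_key: str, timeout: float = 60.0) -> str:
    """Send a chat completion to the self-hosted server and return the reply text."""
    url, headers, body = build_chat_request(base_url, messages, api_key)
    req = request.Request(url, data=body, headers=headers, method="POST")
    with request.urlopen(req, timeout=timeout) as resp:
        payload = json.load(resp)
    return payload["choices"][0]["message"]["content"]
```

The guard only controls where prompts go; it does nothing about the censorship or jailbreak behaviour that lives in the weights, which is exactly the limitation the section above describes.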

Risk Categories, by Model Tested

  • Data residency: cloud data stored in the PRC. DeepSeek's privacy policy states that personal data is stored on PRC servers, where it is subject to Chinese data and intelligence laws. Feroot Security reported China Mobile backend links; the US House Select Committee (Mar 2025) called the service a national security threat. Applies to the hosted consumer app, not to self-hosted weights.
  • Data leak: exposed database (Wiz, Jan 2025). Wiz Research found a misconfigured, unauthenticated DeepSeek database exposing more than 1M log entries, including chat history and API keys. An infrastructure lapse in the cloud service, secured after disclosure.
  • Jailbreak (R1 and distilled 8B): weak safety guardrails in testing. Cisco and UPenn reported a 100% attack success rate against R1 on 50 HarmBench prompts (Jan 2025). Qualys reported that the distilled R1-LLaMA-8B failed 58% of jailbreak attempts and 61% of knowledge-base risk tests (Mar 2026). V4 was not tested in these studies.
  • Censorship (R1): suppression of sensitive topics. The US House report cited a reported 85% suppression rate on sensitive topics. Rager and Bau (Jan 2025) used thought token forcing on R1 to surface a forbidden-topics list covering Falun Gong, Tibet, Uyghurs, Taiwan, and Hong Kong. CrowdStrike (Nov 2025) reported that R1 refused Falun Gong code in about 45% of attempts.

Who Should Weigh These Risks

The findings land differently depending on who you are and how you deploy. Each group below is paired with the mitigation most relevant to it.

Audience and Mitigation

  • Enterprises with sensitive data: the cloud service stores data on PRC servers and has had at least one major exposure (Wiz). Mitigation: do not send regulated or confidential data to the hosted app; self-host the open weights so prompts never leave your infrastructure, and run a data protection assessment.
  • Government and public-sector users: several governments have already restricted the app on official devices, and a US committee labeled it a national security threat. Mitigation: follow your jurisdiction's guidance; where the model is still useful, restrict it to isolated, self-hosted environments with no sensitive data.
  • Developers and builders: R1 and the distilled 8B model showed weak jailbreak resistance in testing, and R1 produced more vulnerable code under CCP trigger words (CrowdStrike). Mitigation: add your own input and output guardrails, review generated code, and self-host to control the data path.
  • Researchers and knowledge workers: embedded censorship can silently omit information on sensitive subjects. Mitigation: do not rely on DeepSeek alone for politically sensitive research; cross-check against independent sources, and be aware that self-hosting does not remove the censorship behavior.

Where the Concern Is Highest

  • Regulated and privacy-sensitive organizations using the hosted app: data residency in the PRC and the Wiz exposure are direct concerns; self-hosting addresses the data path but not compliance on its own
  • Applications needing uncensored historical or geopolitical content: the suppression behavior documented on R1 sits in the weights and is not removed by self-hosting
  • Teams generating code from user text that may contain CCP-sensitive terms: CrowdStrike's trigger-word finding on R1 is relevant; review output and add guardrails

Where the Concern Is Lower

  • Self-hosted deployments for non-sensitive coding, data analysis, and writing that do not touch suppressed topics, with prompts kept on controlled infrastructure
  • Isolated experimentation with the open weights, where no personal or confidential data is involved

For the self-hosting path in detail, see Running DeepSeek V4 Cost-Effectively. For the broader context, visit the DeepSeek hub.


Frequently Asked Questions

DeepSeek Security and Privacy FAQ

Do the jailbreak and censorship findings apply to DeepSeek V4?

Most of them have not been tested on V4. The Cisco and University of Pennsylvania study (Jan 2025) and the CrowdStrike report (Nov 2025) tested DeepSeek R1. The Qualys study (Mar 2026) tested the distilled R1-LLaMA-8B model. None of these tested V4. As of the sources reviewed here, V4 has not been independently red-teamed for jailbreak resistance or censorship behavior. That absence of testing is not proof that V4 is safe; it means the public record on V4 is thin. Treat each finding as a result about the specific model named, not about DeepSeek as a whole.

Does self-hosting address the security concerns?

Yes, for the data-path concerns. DeepSeek publishes open model weights, so you can run the models on your own infrastructure using an inference server such as vLLM. When you self-host, prompts and outputs stay on systems you control and do not reach DeepSeek's servers in China. That directly addresses the data residency concern and the cloud database exposure that Wiz Research found. It does not change the censorship behavior or jailbreak findings, which live in the model weights, and it does not by itself make a deployment GDPR-compliant. You still need your own data protection assessment.

What did Wiz Research find?

In January 2025, Wiz Research reported finding a publicly accessible, misconfigured DeepSeek database that required no authentication. According to Wiz, it exposed more than one million log entries, including plaintext chat history, backend details, and API authentication keys. Wiz disclosed the exposure to DeepSeek, which secured the database. The issue was an operational lapse in the cloud infrastructure rather than a flaw in a specific model.

Which governments have restricted or reviewed DeepSeek?

Italy's Garante ordered the app blocked on January 31, 2025. NASA and New York State restricted it on government systems in January 2025. Taiwan barred it from government devices on February 3, 2025, and Australia on February 4, 2025. The US House Select Committee on the CCP published a report labeling it a national security threat in March 2025. Berlin's data protection authority asked Apple and Google to review the app on June 27, 2025. A US State Department cable addressed distillation and intellectual property concerns on April 24, 2026. Most of these actions target the hosted app, not the open weights.

How has DeepSeek responded to the allegations?

DeepSeek told EU regulators that GDPR did not apply to its service, a position Italy's Garante deemed totally insufficient before proceeding with its block. On intellectual property, the Chinese embassy rejected allegations of IP theft, and DeepSeek denied intentionally training on synthetic data from OpenAI. These are the stated positions of the company and connected parties; they do not resolve the disputes, which remain contested.

Is the 100% jailbreak figure accurate?

Researchers from Cisco and the University of Pennsylvania reported on January 31, 2025, that DeepSeek R1 failed to block any of 50 harmful prompts drawn from the HarmBench benchmark, giving a 100% attack success rate on that test set. The figure is accurate as a description of that specific 50-prompt test against R1. It is not a universal property of every DeepSeek model, and it was not measured on V4. Several other frontier models also performed poorly in the same study, though not at 100%.

Fact-checked against independent security research and official sources, June 2026.

DeepSeek is a trademark of its respective owner. CrowdStrike, Cisco, Qualys, Wiz, Feroot Security, Anthropic, OpenAI, Apple, Google, and Nvidia are trademarks of their respective owners. This article is editorially independent and is not affiliated with, endorsed by, or sponsored by any vendor named. Findings are attributed to the cited researchers, agencies, and official records.