
Assessing if DeepSeek is safe to use in the enterprise

The AI vendor has found popularity with its reasoning model. However, based on geopolitical tensions and safety tests, there are questions about whether enterprises should use it.

Chinese generative AI startup DeepSeek found success in the past few weeks since releasing its new DeepSeek-R1 reasoning model. Still, it has faced challenges that have led some AI experts to question whether using the model is safe for enterprises.

DeepSeek faced large-scale malicious attacks on Jan. 27 that forced it to limit user registrations. Recent reports found that DeepSeek had been hit with multiple DDoS attacks since it released the model on Jan. 20. DDoS attacks are cyberattacks that flood a server with traffic, making it inaccessible to legitimate users.

The attacks alone highlight concerns about whether the vendor's technology is secure, and enterprises should be cautious, said Bradley Shimmin, an analyst at Omdia, a division of Informa TechTarget.

"Don't log in to DeepSeek, just don't," Shimmin said. "It seems to need to prove to us that they're able to secure its services."

The startup stunned the Western and Far Eastern tech communities when its open-weight model DeepSeek-R1 made such a splash that DeepSeek appeared to challenge Nvidia, OpenAI and even Chinese tech giant Alibaba.


Days after DeepSeek-R1's release, Nvidia's stock price plummeted in the U.S. stock market. DeepSeek replaced OpenAI's ChatGPT as the most downloaded free app on Apple's App Store. In response, Alibaba released its latest Qwen 2.5 Max model a day before the Chinese New Year holiday, showing the panic that DeepSeek brought about even in China.

Data and China

Beyond the apparent inability to secure its servers, the fact that DeepSeek is a Chinese vendor that has to comply with China's Personal Information Protection Law (PIPL) is also concerning, according to Nemertes CEO and co-founder Johna Till Johnson.

PIPL regulates how personal information is handled and applies to organizations and individuals who process personally identifiable information, both in and outside China. It also allows the Chinese government to access and examine data held by companies within its jurisdiction under specific circumstances.

As an AI and cloud vendor, DeepSeek collects users' data, such as usage, prompts and information about users' partners.

"If you log in from Google, it pulls everything from Google -- it's legally allowed to do, and all that is sitting in China," Shimmin said.

Because of this, Johnson said enterprises should avoid DeepSeek's AI systems and tools.

"Any enterprise that for any reason considers that it is working with any form of proprietary information, which pretty much every enterprise is, should not be using a tool that automatically feeds that data back to what in the U.S. is considered a hostile nation-state," she said. "I would not go anywhere near it."

However, data leakage and usage arguments can also apply to other AI vendors like OpenAI, said Tim Dettmers, a research scientist at the Allen Institute for AI, a nonprofit AI research lab.

"If you send them the user data, they will use it to improve the model," Dettmers said.

Besides the possibility of data leakage to China, the DeepSeek-R1 model was trained with a Chinese worldview, raising concerns because of the country's authoritarian government and well-documented incursions on the privacy of its citizens.

"It is compliant with the Chinese government's worldview," said Mike Mason, chief AI officer at AI and IT consultancy Thoughtworks. The model will respond based on its worldview if asked a particular question, he said.

"Depending on your use case, you might be concerned about the cultural or worldview bias happening there," Mason continued. "If you're using it for generating software program code, maybe you don't care about that."

However, Dettmers said it is too early to know the model's reasoning process fully.

"This is something we need to figure out, and because DeepSeek is open, we can now figure it out," he said. "If you share things openly, you can very quickly figure out how to make them safe, but that means at the beginning is sort of a period where things are less aligned."

Meanwhile, OpenAI, whose o1 model DeepSeek-R1 has been compared to, is secretive about how its models think, Dettmers added.

Open source models are geared toward what enterprises want -- models they can control.

DeepSeek did not immediately respond to Informa TechTarget's request for comment.

Failing safety tests

Despite DeepSeek's open source structure, the R1 model has failed some safety tests, adding to the argument that enterprises should stay away.

For example, researchers from the University of Pennsylvania and digital communications vendor Cisco found that R1 had a 100% attack success rate when tested against 50 random prompts covering six categories of harmful behaviors, such as cybercrime, misinformation, illegal activities and general harm. The model did not block any of the harmful prompts, according to the researchers.

Moreover, Chatterbox Labs, a vendor specializing in measuring quantitative AI risk, used its AIMI platform, an automated AI safety testing tool, to test DeepSeek-R1 in categories such as fraud, hate speech, illegal activity, security and malware. DeepSeek-R1 failed the safety testing in every category.

However, Chatterbox compared DeepSeek's results with Google Gemini 2.0 Flash -- Google's reasoning model -- and OpenAI o1-preview. Gemini 2.0 Flash also failed the safety test, and the OpenAI model passed in only three categories.

"The key that we want to say to organizations, though, is that you have to test this stuff," said Stuart Battersby, CTO at Chatterbox Labs. "It doesn't matter which model you use. You can't rely on those things to be safe."

Chart by Chatterbox Labs: its AIMI system ran a safety test on the reasoning models from DeepSeek (DeepSeek-R1), OpenAI (o1-preview) and Google (Gemini 2.0 Flash).

Using a third party

Some AI experts have suggested that accessing DeepSeek using a third-party hosting service might be better.

"You can go with hosting providers, hosting it stateside," Shimmin said. AWS, Microsoft Azure and others are hosting the model in their model platforms. "Go with a trusted cloud provider if you use these models."

The distinction between running the model by itself and using a trusted hosting provider is significant, Mason said.

"If you're going to, say, AWS Bedrock, and you're using DeepSeek on Bedrock, you're no longer sending your data to China," he said, referring to Amazon's generative AI and machine learning platform.

However, enterprises must still take precautions regardless of the medium they use to access the model.

"Any model that you've decided to use, you have to run it through the gauntlet that you've put down for responsible AI practices," Shimmin said. "Is it secure? Can I protect it? If anybody tries to jailbreak my model, are protections built into it?"

Testing the model once is also not enough because the models continually change and iterate, Battersby said.

"To get to a point that is safe for your organization, you need to continually, iteratively test, update your guardrails, update your models [and] adapt to any changes made externally at your organization," he said.

Esther Shittu is an Informa TechTarget news writer and podcast host covering artificial intelligence software and systems.
