In a move that was widely expected, U.S. lawmakers have proposed a DeepSeek ban covering all federal government devices. The Hangzhou-based service had already raised national security concerns similar to those TikTok has been battling for years, but the move was also prompted by an analysis of DeepSeek's code that appears to show a direct link to state-owned China Mobile, and through it to the Chinese government.
The DeepSeek ban was proposed by U.S. Representatives Josh Gottheimer (NJ) and Darin LaHood (IL), both members of the House Permanent Select Committee on Intelligence, and is seen as a bipartisan measure with a high likelihood of passing. The Trump administration has recently extended some clemency to TikTok, but the two situations are very different, and DeepSeek has already proven itself combative when questioned about its data handling by EU regulators.
U.S. lawmakers look for quick, initial federal-level ban for national security purposes
The “No DeepSeek on Government Devices Act” would apply only to government-issued devices used by federal employees, which makes it quite likely to be taken up by Congress. A number of agencies have already issued similar DeepSeek bans on their own initiative, among them the Pentagon, the Navy, and NASA. Members of Congress have also been formally advised of the app's security risks; its use has been restricted on official devices and banned outright on staffers' work devices.
Any app that sends data back to China is potentially on the chopping block on national security grounds, as the ongoing TikTok saga has demonstrated. But the U.S. lawmakers behind the DeepSeek ban proposal point out that an analysis of the app's code indicates it sends data to the government-owned carrier China Mobile, which the Federal Communications Commission (FCC) has barred from operating in the United States and which has been delisted from the New York Stock Exchange.
The analysis, performed by Feroot Security, found hidden code in the browser-based version of DeepSeek that passes login information and other user data to CMPassport.com, China Mobile's online account registry. The researchers also say the app fingerprints users so that their activity can be tracked across the internet without their knowledge.
If U.S. lawmakers pass the bill, the DeepSeek ban would extend to any other apps published by parent company “High-Flyer.” Federal agencies would have 60 days to develop standards and guidelines for removing the group's apps from devices, with limited exceptions for researchers studying them. Most state governments have not yet acted; Texas is so far the only one to ban DeepSeek from employee devices.
J Stephen Kowski, Field CTO at SlashNext, notes that the threat of stealing login credentials adds a new element to the situation: “While DeepSeek’s AI capabilities are impressive, security researchers have identified multiple vulnerabilities that could allow malicious actors – whether nation-states or cyber criminals – to exploit the application as a delivery mechanism for credential theft and data exfiltration. The discovery of hidden code capable of transmitting login credentials to China Mobile servers highlights how AI chatbots can become unwitting conduits for cyber-attacks, which is particularly concerning given that millions of users have already downloaded and integrated these tools into their daily workflows. The rapid response by Australia, Italy, Taiwan and South Korea to implement bans demonstrates the seriousness of these security gaps, especially since advanced threat detection could have identified these concealed communication channels before they put sensitive data at risk. Modern organizations need real-time protection that can detect and block sophisticated technical threats hiding within seemingly innocent AI applications, regardless of their country of origin.”
DeepSeek ban proposal comes amidst percolating trade war
While DeepSeek has yet to comment on the ban proposed by U.S. lawmakers, its recent interactions with Italy's data protection regulator suggest it is not particularly interested in cooperation. A request for more information about its data processing from Italy's “Garante” privacy agency was met with defiance from the Chinese company, leading to a temporary DeepSeek ban in Italy pending an investigation and better communication.
Italian and U.S. lawmakers are not alone in taking early action against the app. Australia, South Korea and Taiwan have already issued their own DeepSeek bans. There has also been substantial private sector action as Bloomberg reports that hundreds of companies have asked their enterprise cybersecurity services to block the app.
The DeepSeek bans have put the spotlight back on a problem that has persisted since ChatGPT burst onto the scene in late 2022: employees feeding sensitive information into LLMs, including confidential company information and personal data, which the organization can then neither track nor retrieve. This usually happens out of a combination of a desire to simplify work and a lack of awareness that models which train on user queries retain whatever is pasted into them, something that has already led a variety of organizations to impose similar workplace ChatGPT bans.
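The gap described above is usually closed at the point where a prompt leaves the organization, regardless of which GenAI service it is bound for. The following Python sketch is an added example, not code from the article or from any vendor quoted in it: it scans a prompt before submission, blocks it outright if credential material is present, and redacts personal identifiers otherwise. The detector patterns, the hypothetical `gate_prompt` policy and the sample prompts are constructed for illustration and are not a complete DLP ruleset.

```python
import re
from dataclasses import dataclass

# Constructed, illustrative detectors. Credential-shaped matches are "hard"
# findings that block the prompt; PII matches are redacted and the rest sent on.
HARD_SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    # The header alone is enough evidence: a truncated paste is still a leak.
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
PII_PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int
    end: int
    hard: bool  # True = credential/secret (block), False = PII (redact)


def scan_prompt(text):
    """Return all findings in the prompt, ordered by position."""
    findings = []
    for kind, pat in HARD_SECRET_PATTERNS.items():
        for m in pat.finditer(text):
            findings.append(Finding(kind, m.start(), m.end(), True))
    for kind, pat in PII_PATTERNS.items():
        for m in pat.finditer(text):
            findings.append(Finding(kind, m.start(), m.end(), False))
    return sorted(findings, key=lambda f: f.start)


def redact(text, findings):
    """Replace each finding with a labelled placeholder, skipping overlaps."""
    out, pos = [], 0
    for f in findings:
        if f.start < pos:  # already covered by an earlier, overlapping match
            continue
        out.append(text[pos:f.start])
        out.append(f"[REDACTED:{f.kind}]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


def gate_prompt(text):
    """Hypothetical egress policy: returns (decision, outgoing_text, findings).

    'block'  - credential material found; nothing is sent.
    'redact' - only PII found; a redacted copy is sent.
    'allow'  - nothing found; the prompt is sent unchanged.
    """
    findings = scan_prompt(text)
    if any(f.hard for f in findings):
        return "block", None, findings
    if findings:
        return "redact", redact(text, findings), findings
    return "allow", text, findings


# Constructed sample prompts (the AWS key ID is the documented example value).
SAMPLE_PROMPTS = [
    "Summarize this meeting: alice@example.com will ship on Friday.",
    "Why does boto3 reject AKIAIOSFODNN7EXAMPLE when I call list_buckets?",
    "-----BEGIN RSA PRIVATE KEY-----\nMIIBogIBAAJBAL...\n-----END RSA PRIVATE KEY-----\nWhat format is this?",
    "How do I rotate an access key safely?",
]

if __name__ == "__main__":
    for prompt in SAMPLE_PROMPTS:
        decision, outgoing, findings = gate_prompt(prompt)
        print(decision, [f.kind for f in findings], repr(outgoing))
```

The split between blocking and redacting is deliberate: a credential in a prompt is almost never needed to answer the question and should never leave the network, while an e-mail address or identifier can usually be masked without losing the user's intent. Pattern matching of this kind only catches well-formed secrets, so it belongs in front of a GenAI gateway as one layer, not as the whole control.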
The U.S. is also in an ongoing struggle with China for AI dominance, which has prompted broader legal maneuvering. U.S. lawmakers are presently considering a bill that would forbid any party in the country from aiding the development of AI capabilities in China, with the largest corporate violators facing fines of up to $100 million and executives up to 20 years in prison. The Biden administration also severely limited the advanced computer chips that can legally be exported to China. The Trump administration has additionally imposed steep new tariffs on Chinese goods, though these have been framed as an anti-drug-trafficking measure rather than as part of the technology war.
Satyam Sinha, CEO and Co-founder at Acuvity, notes that measures against Chinese apps are likely only in the early stages as this geopolitical situation continues to unfold: “For the US government, espionage is a daily challenge and exposing workers to GenAI services such as DeepSeek, which clearly state that data will reside in China and will be used to improve the models and services, is an obvious risk. The move to block the mobile application and website is clearly a recommended approach. However, the issue at hand is much bigger than just DeepSeek. First, there are several other apps with similar origins and risks as DeepSeek – for example Qwen. Focusing on the trending GenAI service is just a stopgap. What we should be thinking about is the overall categories of risk. Second, GenAI services, regardless of their origin, are under constant cyberattack. And it only takes one successful attack for sensitive information such as login credentials to be stolen en masse. What I would like to see is for us to take a stronger stance on security of GenAI application usage across the board and start requiring an extra layer of cybersecurity. By moderating the information that is initially shared, we can reduce the risk associated with GenAI applications, whether those risks stem from intended design or cyberattacks.”