Avoiding DeepSeek’s dodgy iOS app, and Proton VPN’s censorship battle in numbers

Many of you may remember that in my writing about DeepSeek’s rise a few weeks ago, I’d pointed out that all may not be what it seems owing to the AI start-up’s Chinese roots. That’s the reason I never downloaded the DeepSeek app on any smartphone, sticking by choice to the web version. But millions did (and the few I managed to stop from downloading the DeepSeek app pale in comparison), and their phones’ data may be at risk. The authorities and companies from that country (and they aren’t the only ones, unfortunately) love to collect data. Of course, DeepSeek has no official government links, but is all that too hard to imagine? The first hints of a worrying reality may be emerging now. Mobile security company NowSecure has released a security assessment that points to DeepSeek’s iOS app being a very risky bet. There are many problems, as the researchers attempt to illustrate to anyone who’s willing to listen.

DeepSeek

  • The DeepSeek app disables an iOS data security measure called App Transport Security (ATS), which prevents sensitive data from being sent over unencrypted channels. Once this protection is disabled, the app is able to send unencrypted data. Not only can DeepSeek servers receive all that data (and indeed also reroute it to other web entities), the transmissions are also exposed to anyone snooping on the network.
  • NowSecure points out it is a badly made app (perhaps by design), including the use of an insecure symmetric encryption algorithm, which they say is a “poor choice to protect the confidentiality of data”.
  • There is some level of certainty that the DeepSeek app on iPhone is sending unencrypted data to Volcengine, a cloud services platform owned by another Chinese tech company, ByteDance. You may remember the whole hullabaloo around TikTok in the US because of user data security concerns. ByteDance owns TikTok.
  • Data is also being sent to other third-party platforms, again likely in unencrypted format, which could make it very easy to de-anonymise that data and link it back to users. That is how virtual profiles are made, and that is how users get tracked.

“In reviewing the sensitive APIs accessed and methods tracked, the DeepSeek iOS app exhibits behaviours that indicate a high risk of fingerprinting and tracking,” is the rather worrying summary by the researchers, who make it clear that more examination of the app’s behaviour is very much in progress. You may ask: why isn’t Apple (and when it pertains to them, Google) identifying these potential risks? The answer is simple. Apple, Google or any application platform cannot eliminate risky apps from their platform with 100% accuracy. They have measures in place to detect nefarious behaviour, but often, these tend to be hidden nicely by developers. As it is, in DeepSeek’s iOS app.

CENSORSHIP

Proton

A few days ago, the good folks over at Proton shared some rather interesting data on how 2024 went in terms of internet censorship. The year gains more significance as we try to understand many trends, because this period of 12 months saw 64 countries hold national elections, including the US, India and the UK. But internet shutdowns and censorship attempts aren’t solely linked to elections, something that was illustrated in Bangladesh, France, Turkey, Pakistan, Brazil and Venezuela, to name a few. Brazil’s tiff with Elon Musk-owned X is one example.

Proton says they observed spikes in signups to Proton VPN in 119 countries, including 6 countries with at least one spike in signups of over 5,000%, and 4 countries with at least one spike in signups of over 10,000%. In terms of the volume of these spikes on the back of some crackdown or censorship, Latin America and the Caribbean lead with 20 spikes in downloads through 2024, while South Asia (15 spikes) and Sub-Saharan Africa, Central Asia and Eastern Europe (13 spikes each) follow.

Proton’s anti-censorship suite is as strong as it comes, across VPN apps worth the money you pay for subscriptions. There’s a Smart Protocol methodology that detects when VPN protocols are being blocked by a network and switches to a different one. There’s also alternate routing of a user’s web traffic via third-party servers in case Proton’s servers are blocked.

BACKDOOR

Turns out, the security agencies in the UK want Apple to build a backdoor allowing them access to any user’s otherwise encrypted iCloud data. Apple hasn’t commented yet on the matter, but reports suggest the UK Home Office’s “technical capability notice” under the Investigatory Powers Act (IPA) is a way to get Apple into the fold for providing data to assist law enforcement agencies. Apple always says data privacy is a “fundamental human right”, and their stance on this would be interesting, as and when they do something next.

Irrespective of how this goes (whether Apple complies, or withdraws certain services from the UK market), you do have a choice to safeguard your data. There is something called Advanced Data Protection (ADP) that’s a part of iOS 18. Here is what you need to do: Settings > iCloud > Advanced Data Protection > Turn on. At this point, you’ll have the choice of setting up a recovery contact or a recovery key. Apple makes it clear that you’ll be responsible for data recovery in the future. “If you use Advanced Data Protection, you’re responsible for your data recovery. Because Apple won’t have the keys required to recover your data, you’ll need to have a Recovery Contact or Recovery Key set up on your account.” Keep that key or contact close to you, needless to say! This could, in due course, remain the safest course of action if the privacy of everything you have on iCloud is important.
