this post was submitted on 06 Feb 2025

415 points (96.6% liked)

Technology

62073 readers

5862 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

[email protected]

415

DeepSeek iOS app sends data unencrypted to ByteDance-controlled servers (arstechnica.com)

submitted 5 days ago by [email protected] to c/[email protected]

53 comments fedilink hide all child comments

top 50 comments

sorted by: hot top controversial new old

[–] [email protected] 27 points 3 days ago

There's zero relationship between data being unencrypted and it being sent to chinese servers.

If you use a chinese service it's obvious that data is going to be sent to a chinese server and that the chinese server would be able to read it.

Unencrypted data transfer, it's a totally different thing. I would like to see if it's truly unencrypted or just not using apple proprietary encryption.

I luckily don't own any apple product, but I have deepseek app on my android device. If I'm bored later I'll try to intercept my own data to see if it's truly unencrypted. This is easy to test. If it's not true that newspaper is going to my "block list" asap.

[–] [email protected] 20 points 3 days ago (1 children)

surprised pikachu no one could see this coming from a few thousand miles away

[–] [email protected] 7 points 3 days ago (1 children)

To be honest, not using TLS nowadays is pretty surprising.

[–] [email protected] 6 points 3 days ago

Yeah, it's actually easier to use TLS than not due to browser checks.

[–] [email protected] 13 points 3 days ago

Basically anything else you use here in the west sends all data to Amazon-controlled servers. But they make sure its encrypted so only them can see it. Nice.

[–] [email protected] 156 points 5 days ago (1 children)

Absolutely "shocked" I tell you.

[–] [email protected] 9 points 5 days ago

loudly places hand on side of face

[–] [email protected] 75 points 5 days ago (3 children)

This is dumb.

Even if you encrypt network traffic, the receiving server still knows what you're doing. All it does is prevent third parties from snooping.

Usually.

[–] [email protected] 41 points 5 days ago (1 children)

Yes, so not only are they doing something shady, they're doing something shady and exposing your data to anyone wanting to snoop it. What's dumb about criticising the latter part?

[–] [email protected] 25 points 5 days ago (2 children)

The fact that anyone thinks they have any semblance of privacy when typing into an online AI chatbot is saddening.

Of course anything you type into a externally hosted AI is going to be harvested and sold.

But sure, in this case you are also potentially exposing your queries to your ISP or someone listening on your local network too.

[–] [email protected] 24 points 5 days ago* (last edited 5 days ago) (3 children)

Regardless of the downstream server, you should expect the interim traffic to be encrypted in transit

load more comments (3 replies)

[–] [email protected] 19 points 5 days ago

Privacy is not the same as security

[–] [email protected] 13 points 5 days ago

Yep it also prevents anyone in the airport impersonating the WiFi and the bytedance server (which is trivial) and crafting payloads that run insecure code on your phone ( not that easy but there's heaps of CVEs like this in apps like Safari over the years, so there's at least 2x as many in an app like this)

[–] [email protected] 3 points 5 days ago (1 children)

Maybe they want 3rd parties snooping?

[–] [email protected] 6 points 5 days ago (1 children)

If you are implying that a government wants your data, they can just buy it or request it from the company directly. They don't have to snoop to get it. Also SSL isn't going to stop them.

[–] [email protected] 2 points 4 days ago

Oh, no. I don't mean USA government. I do mean some governments, but also any company between here an there.

Imagin that your company wants to sell user data. There are limits on what your company can sell due to contracts or laws, due to having a relationship with the customers.
Your company leases internet connections from another company, ISP or not, that can sell the data. Sending the data without SSL provides an okay, if not ideal, method to move that data.

[–] [email protected] 79 points 5 days ago (6 children)

The hell? There’s no reason to use plain HTTP instead of HTTPS.

And symmetric encryption is wildly irresponsible as well.

[–] [email protected] 43 points 5 days ago (2 children)

Not for s second do I believe this was a accidental oversight.

I am sure they had very good reasons, all alligned with their actual interests with no thought spared to even consider consequences for small fish users.

[–] [email protected] 27 points 5 days ago (2 children)

i just can't think of any. like the article says, i fully expected the app to send data to china. but even if you are maliciously spying on users, why would you send the stolen data on unsecured channels? so that everyone in the path takes advantage of the data your wanted to steal?

[–] [email protected] 7 points 5 days ago

Sounds plain sloppy lol

Badest AI, rookie opsec

[–] [email protected] 1 points 3 days ago

If forced to relocate servers to a US partner,it leaves an attack vector.

[–] [email protected] 5 points 5 days ago

Yep I'm with you.

It's so easy to use https with secure encryption. It's the default. You have to go out of your way to use s symmetric key or to even allow http without SSL in xcode or Android studio.

[–] [email protected] 13 points 5 days ago

Well many of China's websites don't even use HTTPS. Look at china.org.cn, or en.people.cn for example

load more comments (4 replies)

[–] [email protected] 45 points 5 days ago (2 children)

And that's why you use local instances...

[–] [email protected] 2 points 3 days ago (1 children)

True, but you need powerful server in order to run the most capable Deepseek model, which most people don't have.

[–] [email protected] 7 points 3 days ago (1 children)

That’s an understatement. It won’t even fit well in 8xA100, you need an EPYC server to run it in CPU RAM, very slowly.

[–] [email protected] 2 points 3 days ago* (last edited 3 days ago)

To run the 671B parameter R1, my napkin math was something like 3/4 of a million dollars in hardware. But that (plus the much lower training cost) made this a millionaire's game rather than a billionaire's. Plus the distillations do seem better than anything else we have at the smaller sizes at the moment. That said, I'm more looking forward to the first use of deepseek's methods with google's Titan architectures.

[–] [email protected] 1 points 3 days ago

2nd place is duck.AI in via tor browser

[–] [email protected] 10 points 4 days ago* (last edited 4 days ago) (2 children)

Does this actually matter so long as I just ask it questions I want answers to? I’m not feeding it any personal information. Sincere question. Enlighten me if so.

[–] ILikeBoobies 5 points 3 days ago (1 children)

Having an app installed gives it a lot of information

Unencrypted just means people on the way to that server can peek

[–] [email protected] 1 points 3 days ago

I've started using Firefox to install sites 'as a web app'. I use that for cloud services and things I self host. Basically works like a native app but way more control over data.

[–] [email protected] 7 points 4 days ago* (last edited 4 days ago) (1 children)

You wouldn't believe how little information can be personally identifying, especially when combined with other little pieces.

Also, knowing what's on the mind of western people, how they write, how they engage in conversations can be extremely valuable information.

[–] [email protected] 7 points 3 days ago

Oh no. They will know that I don’t know how to implement cache invalidation in python. /s

[–] [email protected] 46 points 5 days ago* (last edited 5 days ago) (2 children)

[–] [email protected] 28 points 5 days ago (1 children)

🌕🌕🌕🌕🌕🌕🌕🌕

🌕🌕🌕🌕🌕🎩🌕🌕

🌕🌕🌕🌕🌘🌑🌒🌕

🌕🌕🌕🌘🌑🌑🌑🌓

🌕🌕🌖🌑👁️🌑👁️🌓

🌕🌕🌗🌑🌑🫦🌑🌔

🌕🌕🌘🌑🌑🌑🌒🌕

🌕🌕🌘🌑🌑🎀🌓🌕

🌕🌕🌘🌑🌑🌑🌔🌕

🌕🌕🌘🌔🍆🌑🌕🌕

🌕🌖🌓🌕🌗🌒🌕🌕

🌕🌗🌓🌕🌗🌓🌕🌕

🌕🌘🌔🌕🌗🌓🌕🌕

🌕👠🌕🌕🌕👠🌕🌕

[–] [email protected] 9 points 5 days ago

How the fuck do I explain this boner, now?

[–] [email protected] 6 points 5 days ago

Ah, the ol' Blahaj Pik-a-choo

[–] [email protected] 18 points 5 days ago* (last edited 5 days ago) (1 children)

Volcengine is a platform of cloud services released by Bytedance in 2021 to help enterprises with digital transformation. Bytedance connection to China is well established. Sensitive data or data effective for fingerprinting and tracking are in bold.

So they use a Chinese CDN or hosting? Shocking stuff. Hilarious that a company so bad at basic security beat OpenAI.

[–] [email protected] 7 points 5 days ago (4 children)

I sincerely doubt they're bad at it.

load more comments (4 replies)

[–] [email protected] 10 points 5 days ago

its nice of them not to encrypt it at least. it can get harvested along the way!

[–] [email protected] 10 points 5 days ago

Fucking duh

[–] [email protected] 4 points 5 days ago

No shit?

load more comments