Taiwanese Security Bureau Issues Warning on Chinese AI Apps Due to Data Breach Concerns
On November 16, the National Security Bureau (NSB) of Taiwan issued a cautionary statement advising citizens to exercise vigilance when using generative artificial intelligence (AI) models developed in China. This warning follows comprehensive assessments of five such applications—Deepseek, Doubao, Yiyan, Tongyi, and Yuanbao—that revealed alarming securities vulnerabilities and risks of disinformation.
The NSB, Taiwan’s leading intelligence authority, conducted a thorough review of these applications in collaboration with both the Ministry of Justice Investigation Bureau and the Criminal Investigation Bureau. This examination focused on the security frameworks of these apps, analyzing them against 15 critical markers categorized into five primary areas: personal data collection, excessive permissions, data sharing during transmission, system data extraction, and access to biometric information.
The findings were concerning: all five applications were identified as non-compliant across numerous indicators. Notably, Tongyi showed deficiencies in 11 of the 15 metrics, while Doubao and Yuanbao each violated 10. Yiyan fell short on 9 counts and Deepseek on 8, leading to serious implications for user communication security. The NSB’s report indicated that these Chinese apps commonly requested access to location data, collected screenshots, imposed unreasonable privacy agreements, and harvested device specifications.
Moreover, the assessment of the generative content produced by these apps revealed biases and instances of disinformation, particularly when discussing sensitive topics like cross-strait relations. The generated material frequently echoed official Chinese narratives, asserting claims such as “Taiwan is governed by the Chinese central government” and labeling Taiwan as “an inalienable part of China.” Such language reflects a deliberate avoidance of terms deemed politically sensitive within China, such as “democracy,” “freedom,” and “human rights.”
The implications of these findings extend beyond mere data privacy concerns; they underscore a potential for political manipulation through the content generated by these AI applications. The NSB confirmed that the models’ data systems appear to be influenced by political censorship imposed by the Chinese government, indicating a worrying trend in how AI technology is employed in information dissemination.
In light of these revelations, the NSB strongly recommends that the public exercises caution by avoiding downloads of these China-made applications, due to the significant cybersecurity threats they pose. The agency emphasized the need to protect both individual privacy and corporate confidentiality in an increasingly interconnected digital landscape.
Notably, since February 2025, Taiwan has prohibited the use of Deepseek on government devices due to these national security concerns. However, there currently exists no ban on the remaining four Chinese applications for public sector use or restrictions on Deepseek’s usage in private settings.
In conclusion, the recent findings by the NSB illustrate a pressing issue in cybersecurity, particularly for business owners and tech professionals. The vulnerabilities associated with these AI applications could align with various tactics outlined in the MITRE ATT&CK framework, such as initial access and privilege escalation, necessitating a proactive approach to cybersecurity hygiene among users and organizations alike.
By remaining informed and cautious, businesses can mitigate risks and protect sensitive data from potential cybersecurity threats linked to foreign applications.
