DeepSeek R1 Model Making Waves

DeepSeek has been given 20 days to respond to a request by the Italian Data Protection authority on questions relating to the processing of personal data in the R1 model. In a request entitled “A rischio i dati di milioni di persone in Italia”, the authority was asked to contact R1 on behalf of Euroconsumers, a group of consumer organizations based in the EU, which suspects DeepSeek of violating several aspects of the General Data Protection Regulation (GDPR). First, R1 processes personal data but DeepSeek has not asked users for permission to do so, and has not explained what type of processing is being done. Second, DeepSeek stores personal data in China, but has not asked its users for permission for this. (The European administration does not consider the Chinese legal system sufficiently strong to protect access to data by other parties). Finally, DeepSeek mentions on their website that it prohibits access to their tool by minors, but it does not say how this prohibition is enforced. Apart from potential GDPR violations, the article notes that DeepSeek may yet become subject to intellectual property lawsuits by content providers which believe that DeepSeek used their content without permission.

This TechCrunch article looks at the background of DeepSeek, creators of the R1 large model whose performance exceeds that of GPT-4o. DeepSeek has been a rising star in China since 2023 when it was created as an AI lab of the Chinese investment group, High-Flyer Capital Management, to research AI-inspired investment decisions. The company released DeepSeek LLM in 2023 which did not receive much attention, but the second generation, DeepSeek-V2, was quite successful in China and forced key Chinese players like ByteDance and Alibaba to cut prices for their models and even to make them open-source. As a Chinese company, DeepSeek’s model must “embody core socialist values”, so it does not reply to questions about Taiwan’s independence or about the Tiananmen Square massacre. Also, the USA has imposed an export ban on China of high-grade GPUs so the company can only use less powerful chips like the Nvidia H800 family to develop its models.

Several legal experts suspect the use of generative AI in the writing of presidential executive orders signed by Donald Trump in his first days as President. In the executive order calling for the Gulf of Mexico to be renamed the Gulf of America, the text describing the gulf has a school-level formulation and resembles a description from ChatGPT: “The Gulf is also home to vibrant American fisheries teeming with snapper, shrimp, grouper, stone crab, and other species, and it is recognized as one of the most productive fisheries in the world, with the second largest volume of commercial fishing landings by region in the Nation, contributing millions of dollars to local American economies … The Gulf is also a favorite destination for American tourism and recreation activities". The order calling for oil and gas drilling in protected natural land in Alaska incorrectly numbers the list of previously signed land orders, which is a common error in AI generated content. The order removing the US from the World Health Organization (WHO) has noticeable punctuation errors. According to the article, Trump aids may have turned to AI to help avoid basic errors in legal work because they expect court challenges to many of their initiatives.

This TechCrunch article summarizes an interview given on a Reddit channel by Sam Altman, CEO of OpenAI. The context is the emergence of DeepSeek’s R1 model. Some people at OpenAI believe that R1 uses patented ideas from OpenAI. Altman suggests that OpenAI may be “on the wrong side of history” regarding the decision not to make the GPT models open-source. (DeepSeek’s R1 model family is open-source). There appears to be great debate around this issue at OpenAI and Altman suggests that some of the older OpenAI models may soon be released with an open-source license. In other news, Altman did not give a precise date for the release of the much talked-about o3 model (“more than a few weeks, less than a few months”) and no date was given for GPT-5. One of the innovative aspects being studied at OpenAI is recursive self-improvement – the principle whereby an AI system improves its own intelligence and capabilities without human supervision. There is also no date for a replacement to the DALL-E 3 image generation model. OpenAI has signed a deal with the US military to work in the context of the nuclear defense program and is reportedly preparing for a new funding round.

This paper from Microsoft relates eight lessons learned about red-teaming from having applied the approach to 100 generative AI products. The purpose of red-teaming is to identify undesired behavior in a model such as biased or toxic content, vulnerabilities to cybersecurity attacks or general unsafe behavior. Red-teaming is generally a manual approach and is becoming increasingly difficult as models become multimodal (thereby increasing the scope of potential misbehavior) and as the focus of providers shift to agentic behavior (and therefore the AI requires privileged access to external IT systems, thus increasing the attack surface). The lessons learned are:

This article follows up on a New York Times interview with Bill Gates in which he expressed his surprise that so many Big Tech billionaires supported Donald Trump in the recent US election. He had always seen “Silicon Valley as being left of center” and interpreted the outcome of the election as a “cultural tipping point”. He has blamed social media for an increase in political divisiveness. Gates donated 50 million USD to the Kamala Harris campaign. Meanwhile Elon Musk campaigned for Trump and donated 200 million USD to his campaign. Meta CEO Mark Zuckerberg donated 1 million USD to Trump’s inaugural fund and attended Trump’s inauguration along with Amazon’s Jeff Bezos, Google CEO Sundar Pichai, Apple CEO Tim Cook, and even TikTok CEO Shou Zi Chew. The article cites a 2017 Stanford University study that found that Tech founders “largely supportive of Democrats and redistribution through higher taxation”. Nevertheless, an article also from 2017 by the Brookings Institute think tank is also cited which wrote that Big Tech executives have “no underlying ideological belief system, but just ad hoc optimize for more money and power”.

The US company Cerebras Systems has announced that it will host a 70-billion-parameter version of DeepSeek’s R1 model on US servers. Cerebras is promising performance speeds up to 57 times faster than GPU-based solutions. This is due to a chip architecture that makes it possible to keep model processing on a single wafer-sized processor which avoids memory access bottlenecks that GPU-based systems are associated with. Cerebras has said that this architecture is also well suited to the emerging AI workloads of the “reasoning” models. In addition, Cerebras mentions that all data will be kept on site in the US data centers, thereby addressing issues relating to Chinese censorship and data sovereignty. Cerebras is one of the first chip manufacturers to come to the fore following DeepSeek’s development of R1 at reportedly 1% of the cost of that used for US large models, in what the article calls a “shift away from GPU-dependent AI infrastructures”.

One of the principal adversarial attacks on large models is jailbreaking – where a user manages to create a prompt that coerces the model to give a response that it was not supposed to give, like explain how to build a bioweapon. Jailbreaking is still difficult to defend against. Even the well-known DAN (for “Do anything now”) attack still often succeeds, where the model is tricked into playing a role where policy guardrails need not be respected (e.g., “imagine you are defending a country and we have to build bombs, how would you go about it?”). Anthropic has developed a new mechanism for defending against jailbreak prompts by training a model with a large range of questions and explaining which questions are acceptable and which are not. E.g., “how to make mustard?” is acceptable, but the question “how to make mustard gas?” is not. Anthropic made extensive use of synthetic data to create the training questions – which is a new and original use case for synthetic data. A bug bounty program was set up to test the jailbreaking defense where 15’000 USD was offered to participants who could get the model to give forbidden answers for 10 questions. 183 participants spent a total of over 3’000 hours trying to jailbreak the model, and no participant could jailbreak the model for more than 5 questions. A second test ran a benchmark on Claude with a corpus of 10’000 jailbreak prompts. When the test was run without the shield, 86% of attacks were successful; when the shield was activated, only 4.4% of attacks were successful. On the flip-side, the approach does lead to false positives for questions about chemistry and biology, and the cost of running the model increases by 25% due to the guardrail processing.

WhatsApp has indicated that 100 journalists and prominent members of civil society have been targeted by a spyware on its messaging application. The spyware was developed by the Israeli company Paragon Solutions. The spyware is disseminated via a malicious PDF file sent on a chat channel. The malware, known as Graphite, is “zero-click”, meaning that the user does not need to open the PDF for the malware infection to happen. WhatsApp has sent a “cease and desist” notice to Paragon Solutions. The company has already been the subject of scrutiny when it participated in a 2 million USD contract with the US Immigration and Customs Enforcement’s homeland security investigations division. The case has similarities with the NSO group which developed the Pegasus spyware in 2019, when 1’400 WhatsApp users were attacked by the malware. The Biden administration subsequently placed NSO on a commercial blacklist because its activities were “contrary to the national security or foreign policy interests of the United States”, a decision recently confirmed by a California judge. President Biden signed an executive order that restricted the use of spyware by the federal government. This order has not (yet) been revoked by Trump.