Deepseek AI Bypasses Chinese Censorship and Challenges Nvidia’s Market Dominance

The new AI marvel Deepseek reportedly carries numerous censorship blocks imposed by the Chinese state. However, these can be easily circumvented.

On January 27, a significant event shook the US chip manufacturer Nvidia. The company’s stock value plummeted by $600 billion, marking the largest single-day loss in Wall Street history.

The reason for this was the Chinese AI company Deepseek. Their open-source chatbot, Deepseek-R1, not only outperformed ChatGPT-o1 in several benchmarks but also used remarkably few hardware resources. This could significantly reduce the demand for expensive high-performance chips, impacting the AI industry’s investments in Nvidia’s products.

The AI model immediately replaced ChatGPT as the top-rated free AI application in the app store. However, the software has a drawback: censorship by the Chinese Communist Party (CCP) causes the AI tool to respond with propaganda texts instead of facts.

The experts at the open-source LLM test project Promptfoo tested the extent of this censorship and suggested ways to bypass it. They used a prompt dataset of 1,360 critical prompts with topics sensitive to the CCP, such as questions about Taiwan’s independence, historical narratives around the Cultural Revolution, or state leader Xi Jinping.

Not surprisingly, Deepseek provided responses aligned with the CCP’s party line for the majority of these prompts. 85 percent, or 1,156 of the prompts, were answered with censored responses. The experts noticed that these responses did not match Deepseek’s usual behavior, leading them to conclude that the censorship blocks were added after the fact and should generally be easy to bypass.

Indeed, the Deepseek jailbreak was easier than expected, according to the Promptfoo experts. Apparently, the censorship blocks were inserted “with blunt force,” and the programmers at Deepseek only did the bare minimum to meet the government’s requirements.

To bypass the censorship, it is often sufficient to replace China with another state in the prompt, even a hypothetical state X. The chatbot is then immediately willing to provide information on strategies to undermine the narratives of an authoritarian state X to promote independence efforts.

Other common strategies to evade blocks also work with Deepseek. For example, one can generalize the prompt or request the answer in the form of a fictional text. Technical jailbreak methods through prompt injections also showed success.

LLM experts suspect that all these methods will soon become unnecessary, as Deepseek is likely to be replicated by other manufacturers without these restrictions in the coming weeks. They plan to test US chatbots on sensitive topics next. Even though there is (still) no direct state censorship in the US, LLMs always carry a bias from the source material used to train them.