Characterizing the Implementation of Censorship Policies in Chinese LLM Services
Anna Ablove
Network and Distributed System Security (NDSS) Symposium 2026 · Day 1 · AI Security
This talk presents a systematic study of how five major Chinese LLM services -- **DeepSeek**, **Kimi**, **Qwen**, **Doubao**, and **Baidu Chat (Wenxiaoyan)** -- implement censorship through combinations of **input filtering**, **search-phase filtering**, and **output filtering**. By man-in-the-middling traffic between client and server, the researchers discover significant **information leaks**: services transmit censored content to the client before blocking it, including near-complete responses, search results from websites blocked in China (Wikipedia, Human Rights Watch), and detailed political content that is subsequently truncated in the UI.
AI review
A technically rigorous MITM study of Chinese LLM censorship infrastructure that reveals significant information leaks, including complete censored responses hidden only by client-side JavaScript. The finding that DeepSeek, Kimi, and Doubao share ByteDance analytics infrastructure is a notable OSINT contribution. The filter evasion results confirm brittleness but the methodology -- building separate traffic analysis pipelines for each service amid rapid ecosystem changes -- is genuinely impressive operational research.