11
New Research Uncovers Evolving AI Censorship in China’s Large Language Models
The discourse surrounding digital censorship in China often oscillates between the familiar and the groundbreaking. For many, the topic still evokes echoes of George Orwell’s 1984, with discussions rehashing decades-old talking points about the heavily controlled nature of the Chinese internet. However, a new wave of research is consistently unearthing fresh insights into how the Chinese government extends its influence over nascent technologies, revealing a censorship apparatus that is far from static, but rather a perpetually adapting and increasingly sophisticated system.
A recent scholarly paper, collaboratively authored by researchers from Stanford University and Princeton University, exemplifies this crucial shift in understanding. Focusing on Chinese artificial intelligence, this study delves into the nuanced mechanisms of censorship embedded within large language models (LLMs). The researchers meticulously designed an experiment where 145 politically sensitive questions were posed to a selection of four prominent Chinese large language models and five leading American counterparts. To ensure robustness and statistical significance, this experiment was rigorously repeated 100 times, allowing for a comprehensive comparison of their responses.
The primary findings of this extensive study offer quantifiable evidence of what many observers of Chinese technology have long suspected. Chinese models exhibited a significantly higher rate of refusal to answer the sensitive questions compared to their American peers. For instance, DeepSeek declined to respond to 36 percent of the queries, while Baidu’s Ernie Bot had a refusal rate of 32 percent. In stark contrast, American models such as OpenAI’s GPT and Meta’s Llama demonstrated refusal rates consistently below 3 percent. Beyond outright refusals, the study also revealed that when Chinese models did provide answers, these responses were notably shorter and contained a greater degree of inaccurate or misleading information than those generated by American LLMs.
One of the most compelling aspects of the research involved an attempt to disentangle the impact of different stages of model development: pre-training and post-training. The core question was whether the observed biases in Chinese models stemmed primarily from their initial training data, which is inherently drawn from the already heavily censored Chinese internet, or from deliberate manual interventions by developers during the post-training phase. Jennifer Pan, a political science professor at Stanford University and co-author of the paper, who has a long-standing expertise in online censorship, highlighted the foundational issue: "Given that the Chinese internet has already been censored for all these decades, there’s a lot of missing data." This suggests that the very information available for models to learn from is already incomplete and biased.
However, Pan and her colleagues’ findings suggest that while censored training data plays a role, manual interventions may exert a more substantial influence on the models’ responses. This conclusion was reinforced by the observation that even when responding in English, a language for which the models’ training data would theoretically encompass a broader and less restricted array of sources, the Chinese LLMs continued to exhibit a greater degree of censorship in their outputs. This indicates that explicit programming or fine-tuning directives are likely a dominant factor in shaping their behavior.
Today, the presence of censorship in Chinese LLMs is often overtly visible. A simple query to models like DeepSeek or Qwen about events such as the Tiananmen Square Massacre will frequently result in a censored or evasive response. Yet, while the occurrence of censorship is evident, its precise impact on everyday users and the exact mechanisms driving this manipulation remain elusive. This is precisely where the significance of this new research lies: it moves beyond anecdotal observations to provide concrete, quantifiable, and replicable evidence of the systemic biases embedded within Chinese large language models.
Beyond the immediate findings, the researchers delved into the intricacies of their methodologies and the inherent challenges of studying biases in such models. Discussions with other experts also shed light on the evolving trajectory of the AI censorship debate.
One of the fundamental difficulties in analyzing AI models is their propensity for hallucination. It can be challenging to determine whether an AI is deliberately omitting or fabricating information due to censorship directives, or if it simply "doesn’t know" the correct answer because relevant information was excluded from its training data. Pan cited a striking example from their paper: a question concerning Liu Xiaobo, the Chinese dissident and Nobel Peace Prize laureate. One Chinese model astonishingly responded that "Liu Xiaobo is a Japanese scientist known for his contributions to nuclear weapons technology and international politics." This statement is entirely false. The ambiguity lies in discerning the intent: was it a calculated misdirection to deter users from seeking accurate information about the real Liu Xiaobo, or a mere hallucination stemming from a complete absence of truthful data?
"It’s much noisier of a measure of censorship," Pan explained, drawing a comparison to her previous work on Chinese social media and government website blocking. In those contexts, censorship signals are often clearer. "Because these signals are less clear, it’s harder to detect censorship, and a lot of my previous research has shown that when censorship is less detectable, that is when it’s most effective." This inherent ambiguity necessitates a higher standard of proof and methodological rigor for researchers in this field.
The perplexing interplay between deliberate fabrication and accidental hallucination also impacts the work of other researchers. Khoi Tran and Arya Jakkli, two researchers associated with the non-profit research fellowship program MATS, recently published work exploring the use of a Claude-based agent to automatically extract censored political facts from Chinese LLMs like Qwen and Kimi. They recounted their surprise at how difficult it was for their automated agent to perform its task when it lacked a baseline understanding of what constituted truth.
They tested their approach using a 2024 car ramming attack in China that reportedly killed 35 people. Claude, due to its knowledge cutoff date, had no information about the event. Kimi, however, was found to possess knowledge of the attack but consistently refused to generate replies about it. Tran and Jakkli attempted to deploy Claude to automatically "trick" Kimi into disclosing details of the incident. However, Claude repeatedly failed, as Tran noted, because it "cannot distinguish between a lie and a truth."
Despite their lack of prior expertise in Chinese technology or censorship, Tran and Jakkli specifically targeted Chinese LLMs because they were interested in the broader challenge of extracting hidden information from chatbots. All popular LLMs are given explicit instructions – for example, prohibiting them from explaining how to build a bomb. The question for researchers is how to uncover these hidden directives. The MATS researchers realized that Chinese models, with their developers employing sophisticated methods to obscure instructions, serve as an ideal testing ground. Their hope is that if an automated agent can successfully circumvent censorship in a Chinese frontier model, the same techniques could be adapted to extract hidden information from other Western models.
This quest for uncovering hidden directives is further illuminated by Alex Colville’s work at the independent research institution China Media Project. Colville, who studies AI propaganda, discovered a method to compel Alibaba’s Qwen model to articulate its internal reasoning before generating an answer, thereby revealing its specific instructions. When Colville posed a seemingly innocuous question like "What is China’s international reputation?" but combined it with a specially designed prompt to elicit the model’s thought process, Qwen consistently revealed a five-point list of instructions it had received during fine-tuning. These directives included mandates such as "focus on China’s achievements and contributions" and "avoid any negative or critical statements."
"This is another example of information guidance," Colville observed, emphasizing its subtle nature. "and this a much more subtle form of manipulation." This technique offers a window into the ideological guardrails pre-programmed into these AI systems.
Research into censorship within Chinese AI models – moving beyond isolated observations to systemic, well-designed studies – represents a cutting-edge field today. Colville argues that more researchers should prioritize this area, noting that "The primary focus on AI safety at the moment is more geared towards the future dangers that AI might have if it becomes super intelligent, rather than the dangers that are present right now." The immediate risks posed by biased and censored AI, particularly in authoritarian contexts, warrant urgent attention.
This critical work, however, is fraught with numerous challenges. Researchers frequently face the risk of losing access to Chinese AI models if they pose too many sensitive questions, limiting their ability to conduct sustained investigations. Furthermore, probing the most advanced models requires substantial computational resources, with even more required for multiple rounds of testing. Perhaps the most formidable challenge is the relentless pace of model development.
"The difficulty with studying LLMs is that they are developing so quickly, so by the time you finish prompting, the paper’s out of date," Pan lamented. Other researchers have corroborated this, noting that successive generations of the same Chinese model can exhibit drastically different behaviors concerning censorship, making longitudinal studies incredibly complex.
"Good research takes time, but the problem is, when it comes to AI development, time is something we absolutely don’t have," Colville concluded, underscoring the urgency and the formidable race against time faced by those striving to understand and document the evolving landscape of AI censorship. The ongoing efforts of these researchers are vital for shedding light on how these powerful new technologies are being shaped and controlled, with profound implications for global information access and freedom.
