Robbing the Fed:  Directly Obtaining Private Data in Federated Learning with Modified Models

Liam H Fowl; Jonas Geiping; Wojciech Czaja; Micah Goldblum; Tom Goldstein

Robbing the Fed: Directly Obtaining Private Data in Federated Learning with Modified Models

Liam H Fowl, Jonas Geiping, Wojciech Czaja, Micah Goldblum, Tom Goldstein

Published: 28 Jan 2022, Last Modified: 13 Feb 2023ICLR 2022 PosterReaders: Everyone

Keywords: Privacy, Federated Learning, Gradient Inversion

Abstract: Federated learning has quickly gained popularity with its promises of increased user privacy and efficiency. Previous works have shown that federated gradient updates contain information that can be used to approximately recover user data in some situations. These previous attacks on user privacy have been limited in scope and do not scale to gradient updates aggregated over even a handful of data points, leaving some to conclude that data privacy is still intact for realistic training regimes. In this work, we introduce a new threat model based on minimal but malicious modifications of the shared model architecture which enable the server to directly obtain a verbatim copy of user data from gradient updates without solving difficult inverse problems. Even user data aggregated over large batches – where previous methods fail to extract meaningful content – can be reconstructed by these minimally modified models.

Supplementary Material: zip

12 Replies

Loading