Re-evaluating the Privacy Benefit of Federated Learning

Abstract

Federated Learning’s (FL) main attractive privacy feature of data localisation only holds if FL participants can trust the coordinating server not to carry out data reconstruction attacks, under both honest-but-curious as well as actively malicious threat models. Motivated by our study of the FL system present in Gboard’s virtual keyboard, we provide a reassessment of FL’s added privacy benefit, and point to three aspects of FL whose effect on privacy requires further research, namely the model architecture, the high levels of trust required to maintain privacy, and vulnerabilities in concrete implementations of the FL protocol.