Inverting Gradients -- How easy is it to break privacy in federated learning?

TL;DR

This paper demonstrates that sharing gradients in federated learning can compromise user privacy, as images can be reconstructed from gradients even in realistic settings, challenging assumptions about privacy guarantees.

Contribution

The study reveals that gradient sharing in federated learning can be exploited to reconstruct input data, showing vulnerabilities previously underestimated.

Findings

Images can be reconstructed from gradients at high resolution.

Gradient averaging over multiple images or iterations does not prevent reconstruction.

Analytical reconstruction is possible for inputs to fully connected layers.

Abstract

The idea of federated learning is to collaboratively train a neural network on a server. Each user receives the current weights of the network and in turns sends parameter updates (gradients) based on local data. This protocol has been designed not only to train neural networks data-efficiently, but also to provide privacy benefits for users, as their input data remains on device and only parameter gradients are shared. But how secure is sharing parameter gradients? Previous attacks have provided a false sense of security, by succeeding only in contrived settings - even for a single image. However, by exploiting a magnitude-invariant loss along with optimization strategies based on adversarial attacks, we show that is is actually possible to faithfully reconstruct images at high resolution from the knowledge of their parameter gradients, and demonstrate that such a break of privacy is possible even for trained deep networks. We analyze the effects of architecture as well as parameters on the difficulty of reconstructing an input image and prove that any input to a fully connected layer can be reconstructed analytically independent of the remaining architecture. Finally we discuss settings encountered in practice and show that even averaging gradients over several iterations or several images does not protect the user's privacy in federated learning applications in computer vision.