LAMP: Extracting Text from Gradients with Language Model Priors

TL;DR

LAMP is a novel attack method that effectively reconstructs original text from gradient updates in federated learning by leveraging language model priors and combined optimization techniques, revealing significant privacy risks.

Contribution

The paper introduces LAMP, the first attack to successfully recover text from gradients, using language priors and mixed optimization, extending privacy analysis to textual data.

Findings

LAMP reconstructs 5x more bigrams than prior methods.

It achieves 23% longer subsequence recovery.

First to recover inputs from batch sizes larger than 1.

Abstract

Recent work shows that sensitive user data can be reconstructed from gradient updates, breaking the key privacy promise of federated learning. While success was demonstrated primarily on image data, these methods do not directly transfer to other domains such as text. In this work, we propose LAMP, a novel attack tailored to textual data, that successfully reconstructs original text from gradients. Our attack is based on two key insights: (i) modeling prior text probability with an auxiliary language model, guiding the search towards more natural text, and (ii) alternating continuous and discrete optimization, which minimizes reconstruction loss on embeddings, while avoiding local minima by applying discrete text transformations. Our experiments demonstrate that LAMP is significantly more effective than prior work: it reconstructs 5x more bigrams and 23% longer subsequences on average. Moreover, we are the first to recover inputs from batch sizes larger than 1 for textual models. These findings indicate that gradient updates of models operating on textual data leak more information than previously thought.