TL;DR
This paper evaluates the vulnerability of federated human activity recognition systems to label leakage attacks, revealing high attack success rates and limited privacy protections from differential privacy techniques.
Contribution
It is the first comprehensive analysis of label leakage attacks in federated HAR, highlighting key factors affecting leakage and assessing privacy defenses.
Findings
High label reconstruction accuracy (>90%) on benchmark datasets.
Limited effectiveness of differential privacy techniques against attacks.
Factors like class imbalance and sampling strategy significantly influence leakage.
Abstract
While prior work has shown that Federated Learning updates can leak sensitive information, label reconstruction attacks, which aim to recover input labels from shared gradients, have not yet been examined in the context of Human Activity Recognition (HAR). Given the sensitive nature of activity labels, this study evaluates the effectiveness of state-of-the-art gradient-based label leakage attacks on HAR benchmark datasets. Our findings show that the number of activity classes, sampling strategy, and class imbalance are critical factors influencing the extent of label leakage, with reconstruction accuracies reaching well above 90% on two benchmark datasets, even for trained models. Moreover, we find that Local Differential Privacy techniques such as gradient noise and clipping offer only limited protection, as certain attacks still reliably infer both majority and minority class labels.…
