LG · Oct 30, 2022

Two Models are Better than One: Federated Learning Is Not Private For Google GBoard Next Word Prediction

arXiv:2210.16947v2 · 8 citations · h-index: 47
Originality: Highly original
AI Analysis

This exposes privacy risks for millions of GBoard users, highlighting a critical flaw in a widely deployed production system.

The paper demonstrates that federated learning, as used in Google's GBoard for next word prediction, is vulnerable to attacks that can recover users' typed words and sentence order with high accuracy, despite countermeasures like mini-batches and local noise.

In this paper we present new attacks against federated learning when used to train natural language text models. We illustrate the effectiveness of the attacks against the next word prediction model used in Google's GBoard app, a widely used mobile keyboard app that has been an early adopter of federated learning for production use. We demonstrate that the words a user types on their mobile handset, e.g. when sending text messages, can be recovered with high accuracy under a wide range of conditions and that counter-measures such as use of mini-batches and adding local noise are ineffective. We also show that the word order (and so the actual sentences typed) can be reconstructed with high fidelity. This raises obvious privacy concerns, particularly since GBoard is in production use.
