Fingerprint Attack: Client De-Anonymization in Federated Learning
This addresses privacy risks for participants in federated learning systems, revealing vulnerabilities in anonymization defenses.
The paper tackled the problem of client de-anonymization in federated learning by proposing a fingerprinting attack on gradients, showing that clustering breaks anonymization in language models on two corpora, and demonstrated that differential privacy defends against it.
Federated Learning allows collaborative training without data sharing in settings where participants do not trust the central server and one another. Privacy can be further improved by ensuring that communication between the participants and the server is anonymized through a shuffle; decoupling the participant identity from their data. This paper seeks to examine whether such a defense is adequate to guarantee anonymity, by proposing a novel fingerprinting attack over gradients sent by the participants to the server. We show that clustering of gradients can easily break the anonymization in an empirical study of learning federated language models on two language corpora. We then show that training with differential privacy can provide a practical defense against our fingerprint attack.