Federated learning reduces raw data movement, but it doesn’t eliminate privacy risk. A new overview catalogs practical attacks (reconstruction, model inversion, membership inference) and the mitigations teams actually need to operationalize.
Survey: federated learning’s core privacy risks are reconstruction, inversion, and membership inference
A chapter-style survey on federated learning (FL) argues that “keeping data local” is only a partial privacy story. FL enables multiple parties to train a shared model without centralizing raw training data, but the training process can still leak sensitive information through updates, gradients, or model behavior.
The survey highlights three recurring classes of attacks: data reconstruction (recovering aspects of the original training data), model inversion (inferring sensitive features from model outputs or parameters), and membership inference (determining whether a specific record was part of training). The takeaway for builders is that FL should be treated as an attackable system—especially when models are trained across devices, business units, or organizations with different incentives.
- Threat modeling can’t stop at “no raw data leaves the device.” Data teams should assume model updates and outputs can be probed, logged, and attacked, then design controls accordingly.
- Privacy risk becomes a lifecycle problem. Monitoring for leakage (and documenting mitigations) needs to be part of training, evaluation, and deployment—not a one-time architecture decision.
- Cross-organization FL raises governance stakes. When participants have different incentives, the practical likelihood of adversarial behavior increases, making safeguards and auditability more important.
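The three implications above (updates can be probed, leakage controls belong in the training loop, and participants may not all be honest) come together on the aggregation server. The following is an added example, not code from the survey or from any FL framework, showing one standard mitigation that such a server can operationalize: each client's update is clipped to a fixed L2 norm before averaging and Gaussian noise proportional to that clip norm is added, so no single client's data can dominate, and therefore be read back out of, the shared model. The client updates, the clip norm `MAX_NORM`, the `noise_multiplier` value and the helper names are all constructed for this illustration. The `single_client_influence` helper is the audit step a team would run to verify the bound rather than assume it.

```python
import math
import random

# Constructed sample: four clients, three-parameter model updates.
# Client 3's update is far larger than the others (very different local data);
# under plain averaging it dominates the mean, so the aggregate nearly reveals it.
SAMPLE_UPDATES = [
    [0.10, -0.20, 0.05],
    [0.08, -0.15, 0.10],
    [0.12, -0.25, 0.00],
    [9.00, -7.00, 4.00],
]
MAX_NORM = 1.0  # per-client L2 clip norm (assumed tuning value)


def l2_norm(v):
    return math.sqrt(sum(x * x for x in v))


def plain_mean(updates):
    """Unprotected federated averaging, for comparison only."""
    n = len(updates)
    return [sum(col) / n for col in zip(*updates)]


def clip_update(update, max_norm):
    """Scale a client's update so its L2 norm is at most max_norm.
    Bounding each contribution limits how much any one client's data can
    shape (and thus leak through) the aggregated model."""
    norm = l2_norm(update)
    if norm == 0.0 or norm <= max_norm:
        return list(update)
    scale = max_norm / norm
    return [x * scale for x in update]


def aggregate(updates, max_norm, noise_multiplier, rng):
    """Clipped, noised federated averaging on the server side.
    Every update is clipped to max_norm and summed; Gaussian noise with
    standard deviation noise_multiplier * max_norm is added to each
    coordinate of the sum; the result is divided by the client count.
    With noise_multiplier == 0 this is deterministic clipped averaging."""
    if not updates:
        raise ValueError("no client updates")
    dim = len(updates[0])
    total = [0.0] * dim
    for u in updates:
        if len(u) != dim:
            raise ValueError("inconsistent update dimension")
        for i, x in enumerate(clip_update(u, max_norm)):
            total[i] += x
    sigma = noise_multiplier * max_norm
    n = len(updates)
    return [(t + (rng.gauss(0.0, sigma) if sigma > 0 else 0.0)) / n for t in total]


def single_client_influence(updates, max_norm, idx, replacement):
    """Audit helper: L2 distance the noise-free aggregate moves if client idx
    submits `replacement` instead of its real update. Clipping guarantees this
    is at most 2 * max_norm / n for any pair of updates."""
    rng = random.Random(0)  # unused when noise_multiplier is 0, kept for the signature
    base = aggregate(updates, max_norm, 0.0, rng)
    swapped = list(updates)
    swapped[idx] = replacement
    alt = aggregate(swapped, max_norm, 0.0, rng)
    return l2_norm([a - b for a, b in zip(base, alt)])


if __name__ == "__main__":
    rng = random.Random(42)
    print("plain mean (outlier dominates):", plain_mean(SAMPLE_UPDATES))
    print("clipped mean, no noise:", aggregate(SAMPLE_UPDATES, MAX_NORM, 0.0, rng))
    print("clipped mean, noise x1.0:", aggregate(SAMPLE_UPDATES, MAX_NORM, 1.0, rng))
    bound = 2 * MAX_NORM / len(SAMPLE_UPDATES)
    infl = single_client_influence(SAMPLE_UPDATES, MAX_NORM, 3, [0.0, 0.0, 0.0])
    print(f"outlier's influence on aggregate: {infl:.3f} (bound {bound:.3f})")
```

The influence check is worth keeping in a test suite: if someone later raises `MAX_NORM` or disables clipping for a "trusted" partner, the bound on per-client influence silently loosens, and that is exactly the cross-organization scenario in which the survey says safeguards matter most.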
“Keeping data local” reduces exposure, but reconstruction, inversion, and membership inference can still reveal sensitive information.
