Federated learning (FL) is becoming a key component in many technology-based
applications including language modeling -- where individual FL participants
often have privacy-sensitive text data in their local datasets. However,
realizing the extent of privacy leakage in federated language models is not
straightforward and the existing attacks only intend to extract data regardless
of how sensitive or naive it is. To fill this gap, in this paper, we introduce
two novel findings with regard to leaking privacy-sensitive user data from
federated language models. Firstly, we make a key observation that model
snapshots from the intermediate rounds in FL can cause greater privacy leakage
than the final trained model. Secondly, we identify that privacy leakage can be
aggravated by tampering with a model's selective weights that are specifically
responsible for memorizing the sensitive training data. We show how a malicious
client can leak the privacy-sensitive data of some other user in FL even
without any cooperation from the server. Our best-performing method improves
the membership inference recall by 29% and achieves up to 70% private data
reconstruction, evidently outperforming existing attacks with stronger
assumptions of adversary capabilities.

我们介绍了关于从联邦语言模型中泄露隐私敏感用户数据的两个新发现：一是中间轮次的模型快照可能引起比最终训练模型更严重的隐私泄露，二是通过篡改模型的选择权重，可以加剧隐私泄露，并显示了恶意客户端如何在联邦学习中泄露某个其他用户的隐私敏感数据，甚至无需服务器的任何合作。我们的最佳方法提高了成员推理召回率 29%，可达到 70% 的私密数据重构，显然优于现有的攻击方法，其对对手能力有更强的假设。