Fingerprint attack: client de-anonymization in federated learning

Qiongka Xu*, Trevor Cohn, Olga Ohrimenko

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference proceeding contributionpeer-review

20 Downloads (Pure)


Federated Learning allows collaborative training without data sharing in settings where participants do not trust the central server and one another. Privacy can be further improved by ensuring that communication between the participants and the server is anonymized through a shuffle; decoupling the participant identity from their data. This paper seeks to examine whether such a defense is adequate to guarantee anonymity, by proposing a novel fingerprinting attack over gradients sent by the participants to the server. We show that clustering of gradients can easily break the anonymization in an empirical study of learning federated language models on two language corpora. We then show that training with differential privacy can provide a practical defense against our fingerprint attack.

Original languageEnglish
Title of host publicationECAI 2023
Subtitle of host publication26th European Conference on Artificial Intelligence September 30–October 4, 2023, Kraków, Poland including 12th Conference on Prestigious Applications of Intelligent Systems (PAIS 2023) proceedings
EditorsKobi Gal, Ann Nowé, Grzegorz J. Nalepa, Roy Fairstein, Roxana Rădulescu
Place of PublicationAmsterdam, Netherlands
PublisherIOS Press
Number of pages10
ISBN (Electronic)9781643684376
ISBN (Print) 9781643684369
Publication statusPublished - 2023
Externally publishedYes
Event26th European Conference on Artificial Intelligence, ECAI 2023 - Krakow, Poland
Duration: 30 Sept 20234 Oct 2023

Publication series

NameFrontiers in Artificial Intelligence and Applications
PublisherIOS Press


Conference26th European Conference on Artificial Intelligence, ECAI 2023

Bibliographical note

Copyright the Author(s) 2023. Version archived for private and non-commercial use with the permission of the author/s and according to publisher conditions. For further rights please contact the publisher.


Dive into the research topics of 'Fingerprint attack: client de-anonymization in federated learning'. Together they form a unique fingerprint.

Cite this