Federated learning (FL) enables multiple users to train machine-learning models jointly without sharing their data directly with one another. This paradigm is particularly attractive when keeping data private and secure is essential (e.g., for medical records). However, recent work has shown that FL does not guarantee privacy: in classification tasks, the training-data labels, and even the inputs, may be reconstructed from the information users share during training.
Building on an analytic derivation, we present a new label-extraction attack called Label Leakage from Bias Gradients (LLBG). Compared to prior attacks, LLBG makes fewer assumptions and applies to a broader range of classical and modern deep-learning models, regardless of their non-linear activation functions. Crucially, in experiments spanning two datasets, nine model architectures, and a wide variety of attack scenarios (e.g., with and without defenses), LLBG outperformed prior attacks in almost all settings explored, pushing the boundaries of label-extraction attacks.
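To make the underlying idea concrete, the sketch below illustrates the basic bias-gradient observation that this family of attacks builds on, not the LLBG attack itself: for a single example trained with cross-entropy loss, the gradient with respect to the output-layer bias equals softmax(logits) minus the one-hot label, so its only negative entry reveals the ground-truth label. All variable names and the toy setup are illustrative assumptions, not code from the paper.

```python
import numpy as np

# Toy demonstration (single sample, cross-entropy loss, softmax output layer):
# the gradient of the loss w.r.t. the last-layer bias is probs - one_hot(label),
# so an observer of the shared gradient can read off the label from its sign.

rng = np.random.default_rng(0)
num_classes = 5
logits = rng.normal(size=num_classes)   # hypothetical model outputs for one example
true_label = 3                          # ground truth known only to the data owner

probs = np.exp(logits - logits.max())
probs /= probs.sum()                    # softmax probabilities
one_hot = np.eye(num_classes)[true_label]
bias_grad = probs - one_hot             # d(cross-entropy) / d(output-layer bias)

# The attacker sees only bias_grad; its single negative entry leaks the label.
leaked_label = int(np.argmin(bias_grad))
assert leaked_label == true_label
```

Extending this observation beyond the single-sample, softmax-plus-bias setting (e.g., to batched updates, other activations, and defended training) is where attacks such as LLBG differ, as described in the paper.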