RAIFLE: Reconstruction Attacks on Interaction-based Federated Learning with Active Data Manipulation

Federated learning (FL) has recently emerged as a privacy-preserving approach for machine learning in domains that rely on user interactions, particularly recommender systems (RS) and online learning to rank (OLTR). While there has been substantial research on the privacy of traditional FL, little attention has been paid to studying the privacy properties of these interaction-based FL (IFL) systems. In this work, we show that IFL can introduce unique challenges concerning user privacy, particularly when the central server has knowledge and control over the items that users interact with. Specifically, we demonstrate the threat of reconstructing user interactions by presenting RAIFLE, a general optimization-based reconstruction attack framework customized for IFL. RAIFLE employs Active Data Manipulation (ADM), a novel attack technique unique to IFL, where the server actively manipulates the training features of the items to induce adversarial behaviors in the local Figure 1: Schematic diagram of Interaction-based Federated FL updates. We show that RAIFLE is more impactful than existing Learning (IFL). Users interact with items sent by the server FL privacy attacks in the IFL context, and describe how it can and train the FL model using the items and their interactions undermine privacy defenses like secure aggregation and private information with the items. Users may apply privacy defense techniques retrieval. Based on our findings, we propose and discuss such as differential privacy to their updated models before countermeasure guidelines to mitigate our attack in the context of sending local updates to the server.