Federated Learning
Training a shared model across devices without collecting the data — and "your data never leaves" is not the guarantee it sounds like.
When not to use it
- For privacy, without secure aggregation and DP. Gradients leak the data. It's an architecture, not a guarantee.
- With highly non-IID data and plain FedAvg. Averaging models that found different local minima gives you neither.
- When you could just centralise. It's dramatically more complex. Use it when you legally can't.
- When you'd need to debug. You can't look at the data. That's the point and it's also the cost.
Reach for something else instead
- Centralised training with DP — simpler, and the guarantee is cleaner.
- On-device inference only — if you don't need to train on the data, this is far simpler and more private.
- Synthetic data — train on generated data with the collapse caveats.
- Secure enclaves — different trust model, less complexity.
Sources & further reading
- McMahan et al. (2017), Communication-Efficient Learning of Deep Networks from Decentralized Data — FedAvg; the founding paper.
- Zhu, Liu & Han (2019), Deep Leakage from Gradients — you can reconstruct training data from updates. Read this before trusting the pitch.
- Kairouz et al. (2021), Advances and Open Problems in Federated Learning — the comprehensive and unusually honest survey.
Primary sources, listed so you can check the claims on this page rather than take them on trust.
Where people go wrong
- Believing "data never leaves the device" means private. Gradients carry the information — reconstruction is demonstrated.
- Shipping without secure aggregation. Then the server sees individual updates, which is the data.
- Quoting DP without ε. It's a real guarantee at 0.1 and a marketing line at 10.
- Selling it on privacy when the honest argument is regulatory — that the alternative is no model at all.