Home/Tools & Ecosystem/Federated Learning
Tools & Ecosystem

Federated Learning

Training a shared model across devices without collecting the data — and "your data never leaves" is not the guarantee it sounds like.

Reading level: Curious
Pick your depth ↓

When not to use it

  • For privacy, without secure aggregation and DP. Gradients leak the data. It's an architecture, not a guarantee.
  • With highly non-IID data and plain FedAvg. Averaging models that found different local minima gives you neither.
  • When you could just centralise. It's dramatically more complex. Use it when you legally can't.
  • When you'd need to debug. You can't look at the data. That's the point and it's also the cost.

Reach for something else instead

  • Centralised training with DP — simpler, and the guarantee is cleaner.
  • On-device inference only — if you don't need to train on the data, this is far simpler and more private.
  • Synthetic data — train on generated data with the collapse caveats.
  • Secure enclaves — different trust model, less complexity.

Sources & further reading

  • McMahan et al. (2017), Communication-Efficient Learning of Deep Networks from Decentralized Data — FedAvg; the founding paper.
  • Zhu, Liu & Han (2019), Deep Leakage from Gradients — you can reconstruct training data from updates. Read this before trusting the pitch.
  • Kairouz et al. (2021), Advances and Open Problems in Federated Learning — the comprehensive and unusually honest survey.

Primary sources, listed so you can check the claims on this page rather than take them on trust.

Where people go wrong

  • Believing "data never leaves the device" means private. Gradients carry the information — reconstruction is demonstrated.
  • Shipping without secure aggregation. Then the server sees individual updates, which is the data.
  • Quoting DP without ε. It's a real guarantee at 0.1 and a marketing line at 10.
  • Selling it on privacy when the honest argument is regulatory — that the alternative is no model at all.

At a glance

FieldTools & Ecosystem
The ideasend the model to the data; only updates come back
The base algorithmFedAvg, and it works better than it should
The catchgradients leak; training data is reconstructible (Zhu et al., 2019)
What makes it actually privatesecure aggregation + differential privacy, both
The best argumentnot privacy, but that the alternative is no model
DifficultyAdvanced
Flashcards for this concept
Question
Answer
1 / 4

Often compared with

Federated learning vs. centralised training with DP — one moves the data's location and needs cryptography plus noise to be private anyway; the other is simpler with a cleaner guarantee. Use the first when the law forbids the second.