| Privacy Principles | FL 2017–2020 | FL 2021–2024 | FL 2025–? |
|---|---|---|---|
| Data minimization | Data remain on devices; focused updates and immediate aggregation for model training. | Trusted and cryptographic aggregation methods can additionally guarantee unaggregated updates invisible to the service provider. | Secured data on device or cloud with access verifiably limited to specific workloads and immediately revocable (or within a short TTL). |
| Data anonymization | No formal anonymization, but messages are collected for the purpose of immediate aggregation. | Distributed DP can provide acceptable utility for some tasks, and protection from an honest-but-curious service provider; central DP can provide better utility, and strong DP protection for the model released to end users but assumes a trusted aggregator. | Achieve the utility of current Central DP approaches, while also offering strong protection against even a malicious service provider; users can verify that only anonymized results are released, and can enforce their privacy preferences. |
| Transparency and control | Users can choose whether to participate in training, and potentially inspect the on-device binaries and network usage. | Users can additionally inspect the source code of some FL instances such as Private Compute Core [Mar+22], while others remain closed source and proprietary. | Users can view a human-readable summary of the purpose and (privacy) properties of any computation their data participated in, and those properties can be verified. Users can make fine-grained choices about which FL workloads to run, or delegate that power to an organization of their choice. |
| Verifiability and auditability | Where code is open-sourced, it can be inspected; verifying the identity of the code running on devices is possible but difficult. | Same as FL 2017–2020 | Client and server-side code verify each others’ integrity via remote attestation. Clients can verify the data minimization and anonymization properties of server-side computation. Clients and servers verify each others’ authenticity via (ideally independent) Public Key Infrastructure (PKI). |
| Privacy Principles | FL 2017–2020 | FL 2021–2024 | FL 2025–? |
|---|---|---|---|
| Data minimization | Data remain on devices; focused updates and immediate aggregation for model training. | Trusted and cryptographic aggregation methods can additionally guarantee unaggregated updates invisible to the service provider. | Secured data on device or cloud with access verifiably limited to specific workloads and immediately revocable (or within a short TTL). |
| Data anonymization | No formal anonymization, but messages are collected for the purpose of immediate aggregation. | Distributed DP can provide acceptable utility for some tasks, and protection from an honest-but-curious service provider; central DP can provide better utility, and strong DP protection for the model released to end users but assumes a trusted aggregator. | Achieve the utility of current Central DP approaches, while also offering strong protection against even a malicious service provider; users can verify that only anonymized results are released, and can enforce their privacy preferences. |
| Transparency and control | Users can choose whether to participate in training, and potentially inspect the on-device binaries and network usage. | Users can additionally inspect the source code of | Users can view a human-readable summary of the purpose and (privacy) properties of any computation their data participated in, and those properties can be verified. Users can make fine-grained choices about which FL workloads to run, or delegate that power to an organization of their choice. |
| Verifiability and auditability | Where code is open-sourced, it can be inspected; verifying the identity of the code running on devices is possible but difficult. | Same as FL 2017–2020 | Client and server-side code verify each others’ integrity via remote attestation. Clients can verify the data minimization and anonymization properties of server-side computation. Clients and servers verify each others’ authenticity via (ideally independent) Public Key Infrastructure (PKI). |
Sharing content requires targeting cookies to be enabled. Please update your cookie preferences to use this feature.