Table 8.1
A summary of how different privacy principles are addressed under the FL 2017-2020 practice, the FL 2021-2024 practice, and an updated 2025+ goal-state based on the new FL definition we propose. Adapted from [Dal+24].
Privacy PrinciplesFL 2017–2020FL 2021–2024FL 2025–?
Data minimizationData remain on devices; focused updates and immediate aggregation for model training.Trusted and cryptographic aggregation methods can additionally guarantee unaggregated updates invisible to the service provider.Secured data on device or cloud with access verifiably limited to specific workloads and immediately revocable (or within a short TTL).
Data anonymizationNo formal anonymization, but messages are collected for the purpose of immediate aggregation.Distributed DP can provide acceptable utility for some tasks, and protection from an honest-but-curious service provider; central DP can provide better utility, and strong DP protection for the model released to end users but assumes a trusted aggregator.Achieve the utility of current Central DP approaches, while also offering strong protection against even a malicious service provider; users can verify that only anonymized results are released, and can enforce their privacy preferences.
Transparency and controlUsers can choose whether to participate in training, and potentially inspect the on-device binaries and network usage.Users can additionally inspect the source code of some FL instances such as Private Compute Core [Mar+22], while others remain closed source and proprietary.Users can view a human-readable summary of the purpose and (privacy) properties of any computation their data participated in, and those properties can be verified. Users can make fine-grained choices about which FL workloads to run, or delegate that power to an organization of their choice.
Verifiability and auditabilityWhere code is open-sourced, it can be inspected; verifying the identity of the code running on devices is possible but difficult.Same as FL 2017–2020Client and server-side code verify each others’ integrity via remote attestation. Clients can verify the data minimization and anonymization properties of server-side computation. Clients and servers verify each others’ authenticity via (ideally independent) Public Key Infrastructure (PKI).

or Create an Account

Close Modal
Close Modal