6.5.8 · D5Research Frontiers & Practice
Question bank — Federated learning
True or false — justify
Federated learning means no data ever leaves the device, so it is automatically private.
False. Raw data stays local, but the updates (gradients / weight deltas) can leak information — gradient-inversion attacks can reconstruct training images from a single small-batch gradient. Privacy needs an extra layer like Differential Privacy.
FedAvg with one local epoch (, full-batch) is exactly ordinary gradient descent on the global loss .
True. Averaging with weights pulls the out and leaves , one clean GD step.
Increasing local epochs always speeds up training because you compute more per round.
False. More means fewer communication rounds but each client drifts toward its own local minimum, adding the drift error. On heterogeneous data too-large can make the global model worse.
Weighting client updates by dataset size is a nice-to-have, not essential.
False. The weighting is the definition of the global objective . Drop it and you're optimizing a different problem where a 10-sample client counts as much as a 10 000-sample one.
If every client had identical (IID) data, the choice of which 10% to sample each round wouldn't matter much.
True. With IID data every client's gradient is an unbiased estimate of the global gradient, so any subset gives a similar update. Sampling only bites when data is heterogeneous / non-IID.
Adding Gaussian noise for differential privacy costs you accuracy.
True. The noise blurs the true update; larger (smaller , more privacy) means a noisier gradient and lower final accuracy — the core privacy–utility trade-off.
A smaller in -DP means weaker privacy.
False. Smaller means the output distribution barely changes when one person's data is added/removed (), so more privacy. Big is the weak setting.
Federated learning removes the need for a central server entirely.
False (for FedAvg). Standard FedAvg still needs a server (orchestrator) to broadcast and aggregate. Fully decentralized variants exist, but the vanilla algorithm is centrally coordinated, data-decentralized.
Sending model weights instead of raw data always reduces total bandwidth.
Usually, not always. For big datasets the model is far smaller than the data (300× savings in the ResNet example). But for a tiny dataset with a huge model over many rounds, repeatedly shipping the model can cost more than shipping the data once — see Model Compression for the fix.
Spot the error
"To combine models, just average all the weights equally: ."
The error is equal weights. It should be , weighted by data size; equal averaging lets a noisy 10-sample client sway the model as much as a 10 000-sample one and can cause divergence.
"After local training, each client sends back its raw gradients so the server can do the descent step."
In FedAvg with epochs there is no single gradient to send — the client sends its updated weights after several SGD steps, and the server averages weights, not gradients.
"Clipping gradients at norm is a performance tweak; for DP just add noise."
Clipping is required for DP, not optional. Without a bounded sensitivity , one record could change the update arbitrarily, demanding infinite noise to hide it — clipping caps that sensitivity so finite noise suffices.
"The aggregation weight uses , the total data across all clients."
In each round it uses , the total over the sampled subset, since only those clients contribute that round. Using the global would under-weight everyone.
" measures how much noise client adds for privacy."
No — measures client drift: the distance between client 's local optimum and the global optimum, i.e. how heterogeneous the data is. It's unrelated to the DP noise .
"Because gradients are just numbers, they can't reveal the images they came from."
They can. Gradient-inversion attacks solve for the input that would produce the observed , and for small batches / high-res images the reconstruction can be startlingly accurate.
"With more communication rounds the drift term shrinks."
Only the first term shrinks with . The drift term depends on , , and gradient variance — raising alone leaves it untouched; you must lower or to shrink it.
Why questions
Why do we send the model to the data instead of the data to the model?
Raw data is huge, sensitive, and often legally immovable (GDPR/HIPAA); model updates are small compressed "knowledge" and keep raw records under user control — solving privacy, bandwidth, and regulation at once.
Why weight each client's contribution by rather than treating clients equally?
Because the global loss is an average over all data points, not over clients; a client with more samples has estimated its slice of the loss more reliably and should steer the shared model proportionally.
Why does non-IID data slow convergence even though the algorithm is unchanged?
Each client's local optimum sits somewhere different, so their updates pull in conflicting directions; the averaged step partly cancels, and the model zig-zags instead of heading straight to .
Why isn't "raw data never leaves the device" enough for a formal privacy guarantee?
It's a design property, not a proof. Updates still carry information and can be attacked; only a mechanism like $(\epsilon,\delta)$-DP gives a mathematical bound on how much any individual's data can leak.
Why do we sample only ~10% of clients per round instead of all of them?
Coordinating billions of intermittently-connected edge devices every round is infeasible; a random subset gives an unbiased-enough gradient estimate while slashing communication and straggler costs.
Why can too much noise for privacy make the model useless, not just less accurate?
When swamps the true signal in each update, the averaged step becomes nearly random; the model then does a slow random walk and never converges — privacy is bought at the price of learning anything at all.
Why might personalized layers help on heterogeneous clients?
A shared global body captures common structure while small per-client layers absorb the drift , so each device fits its own distribution without forcing everyone to compromise on one averaged model — the Multi-Task Learning view.
Edge cases
What happens if a client has zero data points ()?
Its weight , so it contributes nothing to the average — correct behaviour. In code you simply must not divide by inside its local loss, or you get a ; skip empty clients entirely.
What if only one client is sampled in a round ()?
The aggregation weight , so the global model becomes that single client's local model — maximal drift and the noisy-averaging failure in the extreme. This is why a minimum cohort size matters.
What if all clients have identical data?
Every equals , so all local optima coincide with the global one, drift , and FedAvg behaves exactly like centralized SGD regardless of or sampling — the best-case degenerate scenario.
What happens in the limit (train each client to full local convergence before averaging)?
Each client returns its own optimum ; averaging those gives , which for non-IID data is generally not — the model can plateau at a wrong point despite perfect local training.
What if a malicious client sends a huge, adversarial update?
Plain FedAvg has no defence — a large-norm poisoned update can dominate the weighted average. This is exactly the gap Byzantine Robust Learning closes with robust aggregation (median, trimmed mean) instead of a raw weighted average.
What happens to DP as the number of participating clients grows very large?
With more honest participants each round, the added noise averages out relative to the aggregated signal, so you can often reach the same target with less per-client noise — large-scale deployments like Gboard's billion devices exploit exactly this.
Recall One-line summary of the traps
Weight by data size, average weights not raw gradients, clip then add noise, and remember: "data stays local" is a design choice, not a privacy proof.
The two silent killers ::: client drift on non-IID data, and update leakage without differential privacy.
See also: Optimization Theory · Privacy-Preserving ML · Federated learning