Federated learning (FL) is a popular paradigm for collaborative training which avoids direct data exposure between clients. However, data privacy issues remain: FL-trained large language models are capable of memorizing and completing phrases and sentences contained in training data when given their prefixes. Thus, it is possible for adversarial and honest-but-curious clients to recover training data of other participants simply through targeted prompting. In this work, we demonstrate that a popular and simple fine-tuning strategy, low-rank adaptation (LoRA), reduces memorization during FL by up to a factor of 10. We study this effect by performing a medical question-answering fine-tuning task and injecting multiple replicas of out-of-distribution sensitive sequences drawn from an external clinical dataset. We observe a reduction in memorization for a wide variety of Llama 2 and 3 models, and find that LoRA can reduce memorization in centralized learning as well. Furthermore, we show that LoRA can be combined with other privacy-preserving techniques such as gradient clipping and Gaussian noising, secure aggregation, and Goldfish loss to further improve record-level privacy while maintaining performance.
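The prefix-prompting audit described above, sketched as an added example that is not code from the paper: canaries are injected into the training data in several replicas, the model is prompted with each canary's prefix, and memorization is counted when the suffix comes back verbatim. A toy greedy trigram model stands in for the fine-tuned LLM; the task sentences, the canary records, and the exact-match metric are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

N = 3  # trigram toy model: two tokens of context predict the next token

# Constructed task data and constructed "sensitive" canaries (not real records).
TASK = ["the patient was prescribed rest and fluids"] * 3
CANARIES = [
    "record 7731 patient was prescribed warfarin 5 mg nightly",
    "record 8842 allergy noted to penicillin since 2019",
]

def train(corpus):
    """Count next-token frequencies for every (N-1)-token context."""
    table = defaultdict(Counter)
    for text in corpus:
        toks = text.split()
        for i in range(len(toks) - N + 1):
            table[tuple(toks[i:i + N - 1])][toks[i + N - 1]] += 1
    return table

def complete(table, prefix, max_new):
    """Greedy decoding: always emit the most frequent continuation."""
    out = list(prefix)
    for _ in range(max_new):
        ctx = tuple(out[-(N - 1):])
        if ctx not in table:
            break
        out.append(table[ctx].most_common(1)[0][0])
    return out[len(prefix):]

def memorization_rate(table, canaries, prefix_len=4):
    """Fraction of canaries whose suffix is reproduced exactly from its prefix."""
    hits = 0
    for canary in canaries:
        toks = canary.split()
        prefix, suffix = toks[:prefix_len], toks[prefix_len:]
        hits += complete(table, prefix, len(suffix)) == suffix
    return hits / len(canaries)

def audit(replicas):
    """Train on task data plus `replicas` copies of each canary, then probe."""
    return memorization_rate(train(TASK + CANARIES * replicas), CANARIES)

if __name__ == "__main__":
    for k in (1, 5):
        print(f"replicas={k}: memorization rate {audit(k):.2f}")
```

With one replica, the canary that shares context with the task data is overridden by the more frequent task continuation; with five replicas both canaries are completed verbatim. To audit a real model, replace `complete` with that model's greedy decoding.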