Personal Attribute Leakage in Federated Speech Models

Al-Ali, Ghavamipour, Caselli et al.
Federated learning is a common method for privacy-preserving training of machine learning models. In this paper, we analyze the vulnerability of ASR models to attribute inference attacks in the federated setting. We test a non-parametric white-box attack method under a passive threat model on three ASR models: Wav2Vec2, HuBERT, and Whisper. The attack operates solely on weight differentials without access to raw speech from target speakers. We demonstrate attack feasibility on sensitive demographic and clinical attributes: gender, age, accent, emotion, and dysarthria. Our findings indicate that attributes that are underrepresented or absent in the pre-training data are more vulnerable to such inference attacks. In particular, information about accents can be reliably inferred from all models. Our findings expose previously undocumented vulnerabilities in federated ASR models and offer insights towards improved security.

Basic Information

  • Paper ID: 2510.13357
  • Title: Personal Attribute Leakage in Federated Speech Models
  • Authors: Hamdan Al-Ali, Ali Reza Ghavamipour, Tommaso Caselli, Fatih Turkmen, Zeerak Talat, Hanan Aldarmaki
  • Classification: cs.CL cs.AI
  • Publication Date: October 15, 2025 (arXiv preprint)
  • Paper Link: https://arxiv.org/abs/2510.13357v1

Abstract

Federated learning is a widely-used approach for privacy-preserving training of machine learning models. This paper analyzes the vulnerability of ASR models in federated environments to attribute inference attacks. Under a passive threat model, researchers tested non-parametric white-box attack methods against three ASR models (Wav2Vec2, HuBERT, and Whisper). The attack operates solely on weight differences without requiring access to the target speaker's original speech. The study demonstrates the feasibility of attacks on sensitive demographic and clinical attributes (gender, age, accent, emotion, and dysarthria). The research reveals that attributes underrepresented or absent in pretraining data are more susceptible to such inference attacks. Notably, accent information can be reliably inferred from all models.

Research Background and Motivation

Problem Definition

  1. Core Issue: Whether ASR models in federated learning environments leak sensitive personal attribute information through model weight updates
  2. Privacy Threats: Speech data contains rich personal information, including demographic characteristics (gender, age, accent), clinical conditions (dysarthria), and emotional states

Importance Analysis

  1. Legal Compliance: Attribute leakage may violate GDPR, HIPAA, and anti-discrimination laws in the US and EU
  2. Privacy Protection: The ADA protects individuals with disabilities from discrimination; leakage of speech disorder information carries severe consequences
  3. Practical Threats: Even without identity disclosure, leakage of attributes such as accent or emotional state constitutes serious privacy violations

Limitations of Existing Approaches

  1. Federated Learning Assumptions: While federated learning improves privacy by keeping raw audio on-device, model updates may still leak sensitive information
  2. Research Gaps: Previous work primarily focused on speaker re-identification and membership inference attacks, but the scope of attribute leakage remains insufficiently explored
  3. Threat Models: Lack of systematic research on attribute inference through weight updates alone

Core Contributions

  1. First Systematic Study: First comprehensive analysis of personal attribute leakage vulnerabilities in federated ASR models
  2. Multi-Attribute Evaluation: Assessment of three mainstream ASR models across five sensitive attributes (gender, age, accent, emotion, dysarthria)
  3. Attack Methodology: Proposes a non-parametric white-box attack method based on weight differences, requiring no access to raw speech data
  4. Key Findings: Discovers that attributes underrepresented in pretraining data are more susceptible to leakage, particularly accent information
  5. Defense Insights: Provides empirical evidence for mitigating attribute leakage through diversified pretraining data

Methodology Details

Threat Model

The study adopts a passive server-side attacker model:

  • Attacker Capabilities: Can access the global model $W_g$ and the target speaker's locally trained model $W_s$
  • Attack Constraints: Cannot access raw audio, transcriptions, or metadata
  • Attack Objective: Infer protected personal attributes solely through weight differences
  • Training Assumption: Each model is fine-tuned on a single utterance from a single speaker

Attribute Inference Attack Algorithm

1. Shadow Model Construction

Using public datasets to simulate the fine-tuning process:

For each sample $(x_i, y_i)$, $i = 1, \dots, n$:
1. Fine-tune global model $W_g$ on sample $x_i$
2. Obtain shadow model $W_i$
3. Construct labeled dataset $\{(W_i, y_i)\}$

2. Feature Extraction

Extract statistical summaries from each parameter tensor $p \in W_i$:

$$z_i = \operatorname{concat}\big([\mu_p, \sigma_p, \min(p), \max(p)] \text{ for each } p \in W_i\big)$$

where $z_i \in \mathbb{R}^d$ is a fixed-length feature vector.

3. Class Centroid Calculation

Compute centroids for each class:

$$\bar{z}_c = \frac{1}{N_c} \sum_{i=1}^{N_c} z_i, \quad \text{where } z_i \in \text{class } c$$

4. Attribute Inference

For target model $W_s$, extract feature vector $z_s$ and classify using normalized Euclidean distance:

$$\hat{c} = \arg\min_c \frac{\lVert z_s - \bar{z}_c \rVert_2}{\lVert z_s \rVert_2 \cdot \lVert \bar{z}_c \rVert_2}$$
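
Steps 1 to 4 above, written as a leakage audit that a federated-learning operator can run over its own updates. This is an added example, not code from the paper or its authors. It assumes the summaries are taken over the update W_i − W_g (the page says the attack works on weight differentials); the tensor names, class labels and the synthetic updates that stand in for fine-tuned shadow models are constructed for illustration.

```python
import math
import random
import statistics

def features(update):
    """Step 2: [mean, std, min, max] of every parameter tensor, concatenated."""
    z = []
    for name in sorted(update):  # fixed tensor order gives a fixed-length vector
        p = update[name]
        z += [statistics.fmean(p), statistics.pstdev(p), min(p), max(p)]
    return z

def centroids(shadow):
    """Step 3: per-class mean of the shadow feature vectors [(z_i, y_i), ...]."""
    by_class = {}
    for z, y in shadow:
        by_class.setdefault(y, []).append(z)
    return {c: [statistics.fmean(col) for col in zip(*zs)]
            for c, zs in by_class.items()}

def norm(v):
    return math.sqrt(sum(x * x for x in v))

def infer(z_s, cents):
    """Step 4: class whose centroid minimises the normalised Euclidean distance."""
    def dist(c):
        diff = [a - b for a, b in zip(z_s, cents[c])]
        # 1e-12 guards the all-zero update (a client that did not train)
        return norm(diff) / (norm(z_s) * norm(cents[c]) or 1e-12)
    return min(cents, key=dist)

def synthetic_update(label, rng):
    """Constructed stand-in for W_i - W_g; one class moves the encoder more."""
    scale = 0.03 if label == "non_native" else 0.01
    return {"encoder.w": [rng.gauss(0, scale) for _ in range(200)],
            "head.w": [rng.gauss(0, 0.01) for _ in range(50)]}

def audit_accuracy(n_shadow=40, n_test=20, seed=0):
    """Share of held-out updates whose label is recovered (0.5 = chance)."""
    rng = random.Random(seed)
    labels = ["native", "non_native"]
    def sample(n):
        return [(features(synthetic_update(labels[i % 2], rng)), labels[i % 2])
                for i in range(n)]
    cents = centroids(sample(n_shadow))
    return sum(infer(z, cents) == y for z, y in sample(n_test)) / n_test

if __name__ == "__main__":
    print(f"attribute recovered from update statistics: {audit_accuracy():.0%}")
```

An audit score well above chance on held-out updates means the per-tensor statistics alone separate the classes, which is the signal a mitigation would need to remove before updates leave the client.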

Technical Innovations

  1. Non-parametric Approach: No need to train complex classifiers; uses only statistical summaries and distance metrics
  2. Weight Difference Analysis: Directly extracts attribute information from model parameter changes
  3. Scalability: Method naturally extends to multi-class settings
  4. Practicality: Attack requires relatively modest computational resources and data volume

Experimental Setup

Datasets

| Attribute | Dataset | Samples | Description |
|---|---|---|---|
| Gender, Age, Accent | Speech Accent Archive (SAA) | 200 | Controlled recordings, identical script |
| Dysarthria | TORGO | 15 speakers | 8 with disorder, 7 normal |
| Emotion | RAVDESS | 24 speakers | Professional actors performing emotional speech |

Experimental Task Configuration

  1. Gender Detection: 200 native English speakers, 100 male/100 female, 75/25 train-test split
  2. Age Detection: 18-24 vs 35-44 years, 70 male speakers, 5-fold cross-validation
  3. Accent Detection: 200 speakers, native vs non-native English speakers
  4. Emotion Detection: Three binary classification tasks (calm vs angry, happy vs sad, calm vs fearful)
  5. Dysarthria Detection: Leave-one-speaker-out cross-validation

ASR Models

  1. Wav2Vec2-Base: 95 million parameters, LibriSpeech pretraining
  2. HuBERT-Large: 300 million parameters, LibriSpeech training
  3. Whisper-Small: 244 million parameters, trained on 680k hours of multilingual data

Experimental Results

Primary Attack Success Rates

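| Task | Wav2Vec2 | HuBERT | Whisper |
|---|---|---|---|
| Gender Detection | 64% | 63% | 46% |
| Age Detection | 100% | 97% | 94% |
| Accent Detection | 100% | 80% | 93% |
| Dysarthria | 59% | 76% | 81% |
| Emotion: Calm vs Angry | 52% | 67% | 83% |
| Emotion: Happy vs Sad | 50% | 54% | 75% |
| Emotion: Calm vs Fearful | 46% | 48% | 73% |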

Key Experimental Findings

  1. Significant Attribute Differences: Age and accent show the strongest leakage (80-100% accuracy), while gender is most difficult to predict (46-64%)
  2. Model Differences: Whisper demonstrates >70% leakage accuracy on all attributes except gender
  3. Statistical Significance: Age detection results achieve statistical significance across all models (95% confidence interval)

Layer-wise Analysis Results

Layer-wise analysis of Wav2Vec2 shows:

  • Age Information: Maintains consistent high detection rates across all layers
  • Emotion and Dysarthria: Show greater variability in middle and later layers
  • Layer Specificity: Performance on certain specific layers sometimes exceeds full-model inference

Fine-grained Accent Classification

Multi-class classification experiments on the 10 most common accents:

  • Before Defense: All test accents achieve ≥90% accuracy
  • After Defense: Attack success rate drops to <20% after fine-tuning on diversified accent data
  • Generalization Capability: Maintains high attack success rates on unseen accents (Japanese, Italian, German, Polish, Macedonian)

Federated Learning Privacy Attacks

  1. Membership Inference Attacks: Shokri et al. first proposed membership inference attacks against machine learning models
  2. Collaborative Learning Leakage: Melis et al. studied unintended feature leakage in collaborative learning
  3. Speech Domain Attacks: Previous work primarily focused on speaker re-identification and membership inference

Speech Attribute Inference

  1. Traditional Methods: Attribute recognition based on raw speech signals
  2. Privacy Protection: Sensitivity and privacy protection requirements of speech data
  3. This Paper's Contribution: First to focus on attribute inference through model weights alone

Conclusions and Discussion

Main Conclusions

  1. Vulnerability Confirmation: Federated ASR models indeed risk leaking personal attributes through weight updates
  2. Attribute Correlation: Leakage degree is closely related to attribute representation in pretraining data
  3. Defense Strategy: Diversifying pretraining data can effectively mitigate leakage of known attributes

Limitations

  1. Experimental Scale: Some tasks have limited sample sizes, potentially affecting result generalizability
  2. Language Constraints: Primarily focuses on English speech; leakage in multilingual environments requires further investigation
  3. Attack Model: Only considers passive attackers; active attacks may produce more severe leakage
  4. Practical Constraints: The single-utterance fine-tuning assumption may not fully align with real federated learning scenarios

Future Directions

  1. Defense Mechanisms: Develop more effective privacy protection techniques such as differential privacy and secure aggregation
  2. Multilingual Research: Extend to multilingual and cross-lingual scenarios
  3. Dynamic Defense: Research methods for real-time detection and defense against attribute leakage
  4. Theoretical Analysis: Analyze the fundamental causes of attribute leakage from a theoretical perspective

In-depth Evaluation

Strengths

  1. Significant Research Value: First systematic revelation of attribute leakage vulnerabilities in federated ASR models with important privacy protection implications
  2. Reasonable Methodology Design: Attack method is simple and effective; threat model is realistic and credible
  3. Comprehensive Experiments: Covers multiple attributes, multiple models, and detailed analytical experiments
  4. Deep Insights: Discovers important correlation between pretraining data diversity and privacy protection
  5. Practical Value: Provides important guidance for privacy protection in federated learning systems

Weaknesses

  1. Dataset Limitations: Some experiments use relatively small datasets, potentially affecting statistical reliability of results
  2. Attack Assumptions: Single-utterance fine-tuning assumption is oversimplified; practical applications typically use more data
  3. Limited Defense Evaluation: Defense method evaluation is relatively limited; requires more comprehensive security analysis
  4. Computational Complexity: Lacks detailed analysis of attack computational costs and feasibility

Impact

  1. Academic Contribution: Opens new research directions in federated learning privacy, expected to inspire related research
  2. Practical Guidance: Provides important security considerations for industrial deployment of federated ASR systems
  3. Policy Impact: Research results may influence formulation and implementation of relevant privacy protection regulations
  4. Technology Advancement: Promotes development of safer federated learning algorithms and privacy protection techniques

Applicable Scenarios

  1. Federated ASR Systems: Directly applicable to security assessment of various federated speech recognition applications
  2. Privacy Auditing: Can serve as a security auditing tool for privacy protection systems
  3. Model Design: Provides important reference for designing safer speech models
  4. Regulatory Compliance: Helps organizations assess and ensure compliance of speech AI systems

References

  1. Baevski et al. "wav2vec 2.0: A framework for self-supervised learning of speech representations." NeurIPS 2020.
  2. Hsu et al. "HuBERT: Self-supervised speech representation learning by masked prediction of hidden units." IEEE/ACM TASLP 2021.
  3. Radford et al. "Robust speech recognition via large-scale weak supervision." ICML 2023.
  4. Shokri et al. "Membership inference attacks against machine learning models." IEEE S&P 2017.
  5. Melis et al. "Exploiting unintended feature leakage in collaborative learning." IEEE S&P 2019.

This paper reveals important privacy risks in federated learning within the speech domain, providing valuable insights and guidance for building safer speech AI systems. The research not only possesses significant academic value but also carries profound implications for practical applications.