Online personalized recommendation services are generally hosted in the cloud
where users query the cloud-based model to receive recommended input such as
merchandise of interest or news feed. State-of-the-art recommendation models
rely on sparse and dense features to represent users' profile information and
the items they interact with. Although sparse features account for 99% of the
total model size, there was not enough attention paid to the potential
information leakage through sparse features. These sparse features are employed
to track users' behavior, e.g., their click history, object interactions, etc.,
potentially carrying each user's private information. Sparse features are
represented as learned embedding vectors that are stored in large tables, and
personalized recommendation is performed by using a specific user's sparse
feature to index through the tables. Even with recently-proposed methods that
hides the computation happening in the cloud, an attacker in the cloud may be
able to still track the access patterns to the embedding tables. This paper
explores the private information that may be learned by tracking a
recommendation model's sparse feature access patterns. We first characterize
the types of attacks that can be carried out on sparse features in
recommendation models in an untrusted cloud, followed by a demonstration of how
each of these attacks leads to extracting users' private information or
tracking users by their behavior over time