GRAND: Graph Release with Assured Node Differential Privacy

TL;DR

GRAND delivers a practical node-differentially private graph-release mechanism that preserves structural properties under broad latent-space models. It uses a holdout-based, data-perturbation pipeline to privatize latent coordinates via distribution-invariant transformations and then reconstructs a private network whose distribution matches the original asymptotically. Theoretical guarantees show DP for the released network and distributional/moment convergence of latent vectors and motif densities, with simulations and real-data experiments demonstrating superior structure preservation relative to naive noise methods. The approach enables privacy-protective sharing of complete networks with node-level guarantees while maintaining utility for downstream motif and centrality analyses.

Abstract

Differential privacy is a well-established framework for safeguarding sensitive information in data. While extensively applied across various domains, its application to network data -- particularly at the node level -- remains underexplored. Existing methods for node-level privacy either focus exclusively on query-based approaches, which restrict output to pre-specified network statistics, or fail to preserve key structural properties of the network. In this work, we propose GRAND (Graph Release with Assured Node Differential privacy), which is, to the best of our knowledge, the first network release mechanism that releases networks while ensuring node-level differential privacy and preserving structural properties. Under a broad class of latent space models, we show that the released network asymptotically follows the same distribution as the original network. The effectiveness of the approach is evaluated through extensive experiments on both synthetic and real-world datasets.

Figures (12)

• Figure 1: The proposed privacy-preserving scheme illustrated: An $N \times N$ adjacency matrix $A$ is used as the input, and a private version of a $n \times n$ subnetwork $A^{11}$, namely $\tilde{A}^{11}$, is generated as the output. All privacy vulnerable quantities are colored in red. Each of the latent vectors of nodes $i \le n$ is separately estimated by a node-wise estimation with the help of hold-out estimates $\{\hat{Z}_i\}_{i> n}$.
• Figure 2: Comparison of node-level statistic distribution preservation for $\rho=0.05$ with $n=4000$ and $d=3$ under the inner product latent space model (LSM) and random dot product graph (RDPG) model. Values are the average Wasserstein distance over 100 replications. The average distances are more than ten times larger than their corresponding standard errors; therefore, standard errors are omitted for brevity.
• Figure 4: The distributions of five local statistics of the privatized Caltech social network with privacy budget $\varepsilon=1$.
• Figure 5: The distributions of five local properties of the privatized statisticians' coauthorship network with privacy budget $\varepsilon=1$.
• Figure 6: The distributions of four node (true/privatized) attributes across two communities in the (true/privatized) friendship network. The color of each cell indicates the proportion of the combination of values.

Theorems & Definitions (67)

• Definition 1: Node Differential Privacy
• Definition 2: General Latent Space Model
• Example 1: Inner Product Latent Space Model hoff2002latent
• Example 2: Random Dot Product Graph young2007random
• Remark 1
• Remark 2
• Remark 3: Privacy of the Holdout Set
• Remark 4: Tradeoff for the Private Network Size
• Remark 5
• Theorem 1