Graph Neural Networks: Unmasking Privacy Risks in a Connected World

Graph neural networks (GNNs) have become the go-to solution for tasks like node classification and link prediction. But there's a looming shadow in their widespread use: privacy risks. Training-data leakage in GNNs isn't just a hypothetical concern. it's a real issue amplified by the very structure that makes these networks powerful.

The Graph-Specific Privacy Quandary

Privacy risks in GNNs aren't your typical data leakage problems. Most research has borrowed privacy assumptions from non-graph domains, ignoring the fact that graphs are inherently different. Picture a web where nodes and edges weave complex patterns, and you begin to see the unique challenge. A graph-specific analysis of privacy risk is essential, yet often overlooked.

One area of concern is membership inference (MI) over node-neighborhood tuples. Two major dimensions shape this discussion: how we construct training graphs and what edges we access during inference. Both factors play significant roles in either safeguarding or exposing sensitive data.

Sampling Techniques: A Double-Edged Sword

The choice between snowball sampling and uniform random node sampling for training graph construction isn't trivial. Snowball sampling, while structure-aware, ironically hampers generalization due to its coverage bias. It's like trying to learn from an echo chamber. On the flip side, uniform random node sampling often provides a more generalized picture, promoting better data privacy.

Yet, the story doesn't end there. Allowing access to inter-train-test edges during inference improves test accuracy and narrows the train-test gap. However, it's a double-edged sword. This access can either amplify or reduce membership advantage, making privacy a moving target rather than a fixed concern.

Rethinking Privacy Auditing in Graphs

Here's the kicker: the generalization gap, a traditional measure of model performance, fails as a reliable proxy for membership inference risk. Membership advantage can swing wildly, independent of changes in this gap. Often, inference-time edge access holds the secret to these fluctuations.

Why should you care? Because for node-level tasks, standard privacy-auditing results don't translate to inductive graph settings. In graphs, training and test nodes aren't just interchangeable data points, they're structurally intertwined. This interconnectedness defies conventional privacy audits.

If our privacy measures can't adapt to this complexity, do they really protect us? If it's not private by default, it's surveillance by design. The chain remembers everything, and that's a cause for concern, especially when privacy is a prerequisite for freedom.

For those interested, the code and data behind these findings are publicly available. But let's not fool ourselves. This isn't just an academic exercise. It's a clarion call for those who champion privacy in a hyper-connected world.