pith. sign in

arxiv: 2605.01987 · v1 · submitted 2026-05-03 · 💻 cs.LG

Misclassification Rate and Privacy-Utility Trade-offs in Graph Convolutional Networks via Subsampling Stability

Yexin Zhang , Zhongtian Ma , Qiaosheng Zhang , Zhen Wang This is my paper

Pith reviewed 2026-05-09 17:25 UTC · model grok-4.3

classification 💻 cs.LG
keywords differential privacygraph convolutional networkssubsampling stabilitymisclassification rateprivacy-utility trade-offgraph neural networkssubsampling probability
0
0 comments X

The pith

Subsampling stability in GCNs produces explicit upper bounds on misclassification rate under differential privacy and identifies feasible ranges for the subsampling probability that balance privacy and accuracy.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that graph convolutional networks trained with differential privacy admit upper bounds on their misclassification rate that are stated directly in terms of the subsampling probability used in the privacy mechanism. These bounds arise from the networks' subsampling stability property, which controls how the addition or removal of a single data point affects the output distribution. The work then locates intervals for this probability in which the stability condition yields non-vacuous privacy guarantees while the accuracy loss remains limited. Outside these intervals either the privacy proof becomes vacuous or predictive performance drops sharply. The resulting characterization supplies the first explicit theoretical handle on the privacy-utility trade-off for this model class.

Core claim

Upper bounds on the misclassification rate of differentially private GCNs can be derived that depend explicitly on the subsampling probability p_s; feasible ranges for p_s exist in which the stability-based privacy condition is satisfied with non-vacuous guarantees while accuracy does not deteriorate excessively.

What carries the argument

The subsampling stability property of GCNs, which bounds the change in output distribution when a single node or edge is added or removed under random subsampling with probability p_s.

If this is right

  • Misclassification rate admits an explicit upper bound linear in or otherwise dependent on the chosen subsampling probability.
  • When p_s exceeds an upper threshold the stability condition for privacy can no longer be met with non-vacuous parameters.
  • When p_s falls below a lower threshold the resulting accuracy becomes arbitrarily poor.
  • The feasible interval for p_s therefore supplies a concrete prescription for selecting the subsampling rate in private GCN training.
  • The same stability argument applies to both node classification and link prediction tasks on graphs.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same stability-based bounding technique could be applied to other message-passing architectures beyond the basic GCN.
  • Practitioners could pre-compute the feasible p_s interval for a given graph and privacy budget before training begins.
  • Tighter bounds might be obtained by replacing the worst-case stability analysis with average-case or data-dependent versions.
  • The framework suggests that privacy noise can be calibrated directly through subsampling rather than through explicit noise injection at every layer.

Load-bearing premise

The subsampling stability property of GCNs can be leveraged to obtain non-vacuous and explicitly computable upper bounds on misclassification rate while the resulting feasible intervals for p_s remain practically relevant.

What would settle it

An explicit counter-example or numerical instance in which the derived upper bound on misclassification rate is violated for a value of p_s that satisfies the stability condition, or an empirical setting where no non-empty interval of p_s satisfies both the privacy condition and a target accuracy level.

read the original abstract

We study differential privacy (DP) in Graph Convolutional Networks (GCNs) through the framework of \textit{subsampling stability}. We derive upper bounds on the misclassification rate that depend explicitly on the subsampling probability $p_s$. Furthermore, we characterize the \textit{privacy--utility trade-off} by identifying feasible ranges of $p_s$; if $p_s$ is too large, the stability-based privacy condition becomes difficult to satisfy, yielding vacuous guarantees, whereas if it is too small, accuracy deteriorates. Our results provide the first rigorous theoretical framework for understanding subsampling stability in GCNs under DP.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 1 minor

Summary. The paper studies differential privacy in Graph Convolutional Networks (GCNs) through the lens of subsampling stability. It derives upper bounds on the misclassification rate that depend explicitly on the subsampling probability p_s and characterizes the privacy-utility trade-off by identifying feasible ranges of p_s, where large p_s yields vacuous privacy guarantees and small p_s degrades accuracy. The work positions itself as providing the first rigorous theoretical framework for subsampling stability in GCNs under DP.

Significance. If the bounds are non-vacuous and the feasible p_s ranges are both computable and tight, the results would supply a concrete theoretical tool for analyzing privacy-utility trade-offs in graph neural networks. This could guide the selection of subsampling parameters in privacy-sensitive GCN applications and extend stability-based analyses beyond simpler models.

minor comments (1)
  1. Abstract: the phrase 'stability-based privacy condition' is introduced without a brief inline definition or reference to its formal statement, which reduces immediate readability for readers outside the subsampling-stability literature.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for their summary of our work on differential privacy in GCNs via subsampling stability. We appreciate the assessment that the results could provide a concrete theoretical tool if the bounds are non-vacuous and the p_s ranges are computable and tight. No specific major comments were listed in the report.

Circularity Check

0 steps flagged

No significant circularity detected

full rationale

The paper derives explicit upper bounds on GCN misclassification rate as a function of subsampling probability p_s directly from the subsampling stability property, then identifies feasible p_s intervals that trade off the stability-based privacy condition against accuracy. No load-bearing step reduces by construction to a fitted parameter, self-referential definition, or self-citation chain; the bounds and ranges are presented as independent consequences of the stability framework with no internal reduction to the inputs. The derivation chain remains self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

Only abstract available; the central claim rests on standard differential privacy definitions and the existence of a subsampling stability property for GCNs whose quantitative form is not shown here.

axioms (2)
  • standard math Standard differential privacy definitions and composition rules
    Invoked to translate stability into privacy guarantees.
  • domain assumption Subsampling stability of GCNs can be quantified and used to bound misclassification rate
    This is the load-bearing modeling assumption that enables the explicit p_s dependence.

pith-pipeline@v0.9.0 · 5408 in / 1322 out tokens · 31540 ms · 2026-05-09T17:25:44.546380+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

26 extracted references · 5 canonical work pages · 2 internal anchors

  1. [1]

    INTRODUCTION Graph signal processing has become instrumental in many domains, such as network science, recommendation systems, and cybersecurity [1, 2]. Graph Neural Networks (GNNs), and in particular Graph Convolutional Networks (GCNs), have emerged as powerful tools for learning from such data, leveraging iterative aggregation of neighborhood informa- t...

    work page internal anchor Pith review Pith/arXiv arXiv 2026

  2. [2]

    Graph Convolutional Networks Given an input graphG= (V, E)withn=|V|nodes, the adjacency matrix of the graph is denoted byA∈ {0,1} n×n

    PRELIMINARIES AND PROBLEM SETUP 2.1. Graph Convolutional Networks Given an input graphG= (V, E)withn=|V|nodes, the adjacency matrix of the graph is denoted byA∈ {0,1} n×n. We denote the degree matrixD= diag(d 1, . . . , dn)with di =Pn j=1 Aij, and the (combinatorial) graph Laplacian as L=D−A. When only first-order neighborhood information is retained (i.e...

  3. [3]

    , Gm}via edge- level subsampling, where each edge is retained independently with probabilityp s ∈(0,1]

    SUBSAMPLING STABILITY MECHANISM Given an input graphG= (V, E)withn=|V|nodes, we generatemindependent subgraphs{G 1, . . . , Gm}via edge- level subsampling, where each edge is retained independently with probabilityp s ∈(0,1]. For each subsampled graph Gℓ, a base GCN classifier produces a binary node labeling ˆy(Gℓ)∈ {±1} n. The stability of this classifie...

  4. [4]

    We then provide a quantitative characterization of the privacy–utility trade-off exhibited by AsampGCN (Theorem 5)

    THEORETICAL RESULTS We first derive upper bounds on the misclassification rate for both a single subsampled graph and the fullA sampGCN (Theorem 3 and Theorem 4). We then provide a quantitative characterization of the privacy–utility trade-off exhibited by AsampGCN (Theorem 5). Theorem 3(Misclassification Rate of GCN on a Single Sub- sampled Graph).Let bG...

  5. [5]

    Thus the output of the subsampled graph isf(eG) :=σ (h0I+ h1eL)x

    PROOF OF THEOREM 3 We consider a one-layer GCNf(G) :=σ (h0I+h 1L)x , whereh 0, h1 ∈Rare the filter parameters,x∈R n represents node feature vector, andσis the nonlinear activation function. Thus the output of the subsampled graph isf(eG) :=σ (h0I+ h1eL)x . The feature-level change is measured byd f(G,eG) := f(G)−f( eG) 2 .For convenience, we writeH(L) := ...

  6. [6]

    CONCLUSION In this work, we study differential privacy in GCNs through the framework of subsampling stability, and formalize a stability-based PTR mechanism (AsampGCN) built on edge- level subsampling and majority-vote aggregation for private node labeling. We derive misclassification-rate bounds that depend explicitly on the subsampling probabilityp s, a...

  7. [7]

    The graph neural network model,

    Franco Scarselli, Marco Gori, Ah Chung Tsoi, Markus Hagenbuchner, and Gabriele Monfardini, “The graph neural network model,”IEEE Transactions on Neural Networks, vol. 20, no. 1, pp. 61–80, 2008

    2008

  8. [8]

    Graph neural networks for social recommendation,

    Wenqi Fan, Yao Ma, Qing Li, Yuan He, Eric Zhao, Jil- iang Tang, and Dawei Yin, “Graph neural networks for social recommendation,” inThe World Wide Web Con- ference, 2019, pp. 417–426

    2019

  9. [9]

    Semi-Supervised Classification with Graph Convolutional Networks

    TN Kipf and Max Welling, “Semi-supervised classifica- tion with graph convolutional networks,”arXiv preprint arXiv:1609.02907, 2016

    work page internal anchor Pith review arXiv 2016

  10. [10]

    Graph neural networks for node classification,

    Jian Tang and Renjie Liao, “Graph neural networks for node classification,” inGraph Neural Networks: Foundations, Frontiers, and Applications, pp. 41–61. Springer, 2022

    2022

  11. [11]

    Private analysis of graph structure,

    Vishesh Karwa, Sofya Raskhodnikova, Adam Smith, and Grigory Yaroslavtsev, “Private analysis of graph structure,”Proceedings of the VLDB Endowment, vol. 4, no. 11, pp. 1146–1157, 2011

    2011

  12. [12]

    Stealing links from graph neu- ral networks,

    Xinlei He, Jinyuan Jia, Michael Backes, Neil Zhenqiang Gong, and Yang Zhang, “Stealing links from graph neu- ral networks,” in30th USENIX Security Symposium, 2021, pp. 2669–2686

    2021

  13. [13]

    Membership inference attack on graph neural net- works,

    Iyiola E Olatunji, Wolfgang Nejdl, and Megha Khosla, “Membership inference attack on graph neural net- works,” in2021 Third IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications, 2021, pp. 11–20

    2021

  14. [14]

    The algorithmic foundations of differential privacy,

    Cynthia Dwork and Aaron Roth, “The algorithmic foundations of differential privacy,”Foundations and Trends® in Theoretical Computer Science, vol. 9, no. 3–4, pp. 211–407, 2014

    2014

  15. [15]

    Progap: Progressive graph neural networks with differential pri- vacy guarantees,

    Sina Sajadmanesh and Daniel Gatica-Perez, “Progap: Progressive graph neural networks with differential pri- vacy guarantees,” inProceedings of the 17th ACM Inter- national Conference on Web Search and Data Mining, 2024, pp. 596–605

    2024

  16. [16]

    Node-level differentially private graph neural networks,

    Ameya Daigavane, Gagan Madan, Aditya Sinha, Abhradeep Guha Thakurta, Gaurav Aggarwal, and Pra- teek Jain, “Node-level differentially private graph neural networks,”arXiv preprint arXiv:2111.15521, 2021

    work page arXiv 2021

  17. [17]

    Deep learning with differential privacy,

    Martin Abadi, Andy Chu, Ian Goodfellow, H Brendan McMahan, Ilya Mironov, Kunal Talwar, and Li Zhang, “Deep learning with differential privacy,” inProceed- ings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 308–318

    2016

  18. [18]

    Training differen- tially private graph neural networks with random walk sampling,

    Morgane Ayle, Jan Schuchardt, Lukas Gosch, Daniel Z¨ugner, and Stephan G ¨unnemann, “Training differen- tially private graph neural networks with random walk sampling,”arXiv preprint arXiv:2301.00738, 2023

    work page arXiv 2023

  19. [19]

    {GAP}: Differen- tially private graph neural networks with aggregation perturbation,

    Sina Sajadmanesh, Ali Shahin Shamsabadi, Aur ´elien Bellet, and Daniel Gatica-Perez, “{GAP}: Differen- tially private graph neural networks with aggregation perturbation,” in32nd USENIX Security Symposium (USENIX Security 23), 2023, pp. 3223–3240

    2023

  20. [20]

    Differentially private community de- tection for stochastic block models,

    Mohamed S Mohamed, Dung Nguyen, Anil Vullikanti, and Ravi Tandon, “Differentially private community de- tection for stochastic block models,” inInternational Conference on Machine Learning. PMLR, 2022, pp. 15858–15894

    2022

  21. [21]

    On the price of differential privacy for spectral clus- tering over stochastic block models,

    Antti Koskela, Mohamed Seif, and Andrea J Goldsmith, “On the price of differential privacy for spectral clus- tering over stochastic block models,”arXiv preprint arXiv:2505.05816, 2025

    work page arXiv 2025

  22. [22]

    Differentially private sketch-and- solve for community detection via semidefinite pro- gramming,

    Mohamed Seif, Yanxi Chen, Andrea J Goldsmith, and H Vincent Poor, “Differentially private sketch-and- solve for community detection via semidefinite pro- gramming,”IEEE Journal on Selected Areas in Infor- mation Theory, vol. 5, pp. 331–346, 2024

    2024

  23. [23]

    Differen- tially private feature selection via stability arguments, and the robustness of the lasso,

    Abhradeep Guha Thakurta and Adam Smith, “Differen- tially private feature selection via stability arguments, and the robustness of the lasso,” inConference on Learning Theory. PMLR, 2013, pp. 819–850

    2013

  24. [24]

    Stability of graph convolutional neural networks through the lens of small perturbation analysis,

    Lucia Testa, Claudio Battiloro, Stefania Sardellitti, and Sergio Barbarossa, “Stability of graph convolutional neural networks through the lens of small perturbation analysis,” inICASSP 2024 IEEE International Con- ference on Acoustics, Speech and Signal Processing (ICASSP). IEEE, 2024, pp. 6865–6869

    2024

  25. [25]

    When do graph neural networks help with node classification? investigating the homophily principle on node distinguishability,

    Sitao Luan, Chenqing Hua, Minkai Xu, Qincheng Lu, Jiaqi Zhu, Xiao-Wen Chang, Jie Fu, Jure Leskovec, and Doina Precup, “When do graph neural networks help with node classification? investigating the homophily principle on node distinguishability,”Advances in Neu- ral Information Processing Systems, vol. 36, pp. 28748– 28760, 2023

    2023

  26. [26]

    Pac-bayes un-expected bernstein inequality,

    Zakaria Mhammedi, Peter Gr ¨unwald, and Benjamin Guedj, “Pac-bayes un-expected bernstein inequality,” Advances in Neural Information Processing Systems, vol. 32, 2019

    2019