On the (Im)possibility of Preserving Utility and Privacy in Personalized Social Recommendations
Ashwin Machanavajjhala, Aleksandra Korolova, Atish Das Sarma
ABSTRACT
With the recent surge of social networks like Facebook, new forms of recommendations have become possible: personalized recommendations of ads, content, and even new social and product connections based on one's social interactions. In this paper, we study whether "social recommendations", or recommendations that utilize a user's social network, can be made without disclosing sensitive links between users. More precisely, we quantify the loss in utility when existing recommendation algorithms are modified to satisfy a strong notion of privacy called differential privacy. We prove lower bounds on the minimum loss in utility for any recommendation algorithm that is differentially private. We also propose two recommendation algorithms that satisfy differential privacy, analyze their performance in comparison to the lower bound, both analytically and experimentally, and show that good private social recommendations are feasible only for a few users in the social network or for a lenient setting of privacy parameters.
1. INTRODUCTION
Making recommendations or suggestions to users to increase their degree of engagement is a common practice for websites. For instance, Facebook recommends friends to existing users, Amazon suggests products, and Netflix recommends movies, in each case with the goal of making as relevant a recommendation to the user as possible. Recommending the right content, product, or ad to an individual is one of the most important tasks in today's web companies. With the boom in social networking, many companies are striving to incorporate the likes and dislikes of an individual's social neighborhood. There has been much research and industrial activity to solve two problems: (a) recommending content, products, and ads based not only on the individual's prior history but also on the history of those the individual trusts [12, 2], and (b) recommending others whom the individual might trust. Recommendations based on social connections are especially effective for users who
have seen very few movies, bought only a couple of products, or never clicked on ads; while traditional recommender systems default to generic recommendations, a social-network-aware system can provide useful recommendations based on active friends. Companies like TrustedOpinion and SoMR generate content and ad recommendations by leveraging social networks. In fact, Facebook (http://developers.facebook.com/connect.php), Yahoo! (http://developer.yahoo.com/yos/intro/), and Google are opening their social networks to third-party developers to encourage social network-aware recommender systems.

In addition, a social network might want to use a different underlying social network, such as one derived from e-mail records or Instant Messenger connections, to suggest friends (e.g., Facebook already uses contacts imported from an address book as suggestions). Social connections could also be used to recommend products or advertisements to users: Netflix (or Opentable or Yelp) could recommend movies (or restaurants) to a subscriber based on her friends' activities and ratings. In fact, rather than using the entire social graph, the system could use only a subset of trusted edges for each application (for instance, a user might only trust the movie recommendations of a subset of her friends).

However, these improved recommendations based on social connections come at a cost: a recommendation can potentially lead to a privacy breach by revealing sensitive information. For instance, while the social network links might be public, both the user-product links and the user-user trust links must be kept secret. (Knowing that your friend doesn't trust your judgement about books might be a breach of privacy.) Similarly, revealing an edge in an e-mail graph, or revealing that a particular user purchased a sensitive product, constitutes a potentially serious breach of user privacy. Recommendations can indeed lead to such privacy breaches even without the use of social connections in the recommendation algorithm [5]. The privacy concerns posed by recommender systems and the use of the social network graph have been at the forefront of industry discussion on the topic. In 2007, Facebook attempted to incorporate the product purchases made by one's friends into the stream of news one receives while visiting the site, through a product called Beacon. Its launch showed that people interact with many websites and products in ways that they would not want their friends to know about, leading to several privacy lawsuits and the eventual complete removal of the
feature by Facebook.

In this paper, we present the first theoretical study of the privacy-utility trade-offs in social recommender systems. While there are many different settings where social recommendations are used (friend/product recommendations, or trust propagation), and each leads to a slightly different formulation of the privacy problem (the sensitive information is different in each case), all these problems have the following common structure: recommendations are made on a graph where some subset of edges is sensitive. For clarity of exposition, we ignore (by and large) scenario-specific constraints and focus on the following general model. We consider a graph where all the edges are sensitive, and an algorithm that recommends a single node v in the graph to some target node u. We assume that the algorithm is based on a utility function that encodes the "goodness" of recommending each node in the graph to this target node. Suggestions for utility functions include the number of common neighbors, weighted paths, and PageRank distributions [21]. We consider an attacker who wishes to deduce the existence of a single edge (x, y) in the graph by passively observing the recommendation (v, u). We measure the privacy of the algorithm using differential privacy: the ratio of the likelihoods of the algorithm recommending (v, u) on the graph with the edge (x, y) and on the graph without the edge (x, y), respectively. In this setting, we ask the question: to what extent can edge recommendations be accurate while preserving differential privacy?

Our Contributions and Overview.
In this paper we present the following results on the accuracy of differentially private social recommendations.

• We present a trade-off between the accuracy and privacy of any social recommendation algorithm based on any general utility function. This trade-off shows an inevitable lower bound on the privacy parameter $\epsilon$ that must be incurred by an algorithm that wishes to guarantee any constant-factor approximation of the maximum utility. (Section 4)

• We present lower bounds on accuracy and privacy for algorithms based on specific utility functions previously suggested for recommending edges in a social network: number of common neighbors and weighted paths [21]. Our trade-offs for these specific utility functions give stronger lower bounds than the general one that applies to all utility functions. (Section 5)

• We adapt two well-known privacy-preserving algorithms from the differential privacy literature to the problem of social recommendations. The first (which we call Laplace) is based on adding random noise drawn from a Laplace distribution to the utility vector [8] and then recommending the highest-utility node. The second (Exponential) is based on exponential smoothing [15]. We analyze and compare the accuracy of the two algorithms and comment on their relative merits. (Section 6)

• We perform experiments on a real graph using the number of common neighbors utility function. The experiments compare the algorithms Laplace and Exponential against our lower bound. Our experiments suggest three takeaways: (i) for most nodes, the lower bounds imply a huge inevitable trade-off between privacy and accuracy when making social recommendations; (ii) the more natural Laplace algorithm performs as well as Exponential; and (iii) for a large fraction of nodes, both Laplace and Exponential almost achieve the maximum accuracy level permitted by our theoretical lower bound. (Section 7)

• We briefly consider the setting where an algorithm may not know (or be able to compute efficiently) the entire utility vector. Both the Laplace and Exponential algorithms assume knowledge of all the utilities (for every node) when recommending to a target node. We propose and analyze a sampling-based linear smoothing algorithm that does not require all utilities to be pre-computed. We conclude by mentioning several directions for future work. (Section 8)

We now discuss related work, and then formalize the models and definitions in Section 3.
2. RELATED WORK
Several papers propose that the available social connections can be effectively utilized for enhancing online applications [12, 2]. Golbeck [10] uses the trust relationships expressed through social connections for personalized movie recommendations and shows that the accuracy of the ratings outperforms that of a collaborative filtering algorithm which does not utilize the social graph. Mislove et al. [16] attempt an integration of web search with social networks, and explore the use of trust relationships, such as social links, to thwart unwanted communication [17]. Approaches incorporating trust models into recommender systems are gaining momentum both in academic research [25], [18], [23] and in real products. Examples include Chorus, which provides social app recommendations for the iPhone; Fruugo (http://fruugo.com/), a social e-commerce site; and WellNet's online social networking program for health care coordination.

Calandrino et al. [5] demonstrate that algorithms that recommend products based on friends' purchases have very practical privacy concerns: "passive observations of Amazon.com's recommendations are sufficient to make valid inferences about individuals' purchase histories". McSherry et al. [14] show how to adapt the leading algorithms used in the Netflix Prize for movie recommendations to make privacy-preserving recommendations. Their work does not apply to algorithms that rely on the underlying social graph between users, as the user-user connections were not released as part of the Netflix competition. Aïmeur et al. [1] study the problem of personalized recommendations in general. Dwork et al. [9] pose the problem of constructing differentially private analyses of social networks. Toubiana et al. [24] propose a framework for privacy-preserving targeted advertising; while targeting based on user history is considered, targeting based on social interactions is not.

A related and independent work [4] considers the problem of mining top-k frequent itemsets. Although they consider mechanisms analogous to the ones we propose, since we solve two different problems, the focus of their analysis, notion of utility, and conclusions substantially differ from ours.
3. MODEL
In this section, we describe the model for privacy-preserving social recommendations. We first define a social recommendation algorithm and then introduce the notions of monotonicity and accuracy of an algorithm. We then define axioms, followed by the typical utility functions that such algorithms are based on. Finally, we define differential privacy.
Let $G = (V, E)$ be the graph that describes the social network. Each recommendation is an edge $(i, r)$, where node i is recommended to the target node r. Given a graph G and a target node r, we denote the utility of recommending node i to node r by $u_i^{G,r}$. Further, we assume that a recommendation algorithm R is a probability vector over all nodes. Let $p_i^{G,r}$ denote the probability that a specified algorithm recommends node i to node r in graph G. When the graph G and the target node r are clear from context, we drop G and r from the notation: $u_i$ denotes the utility of recommending i, and $p_i$ denotes the probability that R recommends i. We further define $u_{max} = \max_i u_i$.

We consider algorithms that attempt to maximize the expected utility ($\sum_i u_i \cdot p_i$) of each recommendation. If we assume (without loss of generality) that the utility of the least useful recommendation is 0, the accuracy of such an algorithm can be defined as:

Definition 1 (Accuracy).
An algorithm A is said to be $(1-\delta)$-accurate if, given any set of utilities $u_i$ (for all i) denoted by $\vec{u}$, A recommends node i with probability $p_i$ such that

  $(1-\delta) = \min_{\vec{u}} \frac{\sum_i u_i p_i}{u_{max}}$.

Therefore, an algorithm is $(1-\delta)$-accurate if, for any utility vector, the algorithm's expected utility is at least $(1-\delta)$ times the utility of the highest-utility node in the given utility vector. It is easy to check that, for the case when the utility of the least useful recommendation is $u_{min}$, all of our subsequent discussions hold with accuracy defined as the corresponding fraction of the difference between $u_{max}$ and $u_{min}$.
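To make Definition 1 concrete, here is a minimal Python sketch (ours, not from the paper; names are illustrative) that evaluates the expected-utility ratio on one particular utility vector:

```python
import numpy as np

def accuracy(utilities, probabilities):
    """Expected utility of a recommendation distribution divided by u_max.

    This evaluates the ratio from Definition 1 on a single utility vector;
    the definition itself takes the minimum of this ratio over all vectors.
    Assumes the least useful recommendation has utility 0.
    """
    u = np.asarray(utilities, dtype=float)
    p = np.asarray(probabilities, dtype=float)
    return float(u @ p) / u.max()

# An algorithm placing weight 0.7 on the best node and 0.3 on a node of
# half the utility achieves 0.7 + 0.3 * 0.5 = 0.85 on this vector.
print(accuracy([10, 5, 0, 0], [0.7, 0.3, 0.0, 0.0]))  # 0.85
```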
Scale Invariance of Sensitivity and Utility Functions. We initiate a small discussion of what happens when the utility values of all potential recommendable nodes are scaled by a multiplicative factor, or changed by an additive constant. Intuitively, since the scale of utilities is chosen arbitrarily, one would expect the algorithms and the analysis to be invariant to such numeric changes. However, because of the constraints imposed by the desire to be privacy-preserving, where the privacy preservation is with respect to the presence or absence of a particular edge, the scale-invariance assumptions require a more careful articulation. In particular, the crucial point of interaction between the privacy requirement and the utility function is the concept of sensitivity, denoted $\Delta f$, which is the maximum change in the utility vector $\vec{u}$ that can occur due to the addition or removal of one edge in the graph. Observe that if we scale a utility function by a multiplicative constant, its sensitivity is scaled by the same constant. Without loss of generality, and for ease of subsequent exposition, we assume that $\Delta f = 1$. This assumption implies that the magnitudes of the utilities are meaningful: a higher utility magnitude corresponds to more edges that need to be added to or removed from the graph in order to achieve it. Equivalently, we could have let the utilities be scale invariant, but would then need to compute and reason in terms of the sensitivity of the utility function.
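As a concrete illustration of sensitivity (a sketch under our own assumptions, using raw common-neighbor counts before any rescaling), one can measure how much a utility vector moves when a single edge is toggled:

```python
import networkx as nx

def l1_change_one_edge(G, r, a, b):
    """L1 change in the common-neighbors utility vector for target r
    caused by adding edge (a, b).

    For raw counts this can be as large as deg(a) when b is r itself
    (every neighbor of a gains a common neighbor with r); the Delta_f = 1
    convention above corresponds to rescaling utilities so that the worst
    case over all edges and targets is 1.
    """
    def utilities(H):
        return {i: len(list(nx.common_neighbors(H, i, r)))
                for i in H if i != r}
    before = utilities(G)
    H = G.copy()
    H.add_edge(a, b)
    after = utilities(H)
    return sum(abs(after[i] - before[i]) for i in before)
```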
Another property that is natural for a recommendation algorithm is monotonicity:

Definition 2 (Monotonicity). An algorithm is said to be monotonic if $\forall i, j$, $u_i \ge u_j$ implies $p_i \ge p_j$.

We now define two axioms that we believe should be satisfied by any meaningful utility function in the context of recommendations on a social network. These axioms are later used in proving our theoretical results. Our axioms are inspired by the work of [21] and the specific utility functions they consider, which include: number of common neighbors, sum of weighted paths, and PageRank-based utility measures.
Axiom 1 (Exchangeability).
Let G be a graph and let h be an isomorphism on the nodes giving graph $G_h$, such that for target node r, $h(r) = r$. Then $\forall i$: $u_i^{G,r} = u_{h(i)}^{G_h,r}$.

This axiom captures the intuition that the utility of a node i should not depend on the node's name. Rather, its utility with respect to target node r depends only on the structural properties of the graph, and so nodes that are isomorphic from the perspective of the target node r should have the same utility.

Axiom 2 (Concentration).
There exists $S \subset V(G)$ such that $|S| = \beta$ and $\sum_{i \in S} u_i \ge \Omega(1) \sum_{i \in V(G)} u_i$.

This says that there are some β nodes that together have at least a constant fraction of the total utility mass. This axiom is likely to be satisfied for small enough β, since usually there are a few nodes that are very good to recommend and many that are not so good.

In the subsequent lower bound sections, we only consider monotonic algorithms for utility functions that satisfy the exchangeability axiom as well as the concentration axiom for a reasonable choice of β.

A running example throughout the paper of a utility function that satisfies these axioms in practical settings and is often deployed [21] is the number of common neighbors utility function: given a target node r and a graph G, the common neighbors utility metric assigns a utility $u_i^{G,r} = c(i, r)$, where $c(i, r)$ is the number of common neighbors between i and r.

Differential privacy [6] is a strong definition of privacy based on the following principle: an algorithm preserves the privacy of an entity if the algorithm's output is not sensitive to the presence or absence of the entity's information in the input data set. In our setting of graph-based social recommendations, we wish to keep the presence (or absence) of an edge in the graph private. Hence, the privacy definition can be formally stated as follows.

Definition 3 (Differential Privacy). A recommendation algorithm R satisfies $\epsilon$-differential privacy if for any pair of graphs G and G' that differ in one edge (i.e., $G = G' + \{e\}$ or vice versa) and every set of possible recommendations S,

  $\Pr[R(G) \in S] \le \exp(\epsilon) \times \Pr[R(G') \in S]$   (1)

where the probabilities are over the random coins of R.

Differential privacy has been widely used in the privacy literature [3, 8, 13, 15, 7], since it is resilient even to adversaries who know all but one edge in the graph, and it guarantees privacy across multiple runs of the algorithm. While weaker notions of privacy have also been considered in the literature, in this paper we focus only on the strong differential privacy definition. Since protecting privacy is extremely important in social recommendations, it seems reasonable to first explore and understand the strongest notions of privacy.

In this paper, we only consider the utility of a single social recommendation. We note that in this setting, we can relax the differential privacy definition such that Equation 1 only holds for graphs G and G' that differ in an edge e that is not incident on r, the target of the recommendation. This mirrors the natural setting where (a) one recommendation is made to the attacker (r), and (b) only the target node (the attacker) sees the recommendation. For pairs G and G' that differ in an edge e = (i, r), the adversary can only learn about his own neighborhood (which he is aware of to begin with), and not whether two legitimate nodes in the graph are connected. While we consider a single recommendation throughout the paper, we use the relaxed variant of differential privacy only in Sections 5 and 7.
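For concreteness, the running example above can be computed as follows (a minimal sketch; the function name is ours):

```python
import networkx as nx

def common_neighbors_utilities(G, r):
    """Utility vector u_i = c(i, r) for target node r.

    Candidates are nodes other than r that are not already adjacent to r,
    since recommending an existing neighbor is pointless.
    """
    return {i: len(list(nx.common_neighbors(G, i, r)))
            for i in G.nodes() if i != r and not G.has_edge(i, r)}

# Toy example: node 3 shares two neighbors (1 and 2) with target 0.
G = nx.Graph([(0, 1), (0, 2), (1, 3), (2, 3), (1, 4)])
print(common_neighbors_utilities(G, 0))  # {3: 2, 4: 1}
```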
4. GENERAL LOWER BOUND
In this section we prove a lower bound on the privacy parameter $\epsilon$ of any differentially private recommendation algorithm that (a) achieves constant accuracy and (b) is based on any utility function satisfying the exchangeability and concentration axioms.

Let us first sketch the proof technique for the lower bound using the number of common neighbors utility metric, and then state the lower bound for a general utility metric. An interested reader can find the full proofs in the Appendix. Recall that given a target node r and a graph G, the common neighbors utility metric assigns a utility $u_i^{G,r} = c(i, r)$, where $c(i, r)$ is the number of common neighbors between i and r. The nodes in any graph can be split into two groups: $V_{hi}^r$, nodes which have high utility for the target node r, and $V_{lo}^r$, nodes that have low utility. In the case of common neighbors, all nodes i in the 2-hop neighborhood of r (which have at least one common neighbor with r) can be part of $V_{hi}^r$, and the rest are in $V_{lo}^r$. Since the recommendation algorithm has to achieve constant accuracy, it has to recommend one of the high-utility nodes with constant probability.

By the concentration axiom, there are only a few nodes in $V_{hi}^r$ but many nodes in $V_{lo}^r$; in the case of common neighbors, node r may only have tens or hundreds of 2-hop neighbors in a graph of millions of users. Hence, there exist a node i in the high-utility group and a node $\ell$ in the low-utility group such that $\Gamma = p_i / p_\ell$ is very large ($\Omega(n)$). At this point, we show that we can carefully modify the graph G by adding and/or deleting a small number (t) of edges in such a way that the node $\ell$ with the smallest probability of being recommended in G becomes the node with the highest utility in G'. By the exchangeability axiom, we can show that there always exist some t edges that make this possible. For instance, in the common neighbors case, we can do this by adding edges between $\ell$ and t of r's neighbors, where $t > \max_i c(i, r)$. It now follows from differential privacy that $\epsilon \ge \frac{1}{t} \log \Gamma$.

More generally, let $V_{hi}^r$ be the set of nodes $1, \ldots, k$, each of which has utility $u_i > (1-c) u_{max}$, and let $V_{lo}^r$ be the nodes $k+1, \ldots, n$, each of which has utility $u_i \le (1-c) u_{max}$ of being recommended to target node r. Recall that $u_{max}$ is the utility of the highest-utility node. Let t be the number of edge alterations required to turn a node with the smallest probability of being recommended from the low-utility group into a node of maximum utility in the modified graph. The following lemma states the main trade-off between the accuracy parameter δ and the privacy parameter $\epsilon$ of a recommendation algorithm.

Lemma 1. $\epsilon \ge \frac{1}{t} \left( \ln\left(\frac{c-\delta}{\delta}\right) + \ln\left(\frac{n-k}{k+1}\right) \right)$

This lemma gives us a lower bound on the privacy guarantee $\epsilon$ in terms of the utility parameter δ. Equivalently,
Corollary 1. $1 - \delta \le 1 - \frac{c(n-k)}{n-k+(k+1)e^{\epsilon t}}$

By using the concentration axiom with parameter β we can prove the following.

Lemma 2. For $(1-\delta) = \Omega(1)$ and $\beta = o(n/\log n)$,

  $\epsilon \ge \frac{\log n - o(\log n)}{t}$   (2)

This expression can be intuitively interpreted as follows: in order to achieve good accuracy with a reasonable amount of privacy (where $\epsilon$ is independent of n), either the number of nodes with high utility needs to be very large (i.e., β needs to be $\Omega(n/\log n)$), or the number of steps needed to bring any node's utility up to the highest utility needs to be large (i.e., t needs to be $\Omega(\log n)$).

We shall use the relationship from Lemma 2 in the subsequent section to prove stronger lower bounds for specific utility functions. Below we state a generic lower bound that applies to any utility function. Note that we only need an upper bound on t: the tighter the upper bound we can prove on t, the better the lower bound we get for $\epsilon$.

Using the exchangeability axiom, we can show that $t \le 4 d_{max}$ in any graph. Consider the highest-utility node and the lowest-utility node, say x and y respectively. These nodes can be interchanged by deleting all of x's current edges, adding edges from x to y's neighbors, and doing the same for y. This requires at most $4 d_{max}$ changes. Hence,

Theorem 1. For a graph with maximum degree $d_{max} = \alpha \log n$, a differentially private algorithm can guarantee constant accuracy only if

  $\epsilon \ge \frac{1}{4\alpha} \left( 1 - o(1) \right)$   (3)

In the next section, we present stronger lower bounds for two well-studied utility functions: common neighbors and weighted paths.

5. LOWER BOUNDS FOR SPECIFIC UTILITY FUNCTIONS

In this section, we start from Lemma 2 and prove stronger lower bounds for specific utility functions by proving stronger upper bounds on t. Proofs and more details can be found in the Appendix.

Consider a graph and a target node r. As we saw in the previous section, we can make any node x have the highest utility by adding edges to all of r's neighbors. If $d_r$ is r's degree, it suffices to add $t = d_r + O(1)$ edges to make a node the highest-utility node. We state the following theorem for a more general version of the common neighbors utility function.

Theorem 2. Let U be a utility function that depends only on, and is monotonically increasing with, $c(x, y)$, the number of common neighbors between x and y. A recommendation algorithm based on U that guarantees any constant approximation to utility for target node r has a lower bound on privacy given by $\epsilon \ge \frac{1 - o(1)}{\alpha}$, where $d_r = \alpha \log n$.

As we will show in Section 7, this is a very strong lower bound. Since a significant fraction of nodes in real-world graphs have small $d_r$ (due to power-law degree distributions), we can expect no algorithm based on common neighbors utility to be both accurate on most nodes and satisfy differential privacy with a reasonable $\epsilon$.

A natural extension of the common neighbors utility function, and one whose usefulness is supported by the literature [21], is the weighted paths utility function, defined as $\text{score}(s, y) = \sum_{l=2}^{\infty} \gamma^{l-1} |paths^{(l)}(s, y)|$, where $|paths^{(l)}(s, y)|$ denotes the number of length-l paths from s to y. Typically, one would consider using small values of γ.

Let r be the target node. To make node y the highest-utility node, we add edges such that y has $c d_r$ common neighbors with r. The goal is to choose $c > 1$ such that y has the highest utility. This is done by showing that (a) no other node has more than $d_r$ common neighbors with r, and (b) the utility derived from paths of length $\ge 3$ is small compared to the utility of the common neighbors of y and r (for suitably small γ). Finally, we show that this requires adding only $t \le d_r + 2(c-1)d_r + O(1)$ edges.

Theorem 3. For weighted paths based utility functions with parameter γ, we have $t \le (1 + o(1)) d_r$ when making recommendations for node r, if $\gamma = o(1/d_{max})$. Therefore, for an algorithm to guarantee constant approximation to utility, the privacy must be $\epsilon \ge \frac{1 - o(1)}{\alpha}$, where $d_r = \alpha \log n$.
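To get a feel for how severe these bounds are, one can plug illustrative numbers into Corollary 1 (a sketch; the parameter choices below are ours, for illustration only):

```python
import math

def accuracy_upper_bound(n, k, t, eps, c=1.0):
    # Corollary 1: the best accuracy (1 - delta) any eps-differentially
    # private monotonic recommendation algorithm can achieve.
    return 1.0 - c * (n - k) / ((n - k) + (k + 1) * math.exp(eps * t))

# A million-node graph, 100 high-utility candidates, and a target whose
# degree permits t = 20 edge rewirings (t is roughly d_r for common
# neighbors): eps = 0.1 caps accuracy near zero, and even eps = 0.5
# caps it below 0.7.
for eps in (0.01, 0.1, 0.5):
    print(eps, round(accuracy_upper_bound(10**6, 100, 20, eps), 4))
```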
6. PRIVACY-PRESERVING RECOMMENDATION ALGORITHMS
There has been a wealth of literature on developing differentially private algorithms [3, 8, 15]. In this section we adapt two well-known tools, Laplace noise addition [8] and exponential smoothing [15], to our problem. For the purposes of this section, we assume that, given a graph and a target node, our algorithm has access to (or can efficiently compute) the utilities $u_i$ of all other nodes in the graph. Given this vector of utilities, our goal is to compute a vector of probabilities $p_i$ such that (a) $\sum_i u_i \cdot p_i$ is maximized, and (b) differential privacy is satisfied.

Clearly, maximum accuracy is achieved by recommending the node with utility $u_{max}$. However, it is well known that any algorithm satisfying differential privacy must recommend every node, even one with zero utility, with non-zero probability [20]. Indeed, suppose that for graph G and target node r, an algorithm assigns probability 0 to some node x with utility $u_x^{G,r}$ and a positive probability to some node y with utility $u_y^{G,r}$. Transform G into G' as follows: connect x to all of y's neighbors in G and disconnect x from all of its neighbors in G; do the same for y. This creates an isomorphism h between G and G' with h(r) = r that swaps x and y. Hence, by the exchangeability axiom, the algorithm recommends y with probability 0 in G'. Thus, there is a path from G to G' consisting of t single-edge changes along which $p_y$ goes from a positive number to 0; some single-edge step must therefore shrink $p_y$ by an unbounded factor, which breaches differential privacy.

The following two algorithms ensure differential privacy. The exponential mechanism creates a smooth probability distribution from the utility vector and then samples from it.
Definition 4 (Exponential mechanism).
Given nodes with utilities $(u_1, \ldots, u_i, \ldots, u_n)$, algorithm $A_E(\epsilon)$ recommends node i with probability $e^{\frac{\epsilon}{\Delta f} u_i} / \sum_{k=1}^{n} e^{\frac{\epsilon}{\Delta f} u_k}$, where $\epsilon \ge 0$ is the privacy parameter and $\Delta f$ is the sensitivity of the utility function, $\Delta f = \max_r \max_{G,G': G = G' + e} \|\vec{u}^{G,r} - \vec{u}^{G',r}\|_1$.

Theorem 4 ([15]). $A_E(\epsilon)$ guarantees $\epsilon$-differential privacy.
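A minimal implementation sketch of $A_E$ (ours; it assumes the $\Delta f = 1$ scaling of Section 3 by default):

```python
import numpy as np

def exponential_mechanism(utilities, eps, delta_f=1.0, rng=None):
    """A_E(eps): sample node i with probability proportional to
    exp(eps * u_i / delta_f)."""
    rng = rng or np.random.default_rng()
    u = np.asarray(utilities, dtype=float)
    # Subtracting the max before exponentiating avoids overflow and
    # leaves the sampling distribution unchanged.
    w = np.exp((eps / delta_f) * (u - u.max()))
    return rng.choice(len(u), p=w / w.sum())
```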
Unlike the exponential mechanism, the Laplace mechanism mimics the optimal (non-private) mechanism: it first adds random noise drawn from a Laplace distribution and then, like the optimal mechanism, picks the node with the maximum noise-infused utility.

Definition 5 (Laplace mechanism).
Given nodes with utilities $(u_1, \ldots, u_i, \ldots, u_n)$, algorithm $A_L(\epsilon)$ first computes a modified utility vector $(u'_1, \ldots, u'_n)$ as follows: $u'_i = u_i + r_i$, where $r_i$ is a random variable drawn independently for each i from the Laplace distribution with scale $\frac{\Delta f}{\epsilon}$ (whose pdf at y is $\frac{\epsilon}{2\Delta f} \exp(-|y|\epsilon/\Delta f)$). Then, $A_L(\epsilon)$ recommends the node z whose noisy utility is maximal among all nodes, i.e., $z = \arg\max_i u'_i$.

Theorem 5. $A_L(\epsilon)$ guarantees $\epsilon$-differential privacy.

Proof.
The proof follows from the privacy proof of the Laplace mechanism in the context of publishing privacy-preserving histograms [8], by observing that one could treat each node as a histogram bin and release the noisy count for the value in that bin, $u'_i$. Since $A_L(\epsilon)$ effectively performs post-processing, releasing only the name of the bin with the highest noisy count, the algorithm remains private.

An astute reader might remark at this point that the Laplace mechanism as stated does not satisfy the monotonicity property that we relied upon in our lower bound proofs. Indeed, the Laplace mechanism satisfies the property only in expectation; however, that is not an obstacle to our analysis, since in order to meaningfully compare the performance of the Laplace mechanism with other mechanisms and with the theoretical bound on performance, we need to evaluate its expected, rather than one-time, performance.

It is natural to ask whether the two approaches of transforming a non-private algorithm into a privacy-preserving one are equivalent, or how they compare, perhaps depending on the setting. We present preliminary results comparing the utilities when there are only two possible recommendations (n = 2). The theorem is stated below and the proof can be found in the Appendix.

Theorem 6. Let $U_E$ and $U_L$ denote the utilities achieved by $A_E(\epsilon)$ and $A_L(\epsilon)$ on input vector $(u_1, u_2)$, respectively. Without loss of generality, assume $u_1 \ge u_2$. Then

  $U_E = u_1 \frac{e^{\epsilon u_1}}{e^{\epsilon u_1} + e^{\epsilon u_2}} + u_2 \frac{e^{\epsilon u_2}}{e^{\epsilon u_1} + e^{\epsilon u_2}}$

and

  $U_L = u_1 \left( 1 - \frac{e^{-\epsilon(u_1-u_2)}}{2} - \frac{\epsilon(u_1-u_2)}{4 e^{\epsilon(u_1-u_2)}} \right) + u_2 \left( \frac{e^{-\epsilon(u_1-u_2)}}{2} + \frac{\epsilon(u_1-u_2)}{4 e^{\epsilon(u_1-u_2)}} \right)$.

To our knowledge, in the course of the proof we give the first explicit closed-form expression for the probabilities of each of the two nodes being recommended by the Laplace mechanism (the work of [19] gives a formula that does not apply to our setting).

Although the expressions for $U_E$ and $U_L$ are difficult to compare by eye, plugging various values of $u_1$ and $u_2$ into the formulas shows that the Exponential mechanism slightly outperforms the Laplace mechanism when $\epsilon$ is very small and the difference between $u_1$ and $u_2$ is large. We leave it to future work to simplify these expressions and to extend the analysis to the case n > 2.
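The closed forms are easy to check numerically; the sketch below (ours, with $\Delta f = 1$, so the Laplace noise has scale $1/\epsilon$) also verifies the derived probability by simulating $A_L$ directly:

```python
import numpy as np

def U_E(u1, u2, eps):
    # Expected utility of the exponential mechanism for n = 2.
    p1 = np.exp(eps * u1) / (np.exp(eps * u1) + np.exp(eps * u2))
    return u1 * p1 + u2 * (1 - p1)

def U_L(u1, u2, eps):
    # Expected utility of the Laplace mechanism for n = 2 (u1 >= u2),
    # using the closed-form P[node 1] from the proof of Theorem 6.
    d = u1 - u2
    p1 = 1 - np.exp(-eps * d) / 2 - eps * d / (4 * np.exp(eps * d))
    return u1 * p1 + u2 * (1 - p1)

def U_L_simulated(u1, u2, eps, trials=200_000, rng=None):
    # Sanity check: run A_L(eps) many times and average the utility.
    rng = rng or np.random.default_rng(0)
    n1 = u1 + rng.laplace(scale=1 / eps, size=trials)
    n2 = u2 + rng.laplace(scale=1 / eps, size=trials)
    return float(np.where(n1 > n2, u1, u2).mean())

for eps in (0.1, 0.5, 2.0):
    print(eps, U_E(5, 1, eps), U_L(5, 1, eps), U_L_simulated(5, 1, eps))
```

For example, at $\epsilon = 0.1$ with utilities (5, 1), the Exponential mechanism comes out slightly ahead (about 3.394 versus 3.391), consistent with the observation above.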
Implementation efficiency. The Laplace mechanism is more intuitive than the Exponential mechanism, and more likely to receive executive buy-in in a real-world environment. Furthermore, it has the advantage that it can be implemented more easily. $A_L$ requires computing the noisy utilities and then selecting the node with the highest noisy utility, which takes linear time. $A_E$ requires first computing the set of smoothed utilities and then sampling from the probability distribution they induce, which can also be accomplished in linear time using the alias-urn method of [22], but likely slightly less efficiently in practice than $A_L$.
7. UTILITY ACHIEVABLE IN PRACTICE ON A REAL GRAPH
In this section we present experimental results on a real graph for the number of common neighbors utility function.
For our experiments we use the Wikipedia vote network [11], available from the Stanford Network Analysis Package (http://snap.stanford.edu/data/wiki-Vote.html). Some users in Wikipedia are administrators, who have access to additional technical features. Users are elected to be administrators via a public vote of other users and administrators. The Wikipedia vote network consists of all users participating in the elections (either casting a vote or being voted on) from the inception of Wikipedia until January 2008. We turn the network of [11] into an undirected network, where each node represents a user and an edge between nodes i and j represents that user i voted on user j or user j voted on user i. The resulting network consists of 7,115 nodes and 100,762 edges. Although the Wikipedia vote network is publicly available, and hence the edges in it are not private, we believe that the graph exhibits the structure and properties of the graphs in which one would want to preserve privacy, such as graphs of social connections and people's product purchases.

For each pair of nodes in the social network, except nodes that share an edge, we compute the number of common neighbors they have in the Wikipedia vote network. (Out of the 7,115 nodes, there are 60 nodes that have no common neighbors with anyone except nodes they are already connected to; we omit those nodes from our analysis.) Then, assuming we make one recommendation for each node in the graph, we compute the expected accuracy of the recommendation for that node. For the Exponential mechanism and the theoretical bound, given the utilities of recommending each node to a given node v, we can compute the expected accuracy and the theoretical bound on accuracy exactly. For the Laplace mechanism, we compute its expected accuracy by running
1,000 independent trials of the Laplace mechanism and averaging the utilities obtained in those trials, for each node in the graph.

We first observe in Figure 1 that, for all nodes in the Wikipedia vote network, the Laplace mechanism achieves nearly identical accuracy to the Exponential mechanism. This confirms our hypothesis of Section 6 that the Exponential and Laplace mechanisms are nearly equivalent in practical settings, and implies that one can use the more intuitive and more easily implementable Laplace mechanism in practice.
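A sketch of this evaluation pipeline (ours; the edge-list filename is an assumption, and bookkeeping is simplified relative to the paper's setup):

```python
import numpy as np
import networkx as nx

# The SNAP wiki-Vote edge list, loaded as an undirected graph.
G = nx.read_edgelist("wiki-Vote.txt", comments="#", create_using=nx.Graph())

def expected_accuracy_exponential(G, r, eps):
    """Exact expected accuracy of A_E(eps) for target r under the
    common-neighbors utility (sensitivity 1 after scaling)."""
    cand = [i for i in G if i != r and not G.has_edge(i, r)]
    u = np.array([len(list(nx.common_neighbors(G, i, r))) for i in cand],
                 dtype=float)
    if u.max() == 0:
        return None  # no common neighbors with anyone; skipped (cf. above)
    w = np.exp(eps * (u - u.max()))
    p = w / w.sum()
    return float(u @ p) / u.max()
```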
We now proceed to evaluate the accuracy of the Exponential mechanism and compare it with the best accuracy one can hope to achieve using a privacy-preserving recommendation algorithm, as computed according to our theoretical bound of Corollary 1.

For ease of visual presentation, we assume that we do not care about node identities; we number the nodes in decreasing order of the accuracy one can hope for when making the recommendation for that node, as predicted by the theoretical bound. For each node, the graph in Figure 2 shows the theoretical bound and the accuracy achieved by the Exponential mechanism.
[Figure 1: Accuracy achieved by the Exponential and Laplace mechanisms on the Wikipedia vote network; top: ε = 0.1, bottom: ε = 0.5.]

Due to our chosen numbering of the nodes, the theoretical bound is a smooth, monotonically decreasing function of the node number, whereas the achieved accuracy is not necessarily monotonically decreasing (and thus, in places, does not appear as a line).

As can be seen in Figures 2 and 3, for some nodes the Exponential mechanism performs quite well, achieving nearly perfect accuracy. However, the number of such nodes is fairly small: the Exponential mechanism achieves better than 0.9 approximation for less than 1.5% of the nodes when ε = 0.1, and for only a slightly larger fraction when ε = 0.5; it achieves better than 0.8 approximation for less than 2% of the nodes when ε = 0.1, and again for only a slightly larger fraction when ε = 0.5. This matches the intuition that by making the privacy requirement more lenient, one can hope to make better-quality recommendations for more nodes; however, it also pinpoints the fact that for most nodes the Exponential mechanism does not achieve good accuracy.

Although it is possible that one could develop better privacy-preserving recommendation mechanisms than Exponential or Laplace, this experiment shows that for a large number of target nodes, our theoretical bound severely limits the best accuracy one can hope to achieve privately. For example, for ε = 0.1, no privacy-preserving algorithm can hope to achieve better than 70% accuracy for more than 9% of the nodes. This finding throws into serious question the feasibility of developing social recommendation algorithms that are both accurate and privacy-preserving in many real-world settings.

[Figure 2: Accuracy achieved by the Exponential mechanism and predicted by the theoretical bound on the Wikipedia vote network; top: ε = 0.1, bottom: ε = 0.5.]

Finally, in practice, it is the least connected nodes that are likely to benefit most from receiving high-quality recommendations. However, our experiments suggest that the low-degree nodes are also the most vulnerable to receiving low-accuracy recommendations due to the needs of privacy preservation: see Figure 4 for an illustration of how accuracy depends on the degree of the node. This further suggests that, in practice, one has to make a choice between preserving accuracy and preserving privacy.

7.1 Are A_E and A_L good enough for utility functions based on common neighbors?

As we have experimentally observed in Figure 2, the Exponential mechanism achieves good accuracy compared to the best achievable accuracy predicted by our theoretical bound. We can formalize this statement rigorously as follows (proved in the Appendix):
Lemma 3. Let $A_E$ denote the accuracy of the Exponential mechanism, and $A_O$ denote the upper bound on the accuracy that can be achieved by any privacy-preserving algorithm. Then, for utility functions based on the number of common neighbors between two nodes, $\frac{A_E}{A_O} \ge \frac{1}{k+1}$, where k is the number of nodes with non-zero utility. Furthermore,
Lemma 4. For utility vectors of the form $\vec{u} = (u_{max}, \ldots, u_{max}, 0, \ldots, 0)$, $\frac{A_E}{A_O} \ge \frac{k}{k+1}$, where k is the number of nodes with non-zero utility.

[Figure 3: Performance of the Exponential mechanism and the theoretical bound on the Wikipedia vote network; top: ε = 0.1, bottom: ε = 0.5.]

For real-world graphs, we expect the number of nodes with non-zero utility, k, to be fairly small, and thus the Exponential mechanism to achieve a good approximation to the best possible accuracy achievable by a privacy-preserving social recommendation algorithm. Furthermore, observe that Corollary 1 merely gives an upper bound on the accuracy achievable in a privacy-preserving manner, and it might be the case that tighter lower bounds can be obtained. Hence, in many ways, the Exponential and Laplace mechanisms are representative of the class of good privacy-preserving mechanisms one can hope for.
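A quick numeric check of this guarantee on a flat utility vector (a sketch with illustrative numbers of our choosing, assuming the z = 1 scaling):

```python
import math

def exp_mech_accuracy_flat(n, k, u_max, eps):
    # Accuracy of A_E on (u_max, ..., u_max, 0, ..., 0) with k copies
    # of u_max and sensitivity 1.
    e = math.exp(eps * u_max)
    return k * e / (n - k + k * e)

def accuracy_cap_flat(n, k, u_max, eps):
    # Upper bound from Corollary 1, specialized as in the proof of Lemma 3.
    e = math.exp(eps * u_max)
    return (k + 1) * e / (n - k + (k + 1) * e)

n, k, u_max, eps = 7055, 20, 10, 0.5
a_e = exp_mech_accuracy_flat(n, k, u_max, eps)
a_o = accuracy_cap_flat(n, k, u_max, eps)
print(a_e / a_o >= k / (k + 1))  # True: the ratio stays above k/(k+1)
```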
8. EXTENSIONS AND FUTURE WORK

8.1 Vertex privacy and non-monotone algorithms
We considered the setting of graph-based social recommendations where we wished to keep private the information about the presence or absence of an edge in the graph, but our reasoning and results can easily be generalized to a setting where we would like to protect the entire identity of a node. To achieve that, one would need to strengthen the differential privacy definition for recommendation algorithms to consider graphs that differ in one node, rather than one edge, and to adjust the value of t, the number of edge alterations needed to turn a node from the low-utility group into a node of maximum utility, accordingly.

Furthermore, our results can be generalized to social recommendation algorithms that do not satisfy the monotonicity property. For clarity of exposition, we omit the exact statements and proofs of the lemmas analogous to Lemmas 1
and 2, but remark that the statement formulations and our qualitative conclusions remain essentially unchanged, with the exception of the meaning of the variable t. Without the monotonicity property, t would correspond to the number of edge alterations necessary to exchange the node with the smallest probability of being recommended and the node with the highest utility, rather than to the number of edge alterations necessary to make the node with the smallest probability of being recommended into the node with the highest utility, leading to a higher value of t.

[Figure 4: Accuracy achieved by the Exponential mechanism and predicted by the theoretical bound as a function of node degree, ε = 0.1.]

8.2 Sampling and linear smoothing

Both of the differentially private algorithms we considered in Section 6 assume knowledge of the entire utility vector. This assumption cannot be made in social networks, for several reasons. First, computing as well as storing the utilities of $n^2$ pairs is prohibitively expensive when dealing with graphs of several hundred million nodes. Second, even if one could compute and store them, these graphs change at staggering rates, so the utility vectors are also constantly changing. We believe that this is a very important and interesting problem. In this section, we explore a simple algorithm that assumes no knowledge of the utility vector; it only assumes that sampling from the utility vector can be done efficiently.

Suppose we are given an algorithm A which is a γ-approximation in terms of utility, and is not provably private. We show how to modify A to guarantee differential privacy while still preserving, to some extent, the utility approximation of A. The proof of the following theorem, and a note, are placed in the Appendix.

Definition 6. Given algorithm $A = (p_1, \ldots, p_i, \ldots, p_n)$, algorithm $A_S(x)$ recommends node i with probability $\frac{1-x}{n} + x p_i$, where $0 \le x \le 1$ is a parameter.

Theorem 7. $A_S(x)$ guarantees $\ln(1 + \frac{nx}{1-x})$-differential privacy and an $x\gamma$ approximation of utility.

Another idea worth exploring is perturbing the input graph (by adding or deleting a fraction of the possible edges) and then sampling and recommending from the perturbed graph. What is the relationship between the extent of perturbation and the utility/privacy guarantees?
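A sketch of $A_S(x)$ (ours; for illustration, the non-private algorithm A is given as an explicit probability vector, though Theorem 7 only requires the ability to draw one sample from A):

```python
import numpy as np

def linear_smoothing_sample(p, x, rng=None):
    """A_S(x): with probability x defer to the non-private algorithm
    A = (p_1, ..., p_n); otherwise recommend a uniformly random node.

    The resulting distribution is (1 - x)/n + x * p_i, which satisfies
    ln(1 + n*x/(1 - x))-differential privacy (Theorem 7).
    """
    rng = rng or np.random.default_rng()
    n = len(p)
    if rng.random() < x:
        return int(rng.choice(n, p=p))  # stands in for one sample from A
    return int(rng.integers(n))  # uniform exploration
```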
Several interesting questions remain unexplored in this work. While we have considered some specific utility functions in this paper, it would be interesting to examine more. Further, our motivation was to study the most stringent privacy requirement; however, a natural question is to understand utility-privacy trade-offs for the typical graphs that arise in social networks.

This paper only considers lower bounds and algorithms for making one single recommendation. It would be very interesting, and important, to explore how the effect on privacy compounds over multiple recommendations. Further, some edges can be more sensitive than others. Perhaps the solution should be methodological: enable opt-in/opt-out settings that specify which nodes and edges are private. A closer look at such dependences is required.

Also, most work on making recommendations deals with static databases. Social networks clearly change over time, and rather rapidly. This raises several issues, such as not being able to assume that the utility vector is known, changing sensitivity, and the privacy impact of dynamic databases. Dealing with such temporal graphs and understanding the trade-offs there would be very interesting.

Finally, it would certainly be interesting to extend these results to weaker notions of privacy than differential privacy. For instance, privacy notions previously defined include k-anonymity, $(\epsilon, \delta)$-differential privacy, and relaxing the adversary's background knowledge to just the general statistics of the graph.
9. ACKNOWLEDGMENTS
The authors are grateful to Arpita Ghosh and Tim Roughgarden for thought-provoking discussions.
10. REFERENCES

[1] E. Aïmeur, G. Brassard, J. M. Fernandez, and F. S. Mani Onana. Alambic: a privacy-preserving recommender system for electronic commerce. Int. J. Inf. Secur., 7(5):307–334, 2008.
[2] R. Andersen, C. Borgs, J. T. Chayes, U. Feige, A. D. Flaxman, A. Kalai, V. S. Mirrokni, and M. Tennenholtz. Trust-based recommendation systems: an axiomatic approach. In WWW, pages 199–208, 2008.
[3] B. Barak, K. Chaudhuri, C. Dwork, S. Kale, F. McSherry, and K. Talwar. Privacy, accuracy and consistency too: A holistic solution to contingency table release. In PODS, 2007.
[4] R. Bhaskar, S. Laxman, A. Smith, and A. Thakurta. Personal communication, 2010.
[5] J. Calandrino, A. Narayanan, E. Felten, and V. Shmatikov. Don't review that book: Privacy risks of collaborative filtering. Manuscript, 2009.
[6] C. Dwork. Differential privacy. In ICALP, 2006.
[7] C. Dwork. Differential privacy: A survey of results. In TAMC, pages 1–19, 2008.
[8] C. Dwork, F. McSherry, K. Nissim, and A. Smith. Calibrating noise to sensitivity in private data analysis. In TCC, pages 265–284, 2006.
[9] C. Dwork and A. Smith. Differential privacy for statistics: What we know and what we want to learn. In NCHS/CDC Data Confidentiality Workshop, 2008.
[10] J. Golbeck. Generating predictive movie recommendations from trust in social networks. In iTrust, pages 93–104, 2006.
[11] J. Leskovec, D. Huttenlocher, and J. Kleinberg. Predicting positive and negative links in online social networks. In WWW, 2010.
[12] H. Ma, I. King, and M. R. Lyu. Learning to recommend with social trust ensemble. In SIGIR, pages 203–210, 2009.
[13] A. Machanavajjhala, D. Kifer, J. Abowd, J. Gehrke, and L. Vilhuber. Privacy: From theory to practice on the map. In ICDE, 2008.
[14] F. McSherry and I. Mironov. Differentially private recommender systems: building privacy into the Netflix Prize contenders. In KDD, pages 627–636, 2009.
[15] F. McSherry and K. Talwar. Mechanism design via differential privacy. In FOCS, pages 94–103, 2007.
[16] A. Mislove, K. P. Gummadi, and P. Druschel. Exploiting social networks for internet search. In Proceedings of the 5th Workshop on Hot Topics in Networks (HotNets'06), November 2006.
[17] A. Mislove, A. Post, K. P. Gummadi, and P. Druschel. Ostra: Leveraging trust to thwart unwanted communication. In Proceedings of the 5th Symposium on Networked Systems Design and Implementation (NSDI'08), April 2008.
[18] M. Montaner, B. López, and J. L. de la Rosa. Opinion-based filtering through trust. In CIA '02: Proceedings of the 6th International Workshop on Cooperative Information Agents VI, pages 164–178, London, UK, 2002. Springer-Verlag.
[19] S. Nadarajah and S. Kotz. On the linear combination of Laplace random variables. Probab. Eng. Inf. Sci., 19(4):463–470, 2005.
[20] K. Nissim. Private data analysis via output perturbation. In Privacy-Preserving Data Mining: Models and Algorithms, pages 383–414. Springer, 2008.
[21] D. Liben-Nowell and J. Kleinberg. The link prediction problem for social networks. In CIKM, pages 556–559, 2003.
[22] A. V. Peterson, Jr. and R. A. Kronmal. On mixture methods for the computer generation of random variables. The American Statistician, 36(3):184–191, 1982.
[23] G. Swamynathan, C. Wilson, B. Boe, K. Almeroth, and B. Y. Zhao. Do social networks improve e-commerce?: a study on social marketplaces. In WOSN '08: Proceedings of the First Workshop on Online Social Networks, pages 1–6, New York, NY, USA, 2008. ACM.
[24] V. Toubiana, A. Narayanan, D. Boneh, H. Nissenbaum, and S. Barocas. Adnostic: Privacy preserving targeted advertising. In NDSS, 2010.
[25] C.-N. Ziegler and G. Lausen. Analyzing correlation between trust and user similarity in online communities. In Proceedings of the Second International Conference on Trust Management, pages 251–265. Springer-Verlag, 2004.
APPENDIX
Proof of Lemma 1
Proof.
We initiate the analysis with a simple claim.
Claim 1. In order to achieve $(1-\delta)$ accuracy, at least $\frac{c-\delta}{c}$ of the probability weight has to go to nodes in the high-utility group, so there exists a node x in the low-utility group of $G_1$ that is recommended with probability at most $\frac{\delta}{c(n-k)}$, i.e., $p_x^{G_1} \le \frac{\delta}{c(n-k)}$.

Proof. Denote by $p^+$ and $p^-$ the total probability that goes to high- and low-utility nodes, respectively, and observe that $p^+ u_{max} + (1-c) u_{max} p^- \ge \sum_i u_i p_i \ge (1-\delta) u_{max}$ and $p^+ + p^- \le 1$; hence $p^+ > \frac{c-\delta}{c}$ and $p^- \le \frac{\delta}{c}$. Since the low-utility group contains $n-k$ nodes, some node x among them satisfies $p_x^{G_1} \le \frac{\delta}{c(n-k)}$.

We now continue the proof of Lemma 1. Let $G_2$ be the graph that turns x, found according to the claim above, into a node of highest utility by the addition of t edges. By differential privacy, we have $\frac{p_x^{G_2}}{p_x^{G_1}} \le e^{\epsilon t}$. In order to achieve $(1-\delta)$ accuracy on $G_2$, at least $\frac{c-\delta}{c}$ of the probability weight has to go to nodes in the high-utility group, and hence, by monotonicity, x (now a highest-utility node among the at most k+1 high-utility nodes) satisfies $\Pr[x \mid G_2] > \frac{c-\delta}{c(k+1)}$. Combining the previous three inequalities, we obtain

  $\frac{(c-\delta)(n-k)}{(k+1)\delta} = \frac{(c-\delta)/(c(k+1))}{\delta/(c(n-k))} < \frac{p_x^{G_2}}{p_x^{G_1}} \le e^{\epsilon t}$,

hence $\epsilon \ge \frac{1}{t}\left(\ln\left(\frac{c-\delta}{\delta}\right) + \ln\left(\frac{n-k}{k+1}\right)\right)$. This completes the proof.
Proof of Lemma 2
Proof.
We first use the concentration axiom to provethe following claim.
Claim 2. If $c = 1 - \frac{1}{\log n}$, then $k = O(\beta \log n)$, where β is the parameter of the concentration axiom.

Proof. When $c = 1 - \frac{1}{\log n}$, k is the number of nodes that have utility at least $\frac{u_{max}}{\log n}$. Let the total utility mass be $U = \sum_i u_i$. Since, by concentration, the β highest-utility nodes add up to a total utility mass of $\Omega(1) \cdot U$, we have $u_{max} \ge \Omega(\frac{U}{\beta})$. Therefore k, the number of nodes with utility at least $\frac{u_{max}}{\log n}$, is at most $\frac{U \log n}{u_{max}}$, which is at most $O(\beta \log n)$.

We now prove the lemma using Lemma 1 and Claim 2. Substituting into Corollary 1: if we need $1 - \frac{c(n-k)}{n-k+(k+1)e^{\epsilon t}}$ to be $\Omega(1)$, then we require $(k+1)e^{\epsilon t}$ to be $\Omega(n-k)$. (Notice that if $(k+1)e^{\epsilon t} = o(n-k)$, then $\frac{c(n-k)}{n-k+(k+1)e^{\epsilon t}} \ge c - o(1)$, which is $1 - o(1)$.) Therefore, if we want an algorithm to obtain a constant approximation in utility, i.e., $(1-\delta) = \Omega(1)$, then we need the following (assuming β to be small):

  $O(\beta \log n) \cdot e^{\epsilon t} = \Omega(n - O(\beta \log n))$

or, for small enough β,

  $e^{\epsilon t} = \Omega\left(\frac{n}{\beta \log n}\right)$.

Simplifying,

  $\epsilon \ge \frac{\log n - \log \beta - \log\log n}{t}$,

which for small enough β gives $\epsilon \ge \frac{\log n - o(\log n)}{t}$.

Proof of Theorem 2
Proof.
Lower Bound for Common Neighbors
We formalize the intuition in terms of an upper bound on t in the following claim.

Claim 3. For common neighbors based utility functions, when recommendations for r are being made, we have $t \le d_r + 2$, where $d_r$ is the degree of node r.

Proof. Observe that if the number of common neighbors is the measure of the utility of a recommendation, then one can make any zero-utility node, say x, for target node r into a maximum-utility node by adding $d_r$ edges to all of r's neighbors and additionally adding two more edges (one each from r and x) to some node with small utility. This is because the highest-utility node has at most $d_r$ common neighbors with r (one of which could potentially be x). Further, adding these edges cannot increase the number of common neighbors of any other node beyond $d_r$.

The theorem now follows immediately by substituting this bound on t into Lemma 2.

Proof of Theorem 3
Proof.
Lower Bound for Sum of Weighted Paths
The number of paths of length l between two nodes is at most $d^{l-1}$, where d is the maximum degree. Let x be the highest-utility node and let y be the node we wish to make the highest-utility node after adding certain edges. If we are making recommendations for node r, then the maximum number of common neighbors with r is at most $d_r$. Denote the current utility of x by $u_x$. We know that

  $u_x \le \gamma d_r + \sum_{l=3}^{\infty} \gamma^{l-1} d^{l-2}$.

(In fact, one can tighten the second term as well.)

We rewire the graph as follows. Any $(c-1) d_r$ nodes (other than y and the target node r) are picked, where $c > 1$; both r and y are connected to these $(c-1) d_r$ nodes. Additionally, y is connected to all of r's $d_r$ neighbors. Therefore, we now get

  $u_y \ge \gamma c d_r$.

We now wish to upper-bound the utility of any other node in this rewired graph. Notice that every other node still has at most $d_r$ paths of length 2 to the target. Further, there are only two nodes in the graph that have degree more than $d_{max} + 1$, and they have degree at most $(c+1) d_{max}$. Therefore, the number of paths of length l, for $l \ge 3$, is at most $((c+1) d_{max}) \cdot (d_{max}+1)^{l-2}$, which can be further tightened to $((c+1) d_{max}) \cdot d_{max}^{l-2}$. We therefore get, for any node x in the rewired graph,

  $u_x \le \gamma d_r + (c+1) \sum_{l=3}^{\infty} \gamma^{l-1} d_{max}^{l-1}$.

Now consider the case where $\gamma < 1/d_{max}$. We get

  $u_x \le \gamma d_r + (c+1) \frac{\gamma^2 d_{max}^2}{1 - \gamma d_{max}}$.

We now want $u_y \ge u_x$. This reduces to

  $(c-1) \ge (c+1) \frac{\gamma d_{max}}{1 - \gamma d_{max}}$.

Now if $\gamma = o(1/d_{max})$, then it is sufficient to have $(c-1) = \Omega(\gamma d_{max})$, which can be achieved even with $c = 1 + o(1)$. Notice that we only added $d_r + 2(c-1) d_r$ edges to the graph. This completes the proof of the theorem.

Comment on the relationship between common neighbors and weighted paths: Common neighbors is an extreme case of weighted paths: as $\gamma \to 0$, the higher-order terms vanish when γ is made small (in particular, $\gamma = o(1/d_{max})$). Can one obtain (perhaps weaker) lower bounds when, say, $\gamma = \Theta(1/d_{max})$? Notice that the proof only needs $(c-1) \ge (c+1) \frac{\gamma d_{max}}{1 - \gamma d_{max}}$. We then get a lower bound of $\epsilon \ge \frac{1 - o(1)}{\alpha(2c-1)}$, where $d_r = \alpha \log n$. Setting $\gamma d_{max} = s$ for some constant s, we can find the smallest c that satisfies $(c-1) \ge \frac{(c+1)s}{1-s}$. Notice that this does give a nontrivial lower bound (i.e., a lower bound tighter than the generic one presented in the previous section), as long as s is a sufficiently small constant.

Proof of Theorem 6
Proof.
Utility of Laplace for n = 2: Suppose we have two elements with utilities $t_1$ and $t_2$, respectively, where $t_1 \ge t_2$ without loss of generality, and let the noise be Laplace with scale $b = \Delta f / \epsilon = 1/\epsilon$.

Let $\phi_X(t)$ denote the characteristic function of the Laplace distribution; it is known that $\phi_X(t) = \frac{1}{1 + b^2 t^2}$. Moreover, it is known that if $X_1$ and $X_2$ are independently distributed random variables, then $\phi_{X_1+X_2}(t) = \phi_{X_1}(t) \phi_{X_2}(t) = \frac{1}{(1 + b^2 t^2)^2}$. Using the inversion formula, we can compute the pdf of $X = X_1 + X_2$ (which, by symmetry of the Laplace distribution, is also the pdf of $X_2 - X_1$):

  $f_X(x) = F'_X(x) = \frac{1}{2\pi} \int_{-\infty}^{\infty} e^{-itx} \phi_X(t)\, dt$.

For $x > 0$, the pdf of $X_1 + X_2$ is $f_X(x) = \frac{1}{4b}\left(1 + \frac{x}{b}\right) e^{-x/b}$ and the cdf is $F_X(x) = 1 - \frac{\epsilon e^{-\epsilon x}}{4}\left(\frac{2}{\epsilon} + x\right)$.

What is the probability that element 1 is recommended? It is

  $\Pr[t_1 + X_1 > t_2 + X_2] = \Pr[X_2 - X_1 < t_1 - t_2] = 1 - \frac{\epsilon e^{-\epsilon(t_1-t_2)}}{4}\left(\frac{2}{\epsilon} + (t_1-t_2)\right) = 1 - \frac{e^{-\epsilon(t_1-t_2)}}{2} - \frac{\epsilon(t_1-t_2)}{4 e^{\epsilon(t_1-t_2)}}$.

Hence, the Laplace mechanism recommends node 1 with probability $1 - \frac{e^{-\epsilon(t_1-t_2)}}{2} - \frac{\epsilon(t_1-t_2)}{4 e^{\epsilon(t_1-t_2)}}$, from which the desired statement about $A_L$'s utility follows.

Proof of Theorem 7
Proof.
Sampling and Linear Smoothing
Let $p''_i = \frac{1-x}{n} + x p_i$. We have

  $\frac{1-x}{n} \le p''_i \le \frac{1-x}{n} + x$,

since $0 \le p_i \le 1$. The utility of $A_S$ is

  $U(A_S) = \sum_{k=1}^{n} u_k p''_k = \sum_{k=1}^{n} \frac{1-x}{n} u_k + \sum_{k=1}^{n} x p_k u_k = \frac{1-x}{n} + x\gamma \ge x\gamma$,

where we use $\sum_k u_k = 1$ and $\sum_k p_k u_k = \gamma$.

For the privacy guarantee, note that the upper and lower bounds on $p''_i$ hold for any graph and utility function. Therefore, the change in the probability of recommending i for any two graphs G and G' that differ in exactly one edge is at most

  $\frac{p''_i(G)}{p''_i(G')} \le \frac{x + \frac{1-x}{n}}{\frac{1-x}{n}} = 1 + \frac{nx}{1-x}$.

Therefore, $A_S$ is $\ln(1 + \frac{nx}{1-x})$-differentially private. This completes the proof.

Further, note that to guarantee $2\epsilon$-differential privacy for $A_S(x)$, we need to set the parameter x so that $\ln(1 + \frac{nx}{1-x}) = 2c \ln n$ (rewriting $\epsilon = c \ln n$), namely $x = \frac{n^{2c} - 1}{n^{2c} - 1 + n}$. The algorithm $A_S$ then guarantees a utility of at least $x\gamma$.

Proof of Lemma 3
Proof.
Suppose the variations on the common neighbors function permitted are $u_i = d_i / z$, where $d_i$ is the number of common neighbors node i has with the target node, and z is a scaling constant. Pick c = 1, meaning that all nodes other than the k highest-utility nodes have zero utility. Then, by Corollary 1 (substituting $t = z u_{max}$, the number of edge alterations needed here),

  $U_O \le u_{max}(1-\delta) \le u_{max}\left(1 - \frac{n-k}{n-k+(k+1)e^{\epsilon z u_{max}}}\right) = u_{max} \frac{(k+1) e^{\epsilon z u_{max}}}{n-k+(k+1)e^{\epsilon z u_{max}}}$.

Under our restricted privacy definition, the sensitivity of the scaled number of common neighbors utility function is $1/z$. Hence

  $U_E \ge u_{max} \frac{e^{\epsilon z u_{max}}}{n-k+k e^{\epsilon z u_{max}}} \ge u_{max} \frac{e^{\epsilon z u_{max}}}{n-k+(k+1) e^{\epsilon z u_{max}}}$.

Hence $\frac{U_E}{U_O} \ge \frac{1}{k+1}$, and the exponential algorithm gives a $(k+1)$-approximation of utility, which can be a fairly good approximation if k is small compared to n.