Title: ANISOTROPIC NOISE FINGERPRINTS REVEAL CONCEPT CHOICE IN CONCEPT-AWARE EMBEDDING PRIVACY
FARS PDF: sparse-concept-choice-leakage.pdf
Score: 4.0
Verdict: Reject
Confidence: 0.60
Elapsed: 46.9s

Strengths:

1. The paper identifies a genuine and previously undocumented vulnerability in concept-aware anisotropic noise mechanisms: the per-dimension variance profile acts as a fingerprint that leaks which privacy concept was selected. This is a real concern for deployed systems using SPARSE-style sanitization under multi-release access. (Section 1, Section 3.2, Equation 3)

2. The variance fingerprint attack is elegantly simple — computing element-wise squared differences across releases cancels the original embedding and directly reveals noise covariance structure (Equation 2–4). The 100% vs 18.9% (near 20% chance) comparison between anisotropic and isotropic noise is a striking demonstration that anisotropy is the root cause. (Table 1, Equation 3)

3. The random permutation ablation is a well-designed control experiment: preserving the eigenvalue spectrum but destroying dimension-concept alignment drops accuracy to 3.3% (below chance), confirming the attack exploits learned mask structure rather than generic anisotropy. (Table 2, Section 4.4)

Weaknesses:

1. The multi-release threat model requiring N=10 independent sanitized releases of the same document is an extremely strong assumption. In practice, vector databases and RAG systems rarely re-sanitize the same document with fresh noise 10 times. The paper provides no evidence this scenario commonly occurs in real deployments. If re-indexing uses the same noise realization (deterministic caching), the attack collapses entirely. (Section 3.1, Section 4.1)

2. The utility evaluation is critically thin. STS12 Pearson correlation is reported as approximately 0.03 for all noisy conditions vs 0.74 for clean embeddings — this means all sanitization conditions destroy utility almost completely (Pearson ~0.03 is essentially uncorrelated). The paper claims 'utility is invariant to covariance structure,' but this is vacuously true when utility is near zero across the board. No other utility benchmarks (retrieval, classification, clustering) are tested. This makes it impossible to assess whether the privacy-utility tradeoff is even viable in practice. (Table 1, Section 4.2)

3. The paper is extremely narrow in scope: it attacks one specific system (SPARSE), with one embedding model (GTR-T5-Base), one privacy budget (ε=10), and K=5 hand-picked concepts (weekdays, months, countries, gender terms, city names). No analysis of how results scale with different K, different ε values, different embedding dimensions, or different mask-learning procedures. The 100% accuracy with K=5 very distinct categories is unsurprising; with more overlapping or finer-grained concepts, the fingerprint distinguishability would likely degrade significantly. (Section 4.1)

4. The covariance smoothing defense is a straw man. The only mitigation considered is simple linear interpolation with identity covariance. No other defenses are explored: e.g., per-release concept randomization, adding shared isotropic noise across releases, differential privacy accounting for concept choice, or simply not re-sampling noise across releases (which would make the attack infeasible). The paper's conclusion that 'systems should assume concept choice is observable' is premature without testing more sophisticated mitigations. (Section 3.4, Section 5)

Must Fix Items:

1. Evaluate utility on a broader set of benchmarks beyond STS12; the near-zero correlations raise questions about whether any of the sanitization conditions are practically usable

2. Discuss the practical feasibility of the multi-release threat model more critically — how often do real systems produce 10+ independently sanitized versions of the same document?

3. Test with more concepts (larger K) and overlapping concept definitions to assess generalizability beyond the easy K=5 setting

Runs:

- run=1 score=4 verdict=Reject confidence=0.6 error=None
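
Added example, not code from the paper, from SPARSE or from the review: a synthetic check of the multi-release point in Weakness 1, comparing fresh per-release noise with noise derived deterministically from the document. The dimension, the block-shaped noise profiles, the key and the function names are all constructed assumptions; only K=5 and N=10 come from the review.

```python
import hashlib
import random
from itertools import combinations

DIM, K, N = 30, 5, 10   # DIM is constructed; K and N are the values quoted in the review
BLOCK = DIM // K

def noise_std(concept):
    """Constructed anisotropic profile: large noise on the concept's own block of dimensions."""
    lo = concept * BLOCK
    return [3.0 if lo <= d < lo + BLOCK else 0.5 for d in range(DIM)]

def sanitize(x, concept, rng):
    return [xi + rng.gauss(0.0, s) for xi, s in zip(x, noise_std(concept))]

def releases(x, concept, doc_id, cached, rng, key=b"constructed-key"):
    """N releases of one document; cached=True derives the noise from (key, doc_id)."""
    out = []
    for _ in range(N):
        if cached:
            seed = int.from_bytes(hashlib.sha256(key + doc_id.encode()).digest(), "big")
            out.append(sanitize(x, concept, random.Random(seed)))
        else:
            out.append(sanitize(x, concept, rng))
    return out

def variance_profile(rels):
    """Mean element-wise squared difference over release pairs; the embedding x cancels."""
    pairs = list(combinations(rels, 2))
    return [sum((a[d] - b[d]) ** 2 for a, b in pairs) / len(pairs) for d in range(DIM)]

def infer_concept(profile):
    """Concept whose block carries the most variance, or None when the profile is flat."""
    if max(profile) - min(profile) == 0.0:
        return None
    block_mean = [sum(profile[k * BLOCK:(k + 1) * BLOCK]) / BLOCK for k in range(K)]
    return max(range(K), key=block_mean.__getitem__)

def leak_rate(cached, trials=50, seed=7):
    """Fraction of constructed documents whose concept is recovered from N releases."""
    rng = random.Random(seed)
    hits = 0
    for t in range(trials):
        x = [rng.uniform(-1, 1) for _ in range(DIM)]
        concept = rng.randrange(K)
        rels = releases(x, concept, f"doc-{t}", cached, rng)
        hits += infer_concept(variance_profile(rels)) == concept
    return hits / trials
```

The cached variant only removes the cross-release signal this check measures; it says nothing about what a single release leaks.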