I've been thinking about random remailing paths for a while now, and I must admit that I don't know if it's on the balance a positive or negative thing. My view is: give the user the option. The positive points: Traffic analysis *MAY* be more difficult. If you are receiving a large quantity of traffic, it won't all follow the same path, so it won't show up as a big spike in traffic between any two hosts. On the other hand, it will all need to converge on you anyway. You just need to hide the incoming traffic with bogus outgoing traffic. If you intend to receive a large amount of anonymous mail, it would be wise to run a popular remailer. New remailers get up to speed faster. With the remailer network handling the addition of new remailers automatically, an announcement of a new remailer could result in sufficient cover traffic quickly. If you have to wait for PEOPLE to decide to use the new remailer, it will ramp up much more slowly. On the other hand, cover traffic could be handled randomly, even with real messages always being staticly routed by people. Negative points: Your messages travel through more hosts, increasing the likelihood of having them encounter a compromised host. This is more pronounced since it is difficult to evaluate the reputations of hosts when you have only indirect control of their selection. On the other hand, we would like our systems to be immune to the compromise of even a moderately large portion of the remailers. A difficult question to be sure. That's why I advocate giving the choice to the user. -eric messick