On Mar 27, 2004, at 23:13, Lance Cottrell wrote:
I hope at this point the retractions by the Register have been well circulated. Just to make it absolutely clear, we have never and never will sell out a customer. This is simply shoddy reporting at its worst.
<snip>
I would have hoped that my years of working on free open source privacy tools (such as Mixmaster) before founding Anonymizer would lend my reputation some weight, or at least give me the benefit of the doubt until the matter was clarified. I am deeply troubled to see death threats against my employees (and I would assume myself) without anyone taking the trouble to even ask us to comment.
It has always been easy to contact me directly, next time I hope someone will do so before assuming the worst.
Alright then, since you're here, maybe you could answer a couple questions: - If given a court order, would you be able to provide the FBI the same kind of information that Surfola did, which could be used to track down the customer in meatspace? (From the article, we can assume it was his paypal email addx and/or the IP addx he was using, either one of which was probably sufficient). - Assuming the answer is yes: from the customer's POV, in the end what does it matter whether you were given a court order or not... the result was the same, they were caught because they trusted your service (the fact that, in this case, the crime was despicable, is beside the point). - Can you explain the contradictions inherent in the following excerpts from your user agreement? "Usage logs are usually kept for forty-eight (48) hours for maintenance purposes, monitoring Spamming and monitoring abuses of netiquette. Any relevant portion(s) of such logs may be kept for as long as needed to stop the abuses." "We maintain no information which would identify which user had sent a given message or visited a given site" "Abusers of the Anonymizer can expect no anonymity. We regret the necessity of this policy, but without it abuse will force the shutdown of the Anonymizer." Even if we leave aside the question of whether one should trust a service which /could/ betray you if it were run by an untrustworthy operator, you state openly in your policy that you're not to be trusted! --bgt