Leonard P. Levine wrote somewhere:
My most serious question about anonymous remailers is this: How can we be sure that the operator of such a remailer is not a federal or other governmental agent? That person is trusted with our privacy and has all the data needed to identify a user.
If I were the Feds I would already have set up such a "sting" operation, the temptation is just too great.
You will be pleased to hear that this problem was anticipated at least 15 years ago (in David Chaum's paper on "digital mixes"). Briefly, the solution is to use multiple layers of encryption to distribute trust among several remailer operators. Before it is remailed, a message is encrypted with public keys belonging to each of a sequence of remailers. As each remailer receives a message, it removes the outer layer of encryption using its private key, revealing another encrypted message and the next address to which it should be sent. Cooperation of all the remailers in the chain is needed to link the originating address to the message that is eventually delivered to a recipient. For a longer exposition on the current state of the art in deployed mail anonymizers, see http://www.obscura.com/~loki/remailer/remailer-essay.html Note that the availability of strong anonymity critically depends upon the availability of strong cryptography. If the Department of the Treasury Automated Systems Division holds all the remailers' private keys, then it can easily determine the originators of all anonymously remailed messages. -Lewis "You're always disappointed, nothing seems to keep you high -- drive your bargains, push your papers, win your medals, fuck your strangers; don't it leave you on the empty side ?" (Joni Mitchell, 1972)