It strikes me that while Mr. Hettinga and other e$ seers may have spent the past decade considering how to allow transactional exchanges to escape a human linkage, most professional sysops and network managers have been concerned with how to strengthen the linkage between on-line accounts, actions, and audit trails -- and the humans to which a user's account has been assigned.
Leaving aside the rest of this discussion, Vin touches on a point that I think has been ignored by some: operations demand log files. That is -- and I'm doffing my security hat here and donning the hat of someone who has been running computer systems and networks for 30+ years -- when I'm trying to manage a system and/or troubleshoot a problem, I *want* log files, as many as I can get and cross-referenced 17 different ways. This isn't a security issue -- most system administrator headaches are due to the "benign indifference of the universe", or maybe to Murphy's Law -- but simply a question of having enough information to trace the the perturbations caused to the system by any given stimulus. The more anonymity, and the more privacy cut-outs, the harder this is. I claim, therefore, that the true cost of running such a system is inherently *higher*. There may be, as some have claimed, offesetting operational advantages. But the savings from those advantages need to be balanced against losses due to hard-to-find bugs, or even bugs that one isn't aware of because there's insufficient logging. Remember that double-entry bookkeeping catches all sorts of errors, not just (or even primarily) embezzlement. To be sure, one can assert that the philosophical gains -- privacy, libertarianism, what have you -- are sufficiently important that this price is worth paying. With all due respect, I will assert that that debate is off-topic for this list, and is best discussed over large quantities of ethanol.