On Thu, 21 Aug 2003, Tim May wrote:

It would be easy for me to say that all of the operators connected with JAP should be killed, either necklaced and left to burn in their driveways, with perhaps their families (children, siblings, parents) also tortured to death, or at least that the offices of JAP should be firebombed, but I will not do this.

For what it is worth, there has been a lot of good theory research in the field of strong anonymity to come out of Dresden. Operators of anonymity services, of course, are free to do what they wish with their services: log, not log, restrict users, etc., as long as their policies are clearly presented to their users. To lie to their users and to misrepresent the level of anonymity provided by the system is reprehensible.

But of course those who placed any faith in "trust us, we won't narc you out!" software are the real fools.

It's this point of Tim's I have been meaning to address, since it isn't quite as simple as this. First of all, JAP was presented as something other than the above. It was not a "trust us" system -- it used mixes, with independent operators. JAP was intended to be a "trust the laws of mathematics" system, and was undermined by the software authors. I won't go into a lot of detail about why low-latency mixes are more likely to be breakable, even when deployed correctly, as this is covered pretty well in the literature. But I would like to suggest that, in some cases, a "trust us not to narc you out" system may, in fact, be superior to the alternatives. The Cypherpunk adage "trust in the laws of mathematics, not of men" excludes a third evaluation classification: the laws of reputation and economics. Let's look at JAP vs. Anonymizer, prior to the JAP backdoor issue: o JAP was a low-latency mix cascade system with independent operators. o JAP had ~ 30K users. o JAP was run primarily by educational/research institutions with government influence. o Anonymizer is a low-latency single-hop proxy system with one operator. o Anonymizer has ~ 100K paid users, and an undetermined amount of free users. (Estimates are as high as 2 mil, though that may be a stretch). o Anonymizer is a for-profit company that makes its money by not narc'ing out its users.

From the laws of math vs. men standpoint, JAP looks like it was the better choice.

However, even when setting aside the issue that our understanding of the math involved may be flawed, JAP quickly becomes less appealing choice once the other factors are considered. University / government funded research relies on grants for its existence. This makes the operators beholden to the source of grant funds. It also eliminates an economic incentive to put users first. Private companies offering privacy/anonymity services are faced with a direct correlation between revenue and delivery of such services. Should a company like Anonymizer violate its stated privacy policy and misrepresent its level of security, as JAP did, the results would be devastating to the viability of the company. The JAP group, on the other hand, is facing nothing more than a little bad PR and the loss of some users. (Many of those 30,000 probably are unaware of the silent compromise of JAP security). Then there is the anonymity-set issue. With almost 4 times the number of users as JAP, Anonymizer is much stronger against many adversaries who lack sophisticated attack capabilities. Anonymity is difficult to achieve. If the number of users of a system is too small to provide sufficient cover traffic for the individual users, it does not matter how "secure" the system is -- it can be treated as a black box, and its users' actions analyzed. Honestly, as much as it pains me to say this as maintainer of Mixmaster, one is probably a lot safer using Anonymizer and Hotmail to send anonymous email than Mixmaster (against most realistic adversaries at this point) simply based on the respective size of the user bases. Hopefully that will improve greatly as the Mixmaster network continues to mature, and remailer software gets easier to use. [Yes, as a "trust-us" system, Anonymizer isn't appropriate for some uses that a correctly implemented and deployed verifiably strong anonymity system would be. However, those uses aren't likely to be common. But one must evaluate his own threat models and take whatever precautions are necessary.] --Len.