Re: Remailer Abuse
Excerpts from mail: 6-Jan-95 Re: Remailer Abuse nelson@crynwr.com (779)
From: jrochkin@cs.oberlin.edu (Jonathan Rochkind)
In a First Virtual payment-scheme remailernet, no matter how many remailers I send my message through, any _one_ operator, together with First Virtual, can burst my anon bubble.
Why? Why wouldn't the FV remailers use settlements? At the end of the month, everyone settles accounts in re who gets what fraction of what. No logs are needed other than counters.
I hate to say it, because I generally tend to take the pro-FV side of most arguments :-), but I think Jonathan's closer to the mark in this case. If mail goes through ten remailers, and they ALL charge via First Virtual, then the last one in the chain won't have to know who you are, but it will have to know your FV billing account. Thus it, together with FV, has enough information to break anonymity. This is NOT the same as saying that ANY one operator, together with FV, can burst anonymity; it means that the last one + FV can do so. I think, however, that you'd need to break into the last one to get enough information to allow the next-to-last one to figure out the right FV-id. (This assumes that you're tracing the message from its ultimate destination, not monitoring traffic as it passes through the remailers -- in the latter case, Jonathan is probably right on the mark.)

Personally, for my taste this is sufficiently anonymous for any reasonable purpose. HOWEVER, I can imagine how to make it even more anonymous. Imagine that there are ten for-profit anonymous remailer operators who form an "anonymous remailers consortium". Each of them operates TWO remailers, a for-pay one and a free one, but the free one will only take things that have come directly via some consortium member's anonymous remailer, so your message has to be paid for once, at the entry point to the overall system. Now you can build up a chain that STARTS with a payment, but then threads its way through a bunch of less traceable systems, where the operators can't give tracing information even under court order. The consortium members would probably have to agree to some revenue sharing arrangements, but you could make this work.

I think this level of engineering is overkill -- for my personal level of paranoia, I would settle for a single for-pay anonymous remailer located in a country with very different laws than those that governed the payment system. Such a system would probably be "breakable" for the legal pursuit of genuine terrorists, but not for government harassment of political dissidents, closet gays from conservative countries, pornographers, etc. I guess my basic assumption is that while any given government can not be trusted with too much power, if you can't distribute your trust for such things across several very different governments, human freedom may be a lost cause in the long run anyway.

-- Nathaniel
participants (1): Nathaniel Borenstein
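The backward trace discussed in the message above, as an added example that is not part of the original post: it walks a remailer chain from the delivered message toward the sender and reports which parties would have to cooperate to name the sender. The `Hop` type, its field names and the sample chains are hypothetical, and the model assumes that a hop which bills through First Virtual holds a billing record tied to the message it forwarded.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    name: str
    sees_fv_account: bool  # assumption: hop bills the sender's FV account for this message
    keeps_link_log: bool   # operator can map an outgoing message back to the incoming one

def tracing_coalition(chain):
    """Trace backward from the delivered message.

    Returns the set of parties whose combined records identify the sender,
    or None when the trail goes cold at a hop that holds nothing usable.
    """
    needed = set()
    for i in range(len(chain) - 1, -1, -1):
        hop = chain[i]
        needed.add(hop.name)
        if hop.sees_fv_account:
            # A billing record plus First Virtual's account database names the sender.
            return needed | {"FV"}
        if not hop.keeps_link_log:
            return None  # nothing to hand over, even under court order
        if i == 0:
            return needed  # entry hop received the mail from the sender directly
    return None

# Constructed sample chains (not from the original message).
# Every hop charges via First Virtual.
ALL_PAY = [Hop(f"pay{i}", True, True) for i in range(1, 11)]
# Consortium: one paid entry hop, then free hops that keep no link logs.
CONSORTIUM = [Hop("pay-entry", True, True)] + [
    Hop(f"free{i}", False, False) for i in range(1, 10)
]
# Same consortium, but the free hops do keep link logs.
CONSORTIUM_LOGGED = [Hop("pay-entry", True, True)] + [
    Hop(f"free{i}", False, True) for i in range(1, 10)
]

if __name__ == "__main__":
    for label, chain in [("all-pay", ALL_PAY),
                         ("consortium", CONSORTIUM),
                         ("consortium, logged", CONSORTIUM_LOGGED)]:
        result = tracing_coalition(chain)
        print(label, "->", sorted(result) if result else "trail goes cold")
```

The model only covers tracing from the ultimate destination; traffic monitoring as messages pass through the remailers is outside it.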