From: IN%"tcmay@got.net" 21-MAY-1996 05:37:17.56

At 4:56 PM 5/20/96, Rev. Mark Grant, ULC wrote:

...

With regard to the problems of remailers being shut down when we want long-lived addresses, wouldn't seperating the input and output be one possibility? That is (like Hal's Alumni remailer) you'd send mail to 'remailer@anon.ai' and it would be forwarded via a disposable account elsewhere. All messages would appear to come from 'disposable@foo.com' and if that account was shut down a new one could be opened to replace it while incoming mail simply backed up at the main remailer account.

This is a very good idea.

Agreed.

Traffic analysis will be quite easy to do, of course, as all mail sent to the persistent address comes out of the "disposable@foo.com" address. Q.E.D.

As has been pointed out since your message, one could logically have multiple remailers all using the same output account for messages. Extensions on this idea would be having them use it only for ones going to other than another remailer, to prevent the traffic from being noticed (if lots of traffic to remailers is coming out of one account, someone's going to notice...). Several people could run such output accounts, sending encrypted data on how to access the latest one(s) to (a subset of) remailer operators. (I say a subset in order to stop the NSA from running a remailer and letting, say, AOL know about each new output account on AOL. If some remailer or group of remailers wasn't told about a new output account, and the output account lasted statistically significantly longer (controlling for level of output), then that'd be cause for suspicion.) Which one was used for any given message through a particular remailer could be randomly chosen from those that remailer knew. Another aspect of this is that it would spread out the cost of operating the output account. One way to deal with this would be to have the postage going to the output account owner instead of to the remailer, or two items of postage (one to the remailer, one to the output account owner), or three items of postage (one to the first remailer in the chain, one to the last, and one to the output account).

(Hal, to use him as the example, could start using his own choice of remailer hops to accomplish much the same result. We've talked about this for a long time, too. If I ran a remailer, I think I'd route *all* traffic leaving my site through at least one other remailer...kind of a "hot potato" effect. Of course, if _everyone_ did this, an infinite loop would result. Lots of interesting twists, though, as messages could be set to "leak out" of the loops.)

Oh? What's this idea? -Allen