At 4:10 PM 01/06/95, Nathaniel Borenstein wrote:

I hate to say it, because I generally tend to take the pro-FV side of most arguments :-), but I think Jonathan's closer to the mark in this case. If mail goes through ten remailers, and they ALL charge via First Virtual, then the last one in the chain won't have to know who you are, but it will have to know your FV billing account. Thus it, together with FV, have enough information to break anonymity.

This is NOT the same as saying that ANY one operator, together with FV, can burst anonymity; it means that the last one + FV can do so. I

Hmm. Maybe I don't completely understand how this is going to work, but won't _every_ remailer in the chain need to know your FV billing account? How would the rest of them charge via FV without knowing your billing account? What Russell was suggesting (I think), was that only the first would bill via FV directly, so only the first would need to know your billing account, and then he'd settle up with the others at the end of the month. (A particular variation of that scheme is what you mentioned later in your message, and I'll get to that). But assuming that every remailer along the chain _was_ charging via FV, I fail to see how only the last one would need your billing account; seems to me they all would, and thus any one could collude with FV to violate your anonimity. [...]

Personally, for my taste this is sufficiently anonymous for any reasonable purpose. HOWEVER, I can imagine how to make it even more anonymous. Imagine that there are ten for-profit anonymous remailer operators who form an "anonymous remailers consortium". Each of them operates TWO remailers, a for-pay one and a free one, but the free one will only take things that have come directly via some consortium member's anonymous remailer, so your message has to be paid for once, at the entry point to the overall system. Now you can build up a chain that STARTS with a payment, but then threads its way through a bunch of less traceable systems. where the operators can't give tracing information even under court order. The consortium members would probably have to agree to some revenue sharing arrangements, but you could make this work.

Yeah, that's a specific instance of the type of thing Russel was proposing in the message you were replying to. An instance which avoids many of the critisisms I made directly after Russell's message, but not all. The remailer operators still have to have an organization and remain in close contact, which I am uncomfortable with because it seems to make collusion more likely. And it's still dificult to intermix for-pay and free remailers within your chain, or even just for-pay remailers from several different consortiums. And there are a variety of problems in that inability. [The consortium, as far as I can tell, would also find it rather dificult to charge more for a longer chain, I can't think of any way for them to charge anything excpet a uniform amount regardless of length of chain, unless you give the first remailer a way to tell the length of your chain, which is undesirable. I'm not sure if this is a problem.]

I think this level of engineering is overkill -- for my personal level of paranoia, I would settle for a single for-pay anonymous remailer located in a country with very different laws than those that governed the payment system. Such a system would probably be "breakable" for

And this level of paranoia would be perfectly well surved by a Julf/penet style remailer, which _would_ work well with an FV-payment system, as I agreed before. The cypherpunks chained remailernet system as a whole is overkill for your paranoia needs, but appearantly not for the needs of those who use it over Julf's. It appears to me, that an FV-style payment scheme can't be added to the cypherpunks chained remailer system without dropping it's security to the level of Julf's. Which might be good enough for you, but not good enough for me, or presumably for anyone else that uses cypherpunks remailers. [Do you understand how cypherpunks remailers work, and the difference between them and a julf/penet style remailer? Do you understand how encryption is used in a cypherpunks-style remailer chain to make it so each individual remailer only knows the next remailer along the chain, and not the entire rest of the chain?]