On Mon, Aug 25, 2003 at 08:27:20PM -0700, Len Sassaman wrote:
| However, even when setting aside the issue that our understanding of the
| math involved may be flawed, JAP quickly becomes a less appealing choice
| once the other factors are considered.
|
| University / government funded research relies on grants for its
| existence. This makes the operators beholden to the source of grant funds.
| It also eliminates an economic incentive to put users first.
|
| Private companies offering privacy/anonymity services are faced with a
| direct correlation between revenue and delivery of such services. Should a
| company like Anonymizer violate its stated privacy policy and misrepresent
| its level of security, as JAP did, the results would be devastating to the
| viability of the company. The JAP group, on the other hand, is facing
| nothing more than a little bad PR and the loss of some users. (Many of
| those 30,000 probably are unaware of the silent compromise of JAP
| security).

Much as we'd like reputational issues to rule, I think your final
parenthetical is important. I would be willing to bet that Lance
*could* take FBI money to rat out users without it reaching the
userbase. I'd also be willing to bet that Lance *wouldn't,* but that
bet would obviously be smaller.

So, to the question of, is a private company better than a research
lab? Probably. But could a private company compromise its users
without imploding? Probably.

The right system is probably something like Tarzan, running
low-latency traffic inside the file trading cloud.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume