Building new technologies involves making tradeoffs. A programmer can only develop so many features in a day. These tradeoffs are particularly hard in building privacy-enhancing technologies. As we work to make them more secure, we often want to show the user more information to help them make better decisions. This impacts usability. The security of network anonymity systems like the Freedom Network or Tor depends on routing traffic through several nodes. Even if processing on the node is close to instantaneous, the transit between them is not. Security of these networks gets better the more latency you’re willing to tolerate. That latency makes it harder to be sure your message is getting through, and it can make it impossible to do things like browse the web.
These usability concerns can keep users away from the system. When the system doesn’t have lots of users, it is less secure. In “Anonymous blogging made simple,” Justin Mason writes:
Now, quinn at ambiguous.org quotes a review of EFF’s recent ‘anonymous blogging’ guidelines, which largely comes up with one conclusion: it’s a usability nightmare. The problem is, the EFF report recommends using invisiblog.com, which in turn uses the Mixmaster remailers. Those things are awful, and I doubt anyone but their authors could possibly know how to use them 😉
I am quite sympathetic to these concerns. But I’m forced to question Justin’s claims that Tor is substantially more understandable. Understanding Tor, and why it helps protect you, is hard enough. (Actually, Ethan Zuckerman agrees on usability, but disagrees on Tor, but Ethan is a smart, technically savvy guy who uses PGP, not a dissident.) My experience trying to explain the difference between no hop, one hop, and three hop systems while at Zero-Knowledge Systems taught me that it’s really, really challenging to bring people up to speed on how networks work well enough that they can understand monitoring. It’s then again challenging to bring them up to speed on Mixes enough that they understand how to distinguish the different systems. Maybe there’s a different route to take, but understanding the problem and how to address it seems like the right approach.
 Technically, pooling and mixing give you that security, and latency is irrelevant. Because that latency is the price you pay for security, and it is user-visible, I pretend it’s what counts.