As part of another project, I needed to demonstrate how the various user-interface options for sending anonymous email through Mixmaster appeared to the email sender. This is very difficult to explain in words, so I recorded some screencasts. The tools I used were the Mixmaster command line tool, the Mutt email client with Mixmaster plugin, QuickSilver Lite, and finally a web-based interface.
The project is now over, but in case these screencasts are of wider interest, I’ve put them on YouTube.
Overall, the usability of Mixmaster is not great. All of the secure options are difficult to configure and use (QuickSilver Lite is probably the best), emails take a long time to be sent, recipients of anonymous email can’t send replies, and there is a high chance that the email will be dropped en-route.
In principle Mixmaster can be a secure way to send anonymous emails, but its usability problems mean that there are only a few users and this damages the security it offers. In a number of cases, Tor users have been deanonymised because the user community was too small, and Tor has likely several orders of magnitude more users than Mixmaster.
Mixminion is technically superior to Mixmaster and also has the potential to be more usable (emails are carried over TLS-encrypted connections rather than email, so avoiding the need for a user to configure their Mixminion client with SMTP server details). Unfortunately the experimental Mixminion network has shrunk to such a size that it is no longer possible to send emails through it. The Mixmaster network has shrunk too, but it at least is still able to function.
Currently, webmail-over-Tor is likely the most popular way to send anonymous emails. It is reasonably usable as a result of the efforts of The Tor Project, reliable, and quick. It’s also quite easy to mess up; if you ever log into your anonymous email account without using Tor, all your previous communications can be traced back. Tor is also not secure against powerful adversaries who can spy on a significant proportion of the Internet.
There’s much more that can be done to improve the situation. Better usability for Mixminion would be a start, but it also needs some remailer operators willing to deal with the inevitable abuse that occurs for any messaging service on the Internet. Techniques for managing this abuse would also help, but are unlikely to completely eliminate it.
Other designs show promise too, for example Pond, compared to Mixminion, offers reasonable usability, better security (in some respects), and good abuse prevention by only allowing email to be sent between individuals who already have agreed to communicate. However Pond isn’t ready for widespread use, and it will not be able to handle all use cases (such as a whistleblower leaking information to a journalist who doesn’t use Pond).
The usability of anonymous email could be greatly improved, and there’s plenty of opportunities for research which could have a big impact on freedom of speech online.