Anonymizer’s methods are surprisingly straightforward. They make available an anonymous proxy server and, when the Chinese government blocks access to its URL, distribute a new URL on a daily e-mail list. Apparently, the mean time to blockage used to be months, and now is down to a couple of days. Lance claims to have already worked out prepared (undisclosed) tricks prepared for when the mean time to blockage drops so low — e.g., less than a day – that current techniques stop working.

I would guess that one of these tricks is to distribute different proxy URLs to different list subscribers, making it hard for the Chinese government to block them all … especially since the subscribers whose URLs did get blocked would quickly be dropped from the list. One bonus to this hypothetical approach is that they could use all sorts of standard spammer techniques to punch the e-mails themselves through any filters. The only truly reliable way to block spam is to identify it via the call-to-action part. But if you’re sending different URLs to different people, that makes call-to-action identification and blocking hard.

Still, there’s a scaling problem. Right now they only reach 10s of 1000s of Chinese citizens. It’s hard to see how they could get through to a really large fraction of the population without leaving themselves open to standard spam-blocking techniques. What’s more, there’s no compelling technical reason China couldn’t block 100s, 1000s or even 10s of 1000s new URLs each day on a quick-response basis.

That said, Anonymizer’s heart and head both seem to be in the right respective places. What Lance told me doesn’t go nearly as far as my Operation Peking Duck proposal, but it’s in the same direction, right down to requiring the Chinese citizens to have a secure piece of client software, and hoping the authorities don’t criminalize the very act of running that software, or defeat it via a spyware blocker. More fundamentally, he seems to understand that he can’t win long-term without being, in his great phrase, a “freedom spammer.” Indeed, right now a significant fraction of the e-mail list subscribers are actually spam recipients, to provide legal cover should anybody get into trouble simply for being on the list.

1. Provide anonymity services to ordinary individuals.
2. Provide anonymity services to enterprises (aka enterprise sneakiness support).
3. Help people get through the national firewalls in Iran and China.

For the record: They’re profitable, only ever took about $2 ½ million in mainly angel funding, get 70% of their revenue from enterprises (an increasing percentage even though the consumer stuff is growing to), and are paid by Voice of America for their Iran work but do China on a pro bono basis.

The consumer service, for an annual fee of $20-40 or so, is designed to reduce the marketing-related hassle of using the internet. If you need to give out an e-mail address, you can use a pseudonymous one, from which Anonymizer will re-route mail to your main address – until such time as you shut it down, because that particular address is attracting spam or other unwanted traffic. They also work to make you untraceable via IP address or cookies, protect you from spyware, and so on.

Is this worth the hassle for an individual to use? Well, I hate getting 100+ spam/day, but given how widely published my main e-mail address is, new sign-ups are the least of my problems. But if you’re an enterprise, it’s a whole other matter. That’s because enterprises have lots of reasons to be sneaky. These reasons fall into two major categories.

First, enterprises have a lot of legitimate reasons for concealing their interest in a subject. If they’re going after a bad guy – hacker, fraudster, whatever – it’s good not to be spotted. If they’re so much as checking out a possible merger target, it’s good not to be spotted. AOL accounts and the like will do the job too – but if you’re a professional snoop, having a professional cloaking device makes sense.

Second, there are cases where web sites are automatically configured to defeat snooping. Lance cited a number of cases – hackers again, trademark infringers, and so on. Most interesting, however, are the enterprises who engage in hardcore automated price-checking. It wouldn’t be unreasonable for an airline or major online retailer to fire off hundreds of thousands of competitive price inquiries daily – and for competitors to detect that and try to feed incorrect information back.

How big is this need? Lance assures me that he has commercial customers – not just government/intelligence – with low thousands of seats each, paying low hundreds per seat per year. But does that go far beyond a few obvious-suspect airlines and the like, plus a few top-tier Fortune-50-type brand owners? I don’t know.

One subject I forgot to ask about – and a hat-tip goes to Linda for raising the question after I got off the phone: Why isn’t this sneakiness-enabling technology a boon to bad guys too? Offhand, I couldn’t think of anything Anonymizer provides to crooks that isn’t simply provided by consumer free e-mail, encryption, and the like – unless they’re mega-spammers, and then they don’t need Anonymizer anyway because they have their botnets to conceal their identities. Still, I’m e-mailing Lance for follow-up, and will ask him to address the point in the comment thread below.

Some interesting aspects of enterprise deployments – they’re subscription-priced, they’re appliance-based, and the appliance is just a Juniper/Netscreen box configured to route traffic through Anonymizer’s servers. (Usually, at least – I get the impression they’ve tried other vendors’ boxes, but are mainly standardized on Netscreen.)

As for their penetration of the Great Firewall of China — that’s too important to bury this far down. I’ll write a separate post for it.