Circumvention and Anonymity
We've always argued that safe circumvention requires anonymity, even from the circumvention service itself. There are many people wanting to record your Internet traffic and browsing patterns; from governments to commercial advertising networks. There are many ways to defeat the threat of traffic analysis; from simple proxy providers, virtual private networks, and distributed peer to peer solutions. Only some of these offer anonymity along with circumvention. Tor's open design and anonymity properties provide protections for the user from those watching the traffic and from us as an organization.
Our architecture and design don't force the user to assume trust in us. Our code is accessible and licensed under an open license. Our specifications are clearly detailed and published. Our packages follow a defined build process so the user can create the same binaries we do. Independent researchers can and do test the properties Tor provides [and help us to improve]. Moreover, The Tor software runs on a distributed network, where a single operator cannot capture or be forced to capture all users' traffic information, even under legal or coercive threat.
All of these should allow the user to trust The Tor Project as a not-for-profit company and to trust that Tor isn't surreptitiously watching the very information you're trying to protect and isn't gathering information we could be forced to disclose.
We're always willing to work with other organizations who understand that anonymity provides stronger circumvention protections than the alternatives.