Group discussion isn't always one-to-any, but public discussion is. There are plenty of private forums with screened memberbases, they might want to encrypt communications to prevent outsiders from being able to see them while allowing members to see them. Some forum have 80 members, others have 600. In the past there have even been groups that encrypted all of their messages with GPG with a group shared key, this would essentially do the same thing but automatically and better. Also, in some instances three or four people might want to talk together, they would consist of a group, but they don't want outsiders to see their communications. Group OTR would be an example of something that would solve this problem, and I think it is a problem worth solving and something that people would need. The only case where the encryption becomes decorative is in the case of public messages that anybody can see, but it still serves a purpose. Freenet message level encryption can be thought of as largely decorative as well, keys to decrypt the content on Freenet are widely available in many cases. In many cases nodes can identify the encrypted content passing through them if they want to, and they can decrypt it as well with the publicly available decryption keys. But the message level encryption still serves the purpose of plausible deniability, because even though a node could decrypt a message it doesn't mean it actually can, just like Freenet nodes could decrypt a lot of the content they host, but it doesn't mean they went out and got the publicly available decryption keys. So in this case public message encryption would serve the function of protecting the PIR servers by providing them some plausible deniability. Let's say the government knows CP has been uploaded to the network and then they seize a PIR node and say they found CP on it. They can say look it was right here in plaintext! You must have known about it! But if it is encrypted and the same thing happens, the person operating the PIR node can say well sure there is CP there but I am not involved with CP so I never looked for the keys to decrypt CP! It might not buy a lot to encrypt publicly viewable messages, but given how trivial it is to do, and the fact that it seems to buy a little, I think it is worth it. Trivially usable read/write storage isn't anonymous or secure. I don't see a way around having to redownload my entire WoT in any scheme, short of me keeping track of who has my WoT and which version of it, and only sending them newly added people. Tons and tons of easy things become hard when you make something that is cryptographically secure. The solution is not to compromise security for ease of use and implementation. Nothing with trivial read/write storage is secure enough. The closest thing you get is hidden services with PHP scripts on them, similar to this forum. But in obtaining that trivial read/write, you lose all of the benefits of mixing and all of the benefits of PIR. It would be great if a trivial system like Tor existed with strong security and anonymity properties, but it is an open research question in academia if it is even possible and most people think it isn't. There is no known system that is as easy to use as Tor Hidden Services that comes anywhere near the level of anonymity that can provided by Mixing and PIR. Tor is a BB gun, Mixing and PIR are assault rifles. To put things into context, the attacks against Tor are almost entirely different from the attacks against mix networks, because mix networks have solved almost all of the attacks against Tor and then some. The only attacks that work against Tor that also work against Mix networks are attacks that are inherent to all anonymity networks and entirely impossible to defend against, such as long term pseudonym/IP intersection attacks carried out by a GPA, which also work against DC-nets.  People you know can point you to messages from people you don't know. PIR is one of the only highly anonymous way to receive data long term. BTW there are updateable PIR schemes: Private Keyword-Based Push and Pull with Applications to Anonymous Communication Another option would be to allow the forum to operate like a normal public forum for public messages. Meaning messages in plaintext uploaded through the mixnet to the PIR server, indexed by things such as the subforum they are in. Then I could make a message and post it to the security forum, and I would do that just by uploading it (through the mix net) to the PIR servers, indexed with a tag like ForumA::Security-Subforum-day. Then someone could obtain all messages in ForumA::Security-Subforum by searching for all messages tagged with ForumA::Security-Subforum-day , where day is the current day (or the last day since they got messages). This makes things easier for public forums, but it also has a few problems. For one it makes spamming easier, because nothing stops anybody from using the tag, and people wont know who a message is from until they download it. In the case of public messaging, the encryption is kind of decorative, but some level of deniability is lost from the PIR servers. The biggest problem I see is that it makes spamming much easier. Also it makes it harder to differentiate messages with the same tag, we don't always want to get every message tagged with ForumA::Security-Subforum-day , we might only want to get NEW messages with that tag, since we already downloaded half of the messages last cycle. Keep in mind that there is a limit to the number of messages a client can download per period of time, and that this is required to protect from a class of intersection attacks. If a client cannot download all ForumA::Security-Subforum-day messages in one go, how are they able to get the remaining messages the next time they try? It seems like they will end up getting the old messages they already got, and will miss all the messages for that time period that they cannot fit into one of their buffers. Solutions like tagging messages ForumA::Security-Subforum-day-a, ForumA::Security-Subforum-day-b, etc would work but they would introduce some anonymity attacks if there are collisions, and since it is high latency there will be (IE: Alice sends the first message of the day ForumA::Security-Subforum-day-a and has it mix for an hour before making it to the PIR server, at the same time Bob notices there are no new messages for the day so he makes the same post ForumA::Security-Subforum-day-a). One solution would be for the PIR servers to add the a variable, but since there are many servers getting messages at different times, what happens when server 1 gets its first message and labels it message A, but then another server gets its first message and labels it message A, when they are different messages? Perhaps something like the push-pull PIR above would make the most sense. Pretty much no matter what it needs to be PIR based though, because nothing else is anonymous enough.