The privacy concept is the very core of anonymous remailers.
About those matters, more than anywhere else, it is mandatory:
    for the admin to precisely delimitate which level of confidentiality he will enforce on himself
            what he will do and what he will *not*
    for the end-user to draw inferences from it, and take appropriate additional actions
Total privacy is the rule, exceptions are listed below exhaustively.
And of course, no exception to basic rule: *NO LOG* inbound Message_ID <> outbound Message_ID
Remailer's stats Mailin and Mailout are built on Date-Time-Size exclusively, and go to separate files.
(program sources and file layouts provided on this WWW).

NB: I do the following proceedings only if I am in an excellent mood, with plenty of time to lose
Default action is 'Del'.

Folder: \Trash\

With 'Reliable', inbound messages are decyphered.
If decryption fails, messages are stored to a specific folder: \Trash.
Each message occupies a file (.ml0) where header (plaintext) and body (encypted) sit together.
Message generally cannot be recovered and must be deleted.
Sometimes, a simple manipulation makes the message decryptable:
    additional line skips
    faulty line wrap (Agent + PGP 6)
Those problems are well_known to me and my eyes focus on the part
     between BEGIN PGP MESSAGE
     and         END PGP MESSAGE
The rest of it is none of my business

Folder: \Mailout\ Error\

The outbound 'Mail' messages split into two parts: Header (.q0) and Body (.q1).
In case of a problem, both files are moved to \Mailout\Error.
Only the .q0 part might need manipulation for correction:
     suppression of commas between the ' ' of the 'From: ' field
     suppression of extraneous non-radix64 at the end of the 'To: ' field

Folder: \NNTP\ Error\

The outbound 'Post' messages split into two parts: Header (.q0) and Body (.q1).
In case of a problem, both files are moved to \NNTP\Error.
Only the .q0 part might need manipulation for correction:
    generally ensure a cross-post to alt.test for unsupported NG
    correct trivial errors like 'privacy.anon-server' instead of 'alt.privacy.anon-server'
    sometimes put a valid 'From: '

Decryption for one message:

Upon ruling by a (French) judge only
     I would accept to decypher a message which was sent to the remailer and provide the 'cleartext'.
       (that is the case of direct tracking: the outbound mail from a suspect has been intercepted)
       well... there is a high chance that 'cleartext' is indeed encrypted and the recipient is a foreign remailer....
     ...which will have to be contacted by his country's judiciary, while his keys might have changed at that moment...

Releasing the secret keys

On the other hand, any request aiming at releasing the remailer's private keys,
and hence allowing to decrypt ALL messages inbound to 'Frog'
would be rejected and submitted to the European Court.

People trying to give remailers a bad name, remailer-haters of any kind,
and which hence belong to the category of 'totally unacceptable usage'
are explicitly barred from the benefit of any privacy clause.
(Cf: Why use Anonymous Remailers ?)
The truth is: in case of illegal acts, I would *gladly* participate in any police action aiming at analyzing their outbound mail..

Remailer's private keys (PGP and Mix) sit on an encrypted BestCrypt disk.
When the machine is not attended, a screen saver with password prohibits acces to keyboard and screen.
Of course, there is a firewall.
Planned key change periodicity is 12 months.