"Secure against bulk surveillance" is a big push in a lot of areas, it's a button Bruce Schneier and Eben Moglen have been pushing hard for the past year or so. See especially their joint lecture at Columbia Law School in December, 2013, and Schneier's presentation to Stanford Law School in April, 2014 (both are on http://FixYT.com).
Anonymized persistent IDs associated with physical / persistent IP addresses represent a different level of threat, particularly for those who are engaged in activities for which concern from an APT (advanced persistent threat) such as a state actor, with either legal impunity or significant resources, or both, is a concern. In that case, I'd want to see a system with repudiable identifiers and onion routing such that endpoints aren't clearly determinable.
That said, yours is a crucial question.
Related: what are the threat models against which Tox is a response?
Our threat model is an attacker that wants to read and record the contents of conversations between everyone; they have the ability to modify/add/remove and log any packets. We assume they do not have any access to the actual machines Tox is running on.
The main goal of Tox is to make it hard for a global threat to conduct mass surveillance on everyone at the same time without sacrificing performance.
If the majority of the people using Tox have "nothing to hide" and use it because it works better than Skype, the minority that does need the crypto will be able to use it without being discriminated against.
"Secure against bulk surveillance" is a big push in a lot of areas, it's a button Bruce Schneier and Eben Moglen have been pushing hard for the past year or so. See especially their joint lecture at Columbia Law School in December, 2013, and Schneier's presentation to Stanford Law School in April, 2014 (both are on http://FixYT.com).
Anonymized persistent IDs associated with physical / persistent IP addresses represents a different level of threat, particularly for those who are engaged in activities for which concern from a APT (advanced persistent threat) such as a state actor, with either legal impunity or significant resources, or both, is a concern. In that case, I'd want to see a system with repudiable identifiers and Onion routing such that endpoints aren't clearly determinable.
That said, yours is a crucial question.
Related: what are the threat models against which Tox is a response?