
Showing 9 of 9 results by EconomyBuilder

Board Bitcoin Discussion
Re: Local exchange and stabilization
by EconomyBuilder on 21/08/2010, 22:35:36 UTC
Here's how I see it:

(1) There needs to be an incentive for early adopters. They are taking a risk because bitcoins might end up very valuable or they might end up worthless, depending on what the future demand for bitcoins is. So there should be some deflation built into the system.

(2) The deflation can't be too big, or it will discourage later adopters who will think they're being scammed by a pyramid scheme.   Also, according to some economists (hotly disputed by others) too much deflation can cause hoarding meaning fewer transactions being made in the currency.   Is it true?  Hopefully we'll get to find out.

Corollary to (2): if you don't like the deflationary monetary policy of the current bitcoin currency, or some other feature of it,  feel free to start your own and see if you can win over the merchants.

Board Bitcoin Discussion
Re: Repost: How anonymous are bitcoins?
by EconomyBuilder on 21/08/2010, 22:14:56 UTC
Quote
The possibility to be anonymous or pseudonymous relies on you not revealing any identifying information about yourself in connection with the bitcoin addresses you use

Much easier said than done.    Most routine e-commerce transactions will link the bitcoin address with other identifying information, and determined attackers can overcome the privacy of even extremely careful bitcoin users:

(1) If you don't use Tor, the merchant (or whoever your payment counterparty might be) will have a log or cache entry linking your IP address to your bitcoin address.

(2) If you use Tor, but the end-to-end info is unencrypted, the Tor exit node can (and you should assume will) have a log or cache entry linking your bitcoin address, any identifying info you sent to the merchant, and the merchant.

(3) If you use Tor, but forget to or can't turn off web cookies, your bitcoin address can be linked to a web cookie, which in turn is often linked to your IP address by an advertising aggregator like Google/Doubleclick.

(4) If you order goods shipped to your address, the merchant will have a log or cache entry linking your name, snail-mail address, and any other identifying information you gave, even if you used Tor.

(5) Each bitcoin record links your bitcoin address with those of all the counterparties that address has transacted with.   Depending on the length and variety of the record it can reveal your shopping pattern which is often uniquely distinguishable from other shopping patterns, just as fingerprints or DNA are unique. 

(6) Determined investigators or a software system somebody might write (similar to advertiser's software used to track user preferences across merchants) can gather and integrate information from different bitcoin nodes, vendors, etc. the bitcoin user's software has communicated with.   Even if one log by itself doesn't tell much information, an aggregation of logs from several different merchants and transactions might speak volumes.

(7) etc., there are undoubtedly many other ways to link bitcoin addresses with other identifying information, caused by bitcoin itself, by outside entities the information-gathering and sharing nature of which most users will not be aware, or combinations thereof.

Secure anonymity on the Internet is pretty hard to do.

Board Bitcoin Discussion
Re: Open Transactions: untraceable digital cash
by EconomyBuilder on 21/08/2010, 21:23:07 UTC
Blinded cash issuers (using for example this system) and the bitcoin system could make a pretty good combination.  It could be similar to how private banks kept gold reserves and issued bank notes:

* Use bitcoin or a modified bitcoin/RPOW/bitgold-like system to create a securely auditable, unforgeable, public, non-anonymous "high power money" analogous to gold.

* Issuers (or "banks") of securely anonymous (blinded) bank notes keep bitcoins as reserves.  By analyzing their public bitcoin chains, any customer can audit the reserves of any of these issuers.

Those who don't care about their privacy or who want to be issuers with trustworthy reserves can use bitcoins directly, while cash customers who like their privacy can use the securely anonymous blinded cash.   That forms a two-tier system, analogous to the old privately issued money system that involved mining and storing gold (bitcoins) and issuing bank notes backed by gold (anonymous cash backed by bitcoin reserves).

The whole system could be far more secure than the old gold-reserve + banknote system, because the "gold" is more difficult to steal but far easier to securely audit, and the "bank notes" far harder to counterfeit and (especially against modern investigation techniques) more difficult to trace/identify users.   The "gold window" for these banks could be far more secure from various threats than in the old private bank note issuers.  And it's all conveniently online.

So my take is to take advantage of the public and basically non-anonymous nature of bitcoin/RPOW type systems to securely audit people who claim to own X of them (such as currency issuers), while using blinded digital cash for transactions where privacy is more important than public audit.

Board Bitcoin Discussion
Re: Anonymity and Traceability Review
by EconomyBuilder on 21/08/2010, 19:42:50 UTC
"Anonymity" is a vague phrase and we've got to be careful what kind we're talking about.  It might for example mean:

(1)  Not having your name directly on a transaction, but any competent investigator (the attacker) could talk to a merchant who has a database associating your name with certain Bitcoin address(es) and find out that your name controls those address(es). 
(2) Same as (1) but instead of finding out your name they simply geo-locate your address(es) by linking them to your IP address.
(3) Same except instead of name or geo-location they figure out what kind of business you are up to from the detailed history on the Bitcoin chain of which addresses you've transacted with and when. 
(4) They figure out all of (1)-(3).
(5) You try to avoid any of (1)-(4) by trusting intermediaries not to keep logs.
(6) Secure untraceability, which avoids (1)-(5) without having to trust anybody in particular. Tor, for example, can mostly achieve this (every relay in the chain would have to collude or be simultaneously monitored) for individual encrypted messages.

I only call (6) _secure_ anonymity.   (1)-(5) I am uncomfortable with people advertising as "anonymous" because, although it might not have your name directly in the log, "anonymity" in the crypto community has traditionally meant something much stronger, i.e. secure untraceability.    Computers have perfect memories and are full of obscure caches, and in the financial world intermediaries are often required to keep logs by law, so you should just assume they will remember everything rather than trusting them not to.

I don't know how to make secure anonymity work directly with Bitcoin, since having the transactions be public and related (by chains, by addresses, and by signatures) is part of Bitcoin's security protocol while secure anonymity is about making each transaction unlinkable to the others. It can be made to work indirectly by having an intermediary issue a different kind of coin, blinded digital cash, and then mixing much as suggested above. Then if you want to be anonymous you exchange your bitcoins for anonymous cash and if you don't you just use bitcoins directly. The issuers of anonymous cash can be required by customers to use bitcoins to keep securely auditable reserves, so bitcoins would still be adding tremendous value in making the currency more trustworthy even if everybody else is using the anonymous cash instead of bitcoins directly. This dual setup is very analogous to a bank holding gold reserves and issuing bank notes, except the "gold" in this case, bitcoins, can be made much more securely auditable and much harder to steal. Since the anonymous cash is blinded, each transaction is securely unrelated to the others and one does not have to worry about either the intermediary or the merchants keeping logs or linking your name to a particular transaction, because the logs can't be pieced together to link transactions to each other. Google "blind signature"+"cash"; there is a good technical literature out there about how to do securely anonymous digital cash. I particularly recommend "double blinded" cash as it allows the payee as well as the payer to remain securely anonymous.

Board Trading Discussion
Re: Money Transfer Regulations
by EconomyBuilder on 21/08/2010, 09:35:41 UTC
Not relying on a trusted third party makes Bitcoin quite secure in some ways from governments. There's no gold warehouse that anybody can confiscate. And assuming it doesn't have a major security flaw (a big if, it needs a security audit by professional cryptographers) it won't need to rely on government legal systems for its security. But it's not securely anonymous, so governments can trace down and raid the exchanges (under current money transfer regulations, as with e-gold and others) and end users (if totally outlawed) and force them to reveal their keys and thus cough over their bitcoins.

BTW, the short legal answer is that we're screwed both ways -- it's "money transfer" for the purposes of financial regulation but not "money" under the UCC. So you can't, for example, write a check for "10,000 BTCs" and have it legally be treated like a check in the U.S. You can make BTCs a term in your contract but it will probably be treated like a good or service rather than like money. But money laundering regulations and the like apply. As usual, consult a real lawyer.

Board Development & Technical Discussion
Re: Anonymity
by EconomyBuilder on 21/08/2010, 08:56:19 UTC
Quote
"You're safe if none of your addresses are used to receive coins from people who know who you are and you never send coins to people who know who you are."

(1) How am I supposed to know who "knows" me and who doesn't?   Strangers to me often have all sorts of information about me in their databases, even if I have never heard of them before.

(2) A sufficiently unique and detailed set of transactions can be sufficient to uniquely identify you, like a fingerprint.

Any anonymity in this system is very weak and won't withstand any vigorous investigation effort by competent technical investigators. It bears no resemblance to the strong anonymity available with, for example, David Chaum's digital cash and various relatives of that blind-signature scheme. It is in no sense secure in the same kind of way the hash chain or other cryptographic properties of the system are secure. Of course the Chaumian ecash systems don't have the decentralized trust in terms of transaction clearing that this system has. So there's your tradeoff, better currency security but no strong anonymity. It's probably reasonable to give up anonymity for better currency security if one has to make that tradeoff, but let's not throw around the description "anonymous" as if Bitcoin securely has that property, it does not.

Now somebody could develop a system to issue securely anonymous digital bank notes, and use bitcoins as the reserve currency for the issuing bank(s), thus achieving both strong anonymity and currency security greater than fiat or government-currency-backed anonymous cash.   One could audit the bank reserves by looking at its publicly signed bitcoin chains (taking advantage of the *lack* of anonymity in Bitcoin).   This strikes me as a pretty nice combination, but it would require some additional software and services currently lacking.

Board Development & Technical Discussion
Re: [RFC] bitcoin electronic check standard
by EconomyBuilder on 21/08/2010, 08:23:19 UTC
I don't know whether you can for commercial purposes call these "checks" in the U.S., because they are probably not negotiable instruments under the UCC in the U.S.   Not because they are electronic, but because bitcoins are not government-issued currencies and thus not "money" under the UCC.    Unfortunately it's still "money transfer" under money laundering laws.    Caveat: IANAL, you should consult a lawyer.

Board Economics
Re: Inflation, Fractional Reserve, and Bitcoins
by EconomyBuilder on 21/08/2010, 07:51:06 UTC
Well, it could have been called "network resource allocation units", "secure stamps", "reusable proofs of work" (like its competitor, RPOW), or any number of other such techno-jargon and flown under the regulatory radar for a while. Of course, it would be rather difficult to market it as a payment system using such euphemisms. Who's using RPOW, for example?

But ya wanted to market it as, you know, _money_, so the cat's out of the bag.   It's  called "Bitcoin" and people are using it to "pay" for things.  So it's obviously a financial system (for purposes of e.g. money laundering regulations and similar restrictions).   But because it's not a government currency it's not "money" for the UCC.  So for example in the U.S. you can't write a check for "10,000 BTCs", it won't be considered a legal negotiable instrument.   So you get almost all the financial regulation, which will regulate it as money transfer, but not the respect of the UCC, which will just treat it as an ordinary good (or possibly even a service, putting you outside the UCC and into common law)  if you write it into a contract.  (Caveat: I am not a lawyer, folks who are seriously using this stuff should consult real lawyers).

Board Development & Technical Discussion
Re: Dealing with SHA-256 Collisions
by EconomyBuilder on 21/08/2010, 07:12:27 UTC
According to my current understanding of how Bitcoin works (admittedly sketchy), if SHA-256 is broken in such a way as to decrease the difficulty of computation by (say) 5 orders of magnitude, then the difficulty factor could be adjusted by 5 orders of magnitude.   Same way it responds if a bunch of fast machines start generating blocks all of a sudden, only measured in orders of magnitude instead of just a factor of two or five or so. 

I guess the "breaking" part comes in because the Byzantine agreement part would fail since a guy who is secretly breaking Bitcoin's SHA-256 would be dominating the "computing power" and thus have more than the 50% of the resources needed to forge transactions?