That's true, their argument seems to assume that a local observer is already malicious, which by their own line of reasoning is just as bad whether they operate your entry guard for 10 minutes or 30 days, so what difference does 6 months or a year make? One reason could be that they don't know who to target, but someone taking extra precautions, like keeping their entry guards for 6 months, would be an interesting target. It's a weak argument though. The argument here is the same as the one above, in that you would become a target, but in this case it's more than just using a persistent entry guard. Someone avoiding all relays in his own country could be tagged as suspicious. Of course there are more efficient ways to identify targets than to watch for circuit path selection biases. They could position themselves as a specific hidden service's HSDir and correlate the descriptor fetches with people using their entry guards, or run exit nodes and wait for people to access specific clearnet sites. It's funny because I got into a debate with a vendor about this yesterday and he told me how "unrealistic" the attack is. Yes, this is a widespread practice on SR, although probably also in most online drug communities. They usually only need to look up the address once and after the first successful delivery they can trust it. However, someone who purchases from many vendors could have dozens of searches of his address from Tor, and that would indicate a busy buyer worthy of investigating. What other reasons are there to look up someone's address over Tor dozens of times?