It's unlikely that Tor users are being flagged in Western countries. You come to this forum and see thousands of drug users on Tor, but you have a biased view. Millions of people use Tor for dozens of reasons. Picking out the drug users would be difficult without other evidence, in which case it's only the other evidence that matters. Using Tor isn't evidence of committing any specific crime. Some regimes detect and block access to Tor. They are mainly in the Middle East and China, although there are others, like Burma. Some people in Russia want to ban access to Tor, but that's another shithouse country under Putin. That isn't happening in any Western countries. All the being said, your ability to hide your Tor use depends on the sophistication of your adversary. In some countries, using bridges is sufficient to bypass restrictions on accessing the Tor network. The Chinese government actively probes for and blocks bridges, including those that use the obfsproxy version 2 protocol. That's why the Tor developers have created a more sophisticated version 3 protocol. As far as I know, it is working. The Chinese government hasn't found a way to detect those bridges yet. So even if you think your adversary is as sophisticated as the Chinese government, and actually cares about watching you, an obfs3 bridge *should* be enough to protect you, for now. They can "work out" what's happening if they can watch both ends of the circuits you build through the Tor network. For example, if they ran your entry guard and exit node, they could see who you are (your IP address) and what you are doing (the site you're visiting). That applies to clearnet sites. For hidden services, they would have to be positioned as either the hidden service's entry guard, an introduction point, or the hidden service directory. Given the size of the network and the long rotation period of entry guards, it's difficult to target a specific person to watch both ends of their circuits. An adversary can spin up relays and observe a few random people, though. Same with hidden services. They could spin up a bunch of relays and brute force a key to become a hidden service's directory, and then wait for people to randomly select their entry guards. Bridges are a solution to this problem as well. Once you configure the browser bundle to use a few bridge IP addresses, it will always use them. So as long as those bridges are not malicious and stay that way, you won't rotate entry points and select malicious guards. I can cheers to that!