I should also note that since Tor is so popular it is automatically safer from this sort of attack than say I2P. I2P has like 5k users total last time I checked. They are spread through out the entire world. And it isn't that hard to get a list of all I2P nodes, a fairly weak attacker can do it. If you ship drugs and use I2P you are quite probably fucked via this attack, even if you live in a dense urban area. Let's say there are 100 I2P users in New York. I know this vendor ships from New York because I placed an order with them. I now know this vendor is one of 100 people. If I merely talked with the vendor, instead of getting their rough geolocation data via the mail, I would only know that they are one out of the 5000 people who use I2P. See how much damage leaking geolocation did to their anonymity? It isn't quite as bad with Tor though, because if there are 100 I2P users in new york there are probably 5,000 Tor users there (both numbers pulled out of my asshole, but to demonstrate that Tor is much more widely used than I2P). Then again you are still narrowed in as one of the 5k people using Tor in New York, much worse of an anonymity set size than the 100,000+ Tor users in the world that Tor thinks you are blending in with (since it doesn't know you leaked your rough geolocation). And if you live in Nowheresville and ship drugs from a few blocks away, you are going to stick out like a sore thumb as the only Tor user in Nowheresville. The police will probably assume you are the same Tor user sending them drug packages from Nowheresville, even if they can't trace you through the network. They can still observe you are using the network, and they know roughly where the person sending these packs lives.