Yep. The attack Astor pointed out is a very real concern for vendors, but not at all for customers. In addition to needing the rough geographical location of the target, the attacker also needs to go to quite a bit of trouble to carry the attack out. It is unlikely that they would bother going to so much trouble to bust somebody who is only buying for personal use, but they couldn't even if they wanted to because they don't know the rough geographical location of customers with enough precision that they could even get started. And if they do know where the customer lives to a small enough radius that this attack would be realistic, chances are they already have the customer's address anyway.

For a big vendor it is a totally different story, though. Even more worrying is that they may be able to enumerate Tor clients simply by long-term observation of the directory authority servers (i.e., without cooperation of ISPs local to the vendor's area of operation). This is prevented in cases where vendors use bridged connections, as bridges act as directory guards as well. Bridges also make it less likely that a vendor will be detected as a user of Tor even in cases where the attacker gains the cooperation of the vendor's local ISPs.