Exactly, if you are careful you are safe. But it takes just one mistake to get caught. For example, if you have javascript activated (without it most of the web is useless), you could get fingerprinted, and then make a match with facebook or gmail, or if you are already a suspect, just get raided and make the match there. I don't know exactly how these guys I mentioned got caught, they probably did something stupid like logging in to a website with a real account. If I remember correctly, the news article only said that the police started running an exit node and sniffing the data that went out.