(David Fifield) Last month we remarked on a decline in the number of users. A likely partial cause of that decline is now known. Contributor Haz Æ 41 discovered a bug where fragments of TLS-encapsulated Tor traffic could be sent to the wrong user, being more likely the more users there are. The Snowflake team has judged the privacy risk of the bug to be small, because there is no plaintext or persistent identifiers at the protocol layer that was affected, but the bug had a strongly negative effect on performance, causing excessive data retransmission and premature termination of sessions. After deploying a fix for the bug on 2023-03-13 (vertical red line in the graph), the number of users began to recover.

The increase in the number of users was gradual; but the increase in bandwidth was immediate. The below graph shows the number of bytes transferred by the snowflake-01 bridge per day. After deploying the bug fix, daily bytes transferred increased from about 12 TB to over 20 TB, and continued to increase from there. All Snowflake users got much better data transfer speeds.

There were a few more incidents of apparent blocking of the default rendezvous method in Iran; however the anomalies are few and scattered and probably did not have much of an effect on the number of users. The days when OONI found any anomalous measurements are shown as pale red bars in the graphs.
The per-country breakdown of Snowflake users is shown below. The largest share of users are geolocated to Iran. The second largest share geolocates to the United States; however we suspect this represents geolocation errors because of how strongly it correlates with the Iran count. The "??" are those without geolocation information. In late March 2023, the team discovered a bug that caused some Snowflake proxies not to report the client's IP address, which is used for geolocation. A future release of the proxy will fix this bug and most of the "??" users should be correctly apportioned to a geolocated country.