Tasertit tabaḍnit i Snowflake
Snowflake sɣur The Tor Project
We (The Tor Project) collect only the minimum amount of information needed to allow the addon to function as a proxy to the Tor network and monitor the health of the Snowflake network as a whole. This addon does not collect, transmit, or share any user browsing data.
This addon runs a WebRTC peer in the background, which allows Tor users to evade censorship by connecting to the Tor network through your IP address. Your IP address is not stored anywhere by the addon or shared to third parties. The Snowflake broker discussed in the rest of this document refers to the signaling server we use to establish WebRTC connections between Snowflake users and Snowflake proxies. More information on the technical details of how Snowflake works is available here: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home
Once you install the Snowflake addon your browser and IP address becomes a Snowflake proxy. To provide basic functionality, Snowflake proxies (the addon you have installed in your browser) use WebRTC to make direct connections with Snowflake users. As a part of the WebRTC protocol, your proxy will send some metadata to the Snowflake broker about the proxy's networking setup. This metadata is, exhaustively:
    - the IP address of the proxy (your IP address) 
    - your reported NAT type
    - the version of the snowflake protocol you (the proxy) is running
    - the fact that the proxy (the addon you have installed) is a webextension
    - the number of clients already connected to the proxy (to the addon you have installed)
This information is needed to connect a proxy (your addon) with compatible Tor users. None of this data is logged or stored on disk by either the Snowflake user or the broker; it is only kept in memory for the duration of the proxy's connection to the broker and the user. The broker is a server controlled by the Tor Project. For more information on all the data that the proxy (your installed addon) sends to the broker, you can access our public specification: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/blob/main/doc/broker-spec.txt#L171
Aggregated information:
We also safely collect and publicly display aggregated information about all Snowflake proxies (addons installed) such as:
    - Counts of how many proxies (addons installed) originate from each country code
    - The counts of different NAT configurations of proxies
    - The counts of how many webextension proxies there are
    - Aggregate counts of how many total polls we receive from all proxies, and how many total proxies are connected to Tor clients.
No personally identifiable information can be learned from these metrics. You can access these metrics at:
    - https://metrics.torproject.org/collector.html#snowflake-stats
    - https://snowflake-broker.torproject.net/prometheus
Aggregated metrics data is archived indefinitely by The Tor Project. All other information is only stored in memory for 10 seconds or the duration of a proxy poll. It is not persisted or saved to disk. We worked with metrics experts when we first released this data set to make sure the metrics were safe and privacy preserving: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/21315
Remote network connections:
A Snowflake proxy (your addon) makes the following remote connections:
- To the Snowflake broker for WebRTC signaling and paring with Snowflake users
- To the Snowflake user that the proxy (your addon) is paired with
- To a STUN server at stun://stun.google.com as a part of the WebRTC protocol
- To the Snowflake Tor bridge, in order to send the Snowflake user's traffic through the Tor network
All remote connections to our services and to Tor clients that transmit data are encrypted with TLS and DTLS. 
All data collection and network connections are made only when the installed webextension proxies are enabled. At any time, users of the webextension can disable their snowflake proxy by toggling the "Enabled" switch in the addon's popup menu or by disabling or uninstalling the addon in their browser settings. During this time, it will not connect to any remote services, nor collect or transmit any information.
Further updates to this policy will be made in our Snowflake documentation and on the policy page of the addon store.
