<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE rfc [ <!ENTITY nbsp "&#160;"> <!ENTITY zwsp "&#8203;"> <!ENTITY nbhy "&#8209;"> <!ENTITY wj "&#8288;"> ]><?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.27 (Ruby 3.0.2) --><rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-irtf-pearg-censorship-10" number="9505" submissionType="IRTF" category="info" consensus="true" tocInclude="true" sortRefs="true" symRefs="true" updates="" obsoletes="" xml:lang="en" version="3"><!-- xml2rfc v2v3 conversion 3.17.0 --><front> <title abbrev="Survey of Censorship Techniques">A Survey of Worldwide Censorship Techniques</title> <seriesInfo name="RFC" value="9505"/> <author initials="J. L." surname="Hall" fullname="Joseph Lorenzo Hall"> <organization>Internet Society</organization> <address> <email>hall@isoc.org</email> </address> </author> <author initials="M. D." surname="Aaron" fullname="Michael D. Aaron"> <organization>CU Boulder</organization> <address> <email>michael.drew.aaron@gmail.com</email> </address> </author> <author initials="A." surname="Andersdotter" fullname="Amelia Andersdotter"> <organization/> <address> <email>amelia.ietf@andersdotter.cc</email> </address> </author> <author initials="B." surname="Jones" fullname="Ben Jones"> <organization/> <address> <email>ben.jones.irtf@gmail.com</email> </address> </author> <author initials="N." surname="Feamster" fullname="Nick Feamster"> <organization>U Chicago</organization> <address> <email>feamster@uchicago.edu</email> </address> </author> <author initials="M."
surname="Knodel" fullname="Mallory Knodel"> <organization>Center for Democracy &amp; Technology</organization> <address> <email>mknodel@cdt.org</email> </address> </author> <date year="2023" month="November"/> <workgroup>Privacy Enhancements and Assessments</workgroup> <keyword>network censorship</keyword> <keyword>network blocking</keyword> <keyword>network throttling</keyword> <keyword>traffic impairment</keyword> <keyword>censorship circumvention</keyword> <abstract> <t>This document describes technical mechanisms employed in network censorship that regimes around the world use for blocking or impairing Internet traffic. It aims to make designers, implementers, and users of Internet protocols aware of the properties exploited and mechanisms used for censoring end-user access to information. This document makes no suggestions on individual protocol considerations, and is purely informational, intended as a reference. This document is a product of the Privacy Enhancement and Assessment Research Group (PEARG) in the IRTF.</t> </abstract> </front> <middle> <section anchor="intro"> <name>Introduction</name> <t>Censorship is where an entity in a position of power -- such as a government, organization, or individual -- suppresses communication that it considers objectionable, harmful, sensitive, politically incorrect, or inconvenient <xref target="WP-Def-2020"/>. Although censors that engage in censorship must do so through legal, martial, or other means, this document focuses largely on technical mechanisms used to achieve network censorship.</t> <t>This document describes technical mechanisms that censorship regimes around the world use for blocking or impairing Internet traffic.
See <xref target="RFC7754"/> for a discussion of Internet blocking and filtering in terms of implications for Internet architecture rather than end-user access to content and services. There is also a growing field of academic study of censorship circumvention (see the review article of <xref target="Tschantz-2016"/>), results from which we seek to make relevant here for protocol designers and implementers.</t> <t>Censorship circumvention also impacts the cost of implementation of a censorship measure, and we include mentions of trade-offs in relation to such costs in conjunction with each technical method identified below.</t> <t>This document has seen extensive discussion and review in the IRTF Privacy Enhancement and Assessment Research Group (PEARG) and represents the consensus of that group. It is not an IETF product and is not a standard.</t> </section> <section anchor="terms"> <name>Terminology</name> <t>We describe three elements of Internet censorship: prescription, identification, and interference. This document contains three major sections, each corresponding to one of these elements. Prescription is the process by which censors determine what types of material they should censor, e.g., classifying pornographic websites as undesirable. Identification is the process by which censors classify specific traffic or traffic identifiers to be blocked or impaired, e.g., deciding that webpages containing "sex" in an HTTP header or that accept traffic through the URL "www.sex.example" are likely to be undesirable.
Interference is the process by which censors intercede in communication and prevent access to censored materials by blocking access or impairing the connection, e.g., implementing a technical solution capable of identifying HTTP headers or URLs and ensuring they are rendered wholly or partially inaccessible.</t> </section> <section anchor="tech-prescrip"> <name>Technical Prescription</name> <t>Prescription is the process of figuring out what censors would like to block <xref target="Glanville-2008"/>. Generally, censors aggregate information "to block" in blocklists, databases of image hashes <xref target="ekr-2021"/>, or use real-time heuristic assessment of content <xref target="Ding-1999"/>. Some national networks are designed to more naturally serve as points of control <xref target="Leyba-2019"/>. There are also indications that online censors use probabilistic machine learning techniques <xref target="Tang-2016"/>. Indeed, web crawling and machine learning techniques are an active research area in the effort to identify content deemed as morally or commercially harmful to companies or consumers in some jurisdictions <xref target="SIDN-2020"/>.</t> <t>There are typically a few types of blocklist elements: keyword, domain name, protocol, or IP address. Keyword and domain name blocking take place at the application level, e.g., HTTP; protocol blocking often occurs using deep packet inspection (DPI) to identify a forbidden protocol; IP blocking tends to take place using IP addresses in IPv4/IPv6 headers. Some censors also use the presence of certain keywords to enable more aggressive blocklists <xref target="Rambert-2021"/> or to be more permissive with content <xref target="Knockel-2021"/>.</t> <t>The mechanisms for building up these blocklists vary.
Censors can purchase from private industry "content control" software, which lets censors filter traffic from broad categories they would like to block, such as gambling or pornography <xref target="Knight-2005"/>. In these cases, these private services attempt to categorize every semi-questionable website to allow for meta-tag blocking. Similarly, they tune real-time content heuristic systems to map their assessments onto categories of objectionable content.</t> <t>Countries that are more interested in retaining specific political control typically have ministries or organizations that maintain blocklists. Examples include the Ministry of Industry and Information Technology in China, the Ministry of Culture and Islamic Guidance in Iran, and the organizations specific to copyright law in France <xref target="HADOPI"/> and consumer protection law across the EU <xref target="Reda-2017"/>.</t> <t>Content-layer filtering of images and video requires institutions or organizations to store hashes of images or videos to be blocked in databases, which can then be compared, with some degree of tolerance, to content that is sent, received, or stored using centralized content applications and services <xref target="ekr-2021"/>.</t> </section> <section anchor="tech-id"> <name>Technical Identification</name> <section anchor="poc"> <name>Points of Control</name> <t>Internet censorship takes place in all parts of the network topology. It may be implemented in the network itself (e.g., local loop or backhaul), on the services side of communication (e.g., web hosts, cloud providers, or content delivery networks), in the ancillary services ecosystem (e.g., domain name system (DNS) or certificate authorities (CAs)), or on the end-client side (e.g., in an end-user device, such as a smartphone, laptop, or desktop, or software executed on such devices).
An important aspect of pervasive technical interception is the necessity to rely on software or hardware to intercept the content the censor is interested in. There are various logical and physical points of control that censors may use for interception mechanisms, including, though not limited to, the following:</t> <dl spacing="normal" newline="true"> <dt>Internet Backbone:</dt> <dd>If a censor controls elements of Internet network infrastructure, such as the international gateways into a region or Internet Exchange Points (IXPs), those choke points can be used to filter undesirable traffic that is traveling into and out of the region by packet sniffing and port mirroring. Censorship at gateways is most effective at controlling the flow of information between a region and the rest of the Internet, but is ineffective at identifying content traveling between the users within a region, which would have to be accomplished at exchange points or other network aggregation points. Some national network designs naturally serve as more effective choke points and points of control <xref target="Leyba-2019"/>.</dd> <dt>Internet Service Providers (ISPs):</dt> <dd>ISPs are frequently exploited points of control. They have the benefit of being easily enumerable by a censor -- often falling under the jurisdictional or operational control of a censor in an indisputable way -- with the additional feature that an ISP can identify the regional and international traffic of all their users. The censor's filtration mechanisms can be placed on an ISP via governmental mandates, ownership, or voluntary/coercive influence.</dd> <dt>Institutions:</dt> <dd>Private institutions such as corporations, schools, and Internet cafes can use filtration mechanisms.
These mechanisms are occasionally at the request of a government censor but can also be implemented to help achieve institutional goals, such as fostering a particular moral outlook on life by schoolchildren, independent of broader society or government goals.</dd> <dt>Content Distribution Network (CDN):</dt> <dd>CDNs seek to collapse network topology in order to better locate content closer to the service's users. This reduces content transmission latency and improves quality of service (QoS). The CDN service's content servers, located "close" to the user in a network sense, can be powerful points of control for censors, especially if the location of CDN repositories allows for easier interference.</dd> <dt>CAs for Public Key Infrastructures (PKIs):</dt> <dd>Authorities that issue cryptographically secured resources can be a significant point of control. CAs that issue certificates to domain holders for TLS/HTTPS (the Web PKI) or Regional or Local Internet Registries (RIRs or LIRs) that issue Route Origin Authorizations (ROAs) to BGP operators can be forced to issue rogue certificates that may allow compromise, i.e., by allowing censorship software to engage in identification and interference where it may not have been possible before. CAs may also be forced to revoke certificates. This may lead to adversarial traffic routing, TLS interception being allowed, or an otherwise rightful origin or destination point of traffic flows being unable to communicate in a secure way.</dd> <dt>Services:</dt> <dd>Application service providers can be pressured, coerced, or legally required to censor specific content or data flows.
Service providers naturally face incentives to maximize their potential customer base, and potential service shutdowns or legal liability due to censorship efforts may seem much less attractive than potentially excluding content, users, or uses of their service. Services have increasingly become focal points of censorship discussions as well as discussions of moral imperatives to use censorship tools.</dd> <dt>Content Sites:</dt> <dd>On the service side of communications lie many platforms that publish user-generated content and require terms of service compliance with all content and user accounts in order to avoid intermediary liability for the web hosts. In aggregate, these policies, actions, and remedies are known as content moderation. Content moderation happens above the services or application layer, but these mechanisms are built to filter, sort, and block content and users, thus making them available to censors through direct pressure on the private entity.</dd> <dt>Personal Devices:</dt> <dd>Censors can mandate censorship software be installed on the device level. This has many disadvantages in terms of scalability, ease of circumvention, and operating system requirements. (Of course, if a personal device is treated with censorship software before sale and this software is difficult to reconfigure, this may work in favor of those seeking to control information, say, for children, students, customers, or employees.) The emergence of mobile devices has exacerbated these feasibility problems.
This software can also be mandated by institutional actors acting on non-governmentally mandated moral imperatives.</dd> </dl> <t>At all levels of the network hierarchy, the filtration mechanisms used to censor undesirable traffic are essentially the same: a censor either directly identifies undesirable content using the identifiers described below and then uses a blocking or shaping mechanism (such as the ones exemplified below to prevent or impair access), or requests that an actor ancillary to the censor (such as a private entity) perform these functions. Identification of undesirable traffic can occur at the application, transport, or network layer of the IP stack. Censors often focus on web traffic, so the relevant protocols tend to be filtered in predictable ways (see Sections <xref target="http-req" format="counter"/> and <xref target="http-resp" format="counter"/>). For example, a subversive image might make it past a keyword filter. However, if later the image is deemed undesirable, a censor may then blocklist the provider site's IP address.</t> </section> <section anchor="app-layer"> <name>Application Layer</name> <t>The following subsections describe properties and trade-offs of common ways in which censors filter using application-layer information. Each subsection includes empirical examples describing these common behaviors for further reference.</t> <section anchor="http-req"> <name>HTTP Request Header Identification</name> <t>An HTTP header contains a lot of useful information for traffic identification. Although "host" is the only required field in an HTTP request header (for HTTP/1.1 and later), an HTTP method field is necessary to do anything useful. As such, "method" and "host" are the two fields used most often for ubiquitous censorship.
A censor can sniff traffic and identify a specific domain name (host) and usually a page name (for example, GET /page) as well. This identification technique is usually paired with transport header identification (see <xref target="sec_thid"/>) for a more robust method.</t> <t>Trade-offs: HTTP request header identification is a technically straightforward identification method that can be easily implemented at the backbone or ISP level. The hardware needed for this sort of identification is cheap and easy to acquire, making it desirable when budget and scope are a concern. HTTPS (Hypertext Transfer Protocol Secure) will encrypt the relevant request and response fields, so pairing with transport identification (see <xref target="sec_thid"/>) is necessary for HTTPS filtering. However, some countermeasures can trivially defeat simple forms of HTTP request header identification. For example, two cooperating endpoints -- an instrumented web server and client -- could encrypt or otherwise obfuscate the "host" header in a request, potentially thwarting techniques that match against "host" header values.</t> <t>Empirical Examples: Studies exploring censorship mechanisms have found evidence of HTTP header and/or URL filtering in many countries, including Bangladesh, Bahrain, China, India, Iran, Malaysia, Pakistan, Russia, Saudi Arabia, South Korea, Thailand, and Turkey <xref target="Verkamp-2012"/> <xref target="Nabi-2013"/> <xref target="Aryan-2013"/>. Commercial technologies are often purchased by censors <xref target="Dalek-2013"/>. These commercial technologies use a combination of HTTP request header identification and transport header identification to filter specific URLs. Dalek et al. and Jones et al.
identified the use of these products in the wild <xref target="Dalek-2013"/> <xref target="Jones-2014"/>.</t> </section> <section anchor="http-resp"> <name>HTTP Response Header Identification</name> <t>While HTTP request header identification relies on the information contained in the HTTP request from client to server, HTTP response header identification uses information sent in response by the server to client to identify undesirable content.</t> <t>Trade-offs: As with HTTP request header identification, the techniques used to identify HTTP traffic are well-known, cheap, and relatively easy to implement. However, they are made useless by HTTPS because HTTPS encrypts the response and its headers.</t> <t>The response fields are also less helpful for identifying content than request fields, as "Server" could easily be identified using HTTP request header identification, and "Via" is rarely relevant. HTTP response censorship mechanisms normally let the first n packets through while the mirrored traffic is being processed; this may allow some content through, and the user may be able to detect that the censor is actively interfering with undesirable content.</t> <t>Empirical Examples: In 2009, Jong Park et al. at the University of New Mexico demonstrated that the Great Firewall of China (GFW) has used this technique <xref target="Crandall-2010"/>. However, Jong Park et al. found that the GFW discontinued this practice during the course of the study.
Due to the overlap in HTTP response filtering and keyword filtering (see <xref target="kw-filt"/>), it is likely that most censors rely on keyword filtering over TCP streams instead of HTTP response filtering.</t> </section> <section anchor="tls"> <name>Transport Layer Security (TLS)</name> <t>Similar to HTTP, censors have deployed a variety of techniques towards censoring TLS (and by extension HTTPS). Most of these techniques relate to the Server Name Indication (SNI) field, including censoring SNI, Encrypted SNI (ESNI), or omitted SNI. Censors can also censor HTTPS content via server certificates. Note that TLS 1.3 acts as a security component of QUIC.</t> <section anchor="sni"> <name>Server Name Indication (SNI)</name> <t>In encrypted connections using TLS, there may be servers that host multiple "virtual servers" at a given network address, and the client will need to specify in the ClientHello message which domain name it seeks to connect to (so that the server can respond with the appropriate TLS certificate) using the SNI TLS extension <xref target="RFC6066"/>. The ClientHello message is unencrypted for TCP-based TLS. When using QUIC, the ClientHello message is encrypted, but its confidentiality is not effectively protected because the initial encryption keys are derived using a value that is visible on the wire. Since SNI is often sent in the clear (as are the cert fields sent in response), censors and filtering software can use it (and response cert fields) as a basis for blocking, filtering, or impairment by dropping connections to domains that match prohibited content (e.g., "bad.foo.example" may be censored while "good.foo.example" is not) <xref target="Shbair-2015"/>.
There are ongoing standardization efforts in the TLS Working Group to encrypt SNI <xref target="RFC8744"/> <xref target="I-D.ietf-tls-esni"/>, and recent research shows promising results in the use of ESNI in the face of SNI-based filtering <xref target="Chai-2019"/> in some countries.</t> <t>Domain fronting has been one popular way to avoid identification by censors <xref target="Fifield-2015"/>. To avoid identification by censors, applications using domain fronting put a different domain name in the SNI extension than in the "host" header, which is protected by HTTPS. The visible SNI would indicate an unblocked domain, while the blocked domain remains hidden in the encrypted application header. Some encrypted messaging services relied on domain fronting to enable their provision in countries employing SNI-based filtering. These services used the cover provided by domains for which blocking at the domain level would be undesirable to hide their true domain names. However, the companies holding the most popular domains have since reconfigured their software to prevent this practice. It may be possible to achieve similar results using potential future options to encrypt SNI.</t> <t>Trade-offs: Some clients do not send the SNI extension (e.g., clients that only support versions of SSL and not TLS), rendering this method ineffective (see <xref target="omitsni"/>). In addition, this technique requires deep packet inspection (DPI) techniques that can be expensive in terms of computational complexity and infrastructure, especially when applied to QUIC where DPI requires key extraction and decryption of the ClientHello in order to read the SNI.
Improper configuration of an SNI-based block can result in significant over-blocking, e.g., when a second-level domain like "populardomain.example" is inadvertently blocked. In the case of ESNI, pressure to censor may transfer to other points of intervention, such as content and application providers.</t> <t>Empirical Examples: There are many examples of security firms that offer SNI-based filtering products <xref target="Trustwave-2015"/> <xref target="Sophos-2023"/> <xref target="Shbair-2015"/>. The governments of China, Egypt, Iran, Qatar, South Korea, Turkey, Turkmenistan, and the United Arab Emirates all do widespread SNI filtering or blocking <xref target="OONI-2018"/> <xref target="OONI-2019"/> <xref target="NA-SK-2019"/> <xref target="CitizenLab-2018"/> <xref target="Gatlan-2019"/> <xref target="Chai-2019"/> <xref target="Grover-2019"/> <xref target="Singh-2019"/>. SNI blocking against QUIC traffic was first observed in Russia in March 2022 <xref target="Elmenhorst-2022"/>.</t> </section> <section anchor="esni"> <name>Encrypted SNI (ESNI)</name> <t>With the data leakage present with the SNI field, a natural response is to encrypt it, which is forthcoming in TLS 1.3 with Encrypted Client Hello (ECH). Prior to ECH, the ESNI extension is available to prevent the data leakage caused by SNI, which encrypts only the SNI field. Unfortunately, censors can target connections that use the ESNI extension specifically for censorship.
This guarantees over-blocking for the censor but can be worth the cost if ESNI is not yet widely deployed within the country. ECH is the emerging standard for protecting the entire TLS ClientHello, but it is not yet widely deployed.</t> <t>Trade-offs: The cost to a censor of censoring ESNI is significantly higher than that of censoring SNI, as the censor can no longer target censorship to specific domains and guarantees over-blocking. In these cases, the censor uses the over-blocking to discourage the use of ESNI entirely.</t> <t>Empirical Examples: In 2020, China began censoring all uses of ESNI <xref target="Bock-2020b"/>, even for innocuous connections. The censorship mechanism for China's ESNI censorship differs from how China censors SNI-based connections, suggesting that new middleboxes were deployed specifically to target ESNI connections.</t> </section> <section anchor="omitsni"> <name>Omitted SNI</name> <t>Researchers have observed that some clients omit the SNI extension entirely. This omitted-SNI approach limits the information available to a censor. Like with ESNI, censors can choose to block connections that omit the SNI, though this too risks over-blocking.</t> <t>Trade-offs: The approach of censoring all connections that omit the SNI field is guaranteed to over-block, though connections that omit the SNI field should be relatively rare in the wild.</t> <t>Empirical Examples: In the past, researchers have observed censors in Russia blocking connections that omit the SNI field <xref target="Bock-2020b"/>.</t> </section> <section anchor="server-response-certificate"> <name>Server Response Certificate</name> <t>During the TLS handshake after the TLS ClientHello, the server will respond with the TLS certificate.
This certificate also contains the domain the client is trying to access, creating another avenue that censors can use to perform censorship. This technique will not work in TLS 1.3, as the certificate will be encrypted.</t> <t>Trade-offs: Censoring based on the server certificate requires DPI techniques that can be more computationally expensive compared to other methods. Additionally, the certificate is sent later in the TLS handshake compared to the SNI field, forcing the censor to track the connection longer.</t> <t>Empirical Examples: Researchers have observed the Reliance Jio ISP in India using certificate response fields to censor connections <xref target="Satija-2021"/>.</t> </section> </section> <section anchor="kw-filt"> <name>Instrumenting Content Distributors</name> <t>Many governments pressure content providers to censor themselves, or provide the legal framework within which content distributors are incentivized to follow the content restriction preferences of agents external to the content distributor <xref target="Boyle-1997"/>. Due to the extensive reach of such censorship, we define "content distributor" as any service that provides utility to users, including everything from websites to storage to locally installed programs.</t> <t>A commonly used method of instrumenting content distributors consists of keyword identification to detect restricted terms on their platforms. Governments may provide the terms on such keyword lists.
Alternatively, the content provider may be expected to come up with their own list.</t> <t>An increasingly common method of instrumenting content distribution consists of hash matching to detect and take action against images and videos known to be restricted either by governments, institutions, organizations, or the distributor themselves <xref target="ekr-2021"/>.</t> <t>A different method of instrumenting content distributors consists of requiring a distributor to disassociate with some categories of users. See also <xref target="notice"/>.</t> <t>Trade-offs: By instrumenting content distributors to identify restricted content or content providers, the censor can gain new information at the cost of political capital with the companies it forces or encourages to participate in censorship. For example, the censor can gain insight about the content of encrypted traffic by coercing websites to identify restricted content. Coercing content distributors to regulate users, categories of users, content, and content providers may encourage users and content providers to exhibit self-censorship, an additional advantage for censors (see <xref target="selfcensor"/>). The trade-offs for instrumenting content distributors are highly dependent on the content provider and the requested assistance. A typical concern is that the targeted keywords or categories of users are too broad, risk being too broadly applied, or are not subjected to a sufficiently robust legal process prior to their mandatory application (see page 8 of <xref target="EC-2012"/>).</t> <t>Empirical Examples: Researchers discovered keyword identification by content providers on platforms ranging from instant messaging applications <xref target="Senft-2013"/> to search engines <xref target="Rushe-2014"/> <xref target="Cheng-2010"/> <xref target="Whittaker-2013"/> <xref target="BBC-2013"/> <xref target="Condliffe-2013"/>.
To demonstrate the prevalence of this type of keyword identification, we look to search engine censorship.</t> <t>Search engine censorship demonstrates keyword identification by content providers and can be regional or worldwide. Implementation is occasionally voluntary, but normally it is based on laws and regulations of the country a search engine is operating in. The keyword blocklists are most likely maintained by the search engine provider. China is known to require search engine providers to "voluntarily" maintain search term blocklists to acquire and keep an Internet Content Provider (ICP) license <xref target="Cheng-2010"/>. It is clear these blocklists are maintained by each search engine provider based on the slight variations in the intercepted searches <xref target="Zhu-2011"/> <xref target="Whittaker-2013"/>. The United Kingdom has been pushing search engines to self-censor with the threat of litigation if they do not do it themselves: Google and Microsoft have agreed to block more than 100,000 queries in the U.K. to help combat abuse <xref target="BBC-2013"/> <xref target="Condliffe-2013"/>. European Union law, as well as United States law, requires modification of search engine results in response to either copyright, trademark, data protection, or defamation concerns <xref target="EC-2012"/>.</t> <t>Depending on the output, search engine keyword identification may be difficult or easy to detect. In some cases, specialized or blank results provide a trivial enumeration mechanism, but more subtle censorship can be difficult to detect. In February 2015, Microsoft's search engine, Bing, was accused of censoring Chinese content outside of China <xref target="Rushe-2014"/> because Bing returned different results for censored terms in Chinese and English.
However, it is possible that censorship of the largest base of Chinese search users, China, biased Bing's results so that the more popular results in China (the uncensored results) were also more popular for Chinese speakers outside of China.</t> <t>Disassociation by content distributors from certain categories of users has happened for instance in Spain, as a result of the conflict between the Catalan independence movement and the Spanish legal presumption of a unitary state <xref target="Lomas-2019"/>. E-sport event organizers have also disassociated themselves from top players who expressed political opinions in relation to the 2019 Hong Kong protests <xref target="Victor-2019"/>. See also <xref target="discon"/>.</t> </section> <section anchor="dpi"> <name>DPI Identification</name> <t>DPI (deep packet inspection) technically is any kind of packet analysis beyond IP address and port number and has become computationally feasible as a component of censorship mechanisms in recent years <xref target="Wagner-2009"/>. Unlike other techniques, DPI reassembles network flows to examine the application "data" section, as opposed to only headers, and is therefore often used for keyword identification. DPI also differs from other identification technologies because it can leverage additional packet and flow characteristics, e.g., packet sizes and timings, when identifying content. To prevent substantial quality of service (QoS) impacts, DPI normally analyzes a copy of data while the original packets continue to be routed. Typically, the traffic is split using either a mirror switch or fiber splitter and analyzed on a cluster of machines running Intrusion Detection Systems (IDSs) configured for censorship.</t> <t>Trade-offs: DPI is one of the most expensive identification mechanisms and can have a large QoS impact <xref target="Porter-2005"/>. 
When used as a keyword filter for TCP flows, DPI systems can also cause major over-blocking problems. Like other techniques, DPI is less useful against encrypted data, though DPI can leverage unencrypted elements of an encrypted data flow (e.g., the Server Name Indication (SNI) sent in the clear for TLS) or metadata about an encrypted flow (e.g., packet sizes, which differ across video and textual flows) to identify traffic. See <xref target="sni"/> for more information about SNI-based filtration mechanisms.</t> <t>Other kinds of information can be inferred by comparing certain unencrypted elements exchanged during TLS handshakes to similar data points from known sources. This practice, called "TLS fingerprinting", allows a probabilistic identification of a party's operating system, browser, or application, based on a comparison of the specific combinations of TLS version, ciphersuites, compression options, etc., sent in the ClientHello message to similar signatures found in unencrypted traffic <xref target="Husak-2016"/>.</t> <t>Despite these problems, DPI is the most powerful identification method and is widely used in practice. The Great Firewall of China (GFW), the largest censorship system in the world, uses DPI to identify restricted content over HTTP and DNS and to inject TCP RSTs and bad DNS responses, respectively, into connections <xref target="Crandall-2010"/> <xref target="Clayton-2006"/> <xref target="Anonymous-2014"/>.</t> <t>Empirical Examples: Several studies have found evidence of censors using DPI for censoring content and tools. Clayton et al., Crandall et al., Anonymous, and Khattak et al., all explored the GFW <xref target="Crandall-2010"/> <xref target="Clayton-2006"/> <xref target="Anonymous-2014"/>. Khattak et al. even probed the firewall to discover implementation details like how much state it stores <xref target="Khattak-2013"/>. 
The Tor project claims that China, Iran, Ethiopia, and others must have used DPI to block the obfs2 protocol <xref target="Wilde-2012"/>. Malaysia has been accused of using targeted DPI, paired with DDoS, to identify and subsequently attack pro-opposition material <xref target="Wagstaff-2013"/>. It also seems likely that organizations that are not so worried about blocking content in real time could use DPI to sort and categorically search gathered traffic using technologies such as high-speed packet processing <xref target="Hepting-2011"/>.</t> </section> </section> <section anchor="transport"> <name>Transport Layer</name> <section anchor="sec_thid"> <name>Shallow Packet Inspection and Transport Header Identification</name> <t>Of the various shallow packet inspection methods, transport header identification is the most pervasive, reliable, and predictable type of identification. Transport headers contain a few invaluable pieces of information that must be transparent for traffic to be successfully routed: destination and source IP address and port. Destination and source IP are doubly useful, as not only do they allow a censor to block undesirable content via IP blocklisting but also allow a censor to identify the IP of the user making the request and the IP address of the destination being visited, which in most cases can be used to infer the domain being visited <xref target="Patil-2019"/>. Port is useful for allowlisting certain applications.</t> <t>By combining IP address, port, and protocol information found in the transport header, shallow packet inspection can be used by a censor to identify specific TCP or UDP endpoints. 
UDP endpoint blocking has been observed in the context of QUIC blocking <xref target="Elmenhorst-2021"/>.</t> <t>Trade-offs: Header identification is popular due to its simplicity, availability, and robustness.</t> <t>Header identification is trivial to implement in some routers, but is difficult to implement in backbone or ISP routers at scale, and is therefore typically implemented with DPI. Blocklisting an IP is equivalent to installing a specific route on a router (such as a /32 route for IPv4 addresses and a /128 route for IPv6 addresses). However, due to limited flow table space, this cannot scale beyond a few thousand IPs at most. IP blocking is also relatively crude. It often leads to over-blocking and cannot deal with some services like Content Distribution Networks (CDNs) that host content at hundreds or thousands of IP addresses. Despite these limitations, IP blocking is extremely effective because the user needs to proxy their traffic through another destination to circumvent this type of identification. In addition, IP blocking is effective against all protocols above IP, e.g., TCP and QUIC.</t> <t>Port blocking is generally not useful because many types of content share the same port, and it is possible for censored applications to change their port. For example, most HTTP traffic goes over port 80, so the censor cannot differentiate between restricted and allowed web content solely on the basis of port. HTTPS goes over port 443, with similar consequences for the censor except only partial metadata may now be available to the censor. Port allowlisting is occasionally used, where a censor limits communication to approved ports (such as 80 for HTTP traffic), and is most effective when used in conjunction with other identification mechanisms. 
For example, a censor could block the default HTTPS port (port 443), thereby forcing most users to fall back to HTTP. A counterexample is that port 25 (SMTP) has long been blocked on residential ISP networks to reduce the risk of email spam, but doing this also prohibits residential ISP customers from running their own email servers.</t> </section> <section anchor="prot-id"> <name>Protocol Identification</name> <t>Censors sometimes identify entire protocols to be blocked using a variety of traffic characteristics. For example, Iran impairs the performance of HTTPS traffic, a protocol that prevents further analysis, to encourage users to switch to HTTP, a protocol that they can analyze <xref target="Aryan-2013"/>. A simple protocol identification would be to recognize all TCP traffic over port 443 as HTTPS, but a more sophisticated analysis of the statistical properties of payload data and flow behavior would be more effective, even when port 443 is not used <xref target="Hjelmvik-2010"/> <xref target="Sandvine-2015"/>.</t> <t>If censors can detect circumvention tools, they can block them. Therefore, censors like China are extremely interested in identifying the protocols for censorship circumvention tools. In recent years, this has devolved into a competition between censors and circumvention tool developers. As part of this competition, China developed an extremely effective protocol identification technique that researchers call "active probing" or "active scanning".</t> <t>In active probing, the censor determines whether hosts are running a circumvention protocol by trying to initiate communication using the circumvention protocol. If the host and the censor successfully negotiate a connection, then the censor conclusively knows that the host is running a circumvention tool. 
China has used active scanning to great effect to block Tor <xref target="Winter-2012"/>.</t> <t>Trade-offs: Protocol identification only provides insight into the way information is traveling, and not the information itself.</t> <t>Protocol identification is useful for detecting and blocking circumvention tools (like Tor) or traffic that is difficult to analyze (like Voice over IP (VoIP) or SSL) because the censor can assume that this traffic should be blocked. However, this can lead to over-blocking problems when used with popular protocols. These methods are expensive, both computationally and financially, due to the use of statistical analysis and can be ineffective due to their imprecise nature.</t> <t>Censors have also used protocol identification in the past in an "allowlist" filtering capacity, such as by only allowing specific, pre-vetted protocols to be used and blocking any unrecognized protocols <xref target="Bock-2020"/>. These protocol filtering approaches can also lead to over-blocking if the allowed lists of protocols are too small or incomplete but can be cheap to implement, as many standard "allowed" protocols are simple to identify (such as HTTP).</t> <t>Empirical Examples: Protocol identification can be easy to detect if it is conducted in real time and only a particular protocol is blocked. However, some types of protocol identification, like active scanning, are much more difficult to detect. Protocol identification has been used by Iran to identify and throttle Secure Shell (SSH) protocol traffic to make it unusable <xref target="Van-der-Sar-2007"/> and by China to identify and block Tor relays <xref target="Winter-2012"/>. 
Protocol identification has also been used for traffic management, such as the 2007 case where Comcast in the United States used RST injection (injection of a TCP RST packet into the stream) to interrupt BitTorrent traffic <xref target="Winter-2012"/>. In 2020, Iran deployed an allowlist protocol filter, which only allowed three protocols to be used (DNS, TLS, and HTTP) on specific ports, and censored any connection it could not identify <xref target="Bock-2020"/>. In 2022, Russia seemed to have used protocol identification to block most HTTP/3 connections <xref target="Elmenhorst-2022"/>.</t> </section> </section> <section anchor="residualcensorship"> <name>Residual Censorship</name> <t>Another feature of some modern censorship systems is residual censorship, a punitive form of censorship whereby after a censor disrupts a forbidden connection, the censor continues to target subsequent connections, even if they are innocuous <xref target="Bock-2021"/>. Residual censorship can take many forms and often relies on the methods of technical interference described in the next section.</t> <t>An important facet of residual censorship is precisely what the censor continues to block after censorship is initially triggered. There are three common options available to an adversary: 2-tuple (client IP, server IP), 3-tuple (client IP, server IP, server port), or 4-tuple (client IP, client port, server IP, server port). 
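</t>
<t>The three tuple granularities can be told apart from the measurement side by sending innocuous follow-up connections that each vary one field of the triggering connection. The following Python code is an added example, not code from this document or from the cited studies; the ResidualCensor class is a constructed simulation standing in for the network path, the probe names are hypothetical, and all addresses are documentation-range placeholders.</t>

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Conn:
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int


# Fields recorded by the censor for each granularity named in the text.
TUPLE_FIELDS = {
    "2-tuple": ("client_ip", "server_ip"),
    "3-tuple": ("client_ip", "server_ip", "server_port"),
    "4-tuple": ("client_ip", "client_port", "server_ip", "server_port"),
}


def residual_key(conn, mode):
    """Project a connection onto the fields the censor remembers."""
    return tuple(getattr(conn, field) for field in TUPLE_FIELDS[mode])


class ResidualCensor:
    """Constructed stand-in for a censoring middlebox (simulation only)."""

    def __init__(self, mode):
        self.mode = mode
        self.recorded = set()

    def trigger(self, conn):
        # A forbidden connection was disrupted: remember its tuple.
        self.recorded.add(residual_key(conn, self.mode))

    def is_disrupted(self, conn):
        # An innocuous follow-up is disrupted if its tuple was recorded.
        return residual_key(conn, self.mode) in self.recorded


def follow_up_probes(trigger_conn):
    """Innocuous follow-ups, each changing one field of the trigger tuple."""
    return {
        "same_4tuple": trigger_conn,
        "new_client_port": replace(
            trigger_conn, client_port=trigger_conn.client_port + 1),
        "new_server_port": replace(
            trigger_conn, server_port=trigger_conn.server_port + 1),
        # Control: an unrelated server must stay reachable.
        "new_server_ip": replace(trigger_conn, server_ip="198.51.100.7"),
    }


def infer_mode(observed):
    """Map follow-up outcomes (probe name to disrupted?) to a granularity."""
    if observed["new_server_ip"]:
        return "inconclusive"  # control failed: blocking is not per-server
    if not observed["same_4tuple"]:
        return "none"          # no residual effect was observed
    if not observed["new_client_port"]:
        return "4-tuple"       # a fresh source port escapes the block
    if not observed["new_server_port"]:
        return "3-tuple"       # only the original service is blocked
    return "2-tuple"           # every port on that server is blocked


def measure(censor, trigger_conn):
    """Trigger once, send the follow-ups, and classify the result."""
    censor.trigger(trigger_conn)
    probes = follow_up_probes(trigger_conn)
    observed = {name: censor.is_disrupted(c) for name, c in probes.items()}
    return infer_mode(observed)


if __name__ == "__main__":
    trigger = Conn("192.0.2.10", 40000, "203.0.113.5", 80)  # constructed
    for mode in TUPLE_FIELDS:
        print(mode, "inferred as", measure(ResidualCensor(mode), trigger))
```

<t>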
Future connections that match the tuple of information the censor records will be disrupted <xref target="Bock-2021"/>.</t> <t>Residual censorship can sometimes be difficult to identify and can often complicate censorship measurement.</t> <t>Trade-offs: The impact of residual censorship is to provide users with further discouragement from trying to access forbidden content, though it is not clear how successful it is at accomplishing this.</t> <t>Empirical Examples: China has used 3-tuple residual censorship in conjunction with their HTTP censorship for years, and researchers have reported seeing similar residual censorship for HTTPS. China seems to use a mix of 3-tuple and 4-tuple residual censorship for their censorship of HTTPS with ESNI. Some censors that perform censorship via packet dropping often accidentally implement 4-tuple residual censorship, including Iran and Kazakhstan <xref target="Bock-2021"/>.</t> </section> </section> <section anchor="tech-interference"> <name>Technical Interference</name> <section anchor="application-layer"> <name>Application Layer</name> <section anchor="dns-mangling"> <name>DNS Interference</name> <t>There are a variety of mechanisms that censors can use to block or filter access to content by altering responses from the DNS <xref target="AFNIC-2013"/> <xref target="ICANN-SSAC-2012"/>, including blocking the response, replying with an error message, or responding with an incorrect address. 
Note that there are now encrypted transports for DNS queries in DNS over HTTPS <xref target="RFC8484"/> and DNS over TLS <xref target="RFC7858"/> that can mitigate interference with DNS queries between the stub and the resolver.</t> <t>Responding to a DNS query with an incorrect address can be achieved with on-path interception, off-path cache poisoning, or lying by the name server.</t> <t>"DNS mangling" is a network-level technique of on-path interception where an incorrect IP address is returned in response to a DNS query to a censored destination. Some Chinese networks, for example, do this. (We are not aware of any other wide-scale uses of mangling.) On those Chinese networks, each DNS request in transit is examined (presumably by network inspection technologies such as DPI), and if it matches a censored domain, a false response is injected. End users can see this technique in action by simply sending DNS requests to any unused IP address in China (see example below). If it is not a censored name, there will be no response. If it is censored, a forged response will be returned. For example, using the command-line dig utility to query an unused IP address in China of 192.0.2.2 for the name "www.uncensored.example" compared with "www.censored.example" (censored at the time of writing), we get a forged IP address "198.51.100.0" as a response:</t> <sourcecode><![CDATA[
% dig +short +nodnssec @192.0.2.2 A www.uncensored.example
;; connection timed out; no servers could be reached
% dig +short +nodnssec @192.0.2.2 A www.censored.example
198.51.100.0
]]></sourcecode> <t>DNS cache poisoning happens off-path and refers to a mechanism where a censor interferes with the response sent by an authoritative DNS name server to a recursive resolver by responding more quickly than the authoritative name server can respond with an alternative IP address <xref target="Halley-2008"/>. 
Cache poisoning occurs after the requested site's name servers resolve the request and attempt to forward the true IP back to the requesting device. On the return route, the resolved IP is recursively cached by each DNS server that initially forwarded the request. During this caching process if an undesirable keyword is recognized, the resolved IP is "poisoned", and an alternative IP (or NXDOMAIN error) is returned more quickly than the upstream resolver can respond, causing a forged IP address to be cached (and potentially recursively so). The alternative IPs usually direct to a nonsense domain or a warning page. Alternatively, Iranian censorship appears to prevent the communication en route, preventing a response from ever being sent <xref target="Aryan-2013"/>.</t> <t>There are also cases of what is colloquially called "DNS lying", where a censor mandates that the DNS responses provided -- by an operator of a recursive resolver such as an Internet Access Provider -- be different than what an authoritative name server would provide <xref target="Bortzmeyer-2015"/>.</t> <t>Trade-offs: These forms of DNS interference require the censor to force a user to traverse a controlled DNS hierarchy (or intervening network on which the censor serves as an active pervasive attacker <xref target="RFC7624"/> to rewrite DNS responses) for the mechanism to be effective. DNS interference can be circumvented by using alternative DNS resolvers (such as any of the public DNS resolvers) that may fall outside of the jurisdictional control of the censor or Virtual Private Network (VPN) technology. DNS mangling and cache poisoning also imply returning an incorrect IP to those attempting to resolve a domain name, but in some cases the destination may be technically accessible. 
For example, over HTTP, the user may have another method of obtaining the IP address of the desired site and may be able to access it if the site is configured to be the default server listening at this IP address. Target blocking has also been a problem, as occasionally users outside of the censor's region will be directed through DNS servers or DNS-rewriting network equipment controlled by a censor, causing the request to fail. The ease of circumvention paired with the large risk of content blocking and target blocking make DNS interference a partial, difficult, and less-than-ideal censorship mechanism.</t> <t>Additionally, the above mechanisms rely on DNSSEC not being deployed or DNSSEC validation not being active on the client or recursive resolver (neither of which is hard to imagine given limited deployment of DNSSEC and limited client support for DNSSEC validation). Note that an adversary seeking to merely block resolution can serve a DNSSEC record that doesn't validate correctly, assuming of course that the client or recursive resolver validates.</t> <t>Previously, techniques were used for censorship that relied on DNS requests being passed in cleartext over port 53 <xref target="SSAC-109-2020"/>. With the deployment of encrypted DNS (e.g., DNS over HTTPS <xref target="RFC8484"/>) these requests are now increasingly passed on port 443 with other HTTPS traffic, or in the case of DNS over TLS <xref target="RFC7858"/> no longer passed in the clear (see also <xref target="sec_thid"/>).</t> <t>Empirical Examples: DNS interference, when properly implemented, is easy to identify based on the shortcomings identified above. Turkey relied on DNS interference for its country-wide block of websites, including Twitter and YouTube, for almost a week in March of 2014. 
The ease of circumvention resulted in an increase in the popularity of Twitter until Turkish ISPs implemented an IP blocklist to achieve the governmental mandate <xref target="Zmijewski-2014"/>. Ultimately, Turkish ISPs started hijacking all requests to Google and Level 3's international DNS resolvers <xref target="Zmijewski-2014"/>. DNS interference, when incorrectly implemented, has resulted in some of the largest censorship disasters. In January 2014, China started directing all requests passing through the Great Firewall to a single domain "dongtaiwang.com", due to an improperly configured DNS poisoning attempt. This incident is thought to be the largest Internet service outage in history <xref target="AFP-2014"/> <xref target="Anon-SIGCOMM12"/>. Countries such as China, Turkey, and the United States have discussed blocking entire Top-Level Domains (TLDs) as well <xref target="Albert-2011"/>. DNS blocking is commonly deployed in European countries to deal with undesirable content, such as</t> <ul> <li>child abuse content (Norway, United Kingdom, Belgium, Denmark, Finland, France, Germany, Ireland, Italy, Malta, the Netherlands, Poland, Spain, and Sweden <xref target="Wright-2013"/> <xref target="Eneman-2010"/>),</li> <li>online gambling (Belgium, Bulgaria, Czech Republic, Cyprus, Denmark, Estonia, France, Greece, Hungary, Italy, Latvia, Lithuania, Poland, Portugal, Romania, Slovakia, Slovenia, and Spain (see Section 6.3.2 of <xref target="EC-gambling-2012"/>, <xref target="EC-gambling-2019"/>)),</li> <li>copyright infringement (all European Economic Area countries),</li> <li>hate speech and extremism (France <xref target="Hertel-2015"/>), and</li> <li>terrorism content 
(France <xref target="Hertel-2015"/>).</li> </ul> </section> </section> <section anchor="transport-layer"> <name>Transport Layer</name> <section anchor="performance-degradation"> <name>Performance Degradation</name> <t>While other interference techniques outlined in this section mostly focus on blocking or preventing access to content, it can be an effective censorship strategy in some cases to not entirely block access to a given destination or service but instead to degrade the performance of the relevant network connection. The resulting user experience for a site or service under performance degradation can be so bad that users opt to use a different site, service, or method of communication or may not engage in communication at all if there are no alternatives. Traffic-shaping techniques that rate-limit the bandwidth available to certain types of traffic are one example of a performance degradation.</t> <t>Trade-offs: While implementing a performance degradation will not always eliminate the ability of people to access a desired resource, it may force them to use other means of communication where censorship (or surveillance) is more easily accomplished.</t> <t>Empirical Examples: Iran has been known to shape the bandwidth available to HTTPS traffic to encourage unencrypted HTTP traffic <xref target="Aryan-2013"/>.</t> </section> <section anchor="packet-dropping"> <name>Packet Dropping</name> <t>Packet dropping is a simple mechanism to prevent undesirable traffic. The censor identifies undesirable traffic and chooses to not properly forward any packets it sees associated with the traversing undesirable traffic instead of following a normal routing protocol. 
This can be paired with any of the previously described mechanisms so long as the censor knows the user must route traffic through a controlled router.</t> <t>Trade-offs: Packet dropping is most successful when every traversing packet has transparent information linked to undesirable content, such as a destination IP. One downside packet dropping suffers from is the necessity of blocking all content from otherwise allowable IPs based on a single subversive subdomain; blogging services and GitHub repositories are good examples. China famously dropped all GitHub packets for three days based on a single repository hosting undesirable content <xref target="Anonymous-2013"/>. The need to inspect every traversing packet in almost real time also makes packet dropping somewhat challenging from a QoS perspective.</t> <t>Empirical Examples: Packet dropping is a very common form of technical interference and lends itself to accurate detection given the unique nature of the timeout requests it leaves in its wake. The Great Firewall of China has been observed using packet dropping as one of its primary technical censorship mechanisms <xref target="Ensafi-2013"/>. Iran has also used packet dropping as the mechanism for throttling SSH <xref target="Aryan-2013"/>. These are but two examples of a ubiquitous censorship practice. 
Notably, packet dropping during the handshake or working connection is the only interference technique observed for QUIC traffic to date (e.g., in India, Iran, Russia, and Uganda <xref target="Elmenhorst-2021"/> <xref target="Elmenhorst-2022"/>).</t> </section> <section anchor="rst-inject"> <name>RST Packet Injection</name> <t>Packet injection, generally, refers to a machine-in-the-middle (MITM) network interference technique that spoofs packets in an established traffic stream. RST packets are normally used to let one side of a TCP connection know the other side has stopped sending information and that the receiver should close the connection. RST packet injection is a specific type of packet injection attack that is used to interrupt an established stream by sending RST packets to both sides of a TCP connection; as each receiver thinks the other has dropped the connection, the session is terminated.</t> <t>QUIC is not vulnerable to these types of injection attacks once the connection has been set up. While QUIC implements a stateless reset mechanism, such a reset is only accepted by a peer if the packet ends in a previously issued (stateless reset) token, which is difficult to guess. During the handshake, QUIC only provides effective protection against off-path attackers but is vulnerable to injection attacks by attackers that have parsed prior packets. (See <xref target="RFC9000"/> for more details.)</t> <t>Trade-offs: Although ineffective against non-TCP protocols (QUIC, IPsec), RST packet injection has a few advantages that make it extremely popular as a technique employed for censorship. RST packet injection is an out-of-band interference mechanism, allowing the avoidance of the QoS bottleneck that one can encounter with inline techniques such as packet dropping. 
This out-of-band property allows a censor to inspect a copy of the information, usually mirrored by an optical splitter, making it an ideal pairing for DPI and protocol identification <xref target="Weaver-2009"/>. (This asynchronous version of a MITM is often called a machine-on-the-side (MOTS).) RST packet injection also has the advantage of only requiring one of the two endpoints to accept the spoofed packet for the connection to be interrupted.</t> <t>The difficult part of RST packet injection is spoofing "enough" correct information to ensure one endpoint accepts a RST packet as legitimate; this generally implies a correct IP, port, and TCP sequence number. The sequence number is the hardest to get correct, as <xref target="RFC9293"/> specifies that a RST packet should be in sequence to be accepted, although that RFC also recommends allowing in-window packets. This in-window recommendation is important; if it is implemented, it allows for successful Blind RST Injection attacks <xref target="Netsec-2011"/>. When in-window sequencing is allowed, it is trivial to conduct a Blind RST Injection. While the term "blind" injection implies the censor doesn't know any sensitive sequencing information about the TCP stream they are injecting into, they can simply enumerate all ~70000 possible windows. This is particularly useful for interrupting encrypted/obfuscated protocols such as SSH or Tor <xref target="Gilad"/>. 
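</t>
<t>The difference between in-sequence and in-window acceptance can be seen from the receiver's side. The following Python code is an added example, not code from this document or from any TCP stack; it models the two acceptance policies with modular sequence arithmetic and counts how many window-spaced sequence values would reset a connection under each. The policy names, function names, the 65535-byte window, and the sample sequence numbers are assumptions made for illustration; the "exact" policy, which answers in-window mismatches with a challenge ACK, follows the RST handling specified in RFC 9293.</t>

```python
SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32 bits wide and wrap around


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32."""
    return rcv_wnd > (seq - rcv_nxt) % SEQ_SPACE


def handle_rst(seq, rcv_nxt, rcv_wnd, policy):
    """Receiver's reaction to a RST segment carrying sequence number seq.

    policy "in-window": any in-window RST tears the connection down.
    policy "exact":     only seq == rcv_nxt resets; other in-window values
                        are answered with a challenge ACK instead.
    """
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"
    if policy == "in-window" or seq == rcv_nxt:
        return "reset"
    return "challenge-ack"


def windows_in_space(rcv_wnd):
    """Window-sized steps needed to cover the whole sequence space."""
    return -(-SEQ_SPACE // rcv_wnd)  # ceiling division


def exposure(rcv_nxt, rcv_wnd, policy):
    """Count receiver outcomes for one sequence value per window.

    This is the receiver-side view of the enumeration described in the
    text: the values 0, rcv_wnd, 2*rcv_wnd, ... cover the sequence space.
    """
    outcomes = {"drop": 0, "challenge-ack": 0, "reset": 0}
    for k in range(windows_in_space(rcv_wnd)):
        seq = (k * rcv_wnd) % SEQ_SPACE
        outcomes[handle_rst(seq, rcv_nxt, rcv_wnd, policy)] += 1
    return outcomes


if __name__ == "__main__":
    rcv_nxt, rcv_wnd = 1_000_000_000, 65535  # constructed sample state
    print("windows to cover:", windows_in_space(rcv_wnd))
    for policy in ("in-window", "exact"):
        print(policy, exposure(rcv_nxt, rcv_wnd, policy))
```

<t>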
Some censorship evasion systems work by trying to confuse the censor into tracking incorrect information, rendering their RST packet injection useless <xref target="Khattak-2013"/> <xref target="Wang-2017"/> <xref target="Li-2017"/> <xref target="Bock-2019"/> <xref target="Wang-2020"/>.</t> <t>RST packet injection relies on a stateful network, making it useless against UDP connections. RST packet injection is among the most popular censorship techniques used today given its versatile nature and effectiveness against all types of TCP traffic. Recent research shows that a TCP RST packet injection attack can even work in the case of an off-path attacker <xref target="Cao-2016"/>.</t> <t>Empirical Examples: RST packet injection, as mentioned above, is most often paired with identification techniques that require splitting, such as DPI or protocol identification. In 2007, Comcast was accused of using RST packet injection to interrupt traffic it identified as BitTorrent <xref target="Schoen-2007"/>, subsequently leading to a US Federal Communications Commission ruling against Comcast <xref target="VonLohmann-2008"/>. China has also been known to use RST packet injection for censorship purposes. This interference is especially evident in the interruption of encrypted/obfuscated protocols, such as those used by Tor <xref target="Winter-2012"/>.</t> </section> </section> <section anchor="routing-layer"> <name>Routing Layer</name> <section anchor="discon"> <name>Network Disconnection</name> <t>While it is perhaps the crudest of all techniques employed for censorship, there is no more effective way of making sure undesirable information isn't allowed to propagate on the web than by shutting off the network. 
The network can be logically cut off in a region when a censoring entity withdraws all of the Border Gateway Protocol (BGP) prefixes routing through the censor's country.</t> <t>Trade-offs: The impact of a network disconnection in a region is huge and absolute; the censor pays for absolute control over digital information by losing the benefits a globally accessible Internet brings. Network disconnections are also politically expensive as citizens accustomed to accessing Internet platforms and services see such disconnections as a loss of civil liberty. Network disconnection is rarely a long-term solution for any censor and is normally only used as a last resort in times of substantial civil unrest in a country.</t> <t>Empirical Examples: Network disconnections tend to only happen in times of substantial unrest, largely due to the huge social, political, and economic impact such a move has. One of the first, highly covered occurrences was when the junta in Myanmar employed network disconnection to help junta forces quash a rebellion in 2007 <xref target="Dobie-2007"/>. China disconnected the network in the Xinjiang region during unrest in 2009 in an effort to prevent the protests from spreading to other regions <xref target="Heacock-2009"/>. The Arab Spring saw the most frequent usage of network disconnection, with events in Egypt and Libya in 2011 <xref target="Cowie-2011"/> and Syria in 2012 <xref target="Thomson-2012"/>. Russia indicated that it would attempt to disconnect all Russian networks from the global Internet in April 2019 as part of a test of the nation's network independence. Reports also indicate that, as part of the test disconnect, Russian telecommunications firms must now route all traffic to state-operated monitoring points <xref target="Cimpanu-2019"/>. 
India saw the largest number of Internet shutdowns per year in 2016 and 2017 <xref target="Dada-2017"/>.</t>
</section>
<section anchor="advroute">
<name>Adversarial Route Announcement</name>
<t>More fine-grained and potentially widespread censorship can be achieved with BGP hijacking, which adversarially re-routes BGP IP prefixes incorrectly within a region and beyond. This restricts and effectively censors the correctly known location of information that flows into or out of a jurisdiction and will similarly prevent people from outside your jurisdiction from viewing content generated outside that jurisdiction as the adversarial route announcement propagates. The first can be achieved by an adversarial BGP announcement of incorrect routes that are not intended to leak beyond a jurisdiction, where the latter attacks traffic by deliberately introducing bogus BGP announcements that reach the global Internet.</t>
<t>Trade-offs: A global leak of a misrouted website can overwhelm an ISP if the website gets a lot of traffic. It is not a permanent solution because incorrect BGP routes that leak globally can be fixed, but leaks within a jurisdiction can only be corrected by an ISP/IXP for local users.</t>
<t>Empirical Examples: In 2008, Pakistan Telecom censored YouTube at the request of the Pakistan government by changing its BGP routes for the website. The new routes were announced to the ISP's upstream providers and beyond. The entire Internet began directing YouTube routes to Pakistan Telecom and continued doing so for many hours. In 2018, nearly all Google services and Google Cloud customers, like Spotify, all lost more than one hour of service after Google lost control of several million of its IP addresses.
Those IP prefixes were being misdirected to China Telecom, a Chinese government-owned ISP <xref target="Google-2018"/>, in a manner similar to the BGP hijacking of US government and military websites by China Telecom in 2010. ISPs in both Russia (2022) and Myanmar (2021) have tried to hijack the same Twitter prefix more than once <xref target="Siddiqui-2022"/>.</t>
</section>
</section>
<section anchor="multi-layer-and-non-layer">
<name>Multi-layer and Non-layer</name>
<section anchor="ddos">
<name>Distributed Denial of Service (DDoS)</name>
<t>Distributed Denial of Service attacks are a common attack mechanism used by "hacktivists" and malicious hackers. Censors have also used DDoS in the past for a variety of reasons. There is a wide variety of DDoS attacks <xref target="Wikip-DoS"/>. However, at a high level, two possible impacts from the attack tend to occur: a flood attack results in the service being unusable while resources are being spent to flood the service, and a crash attack aims to crash the service so resources can be reallocated elsewhere without "releasing" the service.</t>
<t>Trade-offs: DDoS is an appealing mechanism when a censor would like to prevent all access (not just regional access) to undesirable content for a limited period of time. Temporal impermanence is really the only uniquely beneficial feature of DDoS as a technique employed for censorship. The resources required to carry out a successful DDoS against major targets are computationally expensive, usually requiring rental or ownership of a malicious distributed platform such as a botnet, and they are imprecise.
DDoS is an incredibly crude censorship technique and appears to largely be used as a timely, easy-to-access mechanism for blocking undesirable content for a limited period of time.</t>
<t>Empirical Examples: In 2012, the U.K.'s signals intelligence organization, the Government Communications Headquarters (GCHQ), used DDoS to temporarily shut down Internet Relay Chat (IRC) chat rooms frequented by members of Anonymous using the SYN flood DDoS method; a SYN flood exploits the handshake used by TCP to overload the victim server with so many requests that legitimate traffic becomes slow or impossible <xref target="NBC-2014"/> <xref target="CERT-2000"/>. Dissenting opinion websites are frequently victims of DDoS around politically sensitive events like the DDoS in Burma <xref target="Villeneuve-2011"/>. Controlling parties in Russia <xref target="Kravtsova-2012"/>, Zimbabwe <xref target="Orion-2013"/>, and Malaysia <xref target="Muncaster-2013"/> have been accused of using DDoS to interrupt opposition support and access during elections. In 2015, China launched a DDoS attack using a true MITM system (dubbed "Great Cannon"), collocated with the Great Firewall, that was able to inject JavaScript code into web visits to a Chinese search engine that commandeered those user agents to send DDoS traffic to various sites <xref target="Marczak-2015"/>.</t>
</section>
<section anchor="censorship-in-depth">
<name>Censorship in Depth</name>
<t>Often, censors implement multiple techniques in tandem, creating "censorship in depth".
Censorship in depth can take many forms; some censors block the same content through multiple techniques (such as blocking a domain by DNS, IP blocking, and HTTP simultaneously), some deploy parallel systems to improve censorship reliability (such as deploying multiple different censorship systems to block the same domain), and others can use complementary systems to limit evasion (such as by blocking unwanted protocols entirely, forcing users to use other filtered protocols).</t>
<t>Trade-offs: Censorship in depth can be attractive for censors to deploy, as it offers additional guarantees about censorship: even if someone evades one type of censorship, they may still be blocked by another. The main drawback to this approach is the cost of initial deployment, as it requires the system to deploy multiple censorship systems in tandem.</t>
<t>Empirical Examples: Censorship in depth is present in many large censoring nation states today. Researchers have observed that China has deployed significant censorship in depth, often censoring the same resource across multiple protocols <xref target="Chai-2019"/> <xref target="Bock-2020b"/> or deploying additional censorship systems to censor the same content and protocol <xref target="Bock-2021b"/>. Iran also has deployed a complementary protocol filter to limit which protocols can be used on certain ports, forcing users to rely on protocols their censorship system can filter <xref target="Bock-2020"/>.</t>
</section>
</section>
</section>
<section anchor="nontechint">
<name>Non-technical Interference</name>
<section anchor="manualfiltering">
<name>Manual Filtering</name>
<t>As the name implies, sometimes manual labor is the easiest way to figure out which content to block. Manual filtering differs from the common tactic of building up blocklists in that it doesn't necessarily target a specific IP or DNS but instead removes or flags content.
Given the imprecise nature of automatic filtering, manually sorting through content and flagging dissenting websites, blogs, articles, and other media for filtration can be an effective technique on its own or combined with other automated techniques of detection that are then followed by an action that would require manual confirmation. This filtration can occur on the backbone or ISP level. China's army of monitors is a good example <xref target="BBC-2013b"/>, but more commonly, manual filtering occurs on an institutional level. Internet Content Providers (ICPs), such as Google or Weibo, require a business license to operate in China. One of the prerequisites for a business license is an agreement to sign a "voluntary pledge" known as the "Public Pledge on Self-discipline for the Chinese Internet Industry". The failure to "energetically uphold" the pledged values can lead to the ICPs being held liable for the offending content by the Chinese government <xref target="BBC-2013b"/>.</t>
</section>
<section anchor="selfcensor">
<name>Self-Censorship</name>
<t>Self-censorship is difficult to document as it manifests primarily through a lack of undesirable content. Tools that encourage self-censorship may lead a prospective speaker to believe that speaking increases the risk of unfavorable outcomes for the speaker (technical monitoring, identification requirements, etc.). Reporters Without Borders exemplify methods of imposing self-censorship in their annual World Press Freedom Index reports <xref target="RWB-2020"/>.</t>
</section>
<section anchor="serverko">
<name>Server Takedown</name>
<t>As mentioned in passing by <xref target="Murdoch-2008"/>, servers must have a physical location somewhere in the world.
If undesirable content is hosted in the censoring country, the servers can be physically seized, or -- in cases where a server is virtualized in a cloud infrastructure where it may not necessarily have a fixed physical location -- the hosting provider can be required to prevent access.</t>
</section>
<section anchor="notice">
<name>Notice and Takedown</name>
<t>In many countries, legal mechanisms exist where an individual or other content provider can issue a legal request to a content host that requires the host to take down content. Examples include the systems employed by companies like Google to comply with "Right to be Forgotten" policies in the European Union <xref target="Google-RTBF"/>, intermediary liability rules for electronic platform providers <xref target="EC-2012"/>, or the copyright-oriented notice and takedown regime of the United States Digital Millennium Copyright Act (DMCA) Section 512 <xref target="DMLP-512"/>.</t>
</section>
<section anchor="dns-seizures">
<name>Domain Name Seizures</name>
<t>Domain names are catalogued in name servers operated by legal entities called registries. These registries can be made to cede control over a domain name to someone other than the entity that registered the domain name through a legal procedure grounded in either private contracts or public law.
Domain name seizure is increasingly used by both public authorities and private entities to deal with undesired content dissemination <xref target="ICANN-2012"/> <xref target="EFF-2017"/>.</t>
</section>
</section>
<section anchor="future-work">
<name>Future Work</name>
<t>In addition to establishing a thorough resource for describing censorship techniques, this document implicates critical areas for future work.</t>
<t>Taken as a whole, the apparent costs of implementation of censorship techniques indicate a need for better classification of censorship regimes as they evolve and mature and better specification of censorship circumvention techniques themselves. Censor maturity refers to the technical maturity required of the censor to perform the specific censorship technique. Future work might classify techniques by essentially how hard a censor must work, including what infrastructure is required, in order to successfully censor content, users, or services.</t>
<t>On circumvention, the increase in protocols leveraging encryption is an effective countermeasure against some forms of censorship described in this document, but thorough research on circumvention and encryption is left for another document. Moreover, the censorship circumvention community has developed an area of research on "pluggable transports," which collect, document, and make agile methods for obfuscating the on-path traffic of censorship circumvention tools such that it appears indistinguishable from other kinds of traffic <xref target="Tor-2019"/>. Those methods would benefit from future work in the Internet standards community, too.</t>
<t>Lastly, the empirical examples demonstrate that censorship techniques can evolve quickly, and experience shows that this document can only be a point-in-time statement.
Future work might extend this document with updates and new techniques described using a comparable methodology.</t>
</section>
<section anchor="Contributors">
<name>Contributors</name>
<t>This document benefited from discussions with and input from David Belson, Stephane Bortzmeyer, Vinicius Fortuna, Gurshabad Grover, Andrew McConachie, Martin Nilsson, Michael Richardson, Patrick Vacek and Chris Wood.</t>
</section>
<section>
<name>IANA Considerations</name>
<t>This document has no IANA actions.</t>
</section>
<section>
<name>Security Considerations</name>
<t>This document is a survey of existing literature on network censorship techniques. As such, it does not introduce any new security considerations to be taken into account beyond what is already discussed in each paper surveyed.</t>
</section>
</middle>
<back>
<displayreference target="I-D.ietf-tls-esni" to="TLS-ESNI"/>
<references>
<name>Informative References</name>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7754.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7624.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6066.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8484.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7858.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8744.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9000.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9293.xml"/>
<!-- [I-D.ietf-tls-esni] IESG state I-D Exists -->
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-tls-esni.xml"/>
<reference anchor="RWB-2020" target="https://rsf.org/en/2020-world-press-freedom-index-entering-decisive-decade-journalism-exacerbated-coronavirus"> <front> <title>2020 World Press Freedom Index: 'Entering a decisive decade for journalism, exacerbated by coronavirus'</title> <author> <organization>Reporters Without Borders (RSF)</organization> </author> <date month="April" year="2020"/> </front> </reference>
<reference anchor="HADOPI" target="https://www.hadopi.fr/"> <front> <title>Hadopi | Haute Autorité pour la diffusion des oeuvres et la protection des droits sur internet</title> <author> <organization>Hadopi</organization> </author> </front> </reference>
<reference anchor="SSAC-109-2020" target="https://www.icann.org/en/system/files/files/sac-109-en.pdf"> <front> <title>SAC109: The Implications of DNS over HTTPS and DNS over TLS</title> <author> <organization>ICANN Security and Stability Advisory Committee (SSAC)</organization> </author> <date month="March" year="2020"/> </front> </reference>
<reference anchor="ICANN-2012" target="https://www.icann.org/en/system/files/files/guidance-domain-seizures-07mar12-en.pdf"> <front> <title>Guidance for Preparing Domain Name Orders, Seizures &amp; Takedowns</title> <author> <organization>ICANN Security and Stability Advisory Committee</organization> </author> <date month="January" year="2012"/> </front> </reference>
<reference anchor="Tor-2019" target="https://2019.www.torproject.org/docs/pluggable-transports.html.en"> <front> <title>Tor: Pluggable Transports</title> <author> <organization>Tor</organization> </author> <date year="2019"/> </front> </reference>
<reference anchor="WP-Def-2020" target="https://en.wikipedia.org/w/index.php?title=Censorship&amp;oldid=943938595"> <front> <title>Censorship</title> <author> <organization>Wikipedia</organization> </author> <date month="March" year="2020"/> </front> </reference>
<reference anchor="EC-gambling-2012" target="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52012SC0345"> <front> <title>Online gambling in the Internal Market Accompanying the document Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of
the Regions Towards a comprehensive framework for online gambling</title> <author> <organization>European Commission</organization> </author> <date year="2012"/> </front> </reference>
<reference anchor="EC-gambling-2019" target="https://ec.europa.eu/growth/content/evaluation-regulatory-tools-enforcing-online-gambling-rules-and-channelling-demand-towards-1_en"> <front> <title>Evaluation of regulatory tools for enforcing online gambling rules and channelling demand towards controlled offers</title> <author> <organization>European Commission</organization> </author> <date month="January" year="2019"/> </front> </reference>
<reference anchor="EC-2012" target="https://ec.europa.eu/information_society/newsroom/image/document/2017-4/consultation_summary_report_en_2010_42070.pdf"> <front> <title>Summary of the results of the Public Consultation on the future of electronic commerce in the Internal Market and the implementation of the Directive on electronic commerce (2000/31/EC)</title> <author> <organization>European Commission</organization> </author> <date month="January" year="2012"/> </front> </reference>
<reference anchor="Bentham-1791" target="https://www.google.com/books/edition/_/Ec4TAAAAQAAJ?hl=en"> <front> <title>Panopticon Or the Inspection House</title> <author initials="J." surname="Bentham" fullname="Jeremy Bentham"> <organization/> </author> <date year="1791"/> </front> </reference>
<reference anchor="Ellul-1973" target="https://www.penguinrandomhouse.com/books/46234/propaganda-by-jacques-ellul/"> <front> <title>Propaganda: The Formation of Men's Attitudes</title> <author initials="J."
surname="Ellul" fullname="Jacques Ellul"> <organization/> </author> <date year="1973"/> </front> </reference>
<reference anchor="Reda-2017" target="https://felixreda.eu/2017/11/eu-website-blocking/"> <front> <title>New EU law prescribes website blocking in the name of "consumer protection"</title> <author initials="F." surname="Reda" fullname="Felix Reda"> <organization/> </author> <date month="November" year="2017"/> </front> </reference>
<reference anchor="Knight-2005" target="https://www.newscientist.com/article/dn7589-iranian-net-censorship-powered-by-us-technology/"> <front> <title>Iranian net censorship powered by US technology</title> <author initials="W." surname="Knight" fullname="Will Knight"> <organization/> </author> <date month="June" year="2005"/> </front> </reference>
<reference anchor="SIDN-2020" target="https://labs.ripe.net/Members/giovane_moura/detecting-and-taking-down-fraudulent-webshops-at-a-cctld"> <front> <title>Detecting and Taking Down Fraudulent Webshops at the .nl ccTLD</title> <author initials="G." surname="Moura" fullname="Giovane Moura"> <organization/> </author> <date month="February" year="2020"/> </front> </reference>
<reference anchor="Cimpanu-2019" target="https://www.zdnet.com/article/russia-to-disconnect-from-the-internet-as-part-of-a-planned-test/"> <front> <title>Russia to disconnect from the internet as part of a planned test</title> <author initials="C."
surname="Cimpanu" fullname="Catalin Cimpanu"> <organization/> </author> <date month="February" year="2019"/> </front> </reference>
<reference anchor="Hertel-2015" quoteTitle="false" target="https://www.sciencesetavenir.fr/high-tech/comment-les-autorites-peuvent-bloquer-un-site-internet_35828"> <front> <title>"Comment les autorités peuvent bloquer un site Internet" [How authorities can block a website]</title> <author initials="O." surname="Hertel" fullname="Olivier Hertel"> <organization/> </author> <date month="March" year="2015"/> </front> </reference>
<reference anchor="Eneman-2010" target="https://www.tandfonline.com/doi/abs/10.1080/13552601003760014"> <front> <title>Internet service provider (ISP) filtering of child-abusive material: A critical reflection of its effectiveness</title> <author initials="M." surname="Eneman" fullname="Marie Eneman"> <organization/> </author> <date month="June" year="2010"/> </front> <seriesInfo name="DOI" value="10.1080/13552601003760014"/> </reference>
<reference anchor="Gatlan-2019" target="https://www.bleepingcomputer.com/news/security/south-korea-is-censoring-the-internet-by-snooping-on-sni-traffic/"> <front> <title>South Korea is Censoring the Internet by Snooping on SNI Traffic</title> <author initials="S." surname="Gatlan" fullname="Sergiu Gatlan"> <organization/> </author> <date month="February" year="2019"/> </front> </reference>
<reference anchor="Lomas-2019" target="https://techcrunch.com/2019/10/30/github-removes-tsunami-democratics-apk-after-a-takedown-order-from-spain/"> <front> <title>Github removes Tsunami Democràtic's APK after a takedown order from Spain</title> <author initials="N."
surname="Lomas" fullname="Natasha Lomas"> <organization/> </author> <date month="October" year="2019"/> </front> </reference>
<reference anchor="Victor-2019" target="https://www.nytimes.com/2019/10/09/world/asia/blizzard-hearthstone-hong-kong.html"> <front> <title>Blizzard Sets Off Backlash for Penalizing Hearthstone Gamer in Hong Kong</title> <author initials="D." surname="Victor" fullname="Daniel Victor"> <organization/> </author> <date month="October" year="2019"/> </front> <refcontent>The New York Times</refcontent> </reference>
<reference anchor="Glanville-2008" target="http://www.theguardian.com/commentisfree/2008/nov/17/censorship-internet"> <front> <title>The big business of net censorship</title> <author initials="J." surname="Glanville" fullname="Jo Glanville"> <organization/> </author> <date month="November" year="2008"/> </front> <refcontent>The Guardian</refcontent> </reference>
<reference anchor="EFF-2017" target="https://www.eff.org/files/2017/08/02/domain_registry_whitepaper.pdf"> <front> <title>Which Internet registries offer the best protection for domain owners?</title> <author initials="J." surname="Malcolm" fullname="Jeremy Malcolm"> <organization/> </author> <author initials="G." surname="Rossi" fullname="Gus Rossi"> <organization/> </author> <author initials="M." surname="Stoltz" fullname="Mitch Stoltz"> <organization/> </author> <date month="July" year="2017"/> </front> <refcontent>Electronic Frontier Foundation</refcontent> </reference>
<reference anchor="Tschantz-2016" target="https://oaklandsok.github.io/papers/tschantz2016.pdf"> <front> <title>SoK: Towards Grounding Censorship Circumvention in Empiricism</title> <author initials="M." surname="Tschantz" fullname="Michael Carl Tschantz"> <organization/> </author> <author initials="S."
surname="Afroz" fullname="Sadia Afroz"> <organization/> </author> <author initials="A." surname="Anonymous" fullname="Anonymous"> <organization/> </author> <author initials="V." surname="Paxson" fullname="Vern Paxson"> <organization/> </author> <date month="May" year="2016"/> </front> <seriesInfo name="DOI" value="10.1109/SP.2016.59"/> </reference> <reference anchor="Cao-2016" target="https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_cao.pdf"> <front> <title>Off-Path TCP Exploits: Global Rate Limit Considered Dangerous</title> <author initials="Y." surname="Cao" fullname="Yue Cao"> <organization/> </author> <author initials="Z." surname="Qian" fullname="Zhiyun Qian"> <organization/> </author> <author initials="Z." surname="Wang" fullname="Zhongjie Wang"> <organization/> </author> <author initials="T." surname="Dao" fullname="Tuan Dao"> <organization/> </author> <author initials="S." surname="Krishnamurthy" fullname="Srikanth V. Krishnamurthy"> <organization/> </author> <author initials="L." surname="Marvel" fullname="Lisa M. Marvel"> <organization/> </author> <date month="August" year="2016"/> </front> </reference> <reference anchor="Leyba-2019" target="https://forrest.biodesign.asu.edu/data/publications/2019-compass-chokepoints.pdf"> <front> <title>Borders and gateways: measuring and analyzing national AS chokepoints</title> <author initials="K." surname="Leyba" fullname="Kirtus G. Leyba"> <organization/> </author> <author initials="B." surname="Edwards" fullname="Benjamin Edwards"> <organization/> </author> <author initials="C." surname="Freeman" fullname="Cynthia Freeman"> <organization/> </author> <author initials="J." surname="Crandall" fullname="Jedidiah R. Crandall"> <organization/> </author> <author initials="S."
surname="Forrest" fullname="Stephanie Forrest"> <organization/> </author> <date month="July" year="2019"/> </front> <seriesInfo name="DOI" value="10.1145/3314344.3332502"/> <refcontent>COMPASS '19: Proceedings of the 2nd ACM SIGCAS Conference on Computing and Sustainable Societies, pages 184-194</refcontent> </reference> <reference anchor="Chai-2019" target="https://www.usenix.org/system/files/foci19-paper_chai_update.pdf"> <front> <title>On the Importance of Encrypted-SNI (ESNI) to Censorship Circumvention</title> <author initials="Z." surname="Chai" fullname="Zimo Chai"> <organization/> </author> <author initials="A." surname="Ghafari" fullname="Amirhossein Ghafari"> <organization/> </author> <author initials="A." surname="Houmansadr" fullname="Amir Houmansadr"> <organization/> </author> <date year="2019"/> </front> </reference> <reference anchor="Patil-2019" target="https://irtf.org/anrw/2019/anrw2019-final44-acmpaginated.pdf"> <front> <title>What can you learn from an IP?</title> <author initials="S." surname="Patil" fullname="Simran Patil"> <organization/> </author> <author initials="N." surname="Borisov" fullname="Nikita Borisov"> <organization/> </author> <date month="July" year="2019"/> </front> <seriesInfo name="DOI" value="10.1145/3340301.3341133"/> <refcontent>Proceedings of the Applied Networking Research Workshop, Pages 45-51</refcontent> </reference> <reference anchor="Wright-2013" target="https://policyreview.info/articles/analysis/internet-filtering-trends-liberal-democracies-french-and-german-regulatory-debates"> <front> <title>Internet filtering trends in liberal democracies: French and German regulatory debates</title> <author initials="J." surname="Wright" fullname="Joss Wright"> <organization/> </author> <author initials="Y."
surname="Breindl" fullname="Yana Breindl"> <organization/> </author> <date month="April" year="2013"/> </front> <seriesInfo name="DOI" value="10.14763/2013.2.122"/> </reference> <reference anchor="Grover-2019" target="https://cis-india.org/internet-governance/blog/reliance-jio-is-using-sni-inspection-to-block-websites"> <front> <title>Reliance Jio is using SNI inspection to block websites</title> <author initials="G." surname="Grover" fullname="Gurshabad Grover"> <organization/> </author> <author initials="K." surname="Singh" fullname="Kushagra Singh"> <organization/> </author> <author initials="E." surname="Hickok" fullname="Elonnai Hickok" role="editor"> <organization/> </author> <date month="November" year="2019"/> </front> </reference> <reference anchor="Singh-2019" target="https://arxiv.org/abs/1912.08590"> <front> <title>How India Censors the Web</title> <author initials="K." surname="Singh" fullname="Kushagra Singh"> <organization/> </author> <author initials="G." surname="Grover" fullname="Gurshabad Grover"> <organization/> </author> <author initials="V." surname="Bansal" fullname="Varun Bansal"> <organization/> </author> <date month="December" year="2019"/> </front> <seriesInfo name="DOI" value="10.48550/arXiv.1912.08590"/> </reference> <reference anchor="NA-SK-2019" target="https://www.newamerica.org/cybersecurity-initiative/c2b/c2b-log/analysis-south-koreas-sni-monitoring/"> <front> <title>Analysis: South Korea's New Tool for Filtering Illegal Internet Content</title> <author initials="R." surname="Morgus" fullname="Robert Morgus"> <organization/> </author> <author initials="J." surname="Sherman" fullname="Justin Sherman"> <organization/> </author> <author initials="S."
surname="Nam" fullname="Seonghyun Nam"> <organization/> </author> <date month="March" year="2019"/> </front> </reference> <reference anchor="CitizenLab-2018" target="https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/"> <front> <title>Bad Traffic: Sandvine's PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?</title> <author initials="B." surname="Marczak" fullname="Bill Marczak"> <organization/> </author> <author initials="J." surname="Dalek" fullname="Jakub Dalek"> <organization/> </author> <author initials="S." surname="McKune" fullname="Sarah McKune"> <organization/> </author> <author initials="A." surname="Senft" fullname="Adam Senft"> <organization/> </author> <author initials="J." surname="Scott-Railton" fullname="John Scott-Railton"> <organization/> </author> <author initials="R." surname="Deibert" fullname="Ron Deibert"> <organization/> </author> <date month="March" year="2018"/> </front> </reference> <reference anchor="OONI-2019" target="https://ooni.org/post/2019-china-wikipedia-blocking/"> <front> <title>China is now blocking all language editions of Wikipedia</title> <author initials="S." surname="Singh" fullname="Sukhbir Singh"> <organization/> </author> <author initials="A." surname="Filastò" fullname="Arturo Filastò"> <organization/> </author> <author initials="M." surname="Xynou" fullname="Maria Xynou"> <organization/> </author> <date month="May" year="2019"/> </front> </reference> <reference anchor="OONI-2018" target="https://ooni.org/post/2018-iran-protests-pt2/"> <front> <title>Iran Protests: DPI blocking of Instagram (Part 2)</title> <author initials="L."
surname="Evdokimov" fullname="Leonid Evdokimov"> <organization/> </author> <date month="February" year="2018"/> </front> </reference> <reference anchor="Dada-2017" target="https://www.accessnow.org/keepiton-shutdown-tracker/"> <front> <title>Launching STOP: the #KeepItOn internet shutdown tracker</title> <author initials="T." surname="Dada" fullname="Tinuola Dada"> <organization/> </author> <author initials="P." surname="Micek" fullname="Peter Micek"> <organization/> </author> <date month="September" year="2017"/> </front> </reference> <reference anchor="Verkamp-2012" target="https://www.usenix.org/system/files/conference/foci12/foci12-final1.pdf"> <front> <title>Inferring Mechanics of Web Censorship Around the World</title> <author initials="J. P." surname="Verkamp" fullname="John-Paul Verkamp"> <organization/> </author> <author initials="M." surname="Gupta" fullname="Minaxi Gupta"> <organization/> </author> <date month="August" year="2012"/> </front> </reference> <reference anchor="Nabi-2013" target="http://0b4af6cdc2f0c5998459-c0245c5c937c5dedcca3f1764ecc9b2f.r43.cf2.rackcdn.com/12387-foci13-nabi.pdf"> <front> <title>The Anatomy of Web Censorship in Pakistan</title> <author initials="Z." surname="Nabi" fullname="Zubair Nabi"> <organization/> </author> <date month="August" year="2013"/> </front> </reference> <reference anchor="Tang-2016" target="https://www.cs.tufts.edu/comp/116/archive/fall2016/ctang.pdf"> <front> <title>In-depth analysis of the Great Firewall of China</title> <author initials="C." surname="Tang" fullname="Chao Tang"> <organization/> </author> <date month="December" year="2016"/> </front> </reference> <reference anchor="Aryan-2013" target="https://jhalderm.com/pub/papers/iran-foci13.pdf"> <front> <title>Internet Censorship in Iran: A First Look</title> <author initials="S." surname="Aryan" fullname="Simurgh Aryan"> <organization/> </author> <author initials="H."
surname="Aryan" fullname="Homa Aryan"> <organization/> </author> <author initials="J. A." surname="Halderman" fullname="J. Alex Halderman"> <organization/> </author> <date year="2012"/> </front> </reference> <reference anchor="Husak-2016" target="https://link.springer.com/article/10.1186/s13635-016-0030-7"> <front> <title>HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting</title> <author initials="M." surname="Husák" fullname="Martin Husák"> <organization/> </author> <author initials="M." surname="Čermák" fullname="Milan Čermák"> <organization/> </author> <author initials="T." surname="Jirsík" fullname="Tomáš Jirsík"> <organization/> </author> <author initials="P." surname="Čeleda" fullname="Pavel Čeleda"> <organization/> </author> <date month="February" year="2016"/> </front> <seriesInfo name="DOI" value="10.1186/s13635-016-0030-7"/> </reference> <reference anchor="Dalek-2013" target="http://conferences.sigcomm.org/imc/2013/papers/imc112s-dalekA.pdf"> <front> <title>A Method for Identifying and Confirming the Use of URL Filtering Products for Censorship</title> <author initials="J." surname="Dalek" fullname="Jakub Dalek"> <organization/> </author> <author initials="B." surname="Haselton" fullname="Benett Haselton"> <organization/> </author> <author initials="H." surname="Noman" fullname="Helmi Noman"> <organization/> </author> <author initials="A." surname="Senft" fullname="Adam Senft"> <organization/> </author> <author initials="M." surname="Crete-Nishihata" fullname="Masashi Crete-Nishihata"> <organization/> </author> <author initials="P." surname="Gill" fullname="Phillipa Gill"> <organization/> </author> <author initials="R. J." surname="Deibert" fullname="Ronald J.
Deibert"> <organization/> </author> <date month="October" year="2013"/> </front> <seriesInfo name="DOI" value="10.1145/2504730.2504763"/> <refcontent>IMC '13: Proceedings of the 2013 conference on Internet measurement conference, Pages 23-30</refcontent> </reference> <reference anchor="Jones-2014" target="http://conferences2.sigcomm.org/imc/2014/papers/p299.pdf"> <front> <title>Automated Detection and Fingerprinting of Censorship Block Pages</title> <author initials="B." surname="Jones" fullname="Ben Jones"> <organization/> </author> <author initials="T-W." surname="Lee" fullname="Tzu-Wen Lee"> <organization/> </author> <author initials="N." surname="Feamster" fullname="Nick Feamster"> <organization/> </author> <author initials="P." surname="Gill" fullname="Phillipa Gill"> <organization/> </author> <date month="November" year="2014"/> </front> <seriesInfo name="DOI" value="10.1145/2663716.2663722"/> <refcontent>IMC '14: Proceedings of the 2014 Conference on Internet Measurement Conference, Pages 299-304</refcontent> </reference> <reference anchor="Crandall-2010" target="http://www.cs.unm.edu/~crandall/icdcs2010.pdf"> <front> <title>Empirical Study of a National-Scale Distributed Intrusion Detection System: Backbone-Level Filtering of HTML Responses in China</title> <author initials="J.C." surname="Park" fullname="Jong Chun Park"> <organization/> </author> <author initials="J." surname="Crandall" fullname="Jedediah Crandall"> <organization/> </author> <date month="June" year="2010"/> </front> </reference> <reference anchor="Senft-2013" target="https://citizenlab.org/2013/11/asia-chats-analyzing-information-controls-privacy-asian-messaging-applications/"> <front> <title>Asia Chats: Analyzing Information Controls and Privacy in Asian Messaging Applications</title> <author initials="" surname="" fullname=""> <organization/> </author> <author initials="M." surname="Crete-Nishihata" fullname="Masashi Crete-Nishihata"> <organization/> </author> <author initials="J." 
surname="Dalek" fullname="Jakub Dalek"> <organization/> </author> <author initials="S." surname="Hardy" fullname="Seth Hardy"> <organization/> </author> <author initials="A." surname="Hilts" fullname="Andrew Hilts"> <organization/> </author> <author initials="K." surname="Kleemola" fullname="Katie Kleemola"> <organization/> </author> <author initials="J." surname="Ng" fullname="Jason Ng"> <organization/> </author> <author initials="I." surname="Poetranto" fullname="Irene Poetranto"> <organization/> </author> <author initials="A." surname="Senft" fullname="Adam Senft"> <organization/> </author> <author initials="A." surname="Sinpeng" fullname="Aim Sinpeng"> <organization/> </author> <author initials="B." surname="Sonne" fullname="Byron Sonne"> <organization/> </author> <author initials="G." surname="Wiseman" fullname="Greg Wiseman"> <organization/> </author> <date month="November" year="2013"/> </front> </reference> <reference anchor="Rushe-2014" target="http://www.theguardian.com/technology/2014/feb/11/bing-censors-chinese-language-search-results"> <front> <title>Bing censoring Chinese language search results for users in the US</title> <author initials="D." surname="Rushe" fullname="Dominic Rushe"> <organization/> </author> <date month="February" year="2014"/> </front> <refcontent>The Guardian</refcontent> </reference> <reference anchor="Cheng-2010" target="http://arstechnica.com/tech-policy/2010/06/google-tweaks-china-to-hong-kong-redirect-same-results/"> <front> <title>Google stops Hong Kong auto-redirect as China plays hardball</title> <author initials="J." surname="Cheng" fullname="Jacqui Cheng"> <organization/> </author> <date month="June" year="2010"/> </front> </reference> <reference anchor="Boyle-1997" target="https://scholarship.law.duke.edu/faculty_scholarship/619/"> <front> <title>Foucault in Cyberspace: Surveillance, Sovereignty, and Hardwired Censors</title> <author initials="J."
surname="Boyle" fullname="James Boyle"> <organization/> </author> <date year="1997"/> </front> <refcontent>66 University of Cincinnati Law Review 177-205</refcontent> </reference> <reference anchor="Whittaker-2013" target="http://www.zdnet.com/1168-keywords-skype-uses-to-censor-monitor-its-chinese-users-7000012328/"> <front> <title>1,168 keywords Skype uses to censor, monitor its Chinese users</title> <author initials="Z." surname="Whittaker" fullname="Zach Whittaker"> <organization/> </author> <date month="March" year="2013"/> </front> </reference> <reference anchor="BBC-2013" target="http://www.bbc.com/news/uk-24980765"> <front> <title>Google and Microsoft agree steps to block abuse images</title> <author> <organization>BBC News</organization> </author> <date month="November" year="2013"/> </front> </reference> <reference anchor="Condliffe-2013" target="http://gizmodo.com/google-announces-massive-new-restrictions-on-child-abus-1466539163"> <front> <title>Google Announces Massive New Restrictions on Child Abuse Search Terms</title> <author initials="J." surname="Condliffe" fullname="Jamie Condliffe"> <organization/> </author> <date month="November" year="2013"/> </front> </reference> <reference anchor="Zhu-2011" target="http://arxiv.org/ftp/arxiv/papers/1107/1107.3794.pdf"> <front> <title>An Analysis of Chinese Search Engine Filtering</title> <author initials="T." surname="Zhu" fullname="Tao Zhu"> <organization/> </author> <author initials="C." surname="Bronk" fullname="Christopher Bronk"> <organization/> </author> <author initials="D.S." surname="Wallach" fullname="Dan S. 
Wallach"> <organization/> </author> <date month="July" year="2011"/> </front> <seriesInfo name="DOI" value="10.48550/arXiv.1107.3794"/> </reference> <reference anchor="Wagner-2009" target="http://advocacy.globalvoicesonline.org/wp-content/uploads/2009/06/deeppacketinspectionandinternet-censorship2.pdf"> <front> <title>Deep Packet Inspection and Internet Censorship: International Convergence on an 'Integrated Technology of Control'</title> <author initials="B." surname="Wagner" fullname="Ben Wagner"> <organization/> </author> <date year="2009"/> </front> <refcontent>Global Voices Advocacy</refcontent> </reference> <reference anchor="Porter-2005" target="http://www.symantec.com/connect/articles/perils-deep-packet-inspection"> <front> <title>The Perils of Deep Packet Inspection</title> <author initials="T." surname="Porter" fullname="Thomas Porter"> <organization/> </author> <date year="2010"/> </front> </reference> <reference anchor="Clayton-2006" target="https://link.springer.com/chapter/10.1007/11957454_2"> <front> <title>Ignoring the Great Firewall of China</title> <author initials="R." surname="Clayton" fullname="Richard Clayton"> <organization/> </author> <author initials="S.J." surname="Murdoch" fullname="Steven J. Murdoch"> <organization/> </author> <author initials="R.N.M." surname="Watson" fullname="Robert N. M.
Watson"> <organization/> </author> <date year="2006"/> </front> <seriesInfo name="DOI" value="10.1007/11957454_2"/> <refcontent>Lecture Notes in Computer Science, Volume 4258</refcontent> </reference> <reference anchor="Anonymous-2014" target="https://www.usenix.org/system/files/conference/foci14/foci14-anonymous.pdf"> <front> <title>Towards a Comprehensive Picture of the Great Firewall's DNS Censorship</title> <author> <organization>Anonymous</organization> </author> <date month="August" year="2014"/> </front> </reference> <reference anchor="Khattak-2013" target="http://0b4af6cdc2f0c5998459-c0245c5c937c5dedcca3f1764ecc9b2f.r43.cf2.rackcdn.com/12389-foci13-khattak.pdf"> <front> <title>Towards Illuminating a Censorship Monitor's Model to Facilitate Evasion</title> <author initials="S." surname="Khattak" fullname="Sheharbano Khattak"> <organization/> </author> <author initials="M." surname="Javed" fullname="Mobin Javed"> <organization/> </author> <author initials="P.D." surname="Anderson" fullname="Philip D. Anderson"> <organization/> </author> <author initials="V." surname="Paxson" fullname="Vern Paxson"> <organization/> </author> <date month="August" year="2013"/> </front> </reference> <reference anchor="Wilde-2012" target="https://blog.torproject.org/blog/knock-knock-knockin-bridges-doors"> <front> <title>Knock Knock Knockin' on Bridges Doors</title> <author initials="T." surname="Wilde" fullname="Tim Wilde"> <organization/> </author> <date month="July" year="2012"/> </front> <refcontent>The Tor Project</refcontent> </reference> <reference anchor="Wagstaff-2013" target="https://www.nbcnews.com/tech/tech-news/malaysia-online-election-battles-take-nasty-turn-flna6c9783842"> <front> <title>In Malaysia, online election battles take a nasty turn</title> <author initials="J."
surname="Wagstaff" fullname="Jeremy Wagstaff"> <organization/> </author> <date month="May" year="2013"/> </front> <refcontent>NBC News</refcontent> </reference> <reference anchor="Hepting-2011" target="https://en.wikipedia.org/wiki/Hepting_v._AT%26T&oldid=1175143505"> <front> <title>Hepting v. AT&T</title> <author> <organization>Wikipedia</organization> </author> <date month="September" year="2023"/> </front> </reference> <reference anchor="Hjelmvik-2010" target="https://www.iis.se/docs/hjelmvik_breaking.pdf"> <front> <title>Breaking and Improving Protocol Obfuscation</title> <author initials="E." surname="Hjelmvik" fullname="Erik Hjelmvik"> <organization/> </author> <author initials="W." surname="John" fullname="Wolfgang John"> <organization/> </author> <date month="July" year="2010"/> </front> <refcontent>Technical Report No. 2010-05, ISSN 1652-926X</refcontent> </reference> <reference anchor="Sandvine-2015" target="https://www.researchgate.net/profile/Nirmala-Svsg/post/Anybody-working-on-Internet-traffic-classification/attachment/59d63a5779197b807799782d/AS%3A405810988503040%401473764287142/download/traffic-classification-identifying-and-measuring-internet-traffic.pdf"> <front> <title>Internet Traffic Classification: A Sandvine Technology Showcase</title> <author> <organization>Sandvine</organization> </author> <date year="2015"/> </front> </reference> <reference anchor="Winter-2012" target="http://arxiv.org/pdf/1204.0447v1.pdf"> <front> <title>How China Is Blocking Tor</title> <author initials="P." surname="Winter" fullname="Phillip Winter"> <organization/> </author> <author initials="S."
surname="Lindskog" fullname="Stefan Lindskog"> <organization/> </author> <date month="April" year="2012"/> </front> </reference> <reference anchor="Van-der-Sar-2007" target="https://torrentfreak.com/how-to-bypass-comcast-bittorrent-throttling-071021"> <front> <title>How To Bypass Comcast's BitTorrent Throttling</title> <author initials="E." surname="Van der Sar" fullname="Ernesto Van der Sar"> <organization></organization> </author> <date month="October" year="2012"/> </front> </reference> <reference anchor="Anonymous-2013" target="https://en.greatfire.org/blog/2013/jan/github-blocked-china-how-it-happened-how-get-around-it-and-where-it-will-take-us"> <front> <title>GitHub blocked in China - how it happened, how to get around it, and where it will take us</title> <author> <organization>Anonymous</organization> </author> <date month="January" year="2013"/> </front> </reference> <reference anchor="Ensafi-2013" target="http://arxiv.org/pdf/1312.5739v1.pdf"> <front> <title>Detecting Intentional Packet Drops on the Internet via TCP/IP Side Channels: Extended Version</title> <author initials="R." surname="Ensafi" fullname="Roya Ensafi"> <organization/> </author> <author initials="J." surname="Knockel" fullname="Jeffrey Knockel"> <organization/> </author> <author initials="G." surname="Alexander" fullname="Geoffrey Alexander"> <organization/> </author> <author initials="J.R." surname="Crandall" fullname="Jedidiah R. Crandall"> <organization/> </author> <date month="December" year="2013"/> </front> <seriesInfo name="DOI" value="10.48550/arXiv.1312.5739"/> </reference> <reference anchor="Weaver-2009" target="http://www.icir.org/vern/papers/reset-injection.ndss09.pdf"> <front> <title>Detecting Forged TCP Reset Packets</title> <author initials="N." surname="Weaver" fullname="Nicholas Weaver"> <organization/> </author> <author initials="R."
surname="Sommer" fullname="Robin Sommer"> <organization/> </author> <author initials="V." surname="Paxson" fullname="Vern Paxson"> <organization/> </author> <date month="September" year="2009"/> </front> </reference> <reference anchor="Netsec-2011" target="https://nets.ec/TCP-RST_Injection"> <front> <title>TCP-RST Injection</title> <author> <organization>n3t2.3c</organization> </author> <date month="October" year="2011"/> </front> </reference> <reference anchor="Schoen-2007" target="https://www.eff.org/deeplinks/2007/10/eff-tests-agree-ap-comcast-forging-packets-to-interfere"> <front> <title>EFF tests agree with AP: Comcast is forging packets to interfere with user traffic</title> <author initials="S." surname="Schoen" fullname="Seth Schoen"> <organization/> </author> <date month="October" year="2007"/> </front> </reference> <reference anchor="VonLohmann-2008" target="https://www.eff.org/deeplinks/2008/08/fcc-rules-against-comcast-bit-torrent-blocking"> <front> <title>FCC Rules Against Comcast for BitTorrent Blocking</title> <author initials="F." surname="VonLohmann" fullname="Fred VonLohmann"> <organization/> </author> <date month="August" year="2008"/> </front> </reference> <reference anchor="Halley-2008" target="https://www.networkworld.com/article/2277316/tech-primers/tech-primers-how-dns-cache-poisoning-works.html"> <front> <title>How DNS cache poisoning works</title> <author initials="B." surname="Halley" fullname="Bob Halley"> <organization/> </author> <date month="October" year="2008"/> </front> </reference> <reference anchor="Zmijewski-2014" target="http://web.archive.org/web/20200726222723/https://blogs.oracle.com/internetintelligence/turkish-internet-censorship-takes-a-new-turn"> <front> <title>Turkish Internet Censorship Takes a New Turn</title> <author initials="E."
surname="Zmijewski" fullname="Earl Zmijewski"> <organization/> </author> <date month="March" year="2014"/> </front> <refcontent>Wayback Machine archive</refcontent> </reference> <reference anchor="AFP-2014" target="http://www.businessinsider.com/chinas-internet-breakdown-reportedly-caused-by-censoring-tools-2014-1"> <front> <title>China Has Massive Internet Breakdown Reportedly Caused By Their Own Censoring Tools</title> <author> <organization>AFP</organization> </author> <date month="January" year="2014"/> </front> </reference> <reference anchor="Anon-SIGCOMM12" target="http://www.sigcomm.org/sites/default/files/ccr/papers/2012/July/2317307-2317311.pdf"> <front> <title>The Collateral Damage of Internet Censorship by DNS Injection</title> <author> <organization>Anonymous</organization> </author> <date month="July" year="2012"/> </front> </reference> <reference anchor="Albert-2011" target="https://opennet.net/blog/2011/06/dns-tampering-and-new-icann-gtld-rules"> <front> <title>DNS Tampering and the new ICANN gTLD Rules</title> <author initials="K." surname="Albert" fullname="Kendra Albert"> <organization/> </author> <date month="June" year="2011"/> </front> </reference> <reference anchor="Wikip-DoS" target="https://en.wikipedia.org/w/index.php?title=Denial-of-service_attack&oldid=710558258"> <front> <title>Denial-of-service attack</title> <author> <organization>Wikipedia</organization> </author> <date month="March" year="2016"/> </front> </reference> <reference anchor="NBC-2014" target="http://www.nbcnews.com/feature/edward-snowden-interview/exclusive-snowden-docs-show-uk-spies-attacked-anonymous-hackers-n21361"> <front> <title>Exclusive: Snowden Docs Show UK Spies Attacked Anonymous, Hackers</title> <author initials="M." surname="Schone" fullname="Mark Schone"> <organization/> </author> <author initials="R."
surname="Esposito" fullname="Richard Esposito"> <organization/> </author> <author initials="M." surname="Cole" fullname="Matthew Cole"> <organization/> </author> <author initials="G." surname="Greenwald" fullname="Glenn Greenwald"> <organization/> </author> <author> <organization>NBC News</organization> </author> <date month="February" year="2014"/> </front> </reference> <reference anchor="CERT-2000" target="https://vuls.cert.org/confluence/display/historical/CERT+Advisory+CA-1996-21+TCP+SYN+Flooding+and+IP+Spoofing+Attacks"> <front> <title>CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks</title> <author> <organization>CERT</organization> </author> <date year="2000"/> </front> </reference> <reference anchor="Kravtsova-2012" target="http://www.themoscowtimes.com/news/article/cyberattacks-disrupt-oppositions-election/470119.html"> <front> <title>Cyberattacks Disrupt Opposition's Election</title> <author initials="Y." surname="Kravtsova" fullname="Yekaterina Kravtsova"> <organization/> </author> <date month="October" year="2012"/> </front> <refcontent>The Moscow Times</refcontent> </reference> <reference anchor="Villeneuve-2011" target="http://access.opennet.net/wp-content/uploads/2011/12/accesscontested-chapter-08.pdf"> <front> <title>Open Access: Chapter 8, Control and Resistance, Attacks on Burmese Opposition Media</title> <author initials="N." surname="Villeneuve" fullname="Nart Villeneuve"> <organization/> </author> <author initials="M."
surname="Crete-Nishihata" fullname="Masashi Crete-Nishihata"> <organization/> </author> <date month="January" year="2011"/> </front> </reference> <reference anchor="Orion-2013" target="https://web.archive.org/web/20130825010947/http://www.theinquirer.net/inquirer/news/2287433/zimbabwe-election-hit-by-hacking-and-ddos-attacks"> <front> <title>Zimbabwe election hit by hacking and DDoS attacks</title> <author initials="E." surname="Orion" fullname="Egan Orion"> <organization/> </author> <date month="August" year="2013"/> </front> <refcontent>Wayback Machine archive</refcontent> </reference> <reference anchor="Muncaster-2013" target="http://www.theregister.co.uk/2013/05/09/malaysia_fraud_elections_ddos_web_blocking/"> <front> <title>Malaysian election sparks web blocking/DDoS claims</title> <author initials="P." surname="Muncaster" fullname="Phil Muncaster"> <organization/> </author> <date month="May" year="2013"/> </front> <refcontent>The Register</refcontent> </reference> <reference anchor="Dobie-2007" target="http://news.bbc.co.uk/2/hi/asia-pacific/7016238.stm"> <front> <title>Junta tightens media screw</title> <author initials="M." surname="Dobie" fullname="Michael Dobie"> <organization/> </author> <date month="September" year="2007"/> </front> <refcontent>BBC News</refcontent> </reference> <reference anchor="Heacock-2009" target="https://opennet.net/blog/2009/07/china-shuts-down-internet-xinjiang-region-after-riots"> <front> <title>China shuts down Internet in Xinjiang region after riots</title> <author initials="R."
surname="Heacock" fullname="Rebekah Heacock"> <organization/> </author> <date month="July" year="2009"/> </front> <refcontent>OpenNet Initiative</refcontent> </reference> <reference anchor="Cowie-2011" target="https://archive.nanog.org/meetings/nanog51/presentations/Tuesday/LT-Cowie-Egypt%20Leaves%20The%20Internet.pdf"> <front> <title>Egypt Leaves The Internet</title> <author initials="J." surname="Cowie" fullname="Jim Cowie"> <organization/> </author> <date month="February" year="2011"/> </front> <refcontent>NANOG 51</refcontent> </reference> <reference anchor="Thomson-2012" target="http://www.theregister.co.uk/2012/11/29/syria_internet_blackout/"> <front> <title>Syria cuts off internet and mobile communication</title> <author initials="I." surname="Thomson" fullname="Iain Thomson"> <organization/> </author> <date month="November" year="2012"/> </front> <refcontent>The Register</refcontent> </reference> <reference anchor="BBC-2013b" target="https://www.bbc.com/news/world-asia-china-24396957"> <front> <title>China employs two million microblog monitors state media say</title> <author> <organization>BBC</organization> </author> <date year="2013"/> </front> </reference> <reference anchor="Calamur-2013" target="http://www.npr.org/blogs/thetwo-way/2013/11/29/247820503/prominent-egyptian-blogger-arrested"> <front> <title>Prominent Egyptian Blogger Arrested</title> <author initials="K."
surname="Calamur" fullname="Krishnadev Calamur"> <organization/> </author> <date year="2013"/> </front> </reference> <reference anchor="AP-2012" target="http://www.huffingtonpost.com/2012/12/03/sattar-beheshit-iran_n_2233125.html"> <front> <title>Sattar Beheshit, Iranian Blogger, Was Beaten In Prison According To Prosecutor</title> <author> <organization>Associated Press</organization> </author> <date year="2012"/> </front> </reference> <reference anchor="Hopkins-2011" target="http://readwrite.com/2011/03/03/communications_blocked_in_libya_this_week_in_onlin"> <front> <title>Communications Blocked in Libya, Qatari Blogger Arrested: This Week in Online Tyranny</title> <author initials="C." surname="Hopkins" fullname="Curt Hopkins"> <organization/> </author> <date year="2011"/> </front> </reference> <reference anchor="Guardian-2014" target="http://www.theguardian.com/world/2014/apr/17/chinese-blogger-jailed-crackdown-internet-rumours-qin-zhihui"> <front> <title>Chinese blogger jailed under crackdown on 'internet rumours'</title> <author> <organization>The Guardian</organization> </author> <date year="2014"/> </front> </reference> <reference anchor="Bristow-2013" target="http://news.bbc.co.uk/2/hi/asia-pacific/7783640.stm"> <front> <title>China's internet 'spin doctors'</title> <author initials="M." surname="Bristow" fullname="Michael Bristow"> <organization/> </author> <date year="2013"/> </front> </reference> <reference anchor="Fareed-2008" target="http://www.theguardian.com/media/2008/sep/22/chinathemedia.marketingandpr"> <front> <title>China joins a turf war</title> <author initials="M." surname="Fareed" fullname="Malik Fareed"> <organization/> </author> <date year="2008"/> </front> </reference> <reference anchor="Gao-2014" target="http://www.nytimes.com/2014/06/04/opinion/tiananmen-forgotten.html"> <front> <title>Tiananmen, Forgotten</title> <author initials="H."
surname="Gao" fullname="Helen Gao"> <organization/> </author> <date year="2014"/> </front> </reference> <reference anchor="Murdoch-2008" quoteTitle="false" target="http://access.opennet.net/wp-content/uploads/2011/12/accessdenied-chapter-3.pdf"> <front> <title>"Tools and Technology of Internet Filtering" in "Access Denied: The Practice and Policy of Global Internet Filtering"</title> <author initials="S. J." surname="Murdoch" fullname="Steven J. Murdoch"> <organization/> </author> <author initials="R." surname="Anderson" fullname="Ross Anderson"> <organization/> </author> <date year="2008"/> </front> <seriesInfo name="DOI" value="10.7551/mitpress/7617.003.0006"/> </reference> <reference anchor="AFNIC-2013" target="http://www.afnic.fr/medias/documents/conseilscientifique/SC-consequences-of-DNS-based-Internet-filtering.pdf"> <front> <title>Report of the AFNIC Scientific Council: Consequences of DNS-based Internet filtering</title> <author> <organization>AFNIC</organization> </author> <date month="January" year="2013"/> </front> </reference> <reference anchor="ICANN-SSAC-2012" target="https://www.icann.org/en/system/files/files/sac-056-en.pdf"> <front> <title>SAC 056: SSAC Advisory on Impacts of Content Blocking via the Domain Name System</title> <author> <organization>ICANN Security and Stability Advisory Committee (SSAC)</organization> </author> <date month="October" year="2012"/> </front> </reference> <reference anchor="Ding-1999" target="http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.132.3302&amp;rep=rep1&amp;type=pdf"> <front> <title>Centralized Content-Based Web Filtering and Blocking: How Far Can It Go?</title> <author initials="C." surname="Ding" fullname="Chen Ding"> <organization/> </author> <author initials="C. H." surname="Chi" fullname="Chi-Hung Chi"> <organization/> </author> <author initials="J." surname="Deng" fullname="Jing Deng"> <organization/> </author> <author initials="C. L."
surname="Dong" fullname="Chun-Lei Dong"> <organization/> </author> <date month="October" year="1999"/> </front> <seriesInfo name="DOI" value="10.1109/ICSMC.1999.825218"/> <refcontent>IEEE SMC'99 Conference Proceedings</refcontent> </reference> <reference anchor="Trustwave-2015" target="https://www3.trustwave.com/software/8e6/hlp/r3000/files/1system_filter.html"> <front> <title>Filter : SNI extension feature and HTTPS blocking</title> <author> <organization>Trustwave</organization> </author> <date year="2015"/> </front> </reference> <reference anchor="Sophos-2023" target="https://support.sophos.com/support/s/article/KB-000036518?language=en_US"> <front> <title>Sophos Firewall: Web filtering basics</title> <author> <organization>Sophos</organization> </author> <date year="2023"/> </front> </reference> <reference anchor="Shbair-2015" target="https://hal.inria.fr/hal-01202712/document"> <front> <title>Efficiently Bypassing SNI-based HTTPS Filtering</title> <author initials="W. M." surname="Shbair" fullname="Wazen M. Shbair"> <organization/> </author> <author initials="T." surname="Cholez" fullname="Thibault Cholez"> <organization/> </author> <author initials="A." surname="Goichot" fullname="Antoine Goichot"> <organization/> </author> <author initials="I."
surname="Chrisment" fullname="Isabelle Chrisment"> <organization/> </author> <date month="May" year="2015"/> </front> </reference> <reference anchor="RSF-2005" target="http://archives.rsf.org/print-blogs.php3?id_article=15013"> <front> <title>Technical ways to get around censorship</title> <author> <organization>Reporters Sans Frontieres</organization> </author> <date year="2005"/> </front> </reference> <reference anchor="Marczak-2015" target="https://www.usenix.org/system/files/conference/foci15/foci15-paper-marczak.pdf"> <front> <title>An Analysis of China's "Great Cannon"</title> <author initials="B." surname="Marczak" fullname="Bill Marczak"> <organization/> </author> <author initials="N." surname="Weaver" fullname="Nicholas Weaver"> <organization/> </author> <author initials="J." surname="Dalek" fullname="Jakub Dalek"> <organization/> </author> <author initials="R." surname="Ensafi" fullname="Roya Ensafi"> <organization/> </author> <author initials="D." surname="Fifield" fullname="David Fifield"> <organization/> </author> <author initials="S." surname="McKune" fullname="Sarah McKune"> <organization/> </author> <author initials="A." surname="Rey" fullname="Arn Rey"> <organization/> </author> <author initials="J." surname="Scott-Railton" fullname="John Scott-Railton"> <organization/> </author> <author initials="R." surname="Deibert" fullname="Ron Deibert"> <organization/> </author> <author initials="V." surname="Paxson" fullname="Vern Paxson"> <organization/> </author> <date month="August" year="2015"/> </front> </reference> <reference anchor="Fifield-2015" target="https://petsymposium.org/2015/papers/03_Fifield.pdf"> <front> <title>Blocking-resistant communication through domain fronting</title> <author initials="D." surname="Fifield" fullname="David Fifield"> <organization/> </author> <author initials="C." surname="Lan" fullname="Chang Lan"> <organization/> </author> <author initials="R."
surname="Hynes" fullname="Rod Hynes"> <organization/> </author> <author initials="P." surname="Wegmann" fullname="Percy Wegmann"> <organization/> </author> <author initials="V." surname="Paxson" fullname="Vern Paxson"> <organization/> </author> <date month="May" year="2015"/> </front> <seriesInfo name="DOI" value="10.1515/popets-2015-0009"/> </reference> <reference anchor="Google-RTBF" target="https://support.google.com/legal/contact/lr_eudpa?product=websearch"> <front> <title>Search removal request under data protection law in Europe</title> <author> <organization>Google, Inc.</organization> </author> <date year="2015"/> </front> </reference> <reference anchor="DMLP-512" target="https://www.dmlp.org/legal-guide/protecting-yourself-against-copyright-claims-based-user-content"> <front> <title>Protecting Yourself Against Copyright Claims Based on User Content</title> <author> <organization>Digital Media Law Project</organization> </author> <date month="May" year="2012"/> </front> </reference> <reference anchor="Kopel-2013" target="http://dx.doi.org/doi:10.15779/Z384Q3M"> <front> <title>Operation Seizing Our Sites: How the Federal Government is Taking Domain Names Without Prior Notice</title> <author initials="K." surname="Kopel" fullname="Karen Kopel"> <organization/> </author> <date year="2013"/> </front> </reference> <reference anchor="Bortzmeyer-2015" target="https://labs.ripe.net/Members/stephane_bortzmeyer/dns-censorship-dns-lies-seen-by-atlas-probes"> <front> <title>DNS Censorship (DNS Lies) As Seen By RIPE Atlas</title> <author initials="S."
surname="Bortzmeyer" fullname="Stéphane Bortzmeyer"> <organization/> </author> <date month="December" year="2015"/> </front> </reference> <reference anchor="Wang-2017" target="https://www.cs.ucr.edu/~zhiyunq/pub/imc17_censorship_tcp.pdf"> <front> <title>Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship</title> <author initials="Z." surname="Wang" fullname="Zhongjie Wang"> <organization/> </author> <author initials="Y." surname="Cao" fullname="Yue Cao"> <organization/> </author> <author initials="Z." surname="Qian" fullname="Zhiyun Qian"> <organization/> </author> <author initials="C." surname="Song" fullname="Chengyu Song"> <organization/> </author> <author initials="S.V." surname="Krishnamurthy" fullname="Srikanth V. Krishnamurthy"> <organization/> </author> <date month="November" year="2017"/> </front> <seriesInfo name="DOI" value="10.1145/3131365.3131374"/> </reference> <reference anchor="Wang-2020" target="https://www.cs.ucr.edu/~zhiyunq/pub/ndss20_symtcp.pdf"> <front> <title>SYMTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery</title> <author initials="Z." surname="Wang" fullname="Zhongjie Wang"> <organization/> </author> <author initials="S." surname="Zhu" fullname="Shitong Zhu"> <organization/> </author> <author initials="Y." surname="Cao" fullname="Yue Cao"> <organization/> </author> <author initials="Z." surname="Qian" fullname="Zhiyun Qian"> <organization/> </author> <author initials="C." surname="Song" fullname="Chengyu Song"> <organization/> </author> <author initials="S.V." surname="Krishnamurthy" fullname="Srikanth V. Krishnamurthy"> <organization/> </author> <author initials="K.S." surname="Chan" fullname="Kevin S. Chan"> <organization/> </author> <author initials="T.D." surname="Braun" fullname="Tracy D.
Braun"> <organization/> </author> <date month="February" year="2020"/> </front> <seriesInfo name="DOI" value="10.14722/ndss.2020.24083"/> </reference> <reference anchor="Li-2017" target="https://david.choffnes.com/pubs/liberate-imc17.pdf"> <front> <title>lib•erate, (n): a library for exposing (traffic-classification) rules and avoiding them efficiently</title> <author initials="F." surname="Li" fullname="Fangfan Li"> <organization/> </author> <author initials="A." surname="Razaghpanah" fullname="Abbas Razaghpanah"> <organization/> </author> <author initials="A." surname="Molavi Kakhki" fullname="Arash Molavi Kakhki"> <organization/> </author> <author initials="A." surname="Akhavan Niaki" fullname="Arian Akhavan Niaki"> <organization/> </author> <author initials="D." surname="Choffnes" fullname="David Choffnes"> <organization/> </author> <author initials="P." surname="Gill" fullname="Phillipa Gill"> <organization/> </author> <author initials="A." surname="Mislove" fullname="Alan Mislove"> <organization/> </author> <date month="November" year="2017"/> </front> <seriesInfo name="DOI" value="10.1145/3131365.3131376"/> </reference> <reference anchor="Bock-2019" target="https://geneva.cs.umd.edu/papers/geneva_ccs19.pdf"> <front> <title>Geneva: Evolving Censorship Evasion Strategies</title> <author initials="K." surname="Bock" fullname="Kevin Bock"> <organization/> </author> <author initials="G." surname="Hughey" fullname="George Hughey"> <organization/> </author> <author initials="X." surname="Qiang" fullname="Xiao Qiang"> <organization/> </author> <author initials="D."
surname="Levin" fullname="Dave Levin"> <organization/> </author> <date month="November" year="2019"/> </front> <seriesInfo name="DOI" value="10.1145/3319535.3363189"/> </reference> <reference anchor="Bock-2020" target="https://geneva.cs.umd.edu/papers/evading-censorship-in-depth.pdf"> <front> <title>Detecting and Evading Censorship-in-Depth: A Case Study of Iran's Protocol Filter</title> <author initials="K." surname="Bock" fullname="Kevin Bock"> <organization/> </author> <author initials="Y." surname="Fax" fullname="Yair Fax"> <organization/> </author> <author initials="K." surname="Reese" fullname="Kyle Reese"> <organization/> </author> <author initials="J." surname="Singh" fullname="Jasraj Singh"> <organization/> </author> <author initials="D." surname="Levin" fullname="Dave Levin"> <organization/> </author> <date month="January" year="2020"/> </front> </reference> <reference anchor="Bock-2020b" target="https://geneva.cs.umd.edu/posts/china-censors-esni/esni/"> <front> <title>Exposing and Circumventing China's Censorship of ESNI</title> <author initials="K." surname="Bock" fullname="Kevin Bock"> <organization/> </author> <author> <organization>iyouport</organization> </author> <author> <organization>Anonymous</organization> </author> <author initials="L-H." surname="Merino" fullname="Louis-Henri Merino"> <organization/> </author> <author initials="D." surname="Fifield" fullname="David Fifield"> <organization/> </author> <author initials="A." surname="Houmansadr" fullname="Amir Houmansadr"> <organization/> </author> <author initials="D."
surname="Levin" fullname="Dave Levin"> <organization/> </author> <date month="August" year="2020"/> </front> </reference> <reference anchor="Rambert-2021" target="https://www.andrew.cmu.edu/user/nicolasc/publications/Rambert-WWW21.pdf"> <front> <title>Chinese Wall or Swiss Cheese? Keyword filtering in the Great Firewall of China</title> <author initials="R." surname="Rambert" fullname="Raymond Rambert"> <organization/> </author> <author initials="Z." surname="Weinberg" fullname="Zachary Weinberg"> <organization/> </author> <author initials="D." surname="Barradas" fullname="Diogo Barradas"> <organization/> </author> <author initials="N." surname="Christin" fullname="Nicolas Christin"> <organization/> </author> <date month="April" year="2021"/> </front> <seriesInfo name="DOI" value="10.1145/3442381.3450076"/> </reference> <reference anchor="Knockel-2021" target="https://dl.acm.org/doi/10.1145/3473604.3474560"> <front> <title>Measuring QQMail's automated email censorship in China</title> <author initials="J." surname="Knockel" fullname="Jeffery Knockel"> <organization/> </author> <author initials="L." surname="Ruan" fullname="Lotus Ruan"> <organization/> </author> <date month="April" year="2021"/> </front> <refcontent>FOCI '21: Proceedings of the ACM SIGCOMM 2021 Workshop on Free and Open Communications on the Internet, Pages 8-15</refcontent> <seriesInfo name="DOI" value="10.1145/3473604.3474560"/> </reference> <reference anchor="Bock-2021" target="https://geneva.cs.umd.edu/papers/woot21-weaponizing-availability.pdf"> <front> <title>Your Censor is My Censor: Weaponizing Censorship Infrastructure for Availability Attacks</title> <author initials="K." surname="Bock" fullname="Kevin Bock"> <organization/> </author> <author initials="P." surname="Bharadwaj" fullname="Pranav Bharadwaj"> <organization/> </author> <author initials="J." surname="Singh" fullname="Jasraj Singh"> <organization/> </author> <author initials="D."
surname="Levin" fullname="Dave Levin"> <organization/> </author> <date month="May" year="2021"/> </front> <seriesInfo name="DOI" value="10.1109/SPW53761.2021.00059"/> </reference> <reference anchor="Bock-2021b" target="https://geneva.cs.umd.edu/papers/foci21.pdf"> <front> <title>Even Censors Have a Backup: Examining China's Double HTTPS Censorship Middleboxes</title> <author initials="K." surname="Bock" fullname="Kevin Bock"> <organization/> </author> <author initials="G." surname="Naval" fullname="Gabriel Naval"> <organization/> </author> <author initials="K." surname="Reese" fullname="Kyle Reese"> <organization/> </author> <author initials="D." surname="Levin" fullname="Dave Levin"> <organization/> </author> <date month="August" year="2021"/> </front> <seriesInfo name="DOI" value="10.1145/3473604.3474559"/> <refcontent>FOCI '21: Proceedings of the ACM SIGCOMM 2021 Workshop on Free and Open Communications on the Internet, Pages 1-7</refcontent> </reference> <reference anchor="Satija-2021" target="https://sambhav.info/files/blindtls-foci21.pdf"> <front> <title>BlindTLS: Circumventing TLS-based HTTPS censorship</title> <author initials="S." surname="Satija" fullname="Sambhav Satija"> <organization/> </author> <author initials="R." surname="Chatterjee" fullname="Rahul Chatterjee"> <organization/> </author> <date month="August" year="2021"/> </front> <seriesInfo name="DOI" value="10.1145/3473604.3474564"/> <refcontent>FOCI '21: Proceedings of the ACM SIGCOMM 2021 Workshop on Free and Open Communications on the Internet, Pages 43-49</refcontent> </reference> <reference anchor="Elmenhorst-2021" target="https://dl.acm.org/doi/pdf/10.1145/3487552.3487836"> <front> <title>Web Censorship Measurements of HTTP/3 over QUIC</title> <author initials="K." surname="Elmenhorst" fullname="Kathrin Elmenhorst"> <organization/> </author> <author initials="B." surname="Schuetz" fullname="Bertram Schuetz"> <organization/> </author> <author initials="N."
surname="Aschenbruck" fullname="Nils Aschenbruck"> <organization/> </author> <author initials="S." surname="Basso" fullname="Simone Basso"> <organization/> </author> <date month="November" year="2021"/> </front> <seriesInfo name="DOI" value="10.1145/3487552.3487836"/> <refcontent>IMC '21: Proceedings of the 21st ACM Internet Measurement Conference, Pages 276-282</refcontent> </reference> <reference anchor="Elmenhorst-2022" target="https://www.opentech.fund/news/a-quick-look-at-quic/"> <front> <title>A Quick Look at QUIC Censorship</title> <author initials="K." surname="Elmenhorst" fullname="Kathrin Elmenhorst"> <organization/> </author> <date month="April" year="2022"/> </front> </reference> <reference anchor="Gilad" target="https://doi.org/10.1145/2597173"> <front> <title>Off-Path TCP Injection Attacks</title> <author initials="Y." surname="Gilad" fullname="Yossi Gilad"> <organization/> </author> <author initials="A." surname="Herzberg" fullname="Amir Herzberg"> <organization/> </author> <date month="April" year="2014"/> </front> <seriesInfo name="DOI" value="10.1145/2597173"/> <refcontent>ACM Transactions on Information and System Security, Volume 16, Issue 4, Article No.: 13, pp. 1-32</refcontent> </reference> <reference anchor="Siddiqui-2022" target="https://www.manrs.org/2022/03/lesson-learned-twitter-shored-up-its-routing-security/"> <front> <title>Lesson Learned: Twitter Shored Up Its Routing Security</title> <author initials="A."
surname="Siddiqui" fullname="Aftab Siddiqui"> <organization/> </author> <date month="March" year="2022"/> </front> </reference> <reference anchor="Google-2018" target="https://status.cloud.google.com/incident/cloud-networking/18018"> <front> <title>Google Cloud Networking Incident #18018</title> <author> <organization/> </author> <date month="November" year="2018"/> </front> </reference> <reference anchor="ekr-2021" target="https://educatedguesswork.org/posts/apple-csam-intro/"> <front> <title>Overview of Apple's Client-side CSAM Scanning</title> <author initials="E." surname="Rescorla" fullname="Eric Rescorla"> <organization/> </author> <date month="August" year="2021"/> </front> </reference> </references> <section anchor="acks" numbered="false"> <name>Acknowledgments</name> <t>This document benefited from discussions with and input from <contact fullname="David Belson"/>, <contact fullname="Stéphane Bortzmeyer"/>, <contact fullname="Vinicius Fortuna"/>, <contact fullname="Gurshabad Grover"/>, <contact fullname="Andrew McConachie"/>, <contact fullname="Martin Nilsson"/>, <contact fullname="Michael Richardson"/>, <contact fullname="Patrick Vacek"/>, and <contact fullname="Chris Wood"/>.</t> <t>Coauthor Hall performed work on this document before employment at the Internet Society, and his affiliation listed in this document is for identification purposes only.</t> </section> </back><!-- ##markdown-source:
l0FaLoLPHtPMBb1cT8qm0XPIt48XKs+S9V+Dz/vfTPiFAW15+h+J99YgTYNP ngzoIAu6FPetE1V4Y+EG/U+MVTH4jOcGgKktW3o3iF+qZFGH23mXpTfhePiZ X+LTeZYms9L/3lQ//x9tKj8O1KTtXFv8pignygeTt3TJBNX+D507UwCReFpW 8ZlalGmVpKv4XwXLyrycBSCzuOFp/iOdNAw0UVSU1YJmulUvCGUIcdxf8YeX pzvPjvZf8H89e3Z4oP/r6Z7+r6c7T5/Kfz0/eG5+fX74nP7ron/Gl9dv8rpf F1lfFWm1Wup7Dn5V9LM/9pc2S/tNlRT1ktCLF/LxZG9nb0cApCFkVQ1Bf9Ms 6xfDYVVPsZWhKoZ4qH8HmtNfVqqu+9NKqUm56GcEQV/6fFBZMetPVJrVtEn8 RzJR/c9lWxVJntWLvvqSpKoaEy2Z9NOSQD25zYiGyJeFwD3CZ4S0xVf4TPxS PkPISp95EZ/r78RJbL4Uy5f4ltzXerH3uXi8ir0vPuJPWmIS64t/EX9QOBZC iPhjRj+2DaFsBQThhyY01YsYK6Rze3189v7qor/97O7u7gbzZFIus8G0wgkC Oob7T58+DzZ8Vf3n/6rp9Bjiti7sNY2p+Lhtyipr/vN/xUvaZ5wn8Vk2nbY1 vUmHUMelam/p0GIiafTbVVU2Km3Mj2dVmTV1XNOLhvCt72o0Oj7t7+4cPbAv QrGiMJBRrwjzFsNplqta/7NOUp6FqMByMg32Sx+gX17E13MVXyyWOU2FJdZg aWfvRnF5Swj3+vr6ahQTbXJD15ejradzcXr87l08UmlLp7Pi90ZNMs5y/HU8 uSU6Tlh+Wi4WGdE5tb5tnmBvZ3fv79/yrM0mSZES3JdEDop+rbKvLV1Gf+fZ Iql29zadxSv9DoMugfsyYdA+4xnid0Sj4vcMfj3anEwH6pPcEEbcFdvB+B85 j909Oo/rsroHAuihowHOhKBxWZWfCcj4YEiaqIfLvJ3NknGuHJmpB/NmkQ9U EWyevvEivjJPx9f26a3bAshc80nxN9ev8eNV/0xN71k53cFddpMt1YT4H5Z8 N2TyNVjOl7/jhf3khKl/LfNJNvnp6GD/aP/54dFhsHr32NblfjRfItJTNFU2 BvZuoCTnp/1ZshjnoJ7bYVC1VT+nldK/y2VC/xrmapbkfcxN5GN4/m54/cfr 4e/oyn86Pb88/+OLQ0w2Ot3ZPwiX/r6gT6nYfJPYY9wAGZkoJDlxxepGNVu3 dY4FqKQQ+KlBfNYBqLOnoy17Sr3tkMB418yHZj/qNslbJg39Ss3aPKHDW/Wb sgRXAy9NMXfJe3HfqlrCxT4BfJ/EqqJQeS48aYGhprxLqknd3/3UAcVz+y1Q Ife5mD/H2Gk/GZed4+NPMo7pT2JQvhjrLwoAlHlOnKicTgmh//7TPZLTvQdQ /EO1UkdZfKpFyh0W6q6uynIxzBbJTAFr2wVOnKZ81j/ABdRt3uh32gVRr9Wn ihkjndsnemrn08HezrOdddIuD+MMAVBErWie2vx51dJ5pbQvNz2dJf80bRui bXhQ5YTYxKfpQZIWF6oi4rgZPvnEMZ4RE1ELw0HN186yCryPpAMa2zTrY9Jc dob7u8Pz0yf/GKyTTNzMk0V/99nR7nb+MSvLWa4gAw/HZXlTD4kyYMHDT8Pz 9OD6mP73++Pjn383z3/qQOdVUpQk3NG9EDfQR1EvNWd/Xba12rR+rQipSi1W Zon6J602BaOyI2wB8JXnbd7fPXq2v30/S1UQyyuIahPDm2MV3t4Onu7tHwyX gEISpydJf7zqf05S6KV9hcmHHRnIPChE/qWBWdzmW1X8WMfHDT3ckhxzz17l A7L6zlbdmN4o7Q3Cr6K1Ae437/NzS3pSRc8AlfDYcHeXCHH/To3rrFH9cV6m 
N4Tu4W7eqbv4/BeSwO5iSMopUX5alX4nNu8YsMbasc0fGe8INuklI7f9eM9m sTRef2endsjC6DPa6Jsim80b2urO4fYrBWEgElE0Wd3wZSYVgV1OJKJ4dvj8 qJ/RZWdJ0Yf+7tkHluUdQdkEd9zW/cbqRuGpXMjLMfRt93KsX4aA/ssodi9v 3/nHLM/1fvytfxz4g2bzO4cQai/O3m2XCfJkXA8q4tS0/2b4Vi3GRJ+Hs6y8 TQr1aUGCdjKcKL4RYiXMR5Ib5iokg5EWlLQT4gBFw1AxL5fEfpp+0k/TJp8E J3BmJmHSdc2TkKx3V5COYyaJP+pJ4qRh8BgUeZym15dn2w/klSw1foul+kfy auCNBSLHKRHNpGjvYc2Ah68TOpEAEEh3qrOEGGl/ktUEsAVtiI6AtEBaK2mC 2riT1H0SZZt+OaWDWObginRqqm5CkPjAsxGTjN1sMWYTum6sM0kdYzYgSRLr 2WLMtv1ITpOGlMDC7NM/lNNBMBrw1deKlL8cp3IPljCKpKpWTXKriqyCdjcn wGPIHzJ/IWBgMUTUNfqvJSlmGCXkJxJV9VvSD0BAzB4/7R8+3wv1wlOZKGbh wuh9dBIyU6xnitsiZrJiVLrtZ/I+z24z6Fa8Sf9I3g/8QXsiQJ3zAoIMTuQe bXDWDmo1JEGjvilADZfg9DdMwIe/4z9Ex7sgYfrp4dFeSBdGVyRhZblW6+mS 03lG2n8yblm5J0ZAvyQ5jJ9ESgkOSQSo1DTXDJBegFqrSKxifl+o+h4eQbJD pvSu/CN4O/AH7REAV14lTS5HcA+qkAajlrR+uv5ly6Y0whrQ02GttbBhXdJ6 +jdlpZJ+VmsCCjoSoA4R0booy6UIt2zdIT1qOs3SEHdGmC1+g9nirNYmYByg E5UIdYiqjvRskING7y6gZ2G27Uc0UtUsa/W2/TMaDfzBAHEuSWOt7zkioEZa tUU654PBg8Ndkr52iM4283ZMIv6CtHziHnVLq8ggscPaRrdNaLS86SdT2hER k0brvn02ywjpqZekLYen84pnjfWs8bXMqm14//l/0bR/++v/SULF1ZuYZybC YmaOeWYhQyPMvP2k3hGVqeeJ7N4/qXcDbyw4qD9kacO69X3AVKyabKHq4Kh2 joZsfBsmRDKHhFJfv5Jm0Z8roozzuilJCZqXBDM39A9Wt4PzONHP0+USrryf TuOTJL3JafVielCwmX0FlLx2E9JtQxzJIGTSL2/oH9vP4oy4u8r1/vyzOBv4 g8FhvCJYuiVuriCXPF8/D30cBNGzlhZP0gMfiSaxWQ0L5BCvDovydkjSmSeU ZL6JSx8DRMuTbBafEGUBmQDteEdY4nT57eJW6VbbEbjCcSt4PAf1fPlyu3CJ rRHVYjOEmJBYwqTd7OwNxYhEateMZDHSv+7mROSXyZIoS1fr+jjP0rlDef1K BnMgVE0mCCSANp5cyZcun4gJ5Ene+d36zfY3KRJvkzwt864iwaOLDW+9zRpa 26gp8+Zrh9x6g+E7r9o6/lCSZNARZdxY+PwfaN/xVfKlLgNq9YeBPxgIw9c1 NPXmK9Dw6ebLKRPCjmJSlzcDoVCDrBzy+dfDRr+Ot9d14PINAZpW+19VZVtM gFaei+40q0jhBhPHTdANnC+WWZWlWb146BKMl+k0qXK7i865BsPh66MExqhj Im3BS0TX3Vj4xnFRFisSgQPqxp4of/wfuY+nkEaT8p6rAJ6QdllkXxhVAtMr CY0E4hDHhvKI4ba7T8F4d59+4jv7lCbl2k0RFexfJcREr0+v4vMvyxzmcYK0 vByThPGBFhhfZousYYtFNmEthajcTNGlbpAwwkP4U6uwLf8A/jSwI+Gzf55n KxLjfp+F7PbPAzfUfYFI8WeSYz7Scjqv2KHwleuWVK+zcEHXAzvSgZOKpLeC 
Tobu7E2V1XMabokrrDpQs/5bOM9lVicASRK6bkOJM74MRgNouFSrcXIPhyTa RVp1Mxhn5UTV2awYJHULd9+QpkmGnrzJFPWoD5ksqUnimpc3alkSZ6jXgEG7 eVgzIyFH3SUroJOiqSujsR0Tk1wxk3zH0xOUHI/iUzfrQ0DxJqsaIm5Ey3iP /oG88cfCt05U8ZmEF6ITE6Yq/msng2A0fPF0RXdICA8PWkfcJSXIH+2S+klG hGIefyCIhX3HeM8dwQ+GO8BDfGoOYQBWHFxUB2j80UAaOJ0n2QOC0TYyMC3T jC5a4zrN86ldYu51nNemxAWsmex5IRHgXLynpKJCPn58Tv98AqV0G81+6Jr/ nC1K3k0HNe1Qh8YusmpOvE3RFb+aJ1PSUDrU1h9dfxcmQLrIOplUnfc6PwSn TZQvy+85brjt+aCToroTKRT/xQg1zQj2Dw76SUqINaM/6Ow2iCUJkU6iOn8q W4LthJgCy9Q0cnH1oLgxyhYEYrLKDgC5sfCVd9lN1iRw2GZ1edsRx/3R4Bw+ VtowtrvF1rksiZysKkW6890A5nRjDKnpQIgg1Fk9tNqb1WNJaVMkPvTzbIyI GKPPpCSWwXFOihBbkoiZQL32HBwTBYd16BO3sp1Tk2V6SA/6C7H3hRdAbvqE UDP+hO/U0J94UOIjmNTH08F+b7DD9ehE4pOKIHkS3BqxPn/UXgBMsCQj3ar7 NCISjBBjoB129qhneK0ADpM2VM6GFWJa4H/9nJXQryHjz1h/zqy1HIYrtr8a C254zh/0FPHPWQmlmqdgpdlNAcLAUxiD7oPn+KolGpKMk4neakes9QY73KKl 12ZVQrhQzOYdZuHGwpfO87Iokix+naU35Y3/0vnAHwxwgCe75waS6kt2K8Rg XA93j3b3BjvPD492gsN7Xd4hRoP4jaabTGk/qvGDXPHv2effe6h/SCoStU5A FQMIJUnHGwxO591xf/TmIY2dBAbSlUnu4GNKV7Aha1GU4C9rMg78GaZ7Y/xf HwBrqEffMwxJOM+ipDfYmhNaNY71G0QGnfXnxzqGw+G6LHNW615aGnGRs4fY qYan4lp96EI+lLT6Jn5LOwkF/w8Df7BDLdq6IWo0mjO56RAMf7RD5xWJsnOI v+9C9xQR+neBa8pICXSWX1VxmYxxJRuMBkIy+KE8GQ/SBMyLdOr9IUGLsaX1 ayKNtzACkNCQ3qiGLoRGJ0TlUxqbKNIGVprEsDm3Xq5IzFL9pq1u1Kpfr6os CS/nhGBR29agacn0bGW64i9c4gvxmXwh/qWGDbukv/Gl+JX9UjySL4G0X/PH mIp/IJkMDs34fIZALyLoNANwrCTdjdhCBnXlePKwHn8C7wmJ3unXJCAPJ4Ng tHO5yU07JmUhVzedm3VjXVWzIgHybfqmLVTnWr3BjjAzSRYEEMU04Dckx7ix LoeaE8SlZdP0PyQE9uUa3K391oV0UooUGGjTgXN/1MIfTDrv37+7uIcYlIS6 TAKWZd1o9WNOElLfhp1scRqe4ikwnYLoqPURkogd56TRtclMxdphzGYrG1vy oCDV3szHJCSuEdfRduJ6TGpKVYKSJHXzn/9P5zaC4Y59gqTUJP7jqigDlwup gG4swGZzmlvweO00n7MPss+WrLoh5G321r2MEvhWQ5k/u7pwh0nHdlHUDXjN In58BZfS3kbXv9ZeiTRlk/j8dlLekEQfSJSkvobjAYycJfd6lcEwkpSoQE13 zdu7gfOggbl/3jZs3iY6RUSjCjd3mcCCzjLJ9furF8xgf3hD71407wvnLzOT xHqSh0DkOivaErGESehMZvvAZJNKeqVgM39LlCygB1cDbyywuP1BVTfJYnlP 1Mp3WnlY09vT/xJFZLerelzgaeaAbxVsYVkqKKPGvkp3zLY5EVJgWH9QGp4X 
/aukzc1eQlJDW/fHu2a7IvmSkcyybJIOXrixIKTkXTLOtugkdFY744Nk+jSd pHvTnfTw6Oj5wSGRmZ29g8P0MD3af5YeTtQkTZP96e6zpwcqTY/Ge9NBdbA/ SKd7AwBFOhFT+u7e/vNnfT7N/X5BH+2eJUzmJHY05WK14QwzaGg3GYL4t6LR n9txQvQHO/L3/ueBGwr0getEQsbusQam9aBpp03NRh9Yd4a7u09JSiXcIBlr SkQT7w9TWtZsHTjA3RvoRiJMmYChVyRLNUTcKhLliOrSKJPkrfsibb7kxfq7 Oh24ocCodVytxIe4Bfw/zxNkBiz4Vpbt2NiamdzJ/axp2E6uC24EJBDOUtpK 3cSXZXnzHcp2W83mssgOj3Bj4Tuvy0Wy/sLr7S8QOz7O1RfkYkw2yIjHg84v AT68buvk5h6oyLPiZlAvgfTa92oiFnZ3Bru7z58O6939p/uHfZqhv7Ozv9N/ 5h+lhBtr2dBBBsf05QiIibMJbD9TbVjUmiGsinBRj0aXw+vLEann+DxWgSiP Bw79LVZYyM46RMGNdelIjlA0nFH3FW+wQ9zhhySFtqqz4B0i7t5gh7wnt3Ay qLwTXXQ18AcD+GY5cDvFchS8HtQZvOQL0eYXKdj6vgX3Rbq7u0cCOKY77kL8 MRF0Os4J6zkXciMrY50l5WaaVQvjAifxGDj8y4dLTyMiwWDSpo1EdH6P1+87 5N6AeHFqDI7h4KFj2Nt0DgfmHJZ7R0dru2+JCnMygw4kIjjExl8GUMeEy9GD EzZVXJH4WG/dZZjTsyn3x+7xABqYtv1uCQpxNLotFkyh/49UvzHMiGfVeG2N lmkfGGmro6adrCTWx5jZ+yP6ASGdtURR0xEQ7ask78Edxohlhhfs2h7DIX6p AMcv/diS19dvL0mZqpckRyu2nzGVvy+AcqLYGP49lvAgboS1lnsMi56SChBg NNjdZf8+gpcbhDFrh0PfC+Pt61hiEn6r7DZJV328UfQXJE/CGDvrJ0uXVdEx ICDc6hRzv/C8GRducjYRYHKGrCv5AE4JbxaEfvob8bH3je2H9x0aXYA+H9p6 rraEX20JBvDCDRmBpmqMUxzjIHQ4AGtgqlZ9o0n1awVhoa8DlP0jOsHmbGgO Awe96XQwedOGNoOOtKyI62jOX0ZbD+OsJOJE7IU36Z/H2cAbC87jdK5EGNqM ZwkxeM73TBN7Fn2xV+MwdoY7T4cSdtxv7lRyU2tdtCldrAgdglgW+jWt0hxJ ADaveIq4bhCWaENBOCjNvo0gPVFhl3myquM5XdHYoMXWYN1MdthFKTsW4NNJ uaKN7B4dbVGr6nROWgyTvUGe3A0m7Y1i+jNNUtrT6pP3wPDp7lGIGi/LNiXp vmGSwOa7ZZKy/lzdqizPYRfuxSPYaVQ2K5pVj1HkNe3zLoNrWBPd+8KTCUVl F50NuzETnHwEpenjPGsQlVRt56thlCZJwc/7OtW27tc3q6XqE3TWuHCBaWNa 7GeNQwsG4P6zHfof6QN7z4OD2e3RpLGZNB5hUoA8m55k0l6sZ+VAPIMyPOt2 rSAhLLIb7CgG4XiAEScnp/efxnicuti7lkSSg6PnO8+eHm4AaNwf6atVWZdT AuBZpQDkalk7Gz+CEJFhsIV/co4ALQkW2HoD+pbFJM+mU7V9ybPs66KclLxk japJUZBmCjPkQuTLPu0FiEnMjxldjcBADpLsY3393YOnTw/3j3af7m/Y5LGZ jQROkVZhLf7gzYbAwFMOuTzm3Y6ExF2TRLn9/giYM+U22MXgYDw4kz/POep4 Q6JE4GiYNkv5y0hEu7s7z/gfg/1nRwdrslERH3v6nIFBvZXzYoaMHSsIbN3V Nal0tMCOnGxG7D6QIvExmRWMmTsbLIHYyuS2TIl5DmYcT3JbwuwrqUOSeLa0 
mVvtMi+TCYIVdo5AsidKLcUq7dxOCcKItOfLRbntrclRZ/SuNjj7WSIA9Q3q okmBN+EMdG9E32aKHeN4K/7bX/87HplVLHi6vGc+ZZEV7klSgGQpB9URLb1B GzDHXmnOvr1fsqxXpCISq9OxgBw17nyyBCxZDgu+WmrTvuf/61o2rvhhzjzd eG7bAWXOapUstwMu3mDAv06JMcLGR1vdoMVuVGJJDFzSXKzE7jD8Hx0+Ozg8 +BSEUF/MChf6+1vNGB8QUlZNzOr8vSD8wxu1F8X2DBMAtkXZ+a0mvQP9L6J+ euI1S5SOqUuQi7WsFAkJTM6uiIzp5LH1/f9YcwLxvaoeE/EwoC3Qd96QvNwk 9yi3/1xz3JExx93Id7edw0WetwvEXkgyvKfzvRVuTHt/i3oE4GYvkxTJv3AS nd8m9X2gPZorAogx3YPZecci5I8GpP0j8RB1j40LbvpuyjC77m8KuOS9f2ZF f1xlkxlccaXJmdX7f4MH/H9mxY8gVifyAonZ5T1yx3W2kHV2kNaNBXYnolN1 k0yn98sclULIfx3YnVid2zkc7hxAClkkkIpJsVM6bcEkrmaTX96cfDg/Otjf OXqFd3YOdw4C5C4QXcsv90zqqZkkHtNNID8EwhLBQJHUzSombNh+uzqM1+yr w7eD4eBuX6tlo3N5t+Q4rqdW019D/d6n28Gn4+t/2Xt6HZjd5Mf4th7Ex9f/ er0NOa2za50Nv/6s8sVtdvNAhkqW1UhR4QT1uX7l05hIBRxDXQw70ePCNYnW lLfaeNSUaZnH78fTthbdd+s5n1fZjV2cf8oIw/CHQ5OBdhs/QFSN85oBDp4e kR9mUn3HV4nNk15WXr+el3dpUnOVhu2/Wk95mkNuNJbPNYHDEwlG+lVgo/aE g4F4b9NVzlc6qpJTdsXOgFBEmCCIdUJ3JYBHNZqtSbnmlNZJ9UeWkbaQoEC+ pG0Qtd05GOwcHDy7XXMhIZjFemRPjAPxWicxbLrwK5KgcyK+soSO1dQbDMiL z0V3tqi1DeIli2YKoOQLp1PmOKaVBLWWCzrzpj8mlUme7DdzgtSGE993nu3u 7O12d0YM4YTfBivF28QqTuz7JNyY938jt+xuaZvli0jFDGx6SlzacQGmmJ+T wqQEsQaGSjFss8Cus6ZPAtFSIZsQf8+QashuPPyEeLq7OdE3/HFHt8HJQv2w vsyrrHndjmM9t7X/xf2YJiT9NTYf6PEAndQMGYjiK8waUfr5K3gYXxHi225V D7ec1T4n19XJ9B4/Xwdc93f3BofP9o/WwdVlll6wSiHSvBZnzyrYbcoizAy7 zRIEvg8vruIR1xCT2gXbOeeHcpXoFXeERG8wlAdUcnufiiRVVbKKd4j4F6Pr VUiuJLH9s7C5QTGp6501e7jb9EuaANrJ6ZXe8/ouuqGibAqq9RL9/bwb+INr gVEIceIKAp0z8Ab/gWwI1oHe0fpVeg+npeurByod0n77H0bXny7MQQViovwY hz9ugM9iv9kb7KfrrHVEZ6SKeyiTn8AEfQv6C2uxz5CwRr/0JUiDLSv9ZGlp FdF6NlSLfsbmKSaQ0AgC5nL+8iUn+tbaOnNHlCE+vnph6Baos54s1pMBZe1k 8gIsUca5d1/aIz0qe+4IvN6gvSgOaiiLy3JOymixJX/t3kN6jkyvaZqakiWz hL7X+PS8bwi6iWDxz+bl6Wn8gSuPHMub9kxgkyZqfq2p+Yn/8qaNv4T10u3F 3/zLQfeHIL0NZfXU6oHNE7SiHCAnL4YS8t6zZ/u7T7XVusoWnFvl/cE0flIQ j0vSueovy4zwBXCD+eq1JEdwNih7/HRsn4756e0minKs99ExUXiDgYzx50X2 Wd3VN9k9Qhr4WU1XnqS64oex3eDfJCawhWWIWMKsnvc3GHaYdRFQsOnPCvQG 
teW9TQYdrg0FHZlDQu9TBM6RQmb30pFQw/Fg+8cvr7b7N9kAq5MrM0ma0nYM 4rG1l+QMYYbjnKSujJrkK7plQlSuIuGlRnO5H3yvH0gxwrRfJ86qaQ/jxMxt irnR3PEpz01SD8w+WRW/vyu8lGnEzm7n3y+vNpwCMfX+6OLV6fu3b7fImiyo ey5ejhUnEjCFl8FYQdLK8DyIT8Of23w13Nvffba/86zP/95d4/WwW52WeY60 eGLyZwmM0xLbtg4O4xWjxINM4D6BLkcg5D3sqCR5CR4IVM8wgtwu2zEJdZtk sZSECIhngGauo9afNflEKF/A0mmt1+YNW+CH3tIVzWbXl2dC9bbC9RtVTKpE r9oH6zcDfzC05UK/7J+Vo+/VbNeKhp2pIkty1LsgXoMI30+wkaQ3/0qb+Xcp I0aS+OHh873DoMqDvIfbG8l7qHND722Fxi2q8FPNr7eqjoYYj1M4RhgppySB kxo2VJxAhqoDdxPi94ykSHYZqi9pzjUY7G/Qn1lD7Lc3/XqJZBbZJ+GtNdyR jI6ow7pf7O3uPw3QdiTzxGc0D6uL8S9v4hHm0ftWEweKPcJvnugBYQ7loPTm /ft+O/AHO4KcNnqe18uS8DLIioRA6w93P9YQSN4BA7tfs0OdTIWc0ANmSVXc JTrM0E9U8MfDOIvzD9fgrffEWBA0M0DOsxr5Aikp/4lU96MjHZ4ew1v6tL+3 O0ini45wGI/+9C5+mZflxFo6aGxZllN2798PhVhaKA7AevGmSm6burxNtivg 2oO/KOu0vHNFDthZZ+QCTp4QsKpRZqZql02/XPKVsPfLmL+GB88If4/WBIFT bwIEjWCC+L2d4EdUiHrAvv8ndcNlR4jJ2F35N/enQWc8IJl/QDWAAoVa7nF1 cQDwwCeeG11CREqJMcjT/GvN1VPFMdDfeb6e4kgzxsf8PAcp4rn4ec94a3Q2 Qc1Bm3Bp66tmE2pbLeA2c2cVv90cY+4qYFSNt92OItX5IaC576uMfSH3mFUJ ULLiL21WkRSB8zF/CLjs7T1/drC/P/yaLcbJ+E450+o84zIqIEOG8UwmpSFV AcP5s37ZmVTpZXBN/bKUICXOECdbMULLU7OkkE11ZCk3FijHb9sC0vpDzv0G pgYUdGBJatDeOMPy0dBYlT9xEapPZg/1J2z3050af9qYa2DsyYXbdb0kIso1 ymy4/JC3neZJdo8bGFYvt5WO1SscD3Z/Rpq02qJasoZLPEo8+bxlInASF0VK HoyJQ0L8p3v7zwd1E9C1n9uiSeiP2ZywqI4XXHyzTit1t3UHtnA3VtSh6G4s 0PteqySFq2KzYWOLSATX7jMRhDnKv5byYVYk/pIVn7OE43FmAGIpeEOwE8Yn ieA7wgRSOsxKfVkR/1HPQfiNOeJjLm3zwc6x0ayjxkTr5mZTHU7ojwZGitPy LttG3SRlkIOxBwWJBTPmUQsF9WdWD3nocHeI2nimamM9vG5VPUlWw8vrvszN iU7/srdzCWtMTf9Bgi/90+y3S/f48VgeDixdW3f+c7aQbfh75uCFu2wDwYLL ty63xXDfh657CEjbOxpy0tgnW/JrnBNBKduwJtoIz8SnLZfN9GR6jlUhcMwV l6Jsi+wBB8QFarvoNfsbvBgEo2EhSx1cM/6+6BopBq7jFQHXewf7R0/DOrkC r2qBLDe6l7syXsBOTsC5QOQNkMNED9VxzQ5KjbXJapv0QctcpyinRNQW7QPU tFhW1t5cD+myaEH9u2Rlgy/plvYOnj3f2znc2Uf5ygWpskXTVzrpDpaY2QyF qLiGgQrq+12Zx12O3ok8Hh/7j2/UWqSSxkTdmo10VBd/NNj38dX9EDlvp5Do mrJADpUpKbUHoYK2WIOtVf2xmqsabBPpBp+KT3t7+/u7e4drktWIH49P9OO9 
2BR11BvtxR9JJT8hxUKBMiGAtC5ZGimriWjaOCZkxjYbfSmijNaoVMsBJ1wC fh1QX5dLYlH1dumqUsnkDqX3zIZ3sVv6/6mPPPUn7QcgpPyUZ+NV8qkhUZo4 p7rBELtbA+EqwD3tGRI3wiVe78W/T2gl2drFQ23PYG5WN3hYV2C+XtHxFfeU ujxtSbzSm/UB4nQQjAZ06pWOjr1fEeyG0UptMY6gTZYV19LS0YEG5D8nRHxI 8kS8Qsi6qhZFMuv+X7Ki/3WezdusSwEgVOp5YpknbtF3IrazQfz80Waw6Rl/ 3AYhsIG8Slpe/rridFJBHbrbTgoeFi+ePd9/erDTFS+YmP1Yu0y7H0kHLmLS ikG+/vbX//6glKGX1pEz/NEAuV8maH7w26qjMfkUA3OtliQmi9ABrYsNGAuu nkzISCxlWa3T6s8lLQv18NpqGt8l2z2eJEZmN3qJnQ15g4HB+JUUerrHPhFW vjuAGWnnYIgChlD4QFQTpEmzCwE9S4o1GnVtnumxX4gf2rqH1yQBF1iWv4HX AzsSwNVbArgynf9zdbqJKjJPoVvP8hJVji1FTEdKE50fBuNZScFGOT6Y9dWo W2R+DMzG/DMYDTrjXU8YLUkazqzFjAXDAWk6fvnu4oHw3WRK1BUVVRlYa1uc nCPGapXlukDxFD2OhqPTPg/Tf3PAbDntn70b9ccJDMm21ZCtmrJ2tmIhNqFj vLx4ZD6AUuWkwaCzy6n3Ed2nQj7ijn26/ditIZmmX8dxtmz2ue/G/dmx39Nz Y+fw6ZaeGzH99ILbe7gGEERzLxZE86RGu64O4cId4CLmUupeOwrJsflnNZ6I H2NBT9YZ/BkU992jo82O4xSmdKWqLwMUql7q6l+wWRK42ICY303K7CdETuL/ 7e8N9vd39tgeW6nlT/R/u/xHs1qqn7rnhbY/FSpiqok5lv4J3zcSYF1CEfZn jkscUET5uOjRRRO/Kh8sxoBMB95rh7nboe7jWf91K2kp4RuvB3ask3XJNabX cyzsUPcLbdG/VBndeXdRlwM3aNMUoApeow3YXXK7LXFHw+/+oDEPMnlH0D0K XQyfq6fDeb4cVvsoyC+wvCvw/Umwar2eqVzBC67No75A2eeqlmLRlsQMTuk0 xoztLUXMmkIY5Krh5XJe1g8Vg+aHeEPElVrCwnYJmoKYxjuSc2YKdIJUi8Pn Tw8HSb384u/jFyaVTSI1IuWDIYhtW7c8u2HRc2Rb37PoeZIPsoKUTC5bneR9 QridvWe7e5bUBlo1fOagh/lKhwzpikia/Mkpb19tCF0fk68E7zDM8yp9+Po4 CIc7SazzbMzJOafzMldf/RevB/5gt3plU0LOflUi3qObg+aPhu9d1MlY5VC1 5ySZ2TNxGnQ4HlzAh9HLLVX2nVWkHpi+Wpy12Rd38XK+3P9dNvmk7eA/7R6C QXiXca1zvfIY1Qk7sUnpgyHOrrfVKCnQV4sIW6aqToonF8zXlWAegP3vje0+ 1P+S+nz9hUz+HSkcCZfP+dtf/4cEdZ8iM6b421//5wNg9neVuPk7Q4J+e2Wc 74qjCl85S24z5PlOMxU6kM4Gweg/oQRPBbd5EApxPLAj/59U3/lHissClvUB 3QPLS9XUqwVcHu3CpOIeGr/8zv4nPcNamLDmLUjNYm9KEwfWhRhxmO1sbgot TxnhHiSSf99lI3xvFl+uVfm83FiL4UNJpHvVyfiGudeOdeu9VOmKkGDWDRBC bKs3+o/eleSs9T9cn7zckuMp3NVvpsM1zrhrFAmyw7z6pNrJMvndUlL9f0KV Ps4C869uZLJ4F+UtdxNA35hG2yRQRdavlY0+Lqi+yq2AthFXWXmP9IF0sL6v s7eXV/3De6x0k0W+ZNCTnl7oJaeGZg0EYiuYQ1Q+9cLEliupXCkeGq3zINTN 
KJz+hq/sVCjHyVN5cWN6KgRr01SxSLqllBgz8u+2jZ9ls6xBUya22l7SWW3q zsZC/Rs6v3y7+jf5MiCJXTeSy15Acj989uxo+Of95we/338byH/vl/DwctK/ krr171vUuGpQ/JJDnNFFSE04RMYrrka8xfZdsUqNa/Z4VWVlFb8riQHf01Pp DUmthezGh+s3A28sTFolkP26UCt1n2C2uQ1NLdV01aexnYPjarxQMfyZIxSD VKICjk/0aEB1gHLcqW8ZpkLFj/H3Jb35JD4moYDeRoDUh4ur8/gYU9wTK6lX 5e2sw2E6PwTY8FFX+LknrBTVI9JKqkd85fLYf+GqOKgP8uyT2/ynJl2uabuA cKidjcJ9022iABOYGwF4CZBGTRz01zm/TUTwxrPTNt8UQvVgsd/vqsUdB+/8 s4uDh7Nz+vyqJRVhTa+0Q51X/v6C30GVL32x9zUO3XaxCPHe2/lEfHjTjY7+ 9Pb69ArVTdvwwraku0qcsKuXksEHvEwKYmL4b9CDDVb3f/xiR3NUcZt1c4hH Lof4/7+Q0JnojbpFrDxXvQ7W+8Yb6rxzze2Vz2AQT9rgpWt/LOhkdZndQ0om kKUGJNhPp4W2KhOw1UOpmYz+S6Ana+BGP//tr/83P9GLHxdPYtAOGqzQ3JCb QX6BtEgX/XhzltQTrylkcltmE52du0CbIqNQPwSALwnIpgk8S/5JvByYgc7h HY9JBIg/JF+T2ZxAPQnMuRDiO790BX/0gnlLGtBtRgzuZn7TLULuDXa/XMEF eHwzT27p3+8yYrBx52Ue3PSuSLun+oY64m4w3HlR51sl8assrMlDIqkd6i4U 5bPeZnVehqFKx4NgNKBpJxLpsa3eJ3LubhMma4sJkzWtN8gPn9K03l3LXHn0 in8kenZb5red9iA6P5doHOBvlj1cYFpQ7aQTvfFm4IY65/BKIWEmfk3KSajr vRr4g523/pglJZOagJb8ceCNrV+uii+xus7FurGgGqg+6238Y+tZK+Hj/aD9 j5T521AgwW/CZySA0+DNM7zJ8gKyGW1BKji7paCvyQQVw9c//X7+hIKJL5Mv HbZgRjqzr3JFGrqqVWd2N9aZ/uekrpLP6xVhfw4qwv7dV0lkOfbuckMwyZbL LGu4eTiSxFRuQvv6If8juMRzQ3+58JvrzaArNsFH62EUWjyM3l38068pI60M 2qj/eDD2Pb10wkY64Qcuyzar+69VUWWkX1VZEQgKaKHiBjfS1e+wInQo5G/p J7Fmt/gNEBIRP1roxIK9e7rm0gVXisTGhfh4oN8OiyyFpS4NW72Y+T5+/Li3 ljTxyEQhfOSiGKQe3GVIf50DR35HV8/ljbz+Crqc15ZqGg9WUE/oThFny7kM XeuWP9o5f5RFgpDxUWUF7WZN7vSHO8eflbOSVPeqSiZJl5EGw51PvpPTFJt2 E97eu0E4bC9wl1vKIvglv+cCJ/kgSRdGo5dSnAeHw/2DZ/tPdw4G9O+Dw6dh FwHXcef3v3+bZCjgkVg5XpHKnvvNY7eX7+t2tEEntJVZcofo+aNrGIiGPR/a UIS9HLih4EgM0dtyHlsZ2F1ZNnu7/TuVLMuC7Rl9kqWyXHtON2u4QuGg4r5d 6T9ewFBtpvBJ4EUxJQGvqVqplQIZ9tj7gAkC/6eTyCtimcltfEJAnUzuks8d QS0c71rW//dyqeC+vp9JyYXBobGBypwjoMK0v3iNxSRcjbJdkqz3BU2cLIti QeKsJAqmtBfNr+CSTSa5Gpdf/ncIf8m4QqfGdwRhASa8Gnhj/6iM8VtvYkRU /HNyD+7URN5JwZAOPOJnIuJfTJq87m+5jRP8fn05etEREWgocF+m323sGcki 9Gr9nSFN2A12DuNDMm9zrrtJ3OWzCg7xw6D7Q3Au5/lCFbSa+j5G2aGzXCzA 
0trnzw4P9wb49/P9p8H5dIp5B2U5uFTq9dVwP4axJP79LxenD0Ji0hCvKLwl d4Cl80PnkE6IJaIw/yidtyrsangyCEa7JotsgWalJ6SAl50rcWNdZ19ex8d1 OlfFmGhigDrE87q/3HMj98TrIAwM6cyDaVtMdIpT/y9tRiQnL8sbdAnHX50K rfHv8YQ1UeLgf4M18rfegd0Z7POkNieTLRCmDfMGrPYOj57tPgu802E/RZtx +r2s5U/o7ilL8Jf8p4E3tqn3maq+dgWl40E4HAbxHb/7sCXPE5dG8m1Vayfg HodIE6VB2H+ODmboYn6HyKUKWZDoed8uuZRmVbbsp7HNnoOTueQppAkax/DJ HMiARO79L8SfG/Q85Tls9NRDJ3Y8bZIxindMsr+0XWtNMBzesvjY9rY23UAU flsP0rxsJ76jLStSroI+5F/6Oq8fmUK7z9H3wt+xLj55iidR0EI/CfcYzxH/ wO88sEVvT+FFyseiWN1UHllcT9ydtCkEx1lLF4Al2F4ihIrLJZ1CSmwFgcxV OdRTyAbe30oOLOggSh0raJRcCb5fc7WU0fFboklJUdjgrcBPYrbhqkGlSLpL yyo3bMMmiIXjPq3p9/txMq7RxqOJIo4gN0E68YTeqrIxkl1sWMhC2l3Ui1pn XEhour4pX3Bu0JwPmSrwfkkESQR9h8PAUTCDRUTXOYXEzMUyySpTYoadJNr2 OUCwG2eJNWW8QDEcactJclIPr+XMUvgvqOtSLtmPWF1qcwqtBAFhkQ7HXMLf WjVIDlbSnZW2gxm8bXJWP5ZqSwZEqhA3aCzxtVIPxBa4HsRxeI4LLphQlHHd zmaqNhVRI3ScIxW6pWM164tT3QhWNE7ZDs21JK6Zr/yvJHkvQpB4McGSEU1d KR0SM+h8H20GYu2sNoGopu72eTFHjiY/xw1I65p2xH8S0IgPGy2Gl/Hjq/Pj D6+eGLX14sP1y4HAz4JFySiKUDGdvwKi/O0HBvpfo5+8/0WR30ii1mWOkCZI clPDZcBpqSYzlNa6LO/onOkjdYtmg7STyLXM6sE/TNf0lU+kxzDkzpRfWiIF DKWEg7iJiIEza+xx032MNTdJxnCyk9awmLZ5L64R+IfGar0YZa8bYEG+oqNP UfwEB4qPpqhqWnAbh2/fPl71z9SULVO//oqSAPD8zuYGOQQzVDFDUQXasBdW tWhrQjsClNJGdrC3voeUpoxozwqbjErkgBGMJoCQJrhrklO5cnIOOpVz/K1F 3qgL1QS3STrP1K3agMCD30gOeFce/mvUjxLXBOfvQ324jaNv3z68PH327PDg 11/55SSeZDVttdZwYl9zfa2K0NgSNag2jGdBMGx+Dfd5sClwCJ6D8ZbQrRdX CZ8zbQzwKSgfOZTXMRD8IV2SoQbqceEuAtScbjGJZ1V5hwWwPYy+ThMkE7Ug Yl0bo693aGnQuPtxrRQfnLQGjXXYHmb59i3oMP7rr096rmI8eqDeccv2O5ST VzexIZtERUjbpEVjlRH2bimPpahCczyiOgiwNlwi7zLTEd5YakqszxwyT5AY VE78jS5EE5BaZ0CDNG8nSMwrbP8xAoCJKqdTLnxPC09Mb0wmBfgO/0LX8Lkt PKesQt1vH0S5n4fprkJgP1Z5ebcG3nMiLghvMMG+hBQeiGGd+hY8AvgPkFGZ UCeomqMrQG1a3S+I0GmGV5j5cde2hjvbntN3DTXX7IF/ijnKN6kmEh0Uobp2 prM3vv3A0B8Q4yj6qCxSg94ozlG3ypnFCndtL2IsmF5YMsGNwpY1mluZylia Eyl3xBxBhdQf+dgi+UzErNYZ5T25OCar6J0hDs0yhuIlTKt26xtw2p5ZCB1B pNk5I+d4pcHfUNwJmokhc5LG6VgRkM9bXHAFBgKSBg4pkrfbfGIrzqvBbNCL 
tdeVe8Asy6ooZ1WypMltb1YwJUR11VkF1jGILsI+Plkd37s284EYoQV4LTJN gkpbUsxBr/RjHCtbXtAST9QT5CVHE5pHu4Nps7TOJWrLm9PHD49q9eURM9uC dfD48esVBCECfXjIi5pzVowP6glytBG2VjIxbJgGLi2FtqyKm1N8uIw5aF19 GagvCYhAjFaTeXYDdsRrj/zjigXONMA8eFoMXamaqIhR34+FBPAReN4yDjoq zS/SQZm75kltuTP9YMCCNC4WApgGECxBk2LIjqvWZd7yAtJkiS0x9fM6B/EB z/kE+UN0REJjgevmg6sIp4SOywqLvZuXObg30WcQfYgctHVZbMZQRuTLkrgA F4DqXOBMxkL5y0P+DgIFx047mGYzWRyC1u483k5cHFiCC6XzjaSJwbdvr/Kk uEUxDk4lhNzzSmrF5iSzmFeT2YzEAo6a8hrCPDLTMEjyf+UZUfcex0nCjKbZ NgQmItNECeiDRjH79VcW/CBVVCrJ+8juo+Nu2aeQEnZaSgxWqyMNv32z6T9Y 6qikd2yJei0L1Qy4mi2ysLQgQMJjLW8rAtNXQP9lmWmaqRvn0PIu1WrMVWr4 AyIVYD5hmETdtAAioqiuumzOCZtBcB3bznkbi4STZWO2ETDM8O0jqBSygGlo h29dEAyBGKDSRlold7mRhu6bIxExnNg4GF9leBYNJ4bhqekUVAHKjoZuKwLR BxdqEtFR0BElGnJTrleZCvBqeVrkJsK0AjoXP0RIsNDdbWq6hugzbm5iGkd8 +za6OHunRWmwbHOORMNFFCdcnBJXtjTdwo9lFi+M862n46QjqMw9K/ow/Fhu Zz3vjy+uiE1PJlAgBtZ/h4PU0daYJbLyJtdoXeYJETGwGDowr0kSnfmtyg0p AUX4dyd5WWJUTpHUXqZpW5nO4KjnqOtOQpv3OoTbS0ggw45JB6N3zZz/Hl1c OVG44Ubu9I63RpmentI7lE5VF1e3B0P6x1NDsAYR44ZFYEAvoFOoBYSXVIkM W4G5uC4u9DXFuhRjTcSYL2X0HILT7fouWhLtwWGYvTGqLcG05SVIdpEBt2/f fMcgYJ4hw9dGWMFos5z5YLvU4oP36VtSpgbWkZIS7JOOTa/XJBZDfubOV0yo JqSUVav4kfm6xvFHsUkv60XCo3LUBjUnJaqH5ZE857gqE5IvEHPD5bOY8G+i pz2r7s7ofHKtJDnxY8VHwLHZSKcRrNd75LrbvUj+MLsw+glqDKnFkrHYrOMr oTaiFemhRdbnMHWtBkdaxmFFMSehmY+VBOqk3yQzC18wBZJ+mlQg9bylpi08 amzvzVFlSeapRS/h28kqj1TDPOKtkBE7CjR0Q3qgm5B+2ejjTBomDgw9LCpw aQRRIIzwY+Qsp8+bK40cUZnDuQRnWi1Tl1Vga9DfAhlgsHeANWAv3BL1A41S A1x5K1PpPGoNUtIyxTFCL93auJ17/pvRKel3Rmu6qPMEauSrNpskLDpJX06R wu0mmeCa6Ht65GXFD3/79vr47P3VhbZSRBxGiD5FIgic/yImL02du7kKhLdK 9x9msmwSWPNkRQ9P/W540tiI13RLJKvkTAiSVkFuCBSaVut7a+dbohtYZRm+ m4oe5Zm6kjDKJBh5oWfExoTRosBzzHdYTGY1EcyGyCsX/YV+UeaqknJlnm4v diIohrA2VSpVRIxY6ObFTTQZTV0yb8/ZBbz+dYGRIBBeQkmuoztoWS6bbJHi WJCLrqz4YQqwffthWaa/wjgX/o9NdF2ljrlCrdkCdII8Z6nTtq3V8lDUlEsG TlZIF8kKh+rsBBMjJxhTUtZwDshj4Xl0SbS/vCyXEUgzcbR50uZPeqZquD0c Nn6zKOUL93oWyDRzaP69iF0EMXdOMJK1E0fyjCmakeToM3pxCbLtiVSJ9MYf 
VGnZF3pkvuLxd02peHZYivlqiJ2xJT5rOLMBsKtFpGLS191ceRt6PlG0rNV4 ovDhyFo043pBx71EIUk6p2RJ54w5SfK80f9pOE2svqCujaTO4P1I5qqfkB51 XOA2SESDfSdhUYEtqLTPhHmos4loLSpQnkndAYNuWEmrtO3QfpgWgXKW/N+m /LUogXNLi3ma1IaMBPTXF4GJ9WZlWxMwzHg1rLjNVzVrUyJLo8yCkaUNRwXE GdthsAHH9nua5hJOghOxVgrbSE78qWEZnhkUTQFuhoz6KPovXl1f3dXzRXzh zFWGOdSbjSMGOeBs8QNgHAvHB7OgBxY0IM6vzcDlkljqscVcrshOrL5gVzOl tQveD9j7vLxRWuEAdRsra8sVuktzePq1p6QLJaO/SRIVkyg+TmcPDU+jul7J GNG5Wuqsi4zLO8k1QQNYZFXFjhACOs8wCHuV3Rg0AXYAIyxKlIrEik650bKn kClA2T0mOKYDhRnOHAvNYar0AprMSs059UjMawTcgk95GjjNYOm53b35DOYS fxG4Qua+a1gIi2c0BUsEwnFIDy9hQybGNMG3OlfFBIFNxw44jOaLHcpTW7RO rXDWTs+MjZ5J07Bg4/bpA4NczwOKaADuph7wlaGhL+75DZhLC5hyIiMn6zuP 2dpnGdtX9tDoiMeKrifj2xsrnL8imoRJCsgXDKnjlcO5fj9mZQhfTAReJHMS c/kaYsKhlqXJ1XOynG9xZuQECYbeXS/bhr9HgIrvsDDArGEyyfQcpsqDCJQk V41QoBvoZrUuhy2agoUortGO3sI68lyLuAxpYhWVpf0omoLONPQUGI3bzJUB ftIrjxbCNVOcDwwWbph9Gwg95R0M+ISMrNLeljmKVVarYVpCEb9ls0vONWY0 JDgJ7IXYslnj8eQyQ8TSsiLc115JWg4anRJN7IVt/9JkqmTpTKg3bQzG6WvW TbzNModJU85KEJ2+0QcsWbM4Q3rP7doaaYH8+B4rph15hJB1rvKl8XExFNit gQyXCXZgtjgta1NzRaxuaUuCglg0QCMRURMzPcqzKYOrHIL0yaxQDQo1u5ew 4Ym1ifU9BfadZqpZCYH3NsEL4JswhXFs/2kcmg5qiB+fnr178iKmf9bWm5Oi PPuyVh6JMeIZYJ1UcKVVaQ4DgfTVWEYdp5KkCIuAE71+BIGxAEoUtUJwgzYc a+JZ1KyQsxpAY+nKOIuITNCTf2kTxHoK1OtpBdpp8e47VmCIhbbBby8rnJCa jbU9MmtjgYmpst5oHy4S4q6CH2BT8BDDtLRO/JzXHt4FVonEkioshD8pHAay M60QrQJQlZtVPqfxglapKvRs8K05iRCpgEYipAs7JrEQb15x+Hj/DenEYXws PXT15qJ+gmAO/1XNpuuWLqtakSio3Q2aEaQtlA56vWyrVFkqAeQA1+DF0E3x UQT0mFYUzO1WzmqUtosRwS5zpvZY/PXlaCjhi49xXIjlozWzvPtBU77hJYv1 XiHUD1yblA/w8YeLD3QO3mcRf6RQrniWCaU0ezda3+MP7+noGJjjk1dXmrAb C82Yhb9UUFtmrMrZ2nZEMwcUyhWCWaNwJsAmGygSyMFqtAToK0JW2mXjlfbP g2yEWlnXy+WaNUFEhbzJbG8M8WJZisGe/qKlK7kIszghWW5Llbolfh7sRqMi Js5VIi77CTAmgS8DB6XlOx0eFsu9hQKycFzeMRRUuM8LkVDuMo6tZesAcKjk q9HaR2MuyYKTtWbRTLWethVTUaxNu1pnE01SQyxYLSOMlioQP+bZRjVd8HQ5 w/xgMgTE91iEY8cPL5+DIgghtC1h4hw9zvBhqFapyy3wmsF9Rmufc6LWVHRg 6PPZrdL2qS+kPXxVwsGZ4HD/K4gabd2UMI/A5tDTEpj50ewKlZhRL6y2C2cO 
YsLiJ61yq2coFDu73DmR+0W8aNm4WLP1rhITPc4bcQn2eyyQad3H7L0n5Nz4 R4xCz7uw1NnciQAt7b0CuStmOfT7FCLqlHHcklfchVut85FDGEB9bxJ2tNbD wSj4qPcQu13BUoFXC5Hb9ElDZvDNEhAwcGEef6yl/ML7wGaw2WRA+mUGH3Ox ghDVQMEQ2oArBFmupW1TX3oagvf4ER0atGIbNWI+JqI/G9FYdIRw5/iZCT9j HaEtJETBcmNO1BXc5OKD1cqDhGkp4q21cQxYHXROs5628MJuSQIFzjt11qWK i28qEaZQGqwQuU22tChNUBlmPV0b1U3p6O1xqUV2ayABvfBdGTDyseTFQLhB lIPhvXEaKYlYUBuxSPEW+udserg38xYgf2PTmHV2Su6jh6t3k3HslSEQxv5i zN0STcYk54oLRaKLjdKkx7f5a9F5IxMYG4kRXZom5hNicBF/jibOiBxhOCMw J+JMDJjtlLA46QbnAB/CIX3TiHSoFZs4/FgaISBalYGdmi1PoM4Cijrw4fF7 ADoKrPQgyCQw8MgO9dJYyVcM0Ow1ibfsDvworhPdpZ7DyOyvCIyB2p+2fJG8 CNTcglNY6Zgz0Ccx9BVEN2+hhk21kQJSqg7fMKb12Ffye6i9LeKZlZ0RDqXY 0GHIqhAuHWZKrPCJqA40YhuIg5ZwxXJtB+O7UF+Iildj3KuA5xQUTc4eyI+a 4GphWKvds69GaLiYQFIIlYaEC/EC0yXFl8ACjZp8hYwop31ftAeP0BFQHjdM NBiEukbWmFSVCq7XlbZUbVQOYfGJHM/bZO9ha2FdW+bAGM2RwlYrVhkbKQSX IBabIJMgoMViq5i62ZrlolEiE0Ckw6qMraYQhpMEUX41ERn8p92J0b3YclgW HIaL+/bitABDJqrDRmno+A6GD60jake6+LBZwtGGXqNJGI3RmV1DatGL6I64 RawGGh1UViNEJRQA6co2HTkBUMTO2w0O4J5oT7Cf8arNdYvHxNi0rqIamQzO LykeYc1HC2YN+ms9CRL1QvpsjHMEf682VQkFFuM8HSOsJsb4UUt84bdviGXv 0zH++ituL7ID9fLXX58MUOI41qE8PYh07RjyJ1sTOCJjwa4lDi8kEXiJ/oBJ dBOkuyKv9w5ORiZZ3FdMAIknALHhAAL/VOlTkQZvEBpx4ljXvg5WYfmNhQJS Kp0vGz4VX8C85EP+9gPdh7ioNrpGrn3DMLZpItNckJwXL85wbiMUtfBBuqS2 63bClrQ3WFDIAwvtMQuix8+TdB65z5vYSA64z7gDk7kOuzKNmLUyqxgrkuay UityU5RQUZUXIR5FP/zwg0QmfdA2Fh3jteaBstBBZ1r4wUwunC8hVZr1A8J5 aBG+OXfqotg64YJeZPQjyDuPTBRSWfiivQTOuli1yBiF9Coe4wucSLY72OVr Yfh60rPBbToCVE9Ua08HfECs+dJzK1h+Z5EsH8lZTCV68SN59RFPqxfJ+iGt Eo0meEpNjhcS+Cr4Slc9Rm5MAz+HF1MdH1uvAq2OTeuOYhPueUEdVpHxvVGP sYYnWnBqdfgLwvv0z6/Or6Mh/n5iZHHN5ToqrI38wXmYmSSKUIQGS63MMXcm 0KSDYBT9DCZEKHRYNluoicMSD4/k9BC2YxDlhQW39ShJL6YOtg5aAQc40LRo HtcBHnOpEnUu6qI2KfsmQE2IjWMHrkeYUK30ppxXq1BqojM9tCwkZbuz7kKj lI5kKRF8Sb1Ca9kkZWDtGQE242h5zR7umHS1k5nusVKnKPLHAVdAIRJVCBW0 neX1CiXat8RhStoWXS33hCY8hoEo5AEGN0QhQBgt4lkYSplhmBBHMXrbLzx8 ubRtizaxwbiRc/V7FJ4d66z8QMvhMG8WtgmmslsRRiYKFnYi3BwfKqqZTge9 
nx4NooAbAQfT0onMxPe0moq0poJFt6rVsADmKeZGjnbQflp6MOUAHHOexnkD 00hcjqdtnWpJ0lAAgxFFlJgD7wWKeDO/g/04iLAzZqkG0ocuixjOd5vkLcuH 55bOm1CSF1whxqYpVR27lScZshI/5WQrBe6opWSPbA85RjcoQ8HKS2rCaHqx daJGJ0kxy+mtmojhSTInlCRJRgemXBSkwfZ0zIlp+NWLrwgFEIneiz9A5U96 0SihyVD+aYzfR2VLsPeGyAT9cT2HkldMRPdB11m1IgHkD6q6oZ1ztXqSSr59 e0fvcllH/uu4WknzkT1EPp3aOEM5bhjBjR4s9NhEdkGcjwxL/vaNy+fqWQfG K5FumQ3GCZJIysXYWMW6AHuxbiV0OCzQ3I0Ntyqyo/aIDtaVfWMQDCJTmOln kY6bCANeLoO2kbsIeZ0ZUJuAB6IVEOn8vdLWeTrukyERKJ40IERjizjg5AES DqPo4zzTtQUeECOIQHEUVaG94VY+iLQQ4cJHeDZDxzhsTmMqIoIYfXuOtHUI VythjE76qDn/rbAvQJ8ztg02yURucst7Nyg/IQ87Fmfxd2xclDgvztb46u3H eA5faQPT7rP9hjRhcJqepuY5K5D5KgLX4TkMo/OIL4ffcQgcrQbnkeswel2s XnEL5Ej+0iSvNs51OSI2b9OgjQBlydj+rGUeG8vMH4CfDZIfx2Z4se9eHFVh BTfDj0hCeTTii3hkaLBw8LHyQVyEZhb9Ome9Kf3k0R+yhCVJ0qIVy5HCGgnB 9RR6H5vpZwHQAQ3PVaMV8Io+WJje75GxQN0x6OMJCYdQE5esYUzjOpxeTf7d WUzYCh9pHmkOR6Y0YQ5sP9TxVcYANuGaYsJE6JnIhdmIPZjzA8QlYfn7Zjje xF0uCm661wOZmREFrxztkVP4pchY6Ws4gPGduoveqi9ZinWRulE3Yj81q9tW 04jk05cfn7CNRvBgjtgjK4p++3ZawW6ScwVfzp20cL22sKnOKtTnQROzlZnr X7d6broAnA6xwEnrZXbAdmZUbk7CI3rLVngxQ9D38oQL/2hSZAHf78lxs1bP CVJT9F//2+Mfbu64H8wTRJ1xaIpJfmEJAGqC4UEmzEpPFnmRkyBPqHJQw5a3 kGhJOIAM11lflqHjjumI3mtbpTy+vhw9QUxhXhPt1jG7AC5M6JI0WISYKJ3c nXC4lpKL98WZElJ5Hdms6Ie++5jtvyuvlwYToSeD+K1oTjpk2fsG0zxlDDhC KqRHzIVNoIgfj95dPBGa4oV/uWxttJLoxedC6mhD/CeEPO4Pw3+HceCgaga/ dPUWjaiIvNCcI/TRRe/KRkeLwPm2O9iPOSFSovvMOcBzUBY6NgBVN/SN/XD/ 1r79QHrirwjdNARbXBWFMU8IgaQPM/mvVKRph/aty7ogasaLNm8yiNyPbrOq abWXip55BERP4lmG6kImpEBbU3qWMGleyeoH1CVmySy4rDT3jqSCAZpe5SXR VdIXZkrbQnw9lvACNmKTR1swbSsJhUpx0Xg8GleiMwK9WJ0lTDEVOvjxiXvX 8cQZKqN7zxXvOWDkBOOnO085hYY53satQF0u3DWwm/z0Stf6oRnp3Y9i/eQC Y3TJIgJsm8xNxWFsBDMR29knokxwTrzkd9qoL2jqEo7NNlJm6FqsytjzqOfE rmCHM3lMFYcuaxOUaBs2KvA2Ey91aYRGuKpHcIRy/xsi0yJJG3lKoEER+Xic 1NYkglsw8kFX8nrSs5J3mJkd2N+xFYKNx77+6k/7JGKUouPO6iCJvOdm7Dk7 MUfZEM2ZELDA8hz5aGPDHgLdjI52no0z3x0oUbzROJkMpmVp0xo1ltkEQ5EI ZmUZPibX94RkcK9xTpgTRryt5KPQCbw6HMJ6gjVuAWA/6ionkkzMcQqituKa 
vn276J8NiFhP+6hZRWSj72Dh11+jzu8oeik2X45sZ/OBzvuq53DwS9QEPmdS y5FG7zQO5RNVAxbsQqcfXQcfezO0gFNS+HQwosn4cpon0cOzsJEFywocSIE0 4GW55JAsRO45b2qoAgQant+Yg49860s2TigKwvZ1ElZnUcu24QIEUzanNiFl k7sKu0axq97oN0SIX2jh2sSYsqhiUXol4rnYpwxmYkLJFNLJg5yv1xYm+0HW 0HNyaRT+Av8ww/pcMsVMUp+9Qt/FK6vTuV/uEaFbDKnGN8yKHTtHu4dkE8Ai CX1kc30tBm135dq9lwUtnzyrEivlLlZfi42AmVtVGRcAyxUGl0EV5FRdKQiR EfUK2finzxLR074np8Tx6FAPkudb5WcM1qGe5SUyImrKyJcs4BlINYuCTBXV TE89R+pEf8iPOzK+rkB+hQvKpFxENqTIK99Ra2HO4KnArQtGmbYcz1ouDemL PLoRKreS78fsCtURmPfUSksAIVg/Niny/LDNZF3FuodKzDqDDvoYjS6Z1GA+ CIQ9ne0s5wbtiC26kR/HrQ2RENWYVj3hPDcTqKv90E6BsKlFXtZk5GVNPj67 Ir7ftclp6zFus210/G6+EnO8H7OnY2yWUhwiCChkEy8jkAhFXFJNosLok25d xI1xfJXEbUguqbLMWqskgajgR49UHAAmtzBAW0X2RsUGnFyhjcLhks7P1kIU vPmgul6oIPDIMVGdZcPbQWUGErr6gi8GeZCmqKFbhnxGRzoegtMaDhA3BMjk JnJm4hrb6LkgDufQRoAcW6ensnOJpncBnqzq2rAJF6Pswkp8amYDvbZov44R syHUOtc46EfL7tPMhg+VIPubqJWzvX37FnYsZJub1+yPeXEgDjgh20USuCZl Pen3bYyt3AG6F4WWVLadyr/pZW2CNZP+cnzOMQeEz3d0FPWSYYn24KucXkme b9/ev393wRXceO3mryOxxh73R2/0n+DphI1fVXGZjN0Lr9AhpnCv+HyffkW4 cOVm4GqrNlkeRMbRbm0rZ5QyFpY7hGuzYaYcs5rA1kOxN+O/3rIQg2p09LFO NUVr8PwhVArjx+da3VKib300ygaHD5KwewOZXVdscaoIXhXtE0HKEknoZNeM 5UxLbdHQ3LJ8CHfzFB3d2QpvNEee2S3NJwfR4/PT18j1ki5CNDP9Lcxo414c qYahyAuoihyb6eyP1QlmqIycslhrKGTqHux6EP0Ce2vT0taVX+uBUy+5Wl6g rDLJNRrLecBPImMEl1BMF7zNnlN2Y6INNVEtBez0CJeNndNBHpFJCxhz0Sl9 U1yaKJNK7UarWqmGMYKdUtrkoROB2MzGcsqKTnzzhcR8IcZxzYFJviAfmwpL 0g8gEomrQVwhbtufSecxNfcsjNPcHaO+NluydBOf3ggHcGc6mk+keZ7NbGkr PMdpaCZCRkdveo7qooxzUlLwBt9o5BlPrQ3AuqpFw+tcVd9li5tU9UhS1f2P sQHfWOH6roBBKcY9wq2Z8nwekQAQn2i+us+4ubej/VYEErOk8A4MZNEEx9rD k4kNRfjmOg2AUnNPa8lCLMq0ZRe/g3CWWaNN1mV+xzQP4A8EcbRgK7p4F2lf kazWYJNjN96neraioCn2U6g7XY6PKztHd6rybHkBfnE5CEZPWYq/A0Mg34uN rM/K5Q9GDIsiU9NKGXOhJcO8itoXIfHWuuwY2UsTxC69L7FxB7WgOG3TJFA6 p44lZJEHtuhZc6NDcs+ZdPmECIk6taTvmQjUgCJF/ipt6qiIlyVJXll9swbG a8ho121ruhn4WiOAwaFIqwSfurEQ6T5nF/Q98+gqVmPluYzYGeJ7BLH6LbjC oVVJzenu227ZVWPSTNeVQfmOJXYQqmsFtR4aL70mis6cBR+kkzBqUs8Rc5ZM 
TTTZOkn1zIhstNR2xMgy747tUAOjNyI+Lq9wmdUIPYMoR9yuNKEyoYmIo9dN YER8pRMsjMlNH2BkbF5Q/HT04RrPc/qNGF6JOZiwWy0yWJId+Svnp8ee/h7q eacWQsemGaNvdfUmsuoLdJkt2hOH/XRUqMgqS7b2ghPmRdsjWnNs0y51+ZDg 21kdsbglMYMagrHt1xYA/Lk7AhlSawzf1RwGD5H+daMlAgOsmr9tYSH30TtU rdf5AD9nZYTwIlTiQHCErQ7hn2XoRnU6j4c4kIhdsXrnob+w4SyYdi1nkG1e xvtEVPottBlfnbCaltGUXAqMWwftaFGr/JbzSatIP8Ib5ewV4lDJQjEEakFJ hzqa4gv+cpA0bNJpuNU9Ih44xtKcf6PtjvROqrU1E6XILJkYPmwLYBwVJ9aW wZve15isrHKFql4oS6KdeizHuZqOldIUWqpIWmRDbQnEJXEZLp3O4U8Ou3Ox slkgDPv6bOq4bSSFQ5JYqiCEhmvrcHyhLsyJMKRM592higiLNKUUyMhXXsYB TT+js+aQcR3YSUjF4rmOfmNV2IeJjZfARW5rUSeNp7EbD2g9zOYqcFeS+lJo K5XNohl47U5rdjb5QGLf4gM2blJdG+c410nSt8piuz5sG86r7eogHqlO4+U0 pHZplS5aDfJbMOmAw1KDtCU5qu8/IxyAf0aoOCPeACN7ytGwMs0sRyAValWn uk2tM28k+No7Sx1rPw4QshfkWofVjOtYqzQ+EDrc7NaQOXbm6OjvBg4h9Myz AtgX8RuNDtJMOIupnxNUaDLJwyMlbJPIWMF9bqV0m2M9J6vvWZkXJRN5J+nl 9a2RsUCXAGeasV1e3UWB/GiqlkhmuVcGKllyo2ErHjgLb9ZEnKfJ10LESVQR XqTkimdLnfTo8+8wWNGFbdil0TFw9HwyRhEOn7AFdjJj94Bzg1P5EeLh0xEb TrR+UAiQ069soGu1GBZnLXvaNfHacKteWSOSn9b5B5DWHosuqMFRlps4jfrC LraI2037JDgp/CoMNpfKtwW44NR8KkNsFob8bcPxI1HOHoQwCMXQhEXHNnn7 RvMPF+4VIeEYJK66Lk3ZYZ8/NgUJTUivlNXRoCaKlpq48ngMBGunLJ5UUji4 ckCP9Y5IYonsKEzTYmmWTF6ELsNE33J5NF3Vm/50XUAjCcfW7NvU+FwaE5LQ U8lYKqtVYDrlwyZAfi41p89PddTlk+8QlCa6Da7bdsftFo1XG+ADIoDN1yR1 aGY5J3NGZC0aN1ToqyOhSRXTxgQ5crgg2wEV5mCSScrKXDkLLDev1bFGqNs+ Jx2U6Hvl4iRPTk7dHyRwTXJQWRszel1GXgCUqE6Vuk1yE3crGuRqqTzeuxa2 dqciri3RXXFYjH205Sc/BKve8g0hHN2TZvwU8d1WMoHzDFXaYXqC1yms4o04 AL9Mh60wItYrGzwnZiyrV+TJnclRZULDMq72dmgLG8fJ+BuETcDGdev6UXZ3 rtxeJOX+AN0SZGVK8okNUzQaf16z/YE2B9GWLMs2Ob+b32DS9chsOctXj+zH Iv0GZB+/yCSrgzKnxIypJVdxsfVSOncSPb44vXpCW8H1ckCcB6HiBIR6yoEX TbeiZcKRP/7uWdTdvJmO0peDC0WI9NLIlJlIXV1GANYjwWzg0Z/nLRa1y1jU RRu5ql8KjqF4Q9c3gUXL+PGXhILiQfZxM2LYt9zAcWBUCk+YG4JJ6wJKUr9j ZbyT9K+MQ4a0bPRCN6DhM3+boaphOdVFGRLU+5s4QxDrrRyduruz09vZ2YmJ ujNN1ifwy+DNwFaSQfg3AqXGLd+Oow7RJuoQn7fw0NGF02EIGgQp8r+MZMjo 19GinARJhuHVuRgMp0WCmYpkaYs89iLmg4ukupECyn7xRi7sME20IKRZFW7U 
UnbEYDAv1MmtbIxtG9Lre531bCE12kvt0oelgMrKCdJsAdbiIxuAtSOVFUT2 QiXFTWS2a3SLJNb5I6ZmVJgUKxSIr5NYYZMHJlhN5fyUZn8tL9W4apHYAs7Q cyDzY623HMmWe/EJe0nhfkrSlDWxwNZnWoBaIa5tdG0Cbc4NWZCN3jqRGJum RfMmL7DEdnQgRdzGGYmCpQuEKh2wfU6aT1bP/URLphUuWABWTu9INPnlPiFE PcfaN2vm1FetZT/thBxn7FLGan+s7eJ0zJ4OfqhcmI4HsDr8F4JVW9id6Aee xGymZktbMIGxl/OCCJFukHDszlRmBcA65cRE82wS9ySZQBcqDmvLivQFIiV1 EHRon0gcUhZztOT4Gt1qh13ploUVUyLZTeTXlDslzMul5JgWLVMcz63rEcG2 KqgXte7yAqdc3S5sMEAStwU3fYE/qQHBuSwXSW39pOd9CbdlT16klUdrouLj 9NW2ia8+8lmguuSSM1DRiaeEvY5LQU88nahcZoXhCH4TDqweCyGAI9h9Q/+I mM5IWec/ZEjCdh5drRHSLxKkzXQGJi2YFNdSTidLOBnw0+PN9a+fBKmCmZhm brKC0VHHfSQkoqxqjsVfIXbUpQe7SoZESMZatBcGBUND1I0EkfIBuZK7D6J4 NyYRRHxUHFC3IjTCeXxM0FoFxZr5PH4pOI6CLaEuAJ4QTaJFUAh5MUYIgkkT l4I7rDol3MeiCdPLo0eg9I/i2vQsSCA+EfJrkyvctjqfw/aU4lhhLgIhpfZs o6vNhH3Ai9NQ5fmqZBOb8ktN6pShcplYixFPwlqip+rZO5tITUi0KE5SBCag XHRtAlNMSUoCc52BncF7XuuQFb/mo9V+r11MFZKqoUGAiehSZX5ll8e/L0dP TDMbvovISrQMTfxV5rRc1Aa81aWBSOkkuxcJR0EuQqSNQah9NaH1mBrTOjfI JY3UdJ2mzILm6onOLolqkohgt0R15THni+Xc4E9uU6+O5TlaYN6ikp00OOGS /3VUtdxHDqJn1XJEgO5ST/810sW4H1+c0f696LSOCz6w4QAYIKPb7iwihTuT /1q+rkUPo3cImRIWFNPZ66MndLki5BR5UuReHVKtO511iguYIGxBEsEhU1+c fX8MfMJduONMEDngqoFcWpSMuyiJHA4QDkkQj0xMijPQABaslw5vBIDuR4yb IrKRBGqFU/AWDLA3D+U8wDESBcHYumobGwZQpp3nFNtS8C3/Mxr1GKdMvIcg uCkILnW7Gd3UF84a0CftG55Mu65oJOYZDi3mcvFSi90zv/F6wvipDWUio/d8 FaDqdbdGrJbnaEhVleg64gUy7hZw+I2nbkq1TkxKUOBMFJu8jqUU2VlizpjS iZ6oS+8NpH2UidCE0YyN9pgP5XJVtaT5G5YXOedLN+Hzenp0MAS9wdiYuPqx XisD1IPx564GwoflmHpOk0vMIdQ2mDDyyqHZzFU+TqxTh2fS2rMlTDZtxlVE uV6e0q3Vlto2rRq6Wz/8XzytYUKDd3qIN0mk0qGkanVuxNC9b99et3VyY7qX QPuol5kt3WPQ0+KhF2Kr6z5uLAwQaSanQ2iYdnAJFBNQe/1QmpoYbI187JdQ korgxpsOa0lPIkjYP/qA1RrozAlcWODZu5HgFQI9Yb5jOvZhdC3cbZzwI5FR 92rJfDVpID0p4ex73NdS6DBCEl5TIhZv56mkTxdlsVqUrZcAvDHlnMlXzily mfJTy2M/tdy4soVv4QiCZplBVKaUdIv1inQqH6kXsmbzd2QXKNztDZpXJzf2 cdyV5MFrByyS/9Z2Hn3PzjtzS2gPYE5mjqYGNkwEEq6v09pugs4SuWT5IXJH 6vWJyI48JzQKwM3oTxnzAOcYXUt8GF99mqPDqehSJsWewz3Pm3lGYniiC4Q1 
bF3lVpF8JVx9RIOeGDVYHBlP6z3XY4ZE0CyfKJs0bxP2IfhGbJnxNFqdQWWs 1jR5z68OEp+dlaOQ/MMrwDVrTHXohHsyYwF9FkQzbRzQDddYJKYzmk6dueQC 2e11yUUPw6TJ0DHG5u4SmFch3lr4iW2iY+CNhXDTD0rSiyEH6IOyFemMHmgq rLK6P+POjx6V0gfiS7Um6hgOBFLEYFXS4qm2sEvCy2vU4BQbnun20MmT/PaD LcSxVpdIlKTRXAqZXsn8Fy6ifVORgXV9yhbyIKYqspopwV/rmdc7DOn4jN6D NQwCmmx6DfQ4MUTXcZK+bLb0FMzh0VphFRRg6NScsS3rdIunrEDSGs+xzFCM JOqIBZLGBcQYK13dJGE7ileESLtm6fZwR8Q/2D8C0fxFUPOUK7Uwq9+kOdJq z8KHEY1tHkbMXdmOhe9wF9lEoJb1sEnJ/kRdnDZxgSk6Vn9T7TVknpqOTiw9 QKyAwUu6jGr5InIxLkGdcnpTy+g6tdxUWQzqxciTJuvTvOGfiXiikMXTcBsV CWQudE4z92nTZZltmYNiqoOzdP5AMAUkfZo5t3aCKy5GY+VsriiEvektW9HO 9/tw+xnINlnQz6onGr4AnyaCYV0qLZRoJSyAvN49iOE3XfBL1vuHbqUusHO0 /Du7crVpBsGfLtLdpbp5Me3WJfzFZg37UfphbPuuc7THoqVtLt7EdkGdoCQx MgizrKUvLpfC0yGWulwlu27Yh1hIdbWN9RckDE5MtH51CtuhIagoaX/GLse6 PlOs6zMxQsJD1XDdTLVus/BaNfn1noQ7XV0M4hMPVdjncsXptn9pM3bPyRok 1EYSYu2d8cdFnpZ1xI9dzcDh/p5+gBsHX90eRK6BGqvi8XB373n4zFPXZO2J Z6GVs49McxI2fAiJJLqVmjKb6ABf6nMwtizd8o7UzZrr71+RUi2lBQax3/jN tCH2IkHTqoVn78LUKkNVaU4IC7RiraKzd0WZiAg22dtUPBZ31iIKAAe2fyIX ro9d+rkVBelvwj7iCTrKRfbB9NzvSDeIQ2WAT0r3IOjuE2lVBAWIOrTpY35y NFM+JK1LzEZVfllpz3enjWlk4jV9ygcx29ZqDb26XTYWBRlq3VW6FiXahsDd llx3eq6+e3FllPMIBASXocsFgED2/Qlnpskm8xddf8/sm9OZbGNEc1dE2nS+ NuqBOjLZcRg4KT5MDmVg0f1OdGAYM8Qg1oU5QlDaZlbqRAD54POdXlT7hTkt uBnnB0caGYu6p0kxkkkpc8TAWHmvLnPT8JwmlQxxju7B4qSOQ2cNBwf70gss Mkord2D+SyvBh2FOCapro98Rs3DdlNXZWJCwVhD6omKLX7fYva+ZW8DOsELP nc5cs6fzBi1f0UHwYTssOJaX3HRB5BHXxiJ6vmPrs7laoZp8ionOwuCdNauF fbQlPlqwYKsZb60wqI1jRb8cp4jA3wiaL1cgBVDd8TNBH69MpK6sULwxBGbo /cLMwVQp4QKKUlqu7+UdSjQmJt07jB+P3l5fSZUZBPWKcmPbJTMsmfIKzGws ueIIALS8ENEoq29gk0HadA6KrF2Mk9JmrDJtNQUD6rWJbR1j6ShpTLAuflFP LSU4tEPEFvtbk+JBJbgVnOnGzgQZ6k3tJA+dXeQoShP0yNPVHyK/poupXhua 3EnCDe4XqqiuqsBs2FTLTbwKcyMP4JzUpUNl2QRfm1qk1j3T00UMgsgxKGhi 8LbVaboTIgCAw+e17XutLNyxKS/oxL8w+shmgPO9p+UM3jOmxyC6tgm3Ty4g A/BGnbeZqNhyzkeWCHXSXidbX4g+Vosrzasey26qVY52oKAfzvFhCrf2XIJ6 2PNJpx8x6tplSc6YSN2kcn5W+eI2u3EmoBHNf5sVyhl8LqzhhgVaHeEa1CMX 
a40uKcZSr8HpBYo82jILLAiI4Uxa1GlGHDaAC8qCMfxYEA3dDJsWwV5636Um slEEHJ+o2zIXaZn7mbH5ktBCayzCP/zSI+vzo4ueynE5NRd/BXm30VvedCaF zDw+Yav6BsFjC8h5qRwMw36CDWTZKLGvj3VGrh6pwR2lxtOF7dKsHwuCXm2n e3h0FVNw7iXAV2MoECmKwRm4TsQrL5FFysk0qsN6XHWdzZMM0DwPK2KRz5YO 0t05fLW7ULNSvpB4RkzeThFIBiWC6WuRX2GEr13AAT6C1Cm7tQ3Xa0K9bN2x zqGC08zYFCw36Axp15xV8JEB2cXH+ArW1ZabFjHB5AfoMN+IQZStxskq0Eb9 xnw9Wyah6SS+SUdNiIFbvmpVZ8YpQWojzjsD2SYkZyS+LsW90O0ZGChumt7q V/5QXrCGOxpd9gJ524t0Tmo0kTV3hrhYPb9LVbOlArwCG6L72LY3QfZdZPwC ngzDQovRay11Gbh2Y2zQ4jA5r4rDmMScTbUf4MRBDXnx1E5sKonJPPUJu+Nl XkilX8fCvZ6x+ZhIGRrviINk4Bi6C9zgHW0jI5nL0pPC2NGPVq780atHkCak R7IGbxTY8Uog03Y/MlpvD8En/VvFJdG60oMgjQdDHG/RFpZrTjxq7iX36VjA 2iOIXhE9nS2pXNU1c9dRmP2r23UZoT836QrumzpNs16wG6dCyhG6tCj0TPFS waVwc2ibML07bMr2j/o7P8bepkA9tTjh23msYQBCwbaY6G3I6qpWe7FxtNlI FDHU3mhT270aRhVYstkFUOi637ZJnYOU2pTdkJ2zzm5VwC0ApXFZdxYyZLEn JTGwQxZBNkbPbdlcZI1Zxk7G8mPHY8Aqd9OgutHotW+g1c0EorZoa1alQtfN zjNdtormFdLendiS7wimj1W9RsW33goWrruAmNUj+s4sjmCFxFQBHb/BKxYl BU5EfTstF6lGz8ZGw0ajhoO0edYPo2vt9GOPvvtPjvzSfkBnf9TUR8pBPhH+ TPupWtJJT7KGtsqW7mtdan9tvzYLni/ClXcsnEraxVLT195RDPaKoWH2Rgrx +OwdCcYcf4A7YJyIvbIOoqkKjbSGBa48bbMwESLEPAHsz95oh6REspc9U2Ga HUZib7YOse0imIv8JcmB+wbsd1yoWwqGILkhmyD8wWt6++2HSo86CZY7JYj2 bBqJIsoImMgNl4p1bzKTMDNTkJWYREtEAWa3Uie9E3R2p9VnSYK2OvgkqwEY MFjSS2Ou+BV1RCy/vTHClGqvIoDz5IXlBlj10NHXkaSUmwoI7o5ghXZn1YnC 5fw5Jric4MGKjxgiwxLRhlvboqO2bbVpuucaz9i+41+QUpRqM1wU9MNGVbpG ctzWF8ZxHMySuZaTyQ+TLjnB+QjoyGmHE+jii/BYVtlsBu+hX+KP0SbSmYmm DFdgKuLcJ+nst3oR7/WbFtzmsU4xh0lQp2ZfXD3pRfv3/f5v2PUTFuUO1p77 NzHB6Er45uFB/FJKhK3l70tZRPaS8ExrPjd7UhAHkNtkEs81FKpJBzi4fsRG 6HAGjW60dkDd8agAjTRj4woBQSgmdx3g0tihuA6fu44y2w4LYh/moHPXGdoa LlwhEvZeSCBtJ/vfYZ1rxaeDw2yFl0hCthAw4LQi/TNyDGyPaWNu2iJedHQb Axgb97bByicyKVsLvSehPkjsqq7EGaa/o09qJTkh7M/T9tNo00dtswijhol7 X1KlOcDxC+7CrBvf00C7dTpZcxjMLvYnW/5Dd9d2feOSJlqvsMB+Vc1iTY1Q DVl0/gxzoYvpvqV5Sd/CZDl2Jfma3MwhXK4hQXRtCduFT9i+/QCK1/eJ3a/R Txv+t6HJ0XpfIxNDgFCjzmcmRd1foMEDrfjXiMu8a2oVFH32qqP7tStir3aF 
kEUiAToiU2OBBCexdZ47rmrJ34YzaeQhnESUE8l4L99dePl2F6fH7971R6Nj k5vin7CrDTR3VRV6dC/LnHFRejMWsUL4rAlQ0w3DuAiI/xD0hQpd0IwzbxC7 is6NPRZY+IMINnEaiwULB6xzhxCUSX/2WY0RwOTyws8Pnh9oydX+jDg8/vHZ 80OUTjNFNaKF5DupTqtZdnC6TwV97OumHRuLCyAUdrFKyK3ZMSeHmvdX6wdg Ix1MZ2EpMKlLppRFf5k086C7bA+kVYZTqHMImazLwhoy5DrGKy7CwWU0mfPQ sh5hHQYAH0kLINPlWYoOOnsZweGmjxtnib8DL4aBhSqdVdNJm/JPwSsjRDv1 /H6aipgcFOMp6ElXaGMan5RirXh8J219ILsmd9J+hAVckQURitgXN66pN2U2 T+z3Pa6wrFW0/jGuIMHLNeEakHgAfcItdE4ACeCSQEISxQq5tSZ5wAte2BjB xFUxuQkLiXaZ5vjKxZN41WVJniTlyCtjwpKPJB4P4nPTz1OYuVJxp8J/Vpja CeieDqq64tqiHDno9ieJk2xiYJ7m36jNJcL0xgXEnQKfsOXRVVBzV8pg14sE kY10UpR2F96L5pWeiM4z5fVRMm8akOp4wFx/RIh5CSpnIlNjks28+iCRQByX 7tV7i9f2RpCxe7Q32BnsDfasGxJ7iB7d3d0NXAaVqb35KHZVcNihyc+tP/XY 6V06MR0mBfrcHdqPExxyFRRuVBXp3Xvre7R79HxwuDvY3dkZ7DyymVB8OC+i KKb//Qtv99/q/7eyq+tu28iS7/0reJSHSGdJJZlMJjPjl5Wt2PGM5WgtJZnZ N5AEKUQQwCEIKYzO7m/frrof3QCp7O6TLYoCGo3uvl91q+5Qmfi3po0mJnrk k39Pj3MxOf4I/PNXr/JgEINboofuFV6WsdkvEr0Vjpvl/+/GR2+bP1cIWIij k8zVcf2oE7dopcWqIiN5G5Vv/fTuEuuU757OTGPcFyoCT5wGNwPppF2ohnO9 6Cm86Gc7/jYzZ0zT/KuvFvcCnBSrMLxydtVwQK3PbIAztOTv/vn5e+Db98i+ /Bnuy5vRDFH4MsZzzsaVeBJUnzG7M2NdPMEYhBaKXYyGNyIeLMJvCtDqORyr BWd/hpuL+usr426QDaoYHJ1wqREJCsgnEngYLiLvlsbE6+xI9tvDOh1OOWCB AMlQYjBeFEIZYxQL1Spwoyc8n7dWdankuJweG+OJTG25PAnS4TN+M6dxcX38 x+UPVxfvP4qXczawd/liCL4Y+o1kkCa+hLJFMGWvjJRRfPv70SuZHp2v04HY OXV20px2rTJyZEOOkWZSGlT5Zq7qBjsBm0ERglQRjDPNVQUpw/MwYg2Cc10V gywKtmex1dAtMZsOKlehbGZcElP7jjxpouSCN1pyW0lUg8uMysoDL5nUcIXa 8ictlixAbxXnnQ+qTSH0dOgInSi+I/gBoVLBWU1LLKH5yM5xPpvpUSG9IdRb DtmpkF6pw9UyqgF1yb3/H1eTLm1pNeYKeTIJ3ZeODK1K61UCQprt7reHcl+6 rsFBwN1lCn94tIE/6zLrOUObUO2g/7UrjbENp4YWCqEnjVnFxVwumfvBeKFR ITLvpzWCsrwMiW91OkUXUqO5Nuzy5ILQ9XgCiF/+pz/8UehEtiXM5Oj9nLmB TiaAOyWVg4m2sxKEF9/k0NHtlm1tvTrfZBcS9LDZG6aA6vWL4RfPLFmznxA0 k3VJ40T8JZ5S3VIY1oSjBpPoDcxK/Bof5CfVhblWbeSPOounP11/PAvuPkIy KXPeNSsztAjcHuLjyaEkXwy5py5nOag59eDXGMXMQ5FrKyiQVNJEQh57AFFW 8rC8PVhWPjBtr1L7DV34kHMzJdktqcI1OU8h4485sMfm4yXbaEwmPOXV3HFC 
RhJeugOrnRW0+EXoiWZ6ADxjc9iU7jvk50uZQcUf5nLHt5K2HUCJUxGjsC4q aQvOCVzEW9fFEgbLgR3+a8ZYns/bKsOQCpYlYwkcJxynmewRjMH2Hzb45kFT ybZ1M+B0MjpiusUXgP0vKtVoLZWcYFC5Hnak7IzLQDiTEtxxMsC07oYTNZVK 08GpVARF+E1TFlKjWVpCynkQGJtsUPD9Dzq2A1JLQXZmuRTT/oo3v/nuDSMW MTtWmwmSVMAvH4u6WsoCT99TFIPlYCW/y/zGgZt42mg/Me0UDkNSX9G7akli h0hF1J8UjhxkGA/a6K4D4RQoXlnvaFoPKx9uSMM9yxMpeYab8k+62R9KzoUk kThm4oiDBJFbHgN6f0kxy+XQR9F8vrPJgbXfipL9VCAHkswLKvjm5lXG/cUR u2lX6gixiD5l23d8f4nzlEwV3imf02ALoEfVUMIgmlU1wKIzqCUyvwLpd3TZ N1+D9RO5rq++/IuXuhIH/eBtpCQU7qP6RC9nnM4UP+0DsmTWgDZRxhfaDFeW 4UBH+L7WyVhN1SHPaIU8o5XIw9MM7LxlmXG8ckNkgsMvJLvHO1Ub/wVZN+wF mOJodalMKx8MaY8QLQoBf1LIlo4yWG2Vo00SNwfnBDlCCM4lidUMKR5Lhq6A Tu6kozaxgd4+sW2fG+mfbX/bz0vJJhU1oa9PcVskBYN4ESD2BqfgCL8jVCSl KaTrG3WyZ8XDKNOB3j3E0VY1nw/kI+9voms+UM1uBs1GYrxEaAZndGKwBARa 3FeQQj1Uv5RP3X3lzZWTH+sYw6suQH43oGdYP7irfin0dCY9c0r/ZBROH5gL /PrzTia/UZxOGDhARwfwwnJxDyRGRoMVA7uZTyhrtiOmnJPsyCe9CjpVTtC+ 2Ez+VjTGI/RHAwvao4r1HD9qwJ4Q47dVzvG8L3nyszafxutgl1qUNA3LuKWi P/IUPbDzuIQdoiQoXdsPmWuBuXDnzOJsFSaNE8LlL1hqjGOXuSL25BZLzLQH BFQ8lLFrJkDAgjsQOfxrnX4Fbcxu3r9788PVlYk1m/CT4dUHra6mYuK6JcIi prgJUaasukXPc8TBYKVJKlx2xq8lviKRC6zF0CNSea3MJYiT+77bFnGHh9Pz qj5zBYM49npebnfWt8njLW+8MD7eBKWomuCEX0nfilgZ66A50tqXydfcQapZ uMVceu4jsg5xQoZ0atPJ67JeV338z2XZCNXX26qhknZ4uy241N+VQGczXi5F Y/t93LB7anULWwXd+zvInTbo9Lxu5WtkOmLW4eapRA3z+flnUoul0sx3Tfkg QXE0U6g0N8x1rouHOeOBUxtfeN3Xa9DKxe3wWzSjk0+lhC/x5/1mixZvf4Lv 4hpq8E1/gm1Zxn/D932zJsmgPsCHYveI732Ic9oX/BMbO5os+jUct0/xTTaU H6/bx+Ke0uPxfyW/zkcU23Oj2cY/nX99/oe42f8qbGj2KFZ6Cgef/iU++dk0 Ea+hLI5ckBQKT7G2fD18F19otDOLyUXc2ml1nE1DdBtKtg8vJKkocGJEkacy DUi9QVKp1gD7TJk4kPGJX/P+l5e+fqTl+FiV0AuF1xmu/7Jcbwvx5IKpfWtb SG4GM/8oHgl1UvMGqY31E0frFo/bVRs3L2yp7yV2wKd0zLhyODXaIERSTYax zjE0JL9c75OioMSGQg9YqtKE3DKkO5jeaR4/anKAjB4SbYrsLrfxmomNI80P kr8ToWkPfFImWzCoalnwlAi7CEKNi8D8iELiwTQAnhbbSX6rZXof1mmLIK9Q j1ijOUmfSnU9JXhw9Wl6uDYLbcMgTya/K/Y6eWs94oco8EI61ySSlXxYaNo8 kdFJR7cCfYuNN9Bn4gF4bTPGE5zVeVzZ0YVCIjpHxljXr8MYM84kNI1aFQjV 
tvDCdI3SUrKU3fZLIvClmTbZhVDUT8ASlhhxY4Sv2iVLeGXZbgaxfqFJAbop aA/HaiZjumS40Eth78rSDUWj3Xr5dEtRIfM8Tgmmj7FRHBsGfCbtXdvSNNQT foTCD0fFPswwMkvgLKh4WfJox99HGIQCo/adjOFl0P53kEblUSPIi0tTZ41R 1wiLwZqwAm8H+TXL8mYW1TCa4i1b+cW8+m4o9KjDYt6K2jB2XAT3naz+gMyb cXqJbjG8DCfVS1SlkqTEgxy7VSbgLQoIsuiEYYy1CsW1axfFrQHg5+Ug05En Aj1GTWi4kKUYOom8RoJO1kFhGS/wJWipRMGjLkifp2ykF3rc/jB8g95jmCGa 6HFLCTubIQXdYPXlRA05sizakXtJib3oNokacM7E8P4apXS4yU8NE6DjEYIY 27nrpKM8NCUzhLKJB86hGdfEdPdUdQpF53DQep0RMKmT3vVzPugj/zsTp/IV Lr0eyqdSKAtezBzIFbCkCCUlAnQoCbsYoYGnVsWDvnA8UMlWWLuCLVJJSAOm u8RxdTg8v9We/TPjFWsPPeLLEZKWWyItjd2BwAJ5uyG93YRajkG+6i5lCHZh YgPb1vgAgPFmDWIB+oUy4/4uSBCHDi2lP3oJbH+4IIsJF59iLw1E6xniMMz8 MccHyjFpttHDvCe/99Ip88Rx4B6iPdNWDtuYeM4ZWGk8oq1Av148Cq8wUgZP cQIyFqpwyEJ1yAfR55PrZ2ThLHwV6XJjxI234eCyoxyV9OG7YlX5m01hkvWf hPFk6jkyFDRTDD9+f3PzfRi3YUoBCOsZ7lT0jAb6msWkn8f5i2ux73Lzlni6 PragRNhPDx57mQShkhiU0JePhKiMoobh2nHHNc0xHmmgNQnPDy9fxW5N28ci VoWgY938uEYu5BgrxxFM+ZmJ+gDl78Q+1gPw/Bm+Kcia/0p20ZsEpqnxfzrE IcSpr5pZfNyZ6MBNTq/e316dhQQGOvr8otu2adtVl4wdM0px+cYXQD8iNW6x hnyedShYTlHpMo3/pQboukGpQ2pRbGzIkOg0RvJy6P7we1iEMRTk8WbooMww MDuQtBXQFlqx6indZHri3JUDB/zoLFddyHg/jNBhM5pro7KybrjEbaP9F2E4 Szo7hDjp6PN5Ql4FPWcdOwOPzMkr7DOCEfzRIB9032XzxMZXtQA7UasYYPs7 pe+jfNhWvFW4gVzZio967GssocRU0GWdQuOnxxkjDmv+9vyI6spdvzlXt1pu Yr41PTjkb1g6AZR4l7N2B0l/6C8qlRiF/7zZWaEoRsdbK5rp25EjWmpb7gSF qut6gBNG90O7zH3ZJOXVAbR83RPwmSvM+YEylYcZdnMO+3xlKpwTNCGEtIrc Gf3NcL4PJ3i+D+lvhDQF+a7oGUk/C+Q6dBGdh1Oh2Xw/uzyvyt1qBqDHLPGI ZdSbSk93fjb03C5qA6Q3h6QkSNuhAym1+ZxiHkBnclMuzqbHtxONB5lpXLnF ewiknyv1hlufJv8kHUOiBn9QXfmd/dsg5TBrV7M5OS7y0y1bZd7vyIjtsa2W eege4FvM2YkWV/Y9T6yFEKYK14R43pUkubIg1lJ3MrJghtI0LbOBae//PnGB ZrRR6kYJtbBVYQcnngFnhA1Y94U0ksDEJzZg5faqeChJiRLBA/0oFOhA4dy8 2B2FtjF4KcZUDcZ2eFDdvllEM9/ASitpqJxcsC3ctNKNIWiXAspzs1as0A1O 9NOrH25vzqLJO/oa6XDcqXORRH8I+QU7m6tSZWTDdCSMUcsi7o1YBJqxRMfH 9r2BOdDcth/gIo14l7ecGAXAC+tO7oExnZQNttFJMFDDoDkGg6TiHvMUzXIm nF8yWKJPsia/ogt1GX15lkw0M5/4fcjOpQTUBp+YKp8KaQCjETHyGiU2B/H6 
--></rfc>