rfc9505.original.xml   rfc9505.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rfc [ <!DOCTYPE rfc [
<!ENTITY nbsp "&#160;"> <!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;"> <!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;"> <!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;"> <!ENTITY wj "&#8288;">
]> ]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.27 (Ruby 3.0. <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft
2) --> -irtf-pearg-censorship-10" number="9505" submissionType="IRTF" category="info"
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft consensus="true" tocInclude="true" sortRefs="true" symRefs="true" updates="" obs
-irtf-pearg-censorship-10" category="info" tocInclude="true" sortRefs="true" sym oletes="" xml:lang="en" version="3">
Refs="true" version="3">
<!-- xml2rfc v2v3 conversion 3.17.0 -->
<front> <front>
<title abbrev="draft-irtf-pearg-censorship">A Survey of Worldwide Censorship <title abbrev="Survey of Censorship Techniques">A Survey of Worldwide Censor
Techniques</title> ship Techniques</title>
<seriesInfo name="Internet-Draft" value="draft-irtf-peargq-censorship-10"/> <seriesInfo name="RFC" value="9505"/>
<author initials="J. L." surname="Hall" fullname="Joseph Lorenzo Hall"> <author initials="J. L." surname="Hall" fullname="Joseph Lorenzo Hall">
<organization>Internet Society</organization> <organization>Internet Society</organization>
<address> <address>
<email>hall@isoc.org</email> <email>hall@isoc.org</email>
</address> </address>
</author> </author>
<author initials="M. D." surname="Aaron" fullname="Michael D. Aaron"> <author initials="M. D." surname="Aaron" fullname="Michael D. Aaron">
<organization>CU Boulder</organization> <organization>CU Boulder</organization>
<address> <address>
<email>michael.drew.aaron@gmail.com</email> <email>michael.drew.aaron@gmail.com</email>
skipping to change at line 51 skipping to change at line 51
<address> <address>
<email>feamster@uchicago.edu</email> <email>feamster@uchicago.edu</email>
</address> </address>
</author> </author>
<author initials="M." surname="Knodel" fullname="Mallory Knodel"> <author initials="M." surname="Knodel" fullname="Mallory Knodel">
<organization>Center for Democracy &amp; Technology</organization> <organization>Center for Democracy &amp; Technology</organization>
<address> <address>
<email>mknodel@cdt.org</email> <email>mknodel@cdt.org</email>
</address> </address>
</author> </author>
<date year="2023" month="March" day="29"/> <date year="2023" month="November"/>
<area>General</area> <workgroup>Privacy Enhancements and Assessments</workgroup>
<workgroup>pearg</workgroup> <keyword>network censorship</keyword>
<keyword>Internet-Draft</keyword> <keyword>network blocking</keyword>
<keyword>network throttling</keyword>
<keyword>traffic impairment</keyword>
<keyword>censorship circumvention</keyword>
<abstract> <abstract>
<t>This document describes technical mechanisms employed in network censor <t>This document describes technical mechanisms employed in network
ship that regimes around censorship that regimes around the world use for blocking or impairing
the world use for blocking or impairing Internet traffic. It aims Internet traffic. It aims to make designers, implementers, and users of
to make designers, implementers, and users of Internet protocols aware Internet protocols aware of the properties exploited and mechanisms used
of the properties exploited and mechanisms used for censoring for censoring end-user access to information. This document makes no
end-user access to information. This document makes no suggestions on suggestions on individual protocol considerations, and is purely
individual protocol considerations, and is purely informational, informational, intended as a reference. This document is a product of
intended as a reference. This document is a product of the Privacy Enhancement a the Privacy Enhancement and Assessment Research Group (PEARG) in the
nd Assessment Research Group (PEARG) in the IRTF.</t> IRTF.</t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<section anchor="intro"> <section anchor="intro">
<name>Introduction</name> <name>Introduction</name>
<t>Censorship is where an entity in a position of power -- such as a <t>Censorship is where an entity in a position of power -- such as a
government, organization, or individual -- suppresses communication government, organization, or individual -- suppresses communication that
that it considers objectionable, harmful, sensitive, politically it considers objectionable, harmful, sensitive, or
incorrect or inconvenient <xref target="WP-Def-2020"/>. Although censors that en inconvenient <xref target="WP-Def-2020"/>. Although censors that engage
gage in censorship in censorship must do so through legal, martial, or other means, this
must do so through legal, military, or document focuses largely on technical mechanisms used to achieve network
other means, this document focuses largely on technical censorship.</t>
mechanisms used to achieve network censorship.</t>
<t>This document describes technical mechanisms that censorship regimes <t>This document describes technical mechanisms that censorship regimes
around the world use for blocking or impairing Internet traffic. See around the world use for blocking or impairing Internet traffic. See
<xref target="RFC7754"/> for a discussion of Internet blocking and filtering in <xref target="RFC7754"/> for a discussion of Internet blocking and
terms of implications for Internet architecture, rather than end-user filtering in terms of implications for Internet architecture rather than
access to content and services. There is also a growing field of end-user access to content and services. There is also a growing field
academic study of censorship circumvention (see the review article of of academic study of censorship circumvention (see the review article of
<xref target="Tschantz-2016"/>), results from which we seek to make relevant her <xref target="Tschantz-2016"/>), results from which we seek to make
e relevant here for protocol designers and implementers.</t>
for protocol designers and implementers.</t> <t>Censorship circumvention also impacts the cost of implementation of a
<t>Censorship circumvention also impacts the cost of implementation of a c censorship measure, and we include mentions of trade-offs in relation to
ensorship measure and we include mentions of tradeoffs in relation to such costs such costs in conjunction with each technical method identified
in conjunction with each technical method identified below.</t> below.</t>
<t>This document has seen extensive discussion and review in the IRTF Priv <t>This document has seen extensive discussion and review in the IRTF
acy Enhancement and Assessment Research Group (PEARG) and represents the consens Privacy Enhancement and Assessment Research Group (PEARG) and represents
us of that group. It is not an IETF product and is not a standard.</t> the consensus of that group. It is not an IETF product and is not a
standard.</t>
</section> </section>
<section anchor="terms"> <section anchor="terms">
<name>Terminology</name> <name>Terminology</name>
<t>We describe three elements of Internet censorship: prescription, <t>We describe three elements of Internet censorship: prescription,
identification, and interference. The document contains three major identification, and interference. This document contains three major
sections, each corresponding to one of these elements. Prescription is sections, each corresponding to one of these elements. Prescription is
the process by which censors determine what types of material they the process by which censors determine what types of material they
should censor, e.g., classifying pornographic websites as undesirable. should censor, e.g., classifying pornographic websites as undesirable.
Identification is the process by which censors classify specific Identification is the process by which censors classify specific traffic
traffic or traffic identifiers to be blocked or impaired, e.g., or traffic identifiers to be blocked or impaired, e.g., deciding that
deciding that webpages containing "sex" in an HTTP (Hypertext Transport Protocol webpages containing "sex" in an HTTP header or that accept traffic
) Header or that through the URL "www.sex.example" are likely to be undesirable.
accept traffic through the URL www.sex.example are likely to be Interference is the process by which censors intercede in communication
undesirable. Interference is the process by which censors intercede and prevent access to censored materials by blocking access or impairing
in communication and prevent access to censored materials by blocking the connection, e.g., implementing a technical solution capable of
access or impairing the connection, e.g., implementing a technical identifying HTTP headers or URLs and ensuring they are rendered wholly
solution capable of identifying HTTP headers or URLs and ensuring they or partially inaccessible.</t>
are rendered wholly or partially inaccessible.</t>
</section> </section>
<section anchor="tech-prescrip"> <section anchor="tech-prescrip">
<name>Technical Prescription</name> <name>Technical Prescription</name>
<t>Prescription is the process of figuring out what censors would like to <t>Prescription is the process of figuring out what censors would like
block <xref target="Glanville-2008"/>. Generally, censors aggregate information to block <xref target="Glanville-2008"/>. Generally, censors aggregate
"to information "to block" in blocklists, databases of image hashes <xref
block" in blocklists, databases of image hashes <xref target="ekr-2021"/>, or us target="ekr-2021"/>, or use real-time heuristic assessment of content
e real-time heuristic assessment of content <xref target="Ding-1999"/>. Some national networks are designed to more
<xref target="Ding-1999"/>. Some national networks are designed to more naturall naturally serve as points of control <xref target="Leyba-2019"/>. There
y are also indications that online censors use probabilistic machine
serve as points of control <xref target="Leyba-2019"/>. There are also indicatio learning techniques <xref target="Tang-2016"/>. Indeed, web crawling and
ns machine learning techniques are an active research area in the effort to
that online censors use probabilistic machine learning techniques identify content deemed as morally or commercially harmful to companies
<xref target="Tang-2016"/>. Indeed, web crawling and machine learning techniques or consumers in some jurisdictions <xref target="SIDN-2020"/>.</t>
are an active research area in the effort to identify content deemed <t>There are typically a few types of blocklist elements: keyword, domain
as morally or commercially harmful to companies or consumers in some name, protocol, or IP address. Keyword and domain name
jurisdictions <xref target="SIDN2020"/>.</t>
<t>There are typically a few types of blocklist elements: Keyword, domain
name, protocol, or Internet Protocol (IP) address. Keyword and domain name
blocking take place at the application level, e.g., HTTP; protocol blocking blocking take place at the application level, e.g., HTTP; protocol blocking
often occurs using deep packet inspection to identify a forbidden protocol; often occurs using deep packet inspection (DPI) to identify a forbidden protocol ;
IP blocking tends to take place using IP addresses in IPv4/IPv6 headers. IP blocking tends to take place using IP addresses in IPv4/IPv6 headers.
Some censors also use the presence of certain keywords to enable more Some censors also use the presence of certain keywords to enable more
aggressive blocklists <xref target="Rambert-2021"/> or to be more permissive wit h aggressive blocklists <xref target="Rambert-2021"/> or to be more permissive wit h
content <xref target="Knockel-2021"/>.</t> content <xref target="Knockel-2021"/>.</t>
<t>The mechanisms for building up these blocklists vary. Censors can purch ase <t>The mechanisms for building up these blocklists vary. Censors can purch ase
from private industry "content control" software, from private industry "content control" software,
which lets censors filter traffic from broad categories they would like to which lets censors filter traffic from broad categories they would like to
block, such as gambling or pornography <xref target="Knight-2005"/>. In these ca ses, block, such as gambling or pornography <xref target="Knight-2005"/>. In these ca ses,
these private services attempt to categorize every semi-questionable these private services attempt to categorize every semi-questionable
website to allow for meta-tag blocking. Similarly, they tune real-time website to allow for meta-tag blocking. Similarly, they tune real-time
content heuristic systems to map their assessments onto categories of content heuristic systems to map their assessments onto categories of
objectionable content.</t> objectionable content.</t>
<t>Countries that are more interested in retaining specific political cont rol <t>Countries that are more interested in retaining specific political cont rol
typically have ministries or organizations that maintain blocklists. Examples typically have ministries or organizations that maintain blocklists.
include the Ministry of Industry and Information Technology in China, Ministry o
f Examples
Culture and Islamic Guidance in Iran, and specific to copyright in France <xref include the Ministry of Industry and Information Technology in China, the Minist
target="HADOPI-2020"/> ry of
and across the EU for consumer protection law <xref target="Reda-2017"/>.</t> Culture and Islamic Guidance in Iran, and the organizations specific to copyrigh
<t>Content-layer filtering of images and video requires institutions or or t law in France <xref target="HADOPI"/>
ganizations to store hashes of images or videos to be blocked in databases, whic and consumer protection law across the EU <xref target="Reda-2017"/>.</t>
h can then be compared, with some degree of tolerance, to content that is sent, <t>Content-layer filtering of images and video requires institutions or
received or stored using centralized, content applications and services <xref ta organizations to store hashes of images or videos to be blocked in
rget="ekr-2021"/>.</t> databases, which can then be compared, with some degree of tolerance, to
content that is sent, received, or stored using centralized content
applications and services <xref target="ekr-2021"/>.</t>
</section> </section>
<section anchor="tech-id"> <section anchor="tech-id">
<name>Technical Identification</name> <name>Technical Identification</name>
<section anchor="poc"> <section anchor="poc">
<name>Points of Control</name> <name>Points of Control</name>
<t>Internet censorship takes place in all parts of the network <t>Internet censorship takes place in all parts of the network
topology. It may be implemented in the network itself (e.g., local loop topology. It may be implemented in the network itself (e.g., local
or backhaul), on the services side of communication (e.g., web hosts, loop or backhaul), on the services side of communication (e.g., web
cloud providers or content delivery networks), in the ancillary hosts, cloud providers, or content delivery networks), in the
services eco-system (e.g., domain name system or certificate ancillary services ecosystem (e.g., domain name system (DNS) or certific
authorities) or on the end-client side (e.g., in an end-user device ate
such as a smartphone, laptop or desktop or software executed on such authorities (CAs)), or on the end-client side (e.g., in an end-user devi
devices). An important aspect of pervasive technical interception is ce,
the necessity to rely on software or hardware to intercept the content such as a smartphone, laptop, or desktop, or software executed on such
the censor is interested in. There are various logical and physical devices). An important aspect of pervasive technical interception is
points-of-control censors may use for interception mechanisms, the necessity to rely on software or hardware to intercept the content
including, though not limited to, the following:</t> the censor is interested in. There are various logical and physical
<ul spacing="normal"> points of control that censors may use for interception mechanisms,
<li>Internet Backbone: If a censor controls elements of Internet netwo including, though not limited to, the following:</t>
rk <dl spacing="normal" newline="true">
infrastructure, such as the international gateways into a region or <dt>Internet Backbone:</dt>
Internet exchange points, those chokepoints can be used to filter <dd>If a censor controls elements of Internet network
undesirable traffic that is traveling into and out of the region by infrastructure, such as the international gateways into a region or
packet sniffing and port mirroring. Censorship at gateways is most Internet Exchange Points (IXPs), those choke points can be used to filt
effective at controlling the flow of information between a region er
and the rest of the Internet, but is ineffective at identifying undesirable traffic that is traveling into and out of the region by
content traveling between the users within a region, which would packet sniffing and port mirroring. Censorship at gateways is most
have to be accomplished at exchange points or other network effective at controlling the flow of information between a region
aggregation points. Some national network designs naturally serve as and the rest of the Internet, but is ineffective at identifying
more effective chokepoints and points of control <xref target="Leyba-2019"/>.</l content traveling between the users within a region, which would
i> have to be accomplished at exchange points or other network
<li>Internet Service Providers: Internet Service Providers are aggregation points. Some national network designs naturally serve as
frequently exploited points of control. They more effective choke points and points of control <xref
have the benefit of being easily enumerable by a censor -- often target="Leyba-2019"/>.</dd>
falling under the jurisdictional or operational control of a censor <dt>Internet Service Providers (ISPs):</dt>
in an indisputable way -- with the additional feature that an ISP <dd>ISPs are frequently exploited points of
can identify the regional and international traffic control. They have the benefit of being easily enumerable by a
of all their users. The censor's filtration mechanisms can be placed censor -- often falling under the jurisdictional or operational
on an ISP via governmental mandates, ownership, or voluntary/coercive influence. control of a censor in an indisputable way -- with the additional
</li> feature that an ISP can identify the regional and international
<li>Institutions: Private institutions such as corporations, traffic of all their users. The censor's filtration mechanisms can
schools, and Internet cafes can use filtration mechanisms. be placed on an ISP via governmental mandates, ownership, or
These mechanisms are occasionally at the request of a voluntary/coercive influence.</dd>
government censor, but can also be implemented to help achieve <dt>Institutions:</dt>
institutional goals, such as fostering a particular moral outlook on <dd>Private institutions such as corporations, schools, and Internet
life by school-children, independent of broader society or cafes can use filtration mechanisms. These mechanisms are
government goals.</li> occasionally at the request of a government censor but can also be
<li>Content Distribution Network (CDN): CDNs seek to collapse network implemented to help achieve institutional goals, such as fostering a
topology in order to better locate content closer to the service's particular moral outlook on life by schoolchildren, independent of
users. This reduces content transmission latency and improves quality broader society or government goals.</dd>
of service. The CDN service's content <dt>Content Distribution Network (CDN):</dt>
servers, located "close" to the user in a network-sense, can be <dd>CDNs seek to collapse network topology in order to better locate
powerful points of control for censors, especially if the location content closer to the service's users. This reduces content
of CDN repositories allow for easier interference.</li> transmission latency and improves QoS. The CDN
<li>Certificate Authorities (CAs) for Public-Key Infrastructures (PKIs service's content servers, located "close" to the user in a
): network sense, can be powerful points of control for censors,
Authorities that issue cryptographically secured resources can be a especially if the location of CDN repositories allows for easier
significant point of control. CAs that issue certificates to domain interference.</dd>
holders for TLS/HTTPS (the Web PKI) or Regional/Local Internet
Registries (RIRs) that issue Route Origination Authorizations (ROAs) <dt>CAs for Public Key Infrastructures (PKIs):</dt>
to BGP operators can be forced to issue rogue certificates that may <dd>Authorities that issue cryptographically secured resources can
allow compromise, i.e., by allowing censorship software to engage in be a significant point of control. CAs that issue certificates to
identification and interference where it may not have been possible before. CAs domain holders for TLS/HTTPS (the Web PKI) or Regional or Local
may Internet Registries (RIRs or LIRs) that issue Route Origin
also be forced to revoke certificates. This may lead to adversarial Authorizations (ROAs) to BGP operators can be forced to issue rogue
traffic routing or TLS interception being allowed, or an otherwise certificates that may allow compromise, i.e., by allowing censorship
rightful origin or destination point of traffic flows being unable software to engage in identification and interference where it may
to communicate in a secure way.</li> not have been possible before. CAs may also be forced to revoke
<li>Services: Application service providers can be pressured, certificates. This may lead to adversarial traffic routing, TLS
coerced, or legally required to censor specific content or data flows. interception being allowed, or an otherwise rightful origin or
Service providers naturally face incentives to maximize their destination point of traffic flows being unable to communicate in a
potential customer base, and potential service shutdowns or legal secure way.</dd>
liability due to censorship efforts may seem much less attractive <dt>Services:</dt>
than potentially excluding content, users, or uses of their <dd>Application service providers can be pressured, coerced, or
service. Services have increasingly become focal points of legally required to censor specific content or data flows. Service
censorship discussions, as well as the focus of discussions of moral providers naturally face incentives to maximize their potential
imperatives to use censorship tools.</li> customer base, and potential service shutdowns or legal liability
<li>Content sites: On the service side of communications lie many plat due to censorship efforts may seem much less attractive than
forms that potentially excluding content, users, or uses of their
publish user-generated content and require terms of service compliance with all service. Services have increasingly become focal points of
content censorship discussions as well as discussions of moral
and user accounts in order to avoid intermediary liability for the web hosts. imperatives to use censorship tools.</dd>
In aggregate, these policies, actions and remedies are known as content moderati <dt>Content Sites:</dt>
on. <dd>On the service side of communications lie many platforms that
Content moderation happens above the services or application layer, but publish user-generated content and require terms of service
these mechanisms are built to filter, sort and block content and users compliance with all content and user accounts in order to avoid
thus making them available to censors through direct pressure on the private ent intermediary liability for the web hosts. In aggregate, these
ity.</li> policies, actions, and remedies are known as content moderation.
<li>Personal Devices: Censors can mandate censorship software be Content moderation happens above the services or application layer,
installed on the device level. This has many disadvantages in terms but these mechanisms are built to filter, sort, and block content and
of scalability, ease-of-circumvention, and operating system users, thus making them available to censors through direct pressure
requirements. (Of course, if a personal device is treated with on the private entity.</dd>
censorship software before sale and this software is difficult to <dt>Personal Devices:</dt>
reconfigure, this may work in favor of those seeking to control <dd>Censors can mandate censorship software be installed on the
information, say for children, students, customers, or employees.) device level. This has many disadvantages in terms of scalability,
The emergence of mobile devices has exacerbate these feasibility ease of circumvention, and operating system requirements. (Of
problems. This software can also be mandated by institutional actors course, if a personal device is treated with censorship software
acting on non-governmentally mandated moral imperatives.</li> before sale and this software is difficult to reconfigure, this may
</ul> work in favor of those seeking to control information, say, for
<t>At all levels of the network hierarchy, the filtration mechanisms use children, students, customers, or employees.) The emergence of
d mobile devices has exacerbated these feasibility problems. This
to censor undesirable traffic are essentially the same: a censor software can also be mandated by institutional actors acting on
either directly identifies undesirable content using the identifiers non-governmentally mandated moral imperatives.</dd>
described below and then uses a blocking or shaping mechanism such as </dl>
the ones exemplified below to prevent or impair access, or requests <t>At all levels of the network hierarchy, the filtration mechanisms
that an actor ancillary to the censor, such as a private entity, used to censor undesirable traffic are essentially the same: a censor
perform these functions. Identification of undesirable traffic can either directly identifies undesirable content using the identifiers
occur at the application, transport, or network layer of the IP described below and then uses a blocking or shaping mechanism (such as
stack. Censors often focus on web traffic, so the relevant protocols the ones exemplified below to prevent or impair access), or requests
tend to be filtered in predictable ways (see <xref target="http-req"/> and that an actor ancillary to the censor (such as a private entity)
<xref target="http-resp"/>). For example, a subversive image might make it past perform these functions. Identification of undesirable traffic can
a occur at the application, transport, or network layer of the IP
keyword filter. However, if later the image is deemed undesirable, a stack. Censors often focus on web traffic, so the relevant protocols
censor may then blocklist the provider site's IP address.</t> tend to be filtered in predictable ways (see Sections <xref
target="http-req" format="counter"/> and <xref target="http-resp"
format="counter"/>). For example, a subversive image might make it
past a keyword filter. However, if later the image is deemed
undesirable, a censor may then blocklist the provider site's IP
address.</t>
</section> </section>
<section anchor="app-layer"> <section anchor="app-layer">
<name>Application Layer</name> <name>Application Layer</name>
<t>The following subsections describe properties and tradeoffs of common <t>The following subsections describe properties and trade-offs of commo n
ways in which censors filter using application-layer information. Each ways in which censors filter using application-layer information. Each
subsection includes empirical examples describing these common subsection includes empirical examples describing these common
behaviors for further reference.</t> behaviors for further reference.</t>
<section anchor="http-req"> <section anchor="http-req">
<name>HTTP Request Header Identification</name> <name>HTTP Request Header Identification</name>
<t>An HTTP header contains a lot of useful information for traffic <t>An HTTP header contains a lot of useful information for traffic
identification. Although "host" is the only required field in an HTTP identification. Although "host" is the only required field in an
request header (for HTTP/1.1 and later), an HTTP method field is necessary HTTP request header (for HTTP/1.1 and later), an HTTP method field
to do anything is necessary to do anything useful. As such, "method" and "host" are
useful. As such, "method" and "host" are the two fields used the two fields used most often for ubiquitous censorship. A censor
most often for ubiquitous censorship. A censor can sniff traffic and can sniff traffic and identify a specific domain name (host) and
identify a specific domain name (host) and usually a page name (GET usually a page name (for example, GET /page) as well. This identificat
/page) as well. This identification technique is usually paired with ion
transport header identification (see <xref target="sec_thid"/>) for a more robus technique is usually paired with transport header identification
t (see <xref target="sec_thid"/>) for a more robust method.</t>
method.</t>
<t>Tradeoffs: Request Identification is a technically straight-forward <t>Trade-offs: HTTP request header identification is a technically
identification method that can be easily implemented at the Backbone straightforward identification method that can be easily
or ISP level. The hardware needed for this sort of identification is implemented at the backbone or ISP level. The hardware needed for
cheap and easy-to-acquire, making it desirable when budget and scope this sort of identification is cheap and easy to acquire, making it
are a concern. HTTPS (Hyptertext Transport Protocol Secure) will encrypt the rel desirable when budget and scope are a concern. HTTPS (Hypertext
evant request and response Transport Protocol Secure) will encrypt the relevant request and
fields, so pairing with transport identification (see <xref target="sec_thid"/>) response fields, so pairing with transport identification (see <xref
is target="sec_thid"/>) is necessary for HTTPS filtering. However, some
necessary for HTTPS filtering. However, some countermeasures can countermeasures can trivially defeat simple forms of HTTP request
trivially defeat simple forms of HTTP Request Header Identification. header identification. For example, two cooperating endpoints -- an
For example, two cooperating endpoints -- an instrumented web server instrumented web server and client -- could encrypt or otherwise
and client -- could encrypt or otherwise obfuscate the "host" header in obfuscate the "host" header in a request, potentially thwarting
a request, potentially thwarting techniques that match against "host" header val techniques that match against "host" header values.</t>
ues.</t>
<t>Empirical Examples: Studies exploring censorship mechanisms have fo <t>Empirical Examples: Studies exploring censorship mechanisms have
und found evidence of HTTP header and/or URL filtering in many countries,
evidence of HTTP header/ URL filtering in many countries, including including Bangladesh, Bahrain, China, India, Iran, Malaysia,
Bangladesh, Bahrain, China, India, Iran, Malaysia, Pakistan, Russia, Pakistan, Russia, Saudi Arabia, South Korea, Thailand, and Turkey
Saudi Arabia, South Korea, Thailand, and Turkey <xref target="Verkamp-2012"/> <xref target="Nabi-2013"/> <xref
<xref target="Verkamp-2012"/> <xref target="Nabi-2013"/> <xref target="Aryan-201 target="Aryan-2013"/>. Commercial technologies are often purchased
2"/>. Commercial technologies are often purchased by by censors <xref target="Dalek-2013"/>. These commercial
censors <xref target="Dalek-2013"/>. These commercial technologies use a technologies use a combination of HTTP request header identification a
combination of HTTP Request Identification and Transport Header nd
Identification to filter specific URLs. Dalek et al. and Jones et transport header identification to filter specific URLs. Dalek et
al. identified the use of these products in the wild al. and Jones et al. identified the use of these products in the
<xref target="Dalek-2013"/> <xref target="Jones-2014"/>.</t> wild <xref target="Dalek-2013"/> <xref target="Jones-2014"/>.</t>
</section> </section>
<section anchor="http-resp"> <section anchor="http-resp">
<name>HTTP Response Header Identification</name> <name>HTTP Response Header Identification</name>
<t>While HTTP Request Header Identification relies on the information <t>While HTTP request header identification relies on the information
contained in the HTTP request from client to server, response contained in the HTTP request from client to server, HTTP response header
identification uses information sent in response by the server to identification uses information sent in response by the server to
client to identify undesirable content.</t> client to identify undesirable content.</t>
<t>Tradeoffs: As with HTTP Request Header Identification, the techniqu es <t>Trade-offs: As with HTTP request header identification, the techniq ues
used to identify HTTP traffic are well-known, cheap, and relatively used to identify HTTP traffic are well-known, cheap, and relatively
easy to implement. However, they are made useless by HTTPS because easy to implement. However, they are made useless by HTTPS because
HTTPS encrypts the response and its headers.</t> HTTPS encrypts the response and its headers.</t>
<t>The response fields are also less helpful for identifying content t han <t>The response fields are also less helpful for identifying content t han
request fields, as "Server" could easily be identified using HTTP request fields, as "Server" could easily be identified using HTTP
Request Header identification, and "Via" is rarely relevant. HTTP request header identification, and "Via" is rarely relevant. HTTP
Response censorship mechanisms normally let the first n packets response censorship mechanisms normally let the first n packets
through while the mirrored traffic is being processed; this may allow through while the mirrored traffic is being processed; this may allow
some content through and the user may be able to detect that the some content through, and the user may be able to detect that the
censor is actively interfering with undesirable content.</t> censor is actively interfering with undesirable content.</t>
<t>Empirical Examples: In 2009, Jong Park et al. at the University of New <t>Empirical Examples: In 2009, Jong Park et al. at the University of New
Mexico demonstrated that the Great Firewall of China (GFW) has used this Mexico demonstrated that the Great Firewall of China (GFW) has used this
technique <xref target="Crandall-2010"/>. However, Jong Park et al. found that t he technique <xref target="Crandall-2010"/>. However, Jong Park et al. found that t he
GFW discontinued this practice during the course of the study. Due to GFW discontinued this practice during the course of the study. Due to
the overlap in HTTP response filtering and keyword filtering (see the overlap in HTTP response filtering and keyword filtering (see
<xref target="kw-filt"/>), it is likely that most censors rely on keyword <xref target="kw-filt"/>), it is likely that most censors rely on keyword
filtering over TCP streams instead of HTTP response filtering.</t> filtering over TCP streams instead of HTTP response filtering.</t>
</section> </section>
<section anchor="tls"> <section anchor="tls">
<name>Transport Layer Security (TLS)</name> <name>Transport Layer Security (TLS)</name>
<t>Similar to HTTP, censors have deployed a variety of techniques towa <t>Similar to HTTP, censors have deployed a variety of techniques
rds towards censoring TLS (and by extension
censoring Transport Layer Security (TLS) (and by extension HTTPS). Most of HTTPS). Most of these techniques relate to the Server Name
these techniques relate to the Server Name Indication (SNI) field, Indication (SNI) field, including censoring SNI, Encrypted SNI (ESNI),
including censoring SNI, Encrypted SNI, or omitted SNI. Censors can also or
censor HTTPS content via server certificates. omitted SNI. Censors can also censor HTTPS content via server
Note that TLS 1.3 acts as a security component of QUIC.</t> certificates. Note that TLS 1.3 acts as a security component of
QUIC.</t>
<section anchor="sni"> <section anchor="sni">
<name>Server Name Indication (SNI)</name> <name>Server Name Indication (SNI)</name>
<t>In encrypted connections using TLS, there <t>In encrypted connections using TLS, there may be servers that
may be servers that host multiple "virtual servers" at a given network host multiple "virtual servers" at a given network address, and
address, and the client will need to specify in the the client will need to specify in the ClientHello message which
Client Hello message which domain name it seeks to connect to (so that domain name it seeks to connect to (so that the server can respond
the server can respond with the appropriate TLS certificate) using the with the appropriate TLS certificate) using, the SNI TLS extension
Server Name Indication (SNI) TLS extension <xref target="RFC6066"/>. <xref target="RFC6066"/>. The ClientHello message is unencrypted
The Client Hello message is unencrypted for TCP-based TLS. for TCP-based TLS. When using QUIC, the ClientHello message is
When using QUIC, the Client Hello message is encrypted but its encrypted, but its confidentiality is not effectively protected
confidentiality is not effectively protected because the initial encryption because the initial encryption keys are derived using a value that
keys are derived using a value that is visible on the wire. Since SNI is is visible on the wire. Since SNI is often sent in the clear (as
often sent in the clear (as are the cert fields sent in response), are the cert fields sent in response), censors and filtering
censors and filtering software can use it (and response cert fields) software can use it (and response cert fields) as a basis for
as a basis for blocking, filtering, or impairment by dropping blocking, filtering, or impairment by dropping connections to
connections to domains that match prohibited content (e.g., domains that match prohibited content (e.g., "bad.foo.example" may
bad.foo.example may be censored while good.foo.example is not) be censored while "good.foo.example" is not) <xref
<xref target="Shbair-2015"/>. There are ongoing standardization efforts in the target="Shbair-2015"/>. There are ongoing standardization efforts
TLS Working Group to encrypt SNI <xref target="I-D.ietf-tls-sni-encryption"/> in the TLS Working Group to encrypt SNI <xref target="RFC8744"/>
<xref target="I-D.ietf-tls-esni"/> and recent research shows promi <xref target="I-D.ietf-tls-esni"/>, and recent research shows
sing results in promising results in the use of ESNI in the face of
the use of encrypted SNI in the face of SNI-based filtering SNI-based filtering <xref target="Chai-2019"/> in some
<xref target="Chai-2019"/> in some countries.</t> countries.</t>
<t>Domain fronting has been one popular way to avoid identification <t>Domain fronting has been one popular way to avoid
by identification by censors <xref target="Fifield-2015"/>. To avoid
censors <xref target="Fifield-2015"/>. To avoid identification by censors, identification by censors, applications using domain fronting put
applications using domain fronting put a different domain name in the a different domain name in the SNI extension than in the "host"
SNI extension than in the Host: header, which is protected by header, which is protected by HTTPS. The visible SNI would
HTTPS. The visible SNI would indicate an unblocked domain, while the indicate an unblocked domain, while the blocked domain remains
blocked domain remains hidden in the encrypted application header. hidden in the encrypted application header. Some encrypted
Some encrypted messaging services relied on domain fronting to enable messaging services relied on domain fronting to enable their
their provision in countries employing SNI-based filtering. These provision in countries employing SNI-based filtering. These
services used the cover provided by domains for which blocking at the services used the cover provided by domains for which blocking at
domain level would be undesirable to hide their true domain the domain level would be undesirable to hide their true domain
names. However, the companies holding the most popular domains have names. However, the companies holding the most popular domains
since reconfigured their software to prevent this practice. It may be have since reconfigured their software to prevent this practice.
possible to achieve similar results using potential future options to It may be possible to achieve similar results using potential
encrypt SNI.</t> future options to encrypt SNI.</t>
<t>Tradeoffs: Some clients do not send the SNI extension (e.g., clie <t>Trade-offs: Some clients do not send the SNI extension (e.g.,
nts clients that only support versions of SSL and not TLS), rendering
that only support versions of SSL and not TLS), rendering this method this method ineffective (see <xref target="omitsni"/>).
ineffective (see <xref target="omitsni"/>). In addition, this technique requires
deep packet In addition, this technique requires deep packet inspection (DPI)
inspection (DPI) techniques that can be computationally and techniques that can be
infrastructurally expensive, especially when applied to QUIC where DPI requires expensive in terms of computational complexity and infrastructure, e
key extraction and decryption of the Client Hello in order to read the SNI. Impr specially when applied to QUIC where DPI requires key
oper configuration of an SNI-based extraction and decryption of the ClientHello in order to read the
block can result in significant overblocking, e.g., when a SNI. Improper configuration of an SNI-based block can result in
second-level domain like populardomain.example is inadvertently significant over-blocking, e.g., when a second-level domain like
blocked. In the case of encrypted SNI, pressure to censor may "populardomain.example" is inadvertently blocked. In the case of
transfer to other points of intervention, such as content and application provid ESNI, pressure to censor may transfer to other points of
ers.</t> intervention, such as content and application providers.</t>
<t>Empirical Examples: There are many examples of security firms tha <t>Empirical Examples: There are many examples of security firms
t that offer SNI-based filtering products <xref
offer SNI-based filtering products <xref target="Trustwave-2015"/> <xref target= target="Trustwave-2015"/> <xref target="Sophos-2023"/> <xref
"Sophos-2015"/> target="Shbair-2015"/>. The governments of China, Egypt, Iran,
<xref target="Shbair-2015"/>, and the governments of China, Egypt, Qatar, South Korea, Turkey, Turkmenistan, and the United Arab Emirat
Iran, Qatar, es all do
South Korea, Turkey, Turkmenistan, and the UAE all do widespread SNI widespread SNI filtering or blocking <xref target="OONI-2018"/>
filtering or blocking <xref target="OONI-2018"/> <xref target="OONI-2019"/> <xre <xref target="OONI-2019"/> <xref target="NA-SK-2019"/> <xref
f target="NA-SK-2019"/> target="CitizenLab-2018"/> <xref target="Gatlan-2019"/> <xref
<xref target="CitizenLab-2018"/> <xref target="Gatlan-2019"/> <xre target="Chai-2019"/> <xref target="Grover-2019"/> <xref
f target="Chai-2019"/> <xref target="Grover-2019"/> target="Singh-2019"/>. SNI blocking against QUIC traffic was first
<xref target="Singh-2019"/>. SNI blocking against QUIC traffic was observed in Russia in March 2022 <xref
first observed in Russia in March 2022 <xref target="Elmenhorst-2022"/>.</t> target="Elmenhorst-2022"/>.</t>
</section> </section>
<section anchor="esni"> <section anchor="esni">
<name>Encrypted SNI (ESNI)</name> <name>Encrypted SNI (ESNI)</name>
<t>With the data leakage present with the SNI field, a natural respo <t>With the data leakage present with the SNI field, a natural
nse is to response is to encrypt it, which is forthcoming in TLS 1.3 with
encrypt it, which is forthcoming in TLS 1.3 with Encrypted Client Hello Encrypted Client Hello (ECH). Prior to ECH, the ESNI extension is
(ECH). Prior to ECH, the Encrypted SNI (ESNI) extension is available to available to prevent the data leakage caused by SNI, which
prevent the data leakage caused by SNI, which encrypts only the SNI field. encrypts only the SNI field. Unfortunately, censors can target
Unfortunately, censors can target connections that use the ESNI extension connections that use the ESNI extension specifically for
specifically for censorship. This guarantees overblocking for the censor, censorship. This guarantees over-blocking for the censor but can be
but can be worth the cost if ESNI is not yet widely deployed within the worth the cost if ESNI is not yet widely deployed within the
country. Encrypted Client Hello (ECH) is the emerging standard for protecting country. ECH is the emerging standard for protecting the entire
the entire TLS Client Hello, but it is not yet widely deployed.</t> TLS ClientHello, but it is not yet widely deployed.</t>
<t>Tradeoffs: The cost to censoring Encrypted SNI (ESNI) is signific <t>Trade-offs: The cost to censoring ESNI is significantly higher
antly than SNI to a censor, as the censor can no longer target
higher than SNI to a censor, as the censor can no longer target censorship to specific domains and guarantees over-blocking. In
censorship to specific domains and guarantees over-blocking. In these these cases, the censor uses the over-blocking to discourage the
cases, the censor uses the over-blocking to discourage the use of use of ESNI entirely.</t>
ESNI entirely.</t> <t>Empirical Examples: In 2020, China began censoring all uses of
<t>Empirical Examples: In 2020, China began censoring all uses of En ESNI <xref target="Bock-2020b"/>, even for innocuous
crypted connections. The censorship mechanism for China's ESNI censorship
ESNI (ESNI) <xref target="Bock-2020b"/>, even for innocuous connections. The differs from how China censors SNI-based connections, suggesting
censorship mechanism for China's ESNI censorship differs from how that new middleboxes were deployed specifically to target ESNI
China censors SNI-based connections, suggesting that new middleboxes connections.</t>
were deployed specifically to target ESNI connections.</t>
</section> </section>
<section anchor="omitsni"> <section anchor="omitsni">
<name>Omitted-SNI</name> <name>Omitted SNI</name>
<t>Researchers have observed that some clients omit the SNI extensio <t>Researchers have observed that some clients omit the SNI
n extension entirely. This omitted-SNI approach limits the
entirely. This omitted-SNI approach limits the information available information available to a censor. Like with ESNI, censors can
to a censor. Like with ESNI, censors can choose to block connections that choose to block connections that omit the SNI, though this too
omit the SNI, though this too risks over-blocking.</t> risks over-blocking.</t>
<t>Tradeoffs: The approach of censoring all connections that omit th <t>Trade-offs: The approach of censoring all connections that omit
e SNI field the SNI field is guaranteed to over-block, though connections that
is guaranteed to over-block, though connections that omit the SNI field omit the SNI field should be relatively rare in the wild.</t>
should be relatively rare in the wild.</t> <t>Empirical Examples: In the past, researchers have observed
<t>Empirical Examples: In the past, researchers have observed censor censors in Russia blocking connections that omit the SNI field
s in Russia <xref target="Bock-2020b"/>.</t>
blocking connections that omit the SNI field <xref target="Bock-2020b"/>.</t>
</section> </section>
<section anchor="server-response-certificate"> <section anchor="server-response-certificate">
<name>Server Response Certificate</name> <name>Server Response Certificate</name>
<t>During the TLS handshake after the TLS Client Hello, the server w ill respond <t>During the TLS handshake after the TLS ClientHello, the server wi ll respond
with the TLS certificate. This certificate also contains the domain with the TLS certificate. This certificate also contains the domain
the client is trying to access, creating another avenue that censors the client is trying to access, creating another avenue that censors
can use to perform censorship. This technique will not work in TLS 1.3, as the can use to perform censorship. This technique will not work in TLS 1.3, as the
certificate will be encrypted.</t> certificate will be encrypted.</t>
<t>Tradeoffs: Censoring based on the server certificate requires DPI techniques that can be more computationally <t>Trade-offs: Censoring based on the server certificate requires DP I techniques that can be more computationally
expensive compared to other methods. Additionally, the certificate is expensive compared to other methods. Additionally, the certificate is
sent later in the TLS Handshake compared to the SNI field, forcing sent later in the TLS handshake compared to the SNI field, forcing
the censor to track the connection longer.</t> the censor to track the connection longer.</t>
<t>Empirical Examples: Researchers have observed the Reliance Jio <t>Empirical Examples: Researchers have observed the Reliance Jio
ISP in India using certificate response fields to censor connections ISP in India using certificate response fields to censor connections
<xref target="Satija-2021"/>.</t> <xref target="Satija-2021"/>.</t>
</section> </section>
</section> </section>
<section anchor="kw-filt"> <section anchor="kw-filt">
<name>Instrumenting Content Distributors</name> <name>Instrumenting Content Distributors</name>
<t>Many governments pressure content providers to censor themselves, o <t>Many governments pressure content providers to censor themselves,
r or provide the legal framework, within which content distributors
provide the legal framework within which content distributors are are incentivized to follow the content restriction preferences of
incentivized to follow the content restriction preferences of agents agents external to the content distributor <xref
external to the content distributor <xref target="Boyle-1997"/>. Due to the target="Boyle-1997"/>. Due to the extensive reach of such
extensive reach of such censorship, we define content censorship, we define "content distributor" as any service that
distributor as any service that provides utility to users, including provides utility to users, including everything from websites to
everything from web sites to storage to locally installed programs.</t> storage to locally installed programs.</t>
<t>A commonly <t>A commonly
used method of instrumenting content distributors consists of keyword used method of instrumenting content distributors consists of keyword
identification to detect restricted terms on their platforms. Governments identification to detect restricted terms on their platforms. Governments
may provide the terms on such keyword lists. Alternatively, the content may provide the terms on such keyword lists. Alternatively, the content
provider may be expected to come up with their own list.</t> provider may be expected to come up with their own list.</t>
<t>An increasingly common method of instrumenting content distribution consists of hash matching to detect and take action on images and videos known to be restricted either by governments, institutions, organizations or the distr ibutor themselves <xref target="ekr-2021"/>.</t> <t>An increasingly common method of instrumenting content distribution consists of hash matching to detect and take action against images and videos k nown to be restricted either by governments, institutions, organizations or the distributor themselves <xref target="ekr-2021"/>.</t>
<t>A different <t>A different
method of instrumenting content distributors consists of requiring a method of instrumenting content distributors consists of requiring a
distributor to disassociate with some categories of users. See also distributor to disassociate with some categories of users. See also
<xref target="notice"/>.</t> <xref target="notice"/>.</t>
<t>Tradeoffs: By instrumenting content distributors to identify <t>Trade-offs: By instrumenting content distributors to identify
restricted content or content providers, the censor can gain new restricted content or content providers, the censor can gain new
information at the cost of political capital with the companies it information at the cost of political capital with the companies it
forces or encourages to participate in censorship. For example, the forces or encourages to participate in censorship. For example, the
censor can gain insight about the content of encrypted traffic by censor can gain insight about the content of encrypted traffic by
coercing web sites to identify restricted content. Coercing content coercing websites to identify restricted content. Coercing content
distributors to regulate users, categories of users, content and distributors to regulate users, categories of users, content, and
content providers may encourage users and content providers to exhibit content providers may encourage users and content providers to
self-censorship, an additional advantage for censors (see <xref target="selfcens exhibit self-censorship, an additional advantage for censors (see
or"/>). The tradeoffs <xref target="selfcensor"/>). The trade-offs for instrumenting
for instrumenting content distributors are highly dependent on the content distributors are highly dependent on the content provider
content provider and the requested assistance. A typical concern is and the requested assistance. A typical concern is that the targeted
that the targeted keywords or categories of users are too broad, risk keywords or categories of users are too broad, risk being too
being too broadly applied, or are not subjected to a sufficiently broadly applied, or are not subjected to a sufficiently robust legal
robust legal process prior to their mandatory application (see p. 8 of process prior to their mandatory application (see page 8 of <xref
<xref target="EC-2012"/>).</t> target="EC-2012"/>).</t>
<t>Empirical Examples: Researchers discovered keyword identification <t>Empirical Examples: Researchers discovered keyword identification
by content providers on platforms ranging from instant messaging by content providers on platforms ranging from instant messaging
applications <xref target="Senft-2013"/> to search engines <xref target="Rushe-2 applications <xref target="Senft-2013"/> to search engines <xref
015"/> target="Rushe-2014"/> <xref target="Cheng-2010"/> <xref
<xref target="Cheng-2010"/> <xref target="Whittaker-2013"/> <xref ta target="Whittaker-2013"/> <xref target="BBC-2013"/> <xref
rget="BBC-2013"/> <xref target="Condliffe-2013"/>. To target="Condliffe-2013"/>. To demonstrate the prevalence of this
demonstrate the prevalence of this type of keyword identification, we type of keyword identification, we look to search engine
look to search engine censorship.</t> censorship.</t>
<t>Search engine censorship demonstrates keyword identification by <t>Search engine censorship demonstrates keyword identification by
content providers and can be regional or worldwide. Implementation is content providers and can be regional or worldwide. Implementation
occasionally voluntary, but normally it is based on laws and regulations is occasionally voluntary, but normally it is based on laws and
of the country a search engine is operating in. The keyword blocklists regulations of the country a search engine is operating in. The
are most likely maintained by the search engine provider. China is keyword blocklists are most likely maintained by the search engine
known to require search engine providers to "voluntarily" maintain provider. China is known to require search engine providers to
search term blocklists to acquire and keep an Internet content provider "voluntarily" maintain search term blocklists to acquire and keep an
(ICP) license <xref target="Cheng-2010"/>. It is clear these blocklists are Internet Content Provider (ICP) license <xref target="Cheng-2010"/>.
maintained by each search engine provider based on the slight It is clear these blocklists are maintained by each search engine
variations in the intercepted searches <xref target="Zhu-2011"/> provider based on the slight variations in the intercepted searches
<xref target="Whittaker-2013"/>. The United Kingdom has been pushing <xref target="Zhu-2011"/> <xref target="Whittaker-2013"/>. The
search engines United Kingdom has been pushing search engines to self-censor with
to self-censor with the threat of litigation if they do not do it the threat of litigation if they do not do it themselves: Google and
themselves: Google and Microsoft have agreed to block more than Microsoft have agreed to block more than 100,000 queries in the
100,000 queries in the U.K. to help combat abuse <xref target="BBC-2013"/> U.K. to help combat abuse <xref target="BBC-2013"/> <xref
<xref target="Condliffe-2013"/>. European Union law, as well as US target="Condliffe-2013"/>. European Union law, as well as United Stat
law, requires es law,
modification of search engine results in response to either copyright, requires modification of search engine results in response to either
trademark, data protection or defamation concerns <xref target="EC-2012"/>.</t> copyright, trademark, data protection, or defamation concerns <xref
<t>Depending on the output, search engine keyword identification may b target="EC-2012"/>.</t>
e <t>Depending on the output, search engine keyword identification may
difficult or easy to detect. In some cases, specialized or blank be difficult or easy to detect. In some cases, specialized or blank
results provide a trivial enumeration mechanism, but more subtle results provide a trivial enumeration mechanism, but more subtle
censorship can be difficult to detect. In February 2015, Microsoft's search censorship can be difficult to detect. In February 2015, Microsoft's
engine, Bing, was accused of censoring Chinese content outside of search engine, Bing, was accused of censoring Chinese content
China <xref target="Rushe-2015"/> because Bing returned different results for outside of China <xref target="Rushe-2014"/> because Bing returned
censored terms in Chinese and English. However, it is possible that different results for censored terms in Chinese and
censorship of the largest base of Chinese search users, China, biased English. However, it is possible that censorship of the largest base
Bing's results so that the more popular results in China (the of Chinese search users, China, biased Bing's results so that the
uncensored results) were also more popular for Chinese speakers more popular results in China (the uncensored results) were also
outside of China.</t> more popular for Chinese speakers outside of China.</t>
<t>Disassociation by content distributors from certain categories of <t>Disassociation by content distributors from certain categories of
users has happened for instance in Spain, as a result of the conflict users has happened for instance in Spain, as a result of the conflict
between the Catalan independence movement and the Spanish legal between the Catalan independence movement and the Spanish legal
presumption of a unitary state <xref target="Lomas-2019"/>. E-sport event presumption of a unitary state <xref target="Lomas-2019"/>. E-sport event
organizers have also disassociated themselves from top players who organizers have also disassociated themselves from top players who
expressed political opinions in relation to the 2019 Hong Kong expressed political opinions in relation to the 2019 Hong Kong
protests <xref target="Victor-2019"/>. See also <xref target="discon"/>.</t> protests <xref target="Victor-2019"/>. See also <xref target="discon"/>.</t>
</section> </section>
<section anchor="dpi"> <section anchor="dpi">
<name>DPI Identification</name> <name>DPI Identification</name>
<t>DPI (deep packet inspection) technically is any kind of packet <t>DPI technically is any kind of packet analysis beyond IP address
analysis beyond IP address and port number and has become and port number and has become computationally feasible as a
computationally feasible as a component of censorship mechanisms component of censorship mechanisms in recent years <xref
in recent years <xref target="Wagner-2009"/>. Unlike other target="Wagner-2009"/>. Unlike other techniques, DPI reassembles
techniques, DPI reassembles network flows to examine the application network flows to examine the application "data" section, as opposed
"data" section, as opposed to only headers, and is therefore often to only headers, and is therefore often used for keyword
used for keyword identification. DPI also differs from other identification. DPI also differs from other identification
identification technologies because it can leverage additional packet technologies because it can leverage additional packet and flow
and flow characteristics, e.g., packet sizes and timings, when identifying characteristics, e.g., packet sizes and timings, when identifying
content. To prevent substantial quality of service (QoS) impacts, DPI content. To prevent substantial QoS impacts,
normally analyzes a copy of data while the original packets continue DPI normally analyzes a copy of data while the original packets
to be routed. Typically, the traffic is split using either a mirror continue to be routed. Typically, the traffic is split using either
switch or fiber splitter, and analyzed on a cluster of machines a mirror switch or fiber splitter and analyzed on a cluster of
running Intrusion Detection Systems (IDS) configured for censorship.</t> machines running Intrusion Detection Systems (IDSs) configured for
<t>Tradeoffs: DPI is one of the most expensive identification mechanis censorship.</t>
ms <t>Trade-offs: DPI is one of the most expensive identification
and can have a large QoS impact <xref target="Porter-2010"/>. When used as a mechanisms and can have a large QoS impact <xref
keyword filter for TCP flows, DPI systems can cause also major target="Porter-2005"/>. When used as a keyword filter for TCP
overblocking problems. Like other techniques, DPI is less useful flows, DPI systems can cause also major over-blocking problems. Like
against encrypted data, though DPI can leverage unencrypted elements other techniques, DPI is less useful against encrypted data, though
of an encrypted data flow, e.g., the Server Name Indication (SNI) sent DPI can leverage unencrypted elements of an encrypted data flow
in the clear for TLS, or metadata about an encrypted flow, e.g., packet (e.g., the Server Name Indication (SNI) sent in the clear for TLS)
sizes, which differ across video and textual flows, to identify traffic. or metadata about an encrypted flow (e.g., packet sizes, which
See <xref target="sni"/> for more information about SNI-based filtration mechani differ across video and textual flows) to identify traffic. See
sms.</t> <xref target="sni"/> for more information about SNI-based filtration
<t>Other kinds of information can be inferred by comparing certain une mechanisms.</t>
ncrypted elements <t>Other kinds of information can be inferred by comparing certain
exchanged during TLS handshakes to similar data points from known sources. unencrypted elements exchanged during TLS handshakes to similar data
This practice, called TLS fingerprinting, allows a probabilistic identification points from known sources. This practice, called "TLS
of fingerprinting", allows a probabilistic identification of a party's
a party's operating system, browser, or application, based on a comparison of th operating system, browser, or application, based on a comparison of
e the specific combinations of TLS version, ciphersuites, compression
specific combinations of TLS version, ciphersuites, compression options, etc. options, etc., sent in the ClientHello message to similar signatures
sent in the ClientHello message to similar signatures found in unencrypted traff found in unencrypted traffic <xref target="Husak-2016"/>.</t>
ic <xref target="Husak-2016"/>.</t> <t>Despite these problems, DPI is the most powerful identification
<t>Despite these problems, DPI is the most powerful identification met method and is widely used in practice. The Great Firewall of China
hod (GFW), the largest censorship system in the world, uses DPI to
and is widely used in practice. The Great Firewall of China (GFW), the identify restricted content over HTTP and DNS and to inject TCP RSTs
largest censorship system in the world, uses DPI to identify and bad DNS responses, respectively, into connections <xref
restricted content over HTTP and DNS and to inject TCP RSTs and bad DNS target="Crandall-2010"/> <xref target="Clayton-2006"/> <xref
responses, respectively, into connections <xref target="Crandall-2010"/> <xref t target="Anonymous-2014"/>.</t>
arget="Clayton-2006"/> <xref target="Anonymous-2014"/>.</t> <t>Empirical Examples: Several studies have found evidence of
<t>Empirical Examples: Several studies have found evidence of censors censors using DPI for censoring content and tools. Clayton et al.,
using DPI for censoring content and tools. Clayton et al., Crandal et al., Crandal et al., Anonymous, and Khattak et al., all explored the GFW
Anonymous, and Khattak et al., all explored the GFW <xref target="Crandall-2010" <xref target="Crandall-2010"/> <xref target="Clayton-2006"/> <xref
/> target="Anonymous-2014"/>. Khattak et al. even probed the firewall
<xref target="Clayton-2006"/> <xref target="Anonymous-2014"/>. Khatt to discover implementation details like how much state it stores
ak et al. even probed the <xref target="Khattak-2013"/>. The Tor project claims that China,
firewall to discover implementation details like how much state it stores <xref Iran, Ethiopia, and others must have used DPI to block the obfs2
target="Khattak-2013"/>. protocol <xref target="Wilde-2012"/>. Malaysia has been accused of
The Tor project claims that China, Iran, Ethiopia, and others must have used using targeted DPI, paired with DDoS, to identify and subsequently
DPI to block the obfs2 protocol <xref target="Wilde-2012"/>. Malaysia has attack pro-opposition material <xref target="Wagstaff-2013"/>. It
been accused of using targeted DPI, paired with DDoS, to identify and also seems likely that organizations that are not so worried about
subsequently attack pro-opposition material <xref target="Wagstaff-2013"/>. It blocking content in real time could use DPI to sort and
also seems likely that organizations not so worried about blocking categorically search gathered traffic using technologies such as
content in real-time could use DPI to sort and categorically search high-speed packet processing <xref target="Hepting-2011"/>.</t>
gathered traffic using technologies such as high-speed packet processing
<xref target="Hepting-2011"/>.</t>
</section> </section>
</section> </section>
<section anchor="transport"> <section anchor="transport">
<name>Transport Layer</name> <name>Transport Layer</name>
<section anchor="sec_thid"> <section anchor="sec_thid">
<name>Shallow Packet Inspection and Transport Header Identification</n ame> <name>Shallow Packet Inspection and Transport Header Identification</n ame>
<t>Of the various shallow packet inspection methods, Transport Header <t>Of the various shallow packet inspection methods, transport
Identification is the most pervasive, reliable, and predictable type header identification is the most pervasive, reliable, and
of identification. Transport headers contain a few invaluable pieces predictable type of identification. Transport headers contain a few
of information that must be transparent for traffic to be successfully invaluable pieces of information that must be transparent for
routed: destination and source IP address and port. Destination and traffic to be successfully routed: destination and source IP address
Source IP are doubly useful, as not only does it allow a censor to and port. Destination and source IP are doubly useful, as not only
block undesirable content via IP blocklisting, but also allows a do they allow a censor to block undesirable content via IP
censor to identify the IP of the user making the request and the IP blocklisting but also allow a censor to identify the IP of the user
address of the destination being visited, which in most cases can be making the request and the IP address of the destination being
used to infer the domain being visited <xref target="Patil-2019"/>. Port is usef visited, which in most cases can be used to infer the domain being
ul visited <xref target="Patil-2019"/>. Port is useful for allowlisting
for allowlisting certain applications.</t> certain applications.</t>
<t>Combining IP address, port and protocol information found in the tr <t>By combining IP address, port, and protocol information found in
ansport header, shallow packet inspection can be used by a censor to identify sp the transport header, shallow packet inspection can be used by a
ecific TCP or UDP endpoints. UDP endpoint blocking has been observed in the cont censor to identify specific TCP or UDP endpoints. UDP endpoint
ext of QUIC blocking <xref target="Elmenhorst-2021"/>.</t> blocking has been observed in the context of QUIC blocking <xref
<t>Trade offs: header identification is popular due to its simplicity, target="Elmenhorst-2021"/>.</t>
availability, and robustness.</t> <t>Trade-offs: Header identification is popular due to its
<t>Header identification is trivial to implement, but is difficult to simplicity, availability, and robustness.</t>
implement in backbone or ISP routers at scale, and is therefore
typically implemented with DPI. Blocklisting an IP is equivalent to <t>Header identification is trivial to implement in some routers, but i
installing a specific route on a router (such as a /32 route for IPv4 s difficult
addresses and a /128 route for IPv6 addresses). However, due to to implement in backbone or ISP routers at scale, and is therefore
limited flow table space, this cannot scale beyond a few thousand IPs typically implemented with DPI. Blocklisting an IP is equivalent to
at most. IP blocking is also relatively crude. It often leads to installing a specific route on a router (such as a /32 route for
overblocking and cannot deal with some services like content IPv4 addresses and a /128 route for IPv6 addresses). However, due to
distribution networks (CDN) that host content at hundreds or thousands limited flow table space, this cannot scale beyond a few thousand
of IP addresses. Despite these limitations, IP blocking is extremely IPs at most. IP blocking is also relatively crude. It often leads to
effective because the user needs to proxy their traffic through over-blocking and cannot deal with some services like Content
another destination to circumvent this type of identification. Distribution Networks (CDNs) that host content at hundreds or
In addition, IP blocking is effective against all protocols above IP, e.g., thousands of IP addresses. Despite these limitations, IP blocking is
TCP and QUIC.</t> extremely effective because the user needs to proxy their traffic
<t>Port-blocking is generally not useful because many types of content through another destination to circumvent this type of
share the same port and it is possible for censored applications to identification. In addition, IP blocking is effective against all
change their port. For example, most HTTP traffic goes over port 80, protocols above IP, e.g., TCP and QUIC.</t>
so the censor cannot differentiate between restricted and allowed web <t>Port blocking is generally not useful because many types of
content solely on the basis of port. HTTPS goes over port 443, with content share the same port, and it is possible for censored
similar consequences for the censor except only partial metadata may applications to change their port. For example, most HTTP traffic
now be available to the censor. Port allowlisting is occasionally goes over port 80, so the censor cannot differentiate between
used, where a censor limits communication to approved ports, such as restricted and allowed web content solely on the basis of
80 for HTTP traffic, and is most effective when used in conjunction port. HTTPS goes over port 443, with similar consequences for the
with other identification mechanisms. For example, a censor could censor except only partial metadata may now be available to the
block the default HTTPS port, port 443, thereby forcing most users to censor. Port allowlisting is occasionally used, where a censor
fall back to HTTP. A counter-example is that port 25 (SMTP) has long limits communication to approved ports (such as 80 for HTTP traffic),
been blocked on residential ISP networks to reduce the risk of and is most effective when used in conjunction with other
email spam, but doing this also prohibits residential ISP customers identification mechanisms. For example, a censor could block the
from running their own email servers.</t> default HTTPS port (port 443), thereby forcing most users to fall
back to HTTP. A counterexample is that port 25 (SMTP) has long been
blocked on residential ISP networks to reduce the risk of email
spam, but doing this also prohibits residential ISP customers from
running their own email servers.</t>
</section> </section>
<section anchor="prot-id"> <section anchor="prot-id">
<name>Protocol Identification</name> <name>Protocol Identification</name>
<t>Censors sometimes identify entire protocols to be blocked using a <t>Censors sometimes identify entire protocols to be blocked using a
variety of traffic characteristics. For example, Iran impairs the variety of traffic characteristics. For example, Iran impairs the
performance of HTTPS traffic, a protocol that prevents further performance of HTTPS traffic, a protocol that prevents further
analysis, to encourage users to switch to HTTP, a protocol that they analysis, to encourage users to switch to HTTP, a protocol that they
can analyze <xref target="Aryan-2012"/>. A simple protocol identification can analyze <xref target="Aryan-2013"/>. A simple protocol
would be to recognize all TCP traffic over port 443 as HTTPS, but more identification would be to recognize all TCP traffic over port 443
sophisticated analysis of the statistical properties of payload data as HTTPS, but a more sophisticated analysis of the statistical
and flow behavior, would be more effective, even when port 443 is not properties of payload data and flow behavior would be more
used <xref target="Hjelmvik-2010"/> <xref target="Sandvine-2014"/>.</t> effective, even when port 443 is not used <xref
<t>If censors can detect circumvention tools, they can block them, so target="Hjelmvik-2010"/> <xref target="Sandvine-2015"/>.</t>
censors like China are extremely interested in identifying the <t>If censors can detect circumvention tools, they can block
protocols for censorship circumvention tools. In recent years, this them. Therefore, censors like China are extremely interested in
has devolved into an competition between censors and circumvention tool identifying the protocols for censorship circumvention tools. In
developers. As part of this competition, China developed an extremely recent years, this has devolved into a competition between censors
effective protocol identification technique that researchers call and circumvention tool developers. As part of this competition,
active probing or active scanning.</t> China developed an extremely effective protocol identification
<t>In active probing, the censor determines whether hosts are running technique that researchers call "active probing" or "active
a scanning".</t>
circumvention protocol by trying to initiate communication using the <t>In active probing, the censor determines whether hosts are
circumvention protocol. If the host and the censor successfully running a circumvention protocol by trying to initiate communication
negotiate a connection, then the censor conclusively knows that the host using the circumvention protocol. If the host and the censor
is running a circumvention tool. China has used active scanning to successfully negotiate a connection, then the censor conclusively
great effect to block Tor <xref target="Winter-2012"/>.</t> knows that the host is running a circumvention tool. China has used
<t>Trade offs: Protocol identification only provides insight active scanning to great effect to block Tor <xref
into the way information is traveling, and not the information itself.</t> target="Winter-2012"/>.</t>
<t>Trade-offs: Protocol identification only provides insight into
the way information is traveling, and not the information itself.</t>
<t>Protocol identification is useful for detecting and blocking <t>Protocol identification is useful for detecting and blocking
circumvention tools, like Tor, or traffic that is difficult to circumvention tools (like Tor) or traffic that is difficult to
analyze, like VoIP or SSL, because the censor can assume that this analyze (like Voice over IP (VoIP) or SSL) because the censor can
traffic should be blocked. However, this can lead to over-blocking assume that this traffic should be blocked. However, this can lead
problems when used with popular protocols. These methods are to over-blocking problems when used with popular protocols. These
expensive, both computationally and financially, due to the use of methods are expensive, both computationally and financially, due to
statistical analysis, and can be ineffective due to their imprecise the use of statistical analysis and can be ineffective due to their
nature.</t> imprecise nature.</t>
<t>Censors have also used protocol identification in the past in an <t>Censors have also used protocol identification in the past in an
'allowlist' filtering capacity, such as by only allowing specific, "allowlist" filtering capacity, such as by only allowing specific,
pre-vetted protocols to be used and blocking any unrecognized pre-vetted protocols to be used and blocking any unrecognized
protocols <xref target="Bock-2020"/>. These protocol filtering approaches can al protocols <xref target="Bock-2020"/>. These protocol filtering
so lead to approaches can also lead to over-blocking if the allowed lists of
over-blocking if the allowed lists of protocols is too small or protocols are too small or incomplete but can be cheap to implement,
incomplete, but can be cheap to implement, as many standard 'allowed' as many standard "allowed" protocols are simple to identify (such as
protocols are simple to identify (such as HTTP).</t> HTTP).</t>
<t>Empirical Examples: Protocol identification can be easy to detect i <t>Empirical Examples: Protocol identification can be easy to detect
f if it is conducted in real time and only a particular protocol is
it is conducted in real time and only a particular protocol is blocked. However, some types of protocol identification, like active
blocked, but some types of protocol identification, like active scanning, are much more difficult to detect. Protocol identification
scanning, are much more difficult to detect. Protocol identification has been used by Iran to identify and throttle Secure Shell (SSH) prot
has been used by Iran to identify and throttle SSH traffic to make it ocol traffic to make
unusable <xref target="Anonymous-2007"/> and by China to identify and block Tor it unusable <xref target="Van-der-Sar-2007"/> and by China to
relays <xref target="Winter-2012"/>. Protocol identification has also been used identify and block Tor relays <xref target="Winter-2012"/>. Protocol
for identification has also been used for traffic management, such as
traffic management, such as the 2007 case where Comcast in the United the 2007 case where Comcast in the United States used RST injection
States used RST injection (injection of a TCP RST packet into the stream) to int (injection of a TCP RST packet into the stream) to interrupt
errupt BitTorrent Traffic BitTorrent traffic <xref target="Winter-2012"/>. In 2020, Iran
<xref target="Winter-2012"/>. In 2020, Iran deployed an allowlist protocol filte deployed an allowlist protocol filter, which only allowed three
r, protocols to be used (DNS, TLS, and HTTP) on specific ports, and
which only allowed three protocols to be used (DNS, TLS, and HTTP) on censored any connection it could not identify <xref
specific ports and censored any connection it could not identify <xref target="B target="Bock-2020"/>. In 2022, Russia seemed to have used protocol
ock-2020"/>. identification to block most HTTP/3 connections <xref
In 2022, Russia seemed to have used protocol identification to block most target="Elmenhorst-2022"/>.</t>
HTTP/3 connections <xref target="Elmenhorst-2022"/>.</t>
</section> </section>
</section> </section>
<section anchor="residualcensorship"> <section anchor="residualcensorship">
<name>Residual Censorship</name> <name>Residual Censorship</name>
<t>Another feature of some modern censorship systems is residual censors <t>Another feature of some modern censorship systems is residual
hip, a censorship, a punitive form of censorship whereby after a censor
punitive form of censorship whereby after a censor disrupts a forbidden disrupts a forbidden connection, the censor continues to target
connection, the censor continues to target subsequent connections, even if they subsequent connections, even if they are innocuous <xref
are innocuous <xref target="Bock-2021"/>. Residual censorship can take many form target="Bock-2021"/>. Residual censorship can take many forms and
s often relies on the methods of technical interference described in the
and often relies on the methods of technical interference described in the next next section.</t>
section.</t> <t>An important facet of residual censorship is precisely what the
<t>An important facet of residual censorship is precisely what the censo censor continues to block after censorship is initially
r triggered.
continues to block after censorship is initially triggered. There are three There are three common options available to an adversary:
common options available to an adversary: 2-tuple (client IP, server IP), 2-tuple (client IP, server IP), 3-tuple (client IP, server IP,
3-tuple (client IP, server IP+port), or 4-tuple (client IP+port, server server port), or 4-tuple (client IP, client port, server IP,
IP+port). Future connections that match the tuple of information the censor server port).
records will be disrupted <xref target="Bock-2021"/>.</t> Future connections that
<t>Residual censorship can sometimes be difficult to identify and can of match the tuple of information the censor records will be disrupted
ten complicate <xref target="Bock-2021"/>.</t>
censorship measurement.</t> <t>Residual censorship can sometimes be difficult to identify and can
<t>Trade offs: The impact of residual censorship is to provide users wit often complicate censorship measurement.</t>
h further <t>Trade-offs: The impact of residual censorship is to provide users
discouragement from trying to access forbidden content, though it is not with further discouragement from trying to access forbidden content,
clear how successful it is at accomplishing this.</t> though it is not clear how successful it is at accomplishing this.</t>
<t>Empirical Examples: China has used 3-tuple residual censorship in con <t>Empirical Examples: China has used 3-tuple residual censorship in
junction conjunction with their HTTP censorship for years, and researchers have
with their HTTP censorship for years and researchers have reported seeing simila reported seeing similar residual censorship for HTTPS. China seems to
r use a mix of 3-tuple and 4-tuple residual censorship for their
residual censorship for HTTPS. China seems to use a mix of 3-tuple and 4-tuple censorship of HTTPS with ESNI. Some censors that perform censorship
residual censorship for their censorship of HTTPS with ESNI. Some censors that via packet dropping often accidentally implement 4-tuple residual
perform censorship via packet dropping often accidentally implement 4-tuple censorship, including Iran and Kazakhstan <xref
residual censorship, including Iran and Kazakhstan <xref target="Bock-2021"/>.</ target="Bock-2021"/>.</t>
t>
</section> </section>
</section> </section>
<section anchor="tech-interference"> <section anchor="tech-interference">
<name>Technical Interference</name> <name>Technical Interference</name>
<section anchor="application-layer"> <section anchor="application-layer">
<name>Application Layer</name> <name>Application Layer</name>
<section anchor="dns-mangling"> <section anchor="dns-mangling">
<name>DNS Interference</name> <name>DNS Interference</name>
<t>There are a variety of mechanisms that censors can use to block or <t>There are a variety of mechanisms that censors can use to block or
filter access to content by altering responses from the DNS filter access to content by altering responses from the DNS
<xref target="AFNIC-2013"/> <xref target="ICANN-SSAC-2012"/>, including blocking the response, <xref target="AFNIC-2013"/> <xref target="ICANN-SSAC-2012"/>, including blocking the response,
replying with an error message, or responding with an incorrect replying with an error message, or responding with an incorrect
address. Note that there are now encrypted transports for DNS queries address. Note that there are now encrypted transports for DNS queries
in DNS-over-HTTPS <xref target="RFC8484"/> and DNS-over-TLS <xref target="RFC785 8"/> that can in DNS over HTTPS <xref target="RFC8484"/> and DNS over TLS <xref target="RFC785 8"/> that can
mitigate interference with DNS queries between the stub and the mitigate interference with DNS queries between the stub and the
resolver.</t> resolver.</t>
<t>Responding to a DNS query with an incorrect address can be achieved <t>Responding to a DNS query with an incorrect address can be achieved
with on-path interception, off-path cache poisoning, and lying by with on-path interception, off-path cache poisoning, or lying by
the nameserver.</t> the name server.</t>
<t>"DNS mangling" is a network-level technique of on-path interception <t>"DNS mangling" is a network-level technique of on-path
where an incorrect IP interception where an incorrect IP address is returned in response
address is returned in response to a DNS query to a censored to a DNS query to a censored destination. Some Chinese networks, for
destination. Some Chinese networks, for example, do this (we example, do this. (We are not aware of any other wide-scale uses of
are not aware of any other wide-scale uses of mangling). On those mangling.) On those Chinese networks, each DNS request in transit
Chinese networks, every DNS request in transit is examined (presumably is examined (presumably by network inspection technologies such as
by network inspection technologies such as DPI) and, if it matches a DPI), and if it matches a censored domain, a false response is
censored domain, a false response is injected. End users can see this injected. End users can see this technique in action by simply
technique in action by simply sending DNS requests to any unused IP sending DNS requests to any unused IP address in China (see example
address in China (see example below). If it is not a censored name, below). If it is not a censored name, there will be no response. If
there will be no response. If it is censored, a forged response it is censored, a forged response will be returned. For example,
will be returned. For example, using the command-line dig utility to using the command-line dig utility to query an unused IP
query an unused IP address in China of 192.0.2.2 for the name address in China of 192.0.2.2 for the name "www.uncensored.example"
"www.uncensored.example" compared with compared with "www.censored.example" (censored at the time of
"www.censored.example" (censored at the time of writing), we get a writing), we get a forged IP address "198.51.100.0" as a
forged IP address "198.51.100.0" as a response:</t> response:</t>
<artwork><![CDATA[
<sourcecode><![CDATA[
% dig +short +nodnssec @192.0.2.2 A www.uncensored.example % dig +short +nodnssec @192.0.2.2 A www.uncensored.example
;; connection timed out; no servers could be reached ;; connection timed out; no servers could be reached
% dig +short +nodnssec @192.0.2.2 A www.censored.example % dig +short +nodnssec @192.0.2.2 A www.censored.example
198.51.100.0 198.51.100.0
]]></artwork> ]]></sourcecode>
<t>DNS cache poisoning happens off-path and refers to a mechanism wher
e a censor interferes <t>DNS cache poisoning happens off-path and refers to a mechanism
with the response sent by an authoritative DNS name server to a recursive where a censor interferes with the response sent by an authoritative
resolver by responding more quickly than the authoritative name server DNS name server to a recursive resolver by responding more quickly
can respond with an alternative IP address <xref target="Halley-2008"/>. than the authoritative name server can respond with an alternative
Cache poisoning occurs IP address <xref target="Halley-2008"/>. Cache poisoning occurs
after the requested site's name servers resolve the request and after the requested site's name servers resolve the request and
attempt to forward the true IP back to the requesting device; on the attempt to forward the true IP back to the requesting device. On the
return route the resolved IP is recursively cached by each DNS server return route, the resolved IP is recursively cached by each DNS
that initially forwarded the request. During this caching process if server that initially forwarded the request. During this caching
an undesirable keyword is recognized, the resolved IP is "poisoned" process if an undesirable keyword is recognized, the resolved IP is
and an alternative IP (or NXDOMAIN error) is returned more quickly "poisoned", and an alternative IP (or NXDOMAIN error) is returned
than the upstream resolver can respond, causing a forged IP more quickly than the upstream resolver can respond, causing a
address to be cached (and potentially recursively so). The alternative forged IP address to be cached (and potentially recursively so). The
IPs usually direct to a nonsense domain or a warning page. alternative IPs usually direct to a nonsense domain or a warning
Alternatively, Iranian censorship appears to prevent the communication page. Alternatively, Iranian censorship appears to prevent the
en-route, preventing a response from ever being sent <xref target="Aryan-2012"/> communication en route, preventing a response from ever being sent
.</t> <xref target="Aryan-2013"/>.</t>
<t>There are also cases of what is colloquially called "DNS lying", wh ere <t>There are also cases of what is colloquially called "DNS lying", wh ere
a censor mandates that the DNS responses provided -- by an operator of a censor mandates that the DNS responses provided -- by an operator of
a recursive resolver such as an Internet access provider -- be a recursive resolver such as an Internet Access Provider -- be
different than what an authoritative name server would provide different than what an authoritative name server would provide
<xref target="Bortzmeyer-2015"/>.</t> <xref target="Bortzmeyer-2015"/>.</t>
<t>Trade offs: These forms of DNS interference require the censor to <t>Trade-offs: These forms of DNS interference require the censor to
force a user to traverse a controlled DNS hierarchy (or intervening force a user to traverse a controlled DNS hierarchy (or intervening
network on which the censor serves as an Active Pervasive Attacker network on which the censor serves as an active pervasive attacker
<xref target="RFC7624"/> to rewrite DNS responses) for the mechanism to be <xref target="RFC7624"/> to rewrite DNS responses) for the mechanism
effective. It can be circumvented by using alternative DNS resolvers to be effective. DNS interference can be circumvented by using alterna
(such as any of the public DNS resolvers) that may fall outside of the tive DNS
jurisdictional control of the censor, or Virtual Private Network (VPN) resolvers (such as any of the public DNS resolvers) that may fall
technology. DNS mangling and cache poisoning also imply returning an outside of the jurisdictional control of the censor or Virtual
incorrect IP to those attempting to resolve a domain name, but in some Private Network (VPN) technology. DNS mangling and cache poisoning
cases the destination may be technically accessible; over HTTP, for also imply returning an incorrect IP to those attempting to resolve
example, the user may have another method of obtaining the IP address a domain name, but in some cases the destination may be technically
of the desired site and may be able to access it if the site is accessible. For example, over HTTP, the user may have another method
configured to be the default server listening at this IP address. of obtaining the IP address of the desired site and may be able to
Target blocking has also been a problem, as occasionally users outside access it if the site is configured to be the default server
of the censor's region will be directed through DNS servers or listening at this IP address. Target blocking has also been a
DNS-rewriting network equipment controlled by a censor, causing the problem, as occasionally users outside of the censor's region will
request to fail. The ease of circumvention, paired with the large risk be directed through DNS servers or DNS-rewriting network equipment
of content blocking and target blocking, make DNS interference a controlled by a censor, causing the request to fail. The ease of
partial, difficult, and less than ideal censorship circumvention paired with the large risk of content blocking and
mechanism.</t> target blocking make DNS interference a partial, difficult, and
less-than-ideal censorship mechanism.</t>
<t>Additionally, the above mechanisms rely on DNSSEC not being deploye d <t>Additionally, the above mechanisms rely on DNSSEC not being deploye d
or DNSSEC validation not being active on the client or recursive or DNSSEC validation not being active on the client or recursive
resolver (neither of which are hard to imagine given limited resolver (neither of which is hard to imagine given limited
deployment of DNSSEC and limited client support for DNSSEC deployment of DNSSEC and limited client support for DNSSEC
validation). Note that an adversary seeking to merely block resolution validation). Note that an adversary seeking to merely block resolution
can serve a DNSSEC record that doesn't validate correctly, assuming of can serve a DNSSEC record that doesn't validate correctly, assuming of
course that the client/recursive resolver validates.</t> course that the client or recursive resolver validates.</t>
<t>Previously, techniques were used for censorship that relied on <t>Previously, techniques were used for censorship that relied on
DNS requests being passed in cleartext over port 53 DNS requests being passed in cleartext over port 53
<xref target="SSAC-109-2020"/>. With the deployment of encrypted DNS (e.g., <xref target="SSAC-109-2020"/>. With the deployment of encrypted DNS (e.g.,
DNS-over-HTTPS <xref target="RFC8484"/>) these requests are now increasingly pas DNS over HTTPS <xref target="RFC8484"/>) these requests are now increasingly pas
sed sed
on port 443 with other HTTPS traffic, or in the case of DNS-over-TLS on port 443 with other HTTPS traffic, or in the case of DNS over TLS
<xref target="RFC7858"/> no longer passed in the clear (see also <xref target="s ec_thid"/>).</t> <xref target="RFC7858"/> no longer passed in the clear (see also <xref target="s ec_thid"/>).</t>
<t>Empirical Examples: DNS interference, when properly implemented, is <t>Empirical Examples: DNS interference, when properly implemented,
easy to identify based on the shortcomings identified above. Turkey is easy to identify based on the shortcomings identified
relied on DNS interference for its country-wide block of websites, including above. Turkey relied on DNS interference for its country-wide block
Twitter and YouTube, for almost week in March of 2014. The ease of of websites, including Twitter and YouTube, for almost a week in March
circumvention resulted in an increase in the popularity of Twitter of 2014. The ease of circumvention resulted in an increase in the
until Turkish ISPs implemented an IP blocklist to achieve the popularity of Twitter until Turkish ISPs implemented an IP blocklist
governmental mandate <xref target="Zmijewski-2014"/>. Ultimately, Turkish ISPs to achieve the governmental mandate <xref target="Zmijewski-2014"/>.
started hijacking all requests to Google and Level 3's international Ultimately, Turkish ISPs started hijacking all requests to Google
DNS resolvers <xref target="Zmijewski-2014"/>. DNS interference, when incorrectl and Level 3's international DNS resolvers <xref
y target="Zmijewski-2014"/>. DNS interference, when incorrectly
implemented, has resulted in some of the largest "censorship implemented, has resulted in some of the largest censorship
disasters". In January 2014, China started directing all requests disasters. In January 2014, China started directing all requests
passing through the Great Fire Wall to a single domain, passing through the Great Fire Wall to a single domain
dongtaiwang.com, due to an improperly configured DNS poisoning "dongtaiwang.com", due to an improperly configured DNS poisoning
attempt; this incident is thought to be the largest Internet-service attempt. This incident is thought to be the largest Internet service
outage in history <xref target="AFP-2014"/> <xref target="Anon-SIGCOMM12"/>. Cou outage in history <xref target="AFP-2014"/> <xref
ntries such as target="Anon-SIGCOMM12"/>.
China, Iran, Turkey, and the United States have discussed blocking
entire TLDs as well, but only Iran has acted by blocking all Israeli Countries such as China, Turkey,
(.il) domains <xref target="Albert-2011"/>. DNS-blocking is commonly deployed in and the United States have discussed blocking entire Top-Level
European countries to deal with undesirable content, such as child Domains (TLDs) as well <xref target="Albert-2011"/>. DNS blocking is
abuse content (Norway, United Kingdom, Belgium, Denmark, Finland, commonly deployed in European countries to deal with undesirable
France, Germany, Ireland, Italy, Malta, the Netherlands, Poland, Spain content, such as</t>
and Sweden <xref target="Wright-2013"/> <xref target="Eneman-2010"/>), online ga <ul>
mbling (Belgium, <li>child abuse content (Norway, United Kingdom,
Bulgaria, Czech Republic, Cyprus, Denmark, Estonia, France, Greece, Belgium, Denmark, Finland, France, Germany, Ireland, Italy, Malta,
Hungary, Italy, Latvia, Lithuania, Poland, Portugal, Romania, the Netherlands, Poland, Spain, and Sweden <xref
Slovakia, Slovenia, Spain (see Section 6.3.2 of: <xref target="EC-gambling-2012" target="Wright-2013"/> <xref target="Eneman-2010"/>),</li>
/>, <li>online
<xref target="EC-gambling-2019"/>)), copyright infringement (all European Econom gambling (Belgium, Bulgaria, Czech Republic, Cyprus, Denmark,
ic Area countries), Estonia, France, Greece, Hungary, Italy, Latvia, Lithuania, Poland,
hate-speech and extremism (France <xref target="Hertel-2015"/>) and terrorism Portugal, Romania, Slovakia, Slovenia, and Spain (see Section 6.3.2
content (France <xref target="Hertel-2015"/>).</t> of <xref target="EC-gambling-2012"/>, <xref target="EC-gambling-2019
"/>)),</li>
<li>copyright infringement (all European Economic Area countries),</l
i>
<li>hate speech and extremism (France <xref target="Hertel-2015"/>),
and</li>
<li>terrorism content (France <xref target="Hertel-2015"/>).</li>
</ul>
</section> </section>
</section> </section>
<section anchor="transport-layer"> <section anchor="transport-layer">
<name>Transport Layer</name> <name>Transport Layer</name>
<section anchor="performance-degradation"> <section anchor="performance-degradation">
<name>Performance Degradation</name> <name>Performance Degradation</name>
<t>While other interference techniques outlined in this section mostly <t>While other interference techniques outlined in this section
focus on blocking or preventing access to content, it can be an mostly focus on blocking or preventing access to content, it can be
effective censorship strategy in some cases to not entirely block an effective censorship strategy in some cases to not entirely block
access to a given destination or service, but instead to degrade the access to a given destination or service but instead to degrade the
performance of the relevant network connection. The resulting user performance of the relevant network connection. The resulting user
experience for a site or service under performance degradation can be experience for a site or service under performance degradation can
so bad that users opt to use a different site, service, or method of be so bad that users opt to use a different site, service, or method
communication, or may not engage in communication at all if there are of communication or may not engage in communication at all if there
no alternatives. Traffic shaping techniques that rate-limit the are no alternatives. Traffic-shaping techniques that rate-limit the
bandwidth available to certain types of traffic is one example of a bandwidth available to certain types of traffic is one example of a
performance degradation.</t> performance degradation.</t>
<t>Trade offs: While implementing a performance degradation will not <t>Trade-offs: While implementing a performance degradation will not
always eliminate the ability of people to access a desire resource, it always eliminate the ability of people to access a desire resource,
may force them to use other means of communication where censorship it may force them to use other means of communication where
(or surveillance) is more easily accomplished.</t> censorship (or surveillance) is more easily accomplished.</t>
<t>Empirical Examples: Iran has been known to shape the bandwidth avai <t>Empirical Examples: Iran has been known to shape the bandwidth
lable to available to HTTPS traffic to encourage unencrypted HTTP traffic
HTTPS traffic to encourage unencrypted HTTP traffic <xref target="Aryan-2012"/>. <xref target="Aryan-2013"/>.</t>
</t>
</section> </section>
<section anchor="packet-dropping"> <section anchor="packet-dropping">
<name>Packet Dropping</name> <name>Packet Dropping</name>
<t>Packet dropping is a simple mechanism to prevent undesirable <t>Packet dropping is a simple mechanism to prevent undesirable
traffic. The censor identifies undesirable traffic and chooses to not traffic. The censor identifies undesirable traffic and chooses to
properly forward any packets it sees associated with the traversing not properly forward any packets it sees associated with the
undesirable traffic instead of following a normal routing traversing undesirable traffic instead of following a normal routing
protocol. This can be paired with any of the previously described protocol. This can be paired with any of the previously described
mechanisms so long as the censor knows the user must route traffic mechanisms so long as the censor knows the user must route traffic
through a controlled router.</t> through a controlled router.</t>
<t>Trade offs: Packet Dropping is most successful when every traversin <t>Trade-offs: Packet dropping is most successful when every
g traversing packet has transparent information linked to undesirable
packet has transparent information linked to undesirable content, such content, such as a destination IP. One downside packet dropping
as a Destination IP. One downside Packet Dropping suffers from is the suffers from is the necessity of blocking all content from otherwise
necessity of blocking all content from otherwise allowable IPs allowable IPs based on a single subversive subdomain; blogging
based on a single subversive sub-domain; blogging services and github services and GitHub repositories are good examples. China famously
repositories are good examples. China famously dropped all github dropped all GitHub packets for three days based on a single
packets for three days based on a single repository hosting repository hosting undesirable content <xref
undesirable content <xref target="Anonymous-2013"/>. The need to inspect every target="Anonymous-2013"/>. The need to inspect every traversing
traversing packet in close to real time also makes Packet Dropping packet in almost real time also makes packet dropping somewhat
somewhat challenging from a QoS perspective.</t> challenging from a QoS perspective.</t>
<t>Empirical Examples: Packet Dropping is a very common form of techni <t>Empirical Examples: Packet dropping is a very common form of
cal technical interference and lends itself to accurate detection given
interference and lends itself to accurate detection given the unique the unique nature of the timeout requests it leaves in its
nature of the time-out requests it leaves in its wake. The Great wake. The Great Firewall of China has been observed using packet
Firewall of China has been observed using packet dropping as one of its primary dropping as one of its primary technical censorship mechanisms <xref
technical censorship mechanisms <xref target="Ensafi-2013"/>. Iran has also used target="Ensafi-2013"/>. Iran has also used packet dropping as the
Packet Dropping as the mechanism for throttling SSH mechanism for throttling SSH <xref target="Aryan-2013"/>. These are
<xref target="Aryan-2012"/>. These are but two examples of a ubiquitous censorsh but two examples of a ubiquitous censorship practice. Notably,
ip packet dropping during the handshake or working connection is the
practice. Notably, packet dropping during the handshake or working connection is only interference technique observed for QUIC traffic to date (e.g.,
the only interference technique observed for QUIC traffic to date (e.g., in Ind in India, Iran, Russia, and Uganda <xref target="Elmenhorst-2021"/>
ia, Iran, Russia and Uganda <xref target="Elmenhorst-2021"/><xref target="Elmenh <xref target="Elmenhorst-2022"/>).</t>
orst-2022"/>).</t>
</section> </section>
<section anchor="rst-inject"> <section anchor="rst-inject">
<name>RST Packet Injection</name> <name>RST Packet Injection</name>
<t>Packet injection, generally, refers to a man-in-the-middle (MITM) <t>Packet injection, generally, refers to a machine-in-the-middle (MIT
network interference technique that spoofs packets in an established M)
traffic stream. RST packets are normally used to let one side of a TCP network interference technique that spoofs packets in an established
connection know the other side has stopped sending information, and traffic stream. RST packets are normally used to let one side of a
that the receiver should close the connection. RST Packet Injection is TCP connection know the other side has stopped sending information
a specific type of packet injection attack that is used to interrupt and that the receiver should close the connection. RST packet
an established stream by sending RST packets to both sides of a TCP injection is a specific type of packet injection attack that is used
connection; as each receiver thinks the other has dropped the to interrupt an established stream by sending RST packets to both
connection, the session is terminated.</t> sides of a TCP connection; as each receiver thinks the other has
<t>QUIC is not vulnerable to these types of injection attacks once the dropped the connection, the session is terminated.</t>
connection has been setup. While QUIC implements a stateless reset mechanism, <t>QUIC is not vulnerable to these types of injection attacks once
such a reset is only accepted by a peer if the packet ends in a previously the connection has been set up. While QUIC implements a stateless
issued (stateless reset) token which is difficult to guess. reset mechanism, such a reset is only accepted by a peer if the
During the handshake, QUIC only provides effective protection packet ends in a previously issued (stateless reset) token, which is
against off-path attackers but is vulnerable to injection attacks by difficult to guess. During the handshake, QUIC only provides
attackers that have parsed prior packets. effective protection against off-path attackers but is vulnerable to
(See <xref target="I-D.ietf-quic-transport"/> for more details.)</t> injection attacks by attackers that have parsed prior packets. (See
<t>Trade offs: Although ineffective against non-TCP protocols (QUIC, I <xref target="RFC9000"/> for more details.)</t>
PSec), RST Packet Injection has a few advantages that make it <t>Trade-offs: Although ineffective against non-TCP protocols (QUIC,
extremely popular as a technique employed for censorship. RST Packet Injection i IPsec), RST packet injection has a few advantages that make it
s extremely popular as a technique employed for censorship. RST packet
an out-of-band interference mechanism, allowing the avoidance of the injection is an out-of-band interference mechanism, allowing the
QoS bottleneck one can encounter with inline techniques such as Packet avoidance of the QoS bottleneck that one can encounter with inline
Dropping. This out-of-band property allows a censor to inspect a copy techniques such as packet dropping. This out-of-band property allows
of the information, usually mirrored by an optical splitter, making it a censor to inspect a copy of the information, usually mirrored by
an ideal pairing for DPI and protocol identification an optical splitter, making it an ideal pairing for DPI and protocol
<xref target="Weaver-2009"/> (this asynchronous version of a MITM is often calle identification <xref target="Weaver-2009"/>. (This asynchronous
d a version of a MITM is often called a machine-on-the-side (MOTS).) RST
Man-on-the-Side (MOTS)). packet injection also has the advantage of only requiring one of the
RST Packet Injection also has the advantage of only two endpoints to accept the spoofed packet for the connection to be
requiring one of the two endpoints to accept the spoofed packet for interrupted.</t>
the connection to be interrupted.</t> <t>The difficult part of RST packet injection is spoofing "enough"
<t>The difficult part of RST Packet Injection is spoofing "enough" correct information to ensure one endpoint accepts a RST packet as
correct information to ensure one end-point accepts an RST packet as legitimate; this generally implies a correct IP, port, and TCP
legitimate; this generally implies a correct IP, port, and TCP sequence number.
sequence number. Sequence number is the hardest to get correct, as
<xref target="RFC0793"/> specifies an RST Packet should be in-sequence to be The sequence number is the hardest to get correct, as <xref target="RFC
accepted, although the RFC also recommends allowing in-window packets 9293"/> specifies that a RST packet should be in sequence to be
as "good enough". This in-window recommendation is important; if it accepted, although that RFC also recommends allowing in-window packets.
is implemented, it allows for successful Blind RST Injection attacks This in-window
<xref target="Netsec-2011"/>. When in-window sequencing is allowed, it is trivi recommendation is important; if it is implemented, it allows for
al successful Blind RST Injection attacks <xref target="Netsec-2011"/>.
to conduct a Blind RST Injection: while the term "blind" injection When in-window sequencing is allowed, it is trivial to conduct a
implies the censor Blind RST Injection. While the term "blind" injection implies the
doesn't know any sensitive sequencing information about censor doesn't know any sensitive sequencing information about the
the TCP stream they are injecting into, they can simply enumerate all TCP stream they are injecting into, they can simply enumerate all
~70000 possible windows; this is particularly useful for interrupting ~70000 possible windows. This is particularly useful for
encrypted/obfuscated protocols such as SSH or Tor <xref target="Gilad"/>. interrupting encrypted/obfuscated protocols such as SSH or Tor <xref
Some censorship evasion systems work by trying to confuse the censor target="Gilad"/>. Some censorship evasion systems work by trying to
into tracking incorrect information, rendering their RST Packet Injection confuse the censor into tracking incorrect information, rendering
useless <xref target="Khattak-2013"/>, <xref target="Wang-2017"/>, <xref target= their RST packet injection useless <xref target="Khattak-2013"/>
"Li-2017"/>, <xref target="Bock-2019"/>, <xref target="Wang-2017"/> <xref target="Li-2017"/> <xref
<xref target="Wang-2020"/>.</t> target="Bock-2019"/> <xref target="Wang-2020"/>.</t>
<t>RST Packet Injection relies on a stateful network, making it useles <t>RST packet injection relies on a stateful network, making it
s against UDP useless against UDP connections. RST packet injection is among the
connections. RST Packet Injection is among the most popular censorship most popular censorship techniques used today given its versatile
techniques used today given its versatile nature and effectiveness nature and effectiveness against all types of TCP traffic. Recent
against all types of TCP traffic. Recent research shows that a TCP RST research shows that a TCP RST packet injection attack can even work
packet injection attack can even work in the case of an off-path in the case of an off-path attacker <xref target="Cao-2016"/>.</t>
attacker <xref target="Cao-2016"/>.</t> <t>Empirical Examples: RST packet injection, as mentioned above, is
<t>Empirical Examples: RST Packet Injection, as mentioned above, is mo most often paired with identification techniques that require
st splitting, such as DPI or protocol identification. In 2007, Comcast
often paired with identification techniques that require splitting, was accused of using RST packet injection to interrupt traffic it
such as DPI or protocol identification. In 2007, Comcast was accused of identified as BitTorrent <xref target="Schoen-2007"/>, subsequently
using RST Packet Injection to interrupt traffic it identified as leading to a US Federal Communications Commission ruling
BitTorrent <xref target="Schoen-2007"/>, subsequently leading to a US Federal against Comcast <xref target="VonLohmann-2008"/>. China has also
Communications Commission ruling against Comcast been known to use RST packet injection for censorship purposes. This
<xref target="VonLohmann-2008"/>. China has also been known to use RST Packet interference is especially evident in the interruption of
Injection for censorship purposes. This interference is especially encrypted/obfuscated protocols, such as those used by Tor <xref
evident in the interruption of encrypted/obfuscated protocols, such as target="Winter-2012"/>.</t>
those used by Tor <xref target="Winter-2012"/>.</t>
</section> </section>
</section> </section>
<section anchor="routing-layer"> <section anchor="routing-layer">
<name>Routing Layer</name> <name>Routing Layer</name>
<section anchor="discon"> <section anchor="discon">
<name>Network Disconnection</name> <name>Network Disconnection</name>
<t>While it is perhaps the crudest of all techniques employed for cens orship, there is <t>While it is perhaps the crudest of all techniques employed for cens orship, there is
no more effective way of making sure undesirable information isn't no more effective way of making sure undesirable information isn't
allowed to propagate on the web than by shutting off the network. The allowed to propagate on the web than by shutting off the network. The
network can be logically cut off in a region when a censoring entity network can be logically cut off in a region when a censoring entity
withdraws all of the Border Gateway Protocol (BGP) prefixes routing withdraws all of the Border Gateway Protocol (BGP) prefixes routing
through the censor's country.</t> through the censor's country.</t>
<t>Trade offs: The impact of a network disconnection in a region is hu ge <t>Trade-offs: The impact of a network disconnection in a region is hu ge
and absolute; the censor pays for absolute control over digital and absolute; the censor pays for absolute control over digital
information by losing the benefits a globally-accessible Internet brings. Networ k disconnections are also politically expensive as citizens accustomed to access ing Internet platforms and services see such disconnections as a loss of civil l iberty. information by losing the benefits a globally accessible Internet brings. Networ k disconnections are also politically expensive as citizens accustomed to access ing Internet platforms and services see such disconnections as a loss of civil l iberty.
Network disconnection is rarely a long-term solution for any censor and is norma lly only used Network disconnection is rarely a long-term solution for any censor and is norma lly only used
as a last resort in times of substantial civil unrest in a country.</t> as a last resort in times of substantial civil unrest in a country.</t>
<t>Empirical Examples: Network Disconnections tend to only happen in <t>Empirical Examples: Network disconnections tend to only happen in
times of substantial unrest, largely due to the huge social, times of substantial unrest, largely due to the huge social,
political, and economic impact such a move has. One of the first, political, and economic impact such a move has. One of the first,
highly covered occurrences was when the Junta in Myanmar employed highly covered occurrences was when the junta in Myanmar employed
Network Disconnection to help Junta forces quash a rebellion in 2007 network disconnection to help junta forces quash a rebellion in 2007
<xref target="Dobie-2007"/>. China disconnected the network in the Xinjiang regi <xref target="Dobie-2007"/>. China disconnected the network in the
on Xinjiang region during unrest in 2009 in an effort to prevent the
during unrest in 2009 in an effort to prevent the protests from protests from spreading to other regions <xref
spreading to other regions <xref target="Heacock-2009"/>. The Arab Spring saw th target="Heacock-2009"/>. The Arab Spring saw the most frequent
e usage of network disconnection, with events in Egypt and Libya in
the most frequent usage of Network Disconnection, with events in Egypt 2011 <xref target="Cowie-2011"/> and Syria in 2012 <xref
and Libya in 2011 <xref target="Cowie-2011"/>, and Syria in 2012 target="Thomson-2012"/>. Russia indicated that it would attempt to
<xref target="Thomson-2012"/>. Russia indicated that it would attempt to disconnect all Russian networks from the global Internet in April
disconnect all Russian networks from the global Internet in April 2019 2019 as part of a test of the nation's network independence. Reports
as part of a test of the nation's network independence. Reports also also indicate that, as part of the test disconnect, Russian
indicate that, as part of the test disconnect, Russian telecommunications firms telecommunications firms must now route all traffic to
must now route all traffic to state-operated monitoring points state-operated monitoring points <xref
<xref target="Cimpanu-2019"/>. India saw the largest number of target="Cimpanu-2019"/>. India saw the largest number of Internet
Internet shutdowns per year in 2016 and 2017 <xref target="Dada-2017"/>.</t> shutdowns per year in 2016 and 2017 <xref target="Dada-2017"/>.</t>
</section> </section>
<section anchor="advroute"> <section anchor="advroute">
<name>Adversarial Route Announcement</name> <name>Adversarial Route Announcement</name>
<t>More fine-grained and potentially wide-spread censorship can be ach <t>More fine-grained and potentially wide-spread censorship can be ach
ieved with BGP hijacking, which adversarially re-routes BGP IP prefixes incorrec ieved with BGP hijacking, which adversarially re-routes BGP IP prefixes incorrec
tly within a region and beyond. This restricts and effectively censors the corre tly within a region and beyond. This restricts and effectively censors the corre
ctly known location of information that flows into or out of a jurisdiction and ctly known location of information that flows into or out of a jurisdiction and
will similarly prevent people from outside your jurisdiction from viewing conten will similarly prevent people from outside your jurisdiction from viewing conten
t generated outside your jurisdiction as the adversarial route announcement prop t generated outside that jurisdiction as the adversarial route announcement prop
agates. The first can be achieved by an adversarial BGP announcement of incorrec agates. The first can be achieved by an adversarial BGP announcement of incorrec
t routes that are not intended to leak beyond a jurisdiction, where the latter a t routes that are not intended to leak beyond a jurisdiction, where the latter a
ttacks traffic by deliberately introducing bogus BGP announcements that reach th ttacks traffic by deliberately introducing bogus BGP announcements that reach th
e global internet.</t> e global Internet.</t>
<t>Trade offs: A global leak of a misrouted website can overwhelm an I <t>Trade-offs: A global leak of a misrouted website can overwhelm an I
SP if the website gets a lot of traffic. It is not a permanent solution because SP if the website gets a lot of traffic. It is not a permanent solution because
incorrect BGP routes that leak globally can be fixed, but leaks within a jurisdi incorrect BGP routes that leak globally can be fixed, but leaks within a jurisdi
ction can only be corrected by an ISP/IXP for local users.</t> ction can only be corrected by an ISP/IXP for local users.</t>
<t>Empirical examples: In 2008, Pakistan Telecom censored Youtube at t <t>Empirical Examples: In 2008, Pakistan Telecom censored YouTube at t
he request of the Pakistan government by changing its BGP routes for the website he request of the Pakistan government by changing its BGP routes for the website
. The new routes were announced to the ISP's upstream providers and beyond. The . The new routes were announced to the ISP's upstream providers and beyond. The
entire Internet began directing Youtube routes to Pakistan Telecom and continued entire Internet began directing YouTube routes to Pakistan Telecom and continued
doing so for many hours. In 2018 nearly all Google services and Google cloud cu doing so for many hours.
stomers, like Spotify, all lost more than one hour of service after it lost cont
rol of several million of its IP addresses. Those IP prefixes were being misdire In 2018, nearly all Google services and Google Cloud customers, like Spotify, al
cted to China Telecom, a Chinese government-owned ISP <xref target="Google-2018" l lost more than one hour of service after Google lost control of several millio
/>}, in a manner similar to the BGP hijacking of US government and military webs n of its IP addresses. Those IP prefixes were being misdirected to China Telecom
ites by China Telecom in 2010. ISPs in both Russia (2022) and Myanmar (2021) hav , a Chinese government-owned ISP <xref target="Google-2018"/>, in a manner simil
e tried to hijack the same Twitter prefix more than once <xref target="MANRS"/>. ar to the BGP hijacking of US government and military websites by China Telecom
</t> in 2010. ISPs in both Russia (2022) and Myanmar (2021) have tried to hijack the
same Twitter prefix more than once <xref target="Siddiqui-2022"/>.</t>
</section> </section>
</section> </section>
<section anchor="multi-layer-and-non-layer"> <section anchor="multi-layer-and-non-layer">
<name>Multi-layer and Non-layer</name> <name>Multi-layer and Non-layer</name>
<section anchor="ddos"> <section anchor="ddos">
<name>Distributed Denial of Service (DDoS)</name> <name>Distributed Denial of Service (DDoS)</name>
<t>Distributed Denial of Service attacks are a common attack mechanism <t>Distributed Denial of Service attacks are a common attack
used by "hacktivists" and malicious hackers. Censors have also used mechanism used by "hacktivists" and malicious hackers. Censors have
DDoS in the past for a variety of reasons. There is a wide variety of also used DDoS in the past for a variety of reasons. There is a wide
DDoS attacks <xref target="Wikip-DoS"/>, but at a high level two possible impact variety of DDoS attacks <xref target="Wikip-DoS"/>. However, at a
s from the attack high level, two possible impacts from the attack tend to occur: a
tend to occur; a flood attack results in the service being unusable flood attack results in the service being unusable while resources
while resources are being spent to flood the service, a crash attack are being spent to flood the service, and a crash attack aims to
aims to crash the service so resources can be reallocated elsewhere crash the service so resources can be reallocated elsewhere without
without "releasing" the service.</t> "releasing" the service.</t>
<t>Trade offs: DDoS is an appealing mechanism when a censor would like
to <t>Trade-offs: DDoS is an appealing mechanism when a censor would like
prevent all access to undesirable content, instead of only preventing access in to prevent all access (not just regional access) to undesirable content
their region for a limited period of time. The latter is really the only for a limited period of time. Temporal impermanence is really the only unique
uniquely beneficial feature for DDoS as a technique employed for censorship. The ly
resources required to carry out a successful DDoS against major beneficial feature of DDoS as a technique employed for censorship. The resource
targets are computationally expensive, usually requiring rental or s required to carry
ownership of a malicious distributed platform such as a botnet, and out a successful DDoS against major targets are computationally
they are imprecise. DDoS is an incredibly crude censorship technique, and expensive, usually requiring rental or ownership of a malicious
appears to largely be used as a timely, easy-to-access mechanism for distributed platform such as a botnet, and they are imprecise. DDoS
blocking undesirable content for a limited period of time.</t> is an incredibly crude censorship technique and appears to largely
<t>Empirical Examples: In 2012 the U.K.'s signals intelligence organiz be used as a timely, easy-to-access mechanism for blocking
ation, the Government Communications Headquarters (GCHQ), used DDoS to temporari undesirable content for a limited period of time.</t>
ly <t>Empirical Examples: In 2012, the U.K.'s signals intelligence organi
zation, the Government Communications Headquarters (GCHQ), used DDoS to temporar
ily
shutdown Internet Relay Chat (IRC) chat rooms frequented by members of Anonymous using the shutdown Internet Relay Chat (IRC) chat rooms frequented by members of Anonymous using the
Syn Flood DDoS method; Syn Flood exploits the handshake used by TCP to Syn Flood DDoS method; Syn Flood exploits the handshake used by TCP to
overload the victim server with so many requests that legitimate overload the victim server with so many requests that legitimate
traffic becomes slow or impossible traffic becomes slow or impossible
<xref target="Schone-2014"/> <xref target="CERT-2000"/>. Dissenting opinion webs ites are <xref target="NBC-2014"/> <xref target="CERT-2000"/>. Dissenting opinion website s are
frequently victims of DDoS around politically sensitive events like the DDoS in frequently victims of DDoS around politically sensitive events like the DDoS in
Burma <xref target="Villeneuve-2011"/>. Controlling parties in Russia Burma <xref target="Villeneuve-2011"/>. Controlling parties in Russia
<xref target="Kravtsova-2012"/>, Zimbabwe <xref target="Orion-2013"/>, and Malay sia <xref target="Kravtsova-2012"/>, Zimbabwe <xref target="Orion-2013"/>, and Malay sia
<xref target="Muncaster-2013"/> have been accused of using DDoS to interrupt <xref target="Muncaster-2013"/> have been accused of using DDoS to interrupt
opposition support and access during elections. opposition support and access during elections.
In 2015, China launched a DDoS attack using a true MITM system In 2015, China launched a DDoS attack using a true MITM system (dubbed "Great Ca
collocated with the Great Firewall, dubbed "Great Cannon", that was nnon"),
collocated with the Great Firewall, that was
able to inject JavaScript code into web visits to a Chinese search able to inject JavaScript code into web visits to a Chinese search
engine that commandeered those user agents to send DDoS traffic to engine that commandeered those user agents to send DDoS traffic to
various sites <xref target="Marczak-2015"/>.</t> various sites <xref target="Marczak-2015"/>.</t>
</section> </section>
<section anchor="censorship-in-depth"> <section anchor="censorship-in-depth">
<name>Censorship in Depth</name> <name>Censorship in Depth</name>
<t>Often, censors implement multiple techniques in tandem, creating <t>Often, censors implement multiple techniques in tandem, creating
"censorship in depth". Censorship in depth can take many forms; some "censorship in depth". Censorship in depth can take many forms; some
censors block the same content through multiple techniques (such as censors block the same content through multiple techniques (such as
blocking a domain by DNS, IP blocking, and HTTP simultaneously), some deploy blocking a domain by DNS, IP blocking, and HTTP simultaneously), some deploy
parallel systems to improve censorship reliability (such as deploying parallel systems to improve censorship reliability (such as deploying
multiple different censorship systems to block the same domain), and others multiple different censorship systems to block the same domain), and others
can use complimentary systems to limit evasion (such as by blocking can use complimentary systems to limit evasion (such as by blocking
unwanted protocols entirely, forcing users to use other filtered protocols).</t> unwanted protocols entirely, forcing users to use other filtered protocols).</t>
<t>Trade offs: Censorship in depth can be attractive for censors to de <t>Trade-offs: Censorship in depth can be attractive for censors to
ploy, deploy, as it offers additional guarantees about censorship: even if
as it offers additional guarantees about censorship: even if someone evades someone evades one type of censorship, they may still be blocked by
one type of censorship, they may still be blocked by another. The main another. The main drawback to this approach is the cost to initial
drawback to this approach is the cost to initial deployment, as it requires deployment, as it requires the system to deploy multiple censorship
the system to deploy multiple censorship systems in tandem.</t> systems in tandem.</t>
<t>Empirical Examples: Censorship in depth is present in many large ce <t>Empirical Examples: Censorship in depth is present in many large
nsoring censoring nation states today. Researchers have observed that China
nation states today. Researchers have observed that China has deployed has deployed significant censorship in depth, often censoring the
significant censorship in depth, often censoring the same resource across same resource across multiple protocols <xref target="Chai-2019"/>
multiple protocols <xref target="Chai-2019"/> <xref target="Bock-2020b"/>, or de <xref target="Bock-2020b"/> or deploying additional censorship
ploying additional systems to censor the same content and protocol <xref
censorship systems to censor the same content and protocol <xref target="Bock-20 target="Bock-2021b"/>. Iran also has deployed a complimentary
21b"/>. protocol filter to limit which protocols can be used on certain
Iran also has deployed a complimentary protocol filter to limit which ports, forcing users to rely on protocols their censorship system
protocols can be used on certain ports, forcing users to rely on protocols can filter <xref target="Bock-2020"/>.</t>
their censorship system can filter <xref target="Bock-2020"/>.</t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="nontechint"> <section anchor="nontechint">
<name>Non-Technical Interference</name> <name>Non-technical Interference</name>
<section anchor="manualfiltering"> <section anchor="manualfiltering">
<name>Manual Filtering</name> <name>Manual Filtering</name>
<t>As the name implies, sometimes manual labor is the easiest way to fig <t>As the name implies, sometimes manual labor is the easiest way to
ure figure out which content to block. Manual filtering differs from the
out which content to block. Manual Filtering differs from the common common tactic of building up blocklists in that it doesn't necessarily
tactic of building up blocklists in that it doesn't necessarily target target a specific IP or DNS but instead removes or flags content.
a specific IP or DNS, but instead removes or flags content. Given the Given the imprecise nature of automatic filtering, manually sorting
imprecise nature of automatic filtering, manually sorting through through content and flagging dissenting websites, blogs, articles, and
content and flagging dissenting websites, blogs, articles and other other media for filtration can be an effective technique on its own or
media for filtration can be an effective technique on its own, or combined with combined with other automated techniques of detection that are then
other automated techniques of detection that are then followed by an action that followed by an action that would require manual confirmation. This
would require manual confirmation. This filtration filtration can occur on the backbone or ISP level. China's army of
can occur on the Backbone/ISP level -- China's army of monitors is a monitors is a good example <xref target="BBC-2013b"/>, but more
good example <xref target="BBC-2013b"/> -- but more commonly manual filtering commonly, manual filtering occurs on an institutional level. ICPs,
occurs on an institutional level. Internet Content Providers such as such as Google or Weibo, require a business license to operate in
Google or Weibo, require a business license to operate in China. One China. One of the prerequisites for a business license is an
of the prerequisites for a business license is an agreement to sign a agreement to sign a "voluntary pledge" known as the "Public Pledge on
"voluntary pledge" known as the "Public Pledge on Self-discipline for Self-discipline for the Chinese Internet Industry". The failure to
the Chinese Internet Industry". The failure to "energetically "energetically uphold" the pledged values can lead to the ICPs being
uphold" the pledged values can lead to the ICPs being held liable for held liable for the offending content by the Chinese government <xref
the offending content by the Chinese government <xref target="BBC-2013b"/>.</t> target="BBC-2013b"/>.</t>
</section> </section>
<section anchor="selfcensor"> <section anchor="selfcensor">
<name>Self-Censorship</name> <name>Self-Censorship</name>
<t>Self-censorship is difficult to document, as it manifests primarily <t>Self-censorship is difficult to document as it manifests primarily
through a lack of undesirable content. Tools which encourage through a lack of undesirable content. Tools that encourage
self-censorship are those which may lead a prospective speaker to self-censorship may lead a prospective speaker to believe that
believe that speaking increases the risk of unfavourable outcomes for speaking increases the risk of unfavorable outcomes for the speaker
the speaker (technical monitoring, identification requirements, (technical monitoring, identification requirements, etc.). Reporters
etc.). Reporters Without Borders exemplify methods of imposing Without Borders exemplify methods of imposing self-censorship in their
self-censorship in their annual World Press Freedom Index reports annual World Press Freedom Index reports <xref target="RWB-2020"/>.</t>
<xref target="RWB2020"/>.</t>
</section> </section>
<section anchor="serverko"> <section anchor="serverko">
<name>Server Takedown</name> <name>Server Takedown</name>
<t>As mentioned in passing by <xref target="Murdoch-2011"/>, servers mus <t>As mentioned in passing by <xref target="Murdoch-2008"/>, servers
t have a must have a physical location somewhere in the world. If undesirable
physical location somewhere in the world. If undesirable content is content is hosted in the censoring country, the servers can be
hosted in the censoring country, the servers can be physically seized physically seized, or -- in cases where a server is virtualized in a
or -- in cases where a server is virtualized in a cloud infrastructure cloud infrastructure where it may not necessarily have a fixed
where it may not necessarily have a fixed physical location -- the physical location -- the hosting provider can be required to prevent
hosting provider can be required to prevent access.</t> access.</t>
</section> </section>
<section anchor="notice"> <section anchor="notice">
<name>Notice and Takedown</name> <name>Notice and Takedown</name>
<t>In many countries, legal mechanisms exist where an individual or othe r <t>In many countries, legal mechanisms exist where an individual or othe r
content provider can issue a legal request to a content host that content provider can issue a legal request to a content host that
requires the host to take down content. Examples include the systems requires the host to take down content. Examples include the systems
employed by companies like Google to comply with "Right to be employed by companies like Google to comply with "Right to be
Forgotten" policies in the European Union <xref target="Google-RTBF"/>, Forgotten" policies in the European Union <xref target="Google-RTBF"/>,
intermediary liability rules for electronic platform providers intermediary liability rules for electronic platform providers
<xref target="EC-2012"/>, or the copyright-oriented notice and takedown regime o f <xref target="EC-2012"/>, or the copyright-oriented notice and takedown regime o f
the United States Digital Millennium Copyright Act (DMCA) Section 512 the United States Digital Millennium Copyright Act (DMCA) Section 512
<xref target="DMLP-512"/>.</t> <xref target="DMLP-512"/>.</t>
</section> </section>
<section anchor="dns-seizures"> <section anchor="dns-seizures">
<name>Domain-Name Seizures</name> <name>Domain Name Seizures</name>
<t>Domain names are catalogued in name-servers operated by <t>Domain names are catalogued in name servers operated by legal
legal entities called registries. These registries can be made to cede entities called registries. These registries can be made to cede
control over a domain name to someone other than the entity which control over a domain name to someone other than the entity that
registered the domain name through a legal procedure grounded in either registered the domain name through a legal procedure grounded in
private contracts or public law. Domain name seizures is increasingly either private contracts or public law. Domain name seizure is
used by both public authorities and private entities to deal with increasingly used by both public authorities and private entities to
undesired content dissemination <xref target="ICANN2012"/> <xref target="EFF2017 deal with undesired content dissemination <xref target="ICANN-2012"/>
"/>.</t> <xref target="EFF-2017"/>.</t>
</section> </section>
</section> </section>
<section anchor="future-work"> <section anchor="future-work">
<name>Future work</name> <name>Future Work</name>
<t>In addition to establishing a thorough resource for describing censorsh <t>In addition to establishing a thorough resource for describing
ip techniques, this document implicates critical areas for future work.</t> censorship techniques, this document implicates critical areas for
<t>Taken as a whole the apparent costs of implementation of censorship tec future work.</t>
hniques indicate a need for better classification of censorship regimes as they <t>Taken as a whole, the apparent costs of implementation of censorship
evolve and mature, and specifying censorship circumvention techniques themselves techniques indicate a need for better classification of censorship
. Censors maturity refers to the technical maturity required of the censor to pe regimes as they evolve and mature and better specification of censorship
rform the specific censorship technique. Future work might classify techniques b circumvention techniques themselves. Censor maturity refers to the
y essentially how hard a censor must work, including what infrastructure is requ technical maturity required of the censor to perform the specific
ired, in order to successfully censor content, users or services.</t> censorship technique. Future work might classify techniques by
<t>On circumvention, the increase in protocols leveraging encryption is an essentially how hard a censor must work, including what infrastructure
effective counter-measure against some forms of censorship described in this do is required, in order to successfully censor content, users, or
cument, but that thorough research on circumvention and encryption be left for a services.</t>
nother document. Moreover the censorship circumvention community has developed a <t>On circumvention, the increase in protocols leveraging encryption is
n area of research on "pluggable transports," which collects, documents and make an effective countermeasure against some forms of censorship described
s agile methods for obfuscating the on-path traffic of censorship circumvention in this document, but that thorough research on circumvention and
tools such that it appears indistinguishable from other kinds of traffic <xref t encryption is left for another document. Moreover, the censorship
arget="Tor-2020"/>. Those methods would benefit from future work in the internet circumvention community has developed an area of research on "pluggable
standards community, too.</t> transports," which collect, document, and make agile methods for
<t>Lastly the empirical examples demonstrate that censorship techniques ca obfuscating the on-path traffic of censorship circumvention tools such
n evolve quickly, and experience shows that this document can only be a point-in that it appears indistinguishable from other kinds of traffic <xref
-time statement. Future work might extend this document with updates and new tec target="Tor-2019"/>. Those methods would benefit from future work in the
hniques described using a comparable methodology.</t> Internet standards community, too.</t>
<t>Lastly, the empirical examples demonstrate that censorship techniques c
an evolve quickly, and experience shows that this document can only be a point-i
n-time statement. Future work might extend this document with updates and new te
chniques described using a comparable methodology.</t>
</section> </section>
<section anchor="Contributors">
<name>Contributors</name> <section>
<t>This document benefited from discussions with and input from <name>IANA Considerations</name>
David Belson, Stephane Bortzmeyer, Vinicius Fortuna, <t>
Gurshabad Grover, Andrew McConachie, Martin Nilsson, Michael This document has no IANA actions.
Richardson, Patrick Vacek and Chris Wood.</t> </t>
</section> </section>
<section>
<name>Security Considerations</name>
<t>
This document is a survey of existing literature on network censorship
techniques. As such, it does not introduce any new security
considerations to be taken into account beyond what is already
discussed in each paper surveyed.
</t>
</section>
</middle> </middle>
<back> <back>
<displayreference target="I-D.ietf-tls-esni" to="TLS-ESNI"/>
<references> <references>
<name>Informative References</name>
<reference anchor="RFC0793">
<front>
<title>Transmission Control Protocol</title>
<author fullname="J. Postel" initials="J." surname="Postel">
<organization/>
</author>
<date month="September" year="1981"/>
</front>
<seriesInfo name="RFC" value="793"/>
<seriesInfo name="DOI" value="10.17487/RFC0793"/>
</reference>
<reference anchor="RFC7754">
<front>
<title>Technical Considerations for Internet Service Blocking and Filt
ering</title>
<author fullname="R. Barnes" initials="R." surname="Barnes">
<organization/>
</author>
<author fullname="A. Cooper" initials="A." surname="Cooper">
<organization/>
</author>
<author fullname="O. Kolkman" initials="O." surname="Kolkman">
<organization/>
</author>
<author fullname="D. Thaler" initials="D." surname="Thaler">
<organization/>
</author>
<author fullname="E. Nordmark" initials="E." surname="Nordmark">
<organization/>
</author>
<date month="March" year="2016"/>
<abstract>
<t>The Internet is structured to be an open communications medium.
This openness is one of the key underpinnings of Internet innovation, but it can
also allow communications that may be viewed as undesirable by certain parties.
Thus, as the Internet has grown, so have mechanisms to limit the extent and im
pact of abusive or objectionable communications. Recently, there has been an in
creasing emphasis on "blocking" and "filtering", the active prevention of such c
ommunications. This document examines several technical approaches to Internet
blocking and filtering in terms of their alignment with the overall Internet arc
hitecture. When it is possible to do so, the approach to blocking and filtering
that is most coherent with the Internet architecture is to inform endpoints abo
ut potentially undesirable services, so that the communicants can avoid engaging
in abusive or objectionable communications. We observe that certain filtering
and blocking approaches can cause unintended consequences to third parties, and
we discuss the limits of efficacy of various approaches.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7754"/>
<seriesInfo name="DOI" value="10.17487/RFC7754"/>
</reference>
<reference anchor="RFC7624">
<front>
<title>Confidentiality in the Face of Pervasive Surveillance: A Threat
Model and Problem Statement</title>
<author fullname="R. Barnes" initials="R." surname="Barnes">
<organization/>
</author>
<author fullname="B. Schneier" initials="B." surname="Schneier">
<organization/>
</author>
<author fullname="C. Jennings" initials="C." surname="Jennings">
<organization/>
</author>
<author fullname="T. Hardie" initials="T." surname="Hardie">
<organization/>
</author>
<author fullname="B. Trammell" initials="B." surname="Trammell">
<organization/>
</author>
<author fullname="C. Huitema" initials="C." surname="Huitema">
<organization/>
</author>
<author fullname="D. Borkmann" initials="D." surname="Borkmann">
<organization/>
</author>
<date month="August" year="2015"/>
<abstract>
<t>Since the initial revelations of pervasive surveillance in 2013,
several classes of attacks on Internet communications have been discovered. In
this document, we develop a threat model that describes these attacks on Interne
t confidentiality. We assume an attacker that is interested in undetected, indi
scriminate eavesdropping. The threat model is based on published, verified atta
cks.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7624"/>
<seriesInfo name="DOI" value="10.17487/RFC7624"/>
</reference>
<reference anchor="RFC6066">
<front>
<title>Transport Layer Security (TLS) Extensions: Extension Definition
s</title>
<author fullname="D. Eastlake 3rd" initials="D." surname="Eastlake 3rd
">
<organization/>
</author>
<date month="January" year="2011"/>
<abstract>
<t>This document provides specifications for existing TLS extensions
. It is a companion document for RFC 5246, "The Transport Layer Security (TLS)
Protocol Version 1.2". The extensions specified are server_name, max_fragment_l
ength, client_certificate_url, trusted_ca_keys, truncated_hmac, and status_reque
st. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6066"/>
<seriesInfo name="DOI" value="10.17487/RFC6066"/>
</reference>
<reference anchor="RFC8484">
<front>
<title>DNS Queries over HTTPS (DoH)</title>
<author fullname="P. Hoffman" initials="P." surname="Hoffman">
<organization/>
</author>
<author fullname="P. McManus" initials="P." surname="McManus">
<organization/>
</author>
<date month="October" year="2018"/>
<abstract>
<t>This document defines a protocol for sending DNS queries and gett
ing DNS responses over HTTPS. Each DNS query-response pair is mapped into an HT
TP exchange.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8484"/>
<seriesInfo name="DOI" value="10.17487/RFC8484"/>
</reference>
<reference anchor="RFC7858">
<front>
<title>Specification for DNS over Transport Layer Security (TLS)</titl
e>
<author fullname="Z. Hu" initials="Z." surname="Hu">
<organization/>
</author>
<author fullname="L. Zhu" initials="L." surname="Zhu">
<organization/>
</author>
<author fullname="J. Heidemann" initials="J." surname="Heidemann">
<organization/>
</author>
<author fullname="A. Mankin" initials="A." surname="Mankin">
<organization/>
</author>
<author fullname="D. Wessels" initials="D." surname="Wessels">
<organization/>
</author>
<author fullname="P. Hoffman" initials="P." surname="Hoffman">
<organization/>
</author>
<date month="May" year="2016"/>
<abstract>
<t>This document describes the use of Transport Layer Security (TLS)
to provide privacy for DNS. Encryption provided by TLS eliminates opportunitie
s for eavesdropping and on-path tampering with DNS queries in the network, such
as discussed in RFC 7626. In addition, this document specifies two usage profil
es for DNS over TLS and provides advice on performance considerations to minimiz
e overhead from using TCP and TLS with DNS.</t>
<t>This document focuses on securing stub-to-recursive traffic, as p
er the charter of the DPRIVE Working Group. It does not prevent future applicat
ions of the protocol to recursive-to-authoritative traffic.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7858"/>
<seriesInfo name="DOI" value="10.17487/RFC7858"/>
</reference>
<reference anchor="I-D.ietf-tls-sni-encryption">
<front>
<title>Issues and Requirements for Server Name Identification (SNI) En
cryption in TLS</title>
<author fullname="Christian Huitema" initials="C." surname="Huitema">
<organization>Private Octopus Inc.</organization>
</author>
<author fullname="Eric Rescorla" initials="E." surname="Rescorla">
<organization>RTFM, Inc.</organization>
</author>
<date day="28" month="October" year="2019"/>
<abstract>
<t>This document describes the general problem of encrypting the Ser
ver Name Identification (SNI) TLS parameter. The proposed solutions hide a hidde
n service behind a fronting service, only disclosing the SNI of the fronting ser
vice to external observers. This document lists known attacks against SNI encryp
tion, discusses the current "HTTP co-tenancy" solution, and presents requirement
s for future TLS-layer solutions.
In practice, it may well be that no solution can meet every requirement and tha <name>Informative References</name>
t practical solutions will have to make some compromises.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-tls-sni-encryption-0
9"/>
</reference>
<reference anchor="I-D.ietf-tls-esni">
<front>
<title>TLS Encrypted Client Hello</title>
<author fullname="Eric Rescorla" initials="E." surname="Rescorla">
<organization>RTFM, Inc.</organization>
</author>
<author fullname="Kazuho Oku" initials="K." surname="Oku">
<organization>Fastly</organization>
</author>
<author fullname="Nick Sullivan" initials="N." surname="Sullivan">
<organization>Cloudflare</organization>
</author>
<author fullname="Christopher A. Wood" initials="C. A." surname="Wood"
>
<organization>Cloudflare</organization>
</author>
<date day="3" month="October" year="2022"/>
<abstract>
<t> This document describes a mechanism in Transport Layer Securit
y (TLS)
for encrypting a ClientHello message under a server public key.
Discussion Venues <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7754.xml"
/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7624.xml"
/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6066.xml"
/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8484.xml"
/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7858.xml"
/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8744.xml"
/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9000.xml"
/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9293.xml"
/>
This note is to be removed before publishing as an RFC. <!-- [I-D.ietf-tls-esni] IESG state I-D Exists -->
Source for this draft and an issue tracker can be found at <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-tl
https://github.com/tlswg/draft-ietf-tls-esni s-esni.xml"/>
(https://github.com/tlswg/draft-ietf-tls-esni).
</t> <reference anchor="RWB-2020" target="https://rsf.org/en/2020-world-press-f
</abstract> reedom-index-entering-decisive-decade-journalism-exacerbated-coronavirus">
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-tls-esni-15"/>
</reference>
<reference anchor="I-D.ietf-quic-transport">
<front>
<title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
<author fullname="Jana Iyengar" initials="J." surname="Iyengar">
<organization>Fastly</organization>
</author>
<author fullname="Martin Thomson" initials="M." surname="Thomson">
<organization>Mozilla</organization>
</author>
<date day="14" month="January" year="2021"/>
<abstract>
<t>This document defines the core of the QUIC transport protocol. Q
UIC provides applications with flow-controlled streams for structured communicat
ion, low-latency connection establishment, and network path migration. QUIC inc
ludes security measures that ensure confidentiality, integrity, and availability
in a range of deployment circumstances. Accompanying documents describe the in
tegration of TLS for key negotiation, loss detection, and an exemplary congestio
n control algorithm.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-quic-transport-34"/>
</reference>
<reference anchor="RWB2020" target="https://rsf.org/en/2020-world-press-fr
eedom-index-entering-decisive-decade-journalism-exacerbated-coronavirus">
<front> <front>
<title>2020 World Press Freedom Index: Entering a decisive decade for journalism, exacerbated by coronavirus</title> <title>2020 World Press Freedom Index: 'Entering a decisive decade for journalism, exacerbated by coronavirus'</title>
<author> <author>
<organization>Reporters Without Borders</organization> <organization>Reporters Without Borders (RSF)</organization>
</author> </author>
<date year="2020"/> <date month="April" year="2020"/>
</front> </front>
</reference> </reference>
<reference anchor="HADOPI-2020" target="https://www.hadopi.fr/en/node/3668
"> <reference anchor="HADOPI" target="https://www.hadopi.fr/">
<front> <front>
<title>Présentation</title> <title>Hadopi | Haute Autorité pour la diffusion des oeuvres et la pro tection des droits sur internet</title>
<author> <author>
<organization>Haute Autorité pour la Diffusion des oeuvres et la Pro tection des Droits sur Internet</organization> <organization>Hadopi</organization>
</author> </author>
<date year="2020"/>
</front> </front>
</reference> </reference>
<reference anchor="SSAC-109-2020" target="https://www.icann.org/en/system/ files/files/sac-109-en.pdf"> <reference anchor="SSAC-109-2020" target="https://www.icann.org/en/system/ files/files/sac-109-en.pdf">
<front> <front>
<title>SAC109: The Implications of DNS over HTTPS and DNS over TLS</ti tle> <title>SAC109: The Implications of DNS over HTTPS and DNS over TLS</ti tle>
<author> <author>
<organization>ICANN Security and Stability Advisory Committee</organ <organization>ICANN Security and Stability Advisory Committee
ization> (SSAC)</organization>
</author> </author>
<date year="2020"/> <date month="March" year="2020"/>
</front> </front>
</reference> </reference>
<reference anchor="ICANN2012" target="https://www.icann.org/en/system/file
s/files/guidance-domain-seizures-07mar12-en.pdf"> <reference anchor="ICANN-2012" target="https://www.icann.org/en/system/fil
es/files/guidance-domain-seizures-07mar12-en.pdf">
<front> <front>
<title>Guidance for Preparing Domain Name Orders, Seizures &amp; Taked <title>Guidance for Preparing Domain Name Orders, Seizures &amp;
owns</title> Takedowns</title>
<author> <author>
<organization>ICANN Security and Stability Advisory Committee</organ <organization>ICANN Security and Stability Advisory
ization> Committee</organization>
</author> </author>
<date year="2012"/> <date month="January" year="2012"/>
</front> </front>
</reference> </reference>
<reference anchor="Tor-2020" target="https://2019.www.torproject.org/docs/
pluggable-transports.html.en"> <reference anchor="Tor-2019" target="https://2019.www.torproject.org/docs/
pluggable-transports.html.en">
<front> <front>
<title>Tor: Pluggable Transports</title> <title>Tor: Pluggable Transports</title>
<author> <author>
<organization>The Tor Project</organization> <organization>Tor</organization>
</author> </author>
<date year="2020"/> <date year="2019"/>
</front> </front>
</reference> </reference>
<reference anchor="WP-Def-2020" target="https://en.wikipedia.org/w/index.p hp?title=Censorship&amp;oldid=943938595"> <reference anchor="WP-Def-2020" target="https://en.wikipedia.org/w/index.p hp?title=Censorship&amp;oldid=943938595">
<front> <front>
<title>Censorship</title> <title>Censorship</title>
<author> <author>
<organization>Wikipedia contributors</organization> <organization>Wikipedia</organization>
</author> </author>
<date year="2020"/> <date month="March" year="2020"/>
</front> </front>
</reference> </reference>
<reference anchor="EC-gambling-2012" target="https://eur-lex.europa.eu/leg al-content/EN/TXT/?uri=CELEX:52012SC0345"> <reference anchor="EC-gambling-2012" target="https://eur-lex.europa.eu/leg al-content/EN/TXT/?uri=CELEX:52012SC0345">
<front> <front>
<title>Online gambling in the Internal Market</title> <title>Online gambling in the Internal Market Accompanying the documen t Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions Towards a compre hensive framework for online gambling</title>
<author> <author>
<organization>European Commission</organization> <organization>European Commission</organization>
</author> </author>
<date year="2012"/> <date year="2012"/>
</front> </front>
</reference> </reference>
<reference anchor="EC-gambling-2019" target="https://ec.europa.eu/growth/c ontent/evaluation-regulatory-tools-enforcing-online-gambling-rules-and-channelli ng-demand-towards-1_en"> <reference anchor="EC-gambling-2019" target="https://ec.europa.eu/growth/c ontent/evaluation-regulatory-tools-enforcing-online-gambling-rules-and-channelli ng-demand-towards-1_en">
<front> <front>
<title>Evaluation of regulatory tools for enforcing online gambling ru les and channeling demand towards controlled offers</title> <title>Evaluation of regulatory tools for enforcing online gambling ru les and channelling demand towards controlled offers</title>
<author> <author>
<organization>European Commission</organization> <organization>European Commission</organization>
</author> </author>
<date year="2019"/> <date month="January" year="2019"/>
</front> </front>
</reference> </reference>
<reference anchor="EC-2012" target="https://ec.europa.eu/information_socie ty/newsroom/image/document/2017-4/consultation_summary_report_en_2010_42070.pdf" > <reference anchor="EC-2012" target="https://ec.europa.eu/information_socie ty/newsroom/image/document/2017-4/consultation_summary_report_en_2010_42070.pdf" >
<front> <front>
<title>Summary of the results of the Public Consultation on the future of electronic commerce in the Internal Market and the implementation of the Dir ective on electronic commerce (2000/31/EC)</title> <title>Summary of the results of the Public Consultation on the future of electronic commerce in the Internal Market and the implementation of the Dir ective on electronic commerce (2000/31/EC)</title>
<author> <author>
<organization>European Commission</organization> <organization>European Commission</organization>
</author> </author>
<date year="2012"/> <date month="January" year="2012"/>
</front>
</reference>
<reference anchor="Bentham-1791" target="https://www.google.com/books/edit
ion/_/Ec4TAAAAQAAJ?hl=en">
<front>
<title>Panopticon Or the Inspection House</title>
<author initials="J." surname="Bentham" fullname="Jeremy Bentham">
<organization/>
</author>
<date year="1791"/>
</front>
</reference>
<reference anchor="Ellul-1973" target="https://www.penguinrandomhouse.com/
books/46234/propaganda-by-jacques-ellul/">
<front>
<title>Propaganda: The Formation of Men's Attitudes</title>
<author initials="J." surname="Ellul" fullname="Jacques Ellul">
<organization/>
</author>
<date year="1973"/>
</front> </front>
</reference> </reference>
<reference anchor="Reda-2017" target="https://juliareda.eu/2017/11/eu-webs
ite-blocking/"> <reference anchor="Reda-2017" target="https://felixreda.eu/2017/11/eu-webs
ite-blocking/">
<front> <front>
<title>New EU law prescribes website blocking in the name of 'consumer <title>New EU law prescribes website blocking in the name of "consumer
protection'</title> protection"</title>
<author initials="J." surname="Reda" fullname="Julia Reda"> <author initials="F." surname="Reda" fullname="Felix Reda">
<organization/> <organization/>
</author> </author>
<date year="2017"/> <date month="November" year="2017"/>
</front> </front>
</reference> </reference>
<reference anchor="Knight-2005" target="https://www.newscientist.com/artic le/dn7589-iranian-net-censorship-powered-by-us-technology/"> <reference anchor="Knight-2005" target="https://www.newscientist.com/artic le/dn7589-iranian-net-censorship-powered-by-us-technology/">
<front> <front>
<title>Iranian net censorship powered by US technology</title> <title>Iranian net censorship powered by US technology</title>
<author initials="W." surname="Knight" fullname="Will Knight"> <author initials="W." surname="Knight" fullname="Will Knight">
<organization/> <organization/>
</author> </author>
<date year="2005"/> <date month="June" year="2005"/>
</front> </front>
</reference> </reference>
<reference anchor="SIDN2020" target="https://labs.ripe.net/Members/giovane
_moura/detecting-and-taking-down-fraudulent-webshops-at-a-cctld"> <reference anchor="SIDN-2020" target="https://labs.ripe.net/Members/giovan
e_moura/detecting-and-taking-down-fraudulent-webshops-at-a-cctld">
<front> <front>
<title>Detecting and Taking Down Fraudulent Webshops at the .nl ccTLD< /title> <title>Detecting and Taking Down Fraudulent Webshops at the .nl ccTLD< /title>
<author initials="G." surname="Moura" fullname="Giovane Moura"> <author initials="G." surname="Moura" fullname="Giovane Moura">
<organization/> <organization/>
</author> </author>
<date year="2020"/> <date month="February" year="2020"/>
</front> </front>
</reference> </reference>
<reference anchor="Cimpanu-2019" target="https://www.zdnet.com/article/rus sia-to-disconnect-from-the-internet-as-part-of-a-planned-test/"> <reference anchor="Cimpanu-2019" target="https://www.zdnet.com/article/rus sia-to-disconnect-from-the-internet-as-part-of-a-planned-test/">
<front> <front>
<title>Russia to disconnect from the internet as part of a planned tes t</title> <title>Russia to disconnect from the internet as part of a planned tes t</title>
<author initials="C." surname="Cimpanu" fullname="Catalin Cimpanu"> <author initials="C." surname="Cimpanu" fullname="Catalin Cimpanu">
<organization/> <organization/>
</author> </author>
<date year="2019"/> <date month="February" year="2019"/>
</front> </front>
</reference> </reference>
<reference anchor="Hertel-2015" target="https://www.sciencesetavenir.fr/hi
gh-tech/comment-les-autorites-peuvent-bloquer-un-site-internet_35828"> <reference anchor="Hertel-2015" quoteTitle="false" target="https://www.sci
encesetavenir.fr/high-tech/comment-les-autorites-peuvent-bloquer-un-site-interne
t_35828">
<front> <front>
<title>Comment les autorités peuvent bloquer un site Internet</title> <title>"Comment les autorités peuvent bloquer un site Internet" [How a uthorities can block a website]</title>
<author initials="O." surname="Hertel" fullname="Olivier Hertel"> <author initials="O." surname="Hertel" fullname="Olivier Hertel">
<organization/> <organization/>
</author> </author>
<date year="2015"/> <date month="March" year="2015"/>
</front> </front>
</reference> </reference>
<reference anchor="Eneman-2010" target="https://www.gu.se/forskning/publik
ation/?publicationId=96592"> <reference anchor="Eneman-2010" target="https://www.tandfonline.com/doi/abs/10.1
080/13552601003760014">
<front> <front>
<title>ISPs filtering of child abusive material: A critical reflection of its effectiveness</title> <title>Internet service provider (ISP) filtering of child-abusive mate rial: A critical reflection of its effectiveness</title>
<author initials="M." surname="Eneman" fullname="Marie Eneman"> <author initials="M." surname="Eneman" fullname="Marie Eneman">
<organization/> <organization/>
</author> </author>
<date year="2010"/> <date month="June" year="2010"/>
</front> </front>
<seriesInfo name="DOI" value="10.1080/13552601003760014"/>
</reference> </reference>
<reference anchor="Gatlan-2019" target="https://www.bleepingcomputer.com/n ews/security/south-korea-is-censoring-the-internet-by-snooping-on-sni-traffic/"> <reference anchor="Gatlan-2019" target="https://www.bleepingcomputer.com/n ews/security/south-korea-is-censoring-the-internet-by-snooping-on-sni-traffic/">
<front> <front>
<title>South Korea is Censoring the Internet by Snooping on SNI Traffi c</title> <title>South Korea is Censoring the Internet by Snooping on SNI Traffi c</title>
<author initials="S." surname="Gatlan" fullname="Sergiu Gatlan"> <author initials="S." surname="Gatlan" fullname="Sergiu Gatlan">
<organization/> <organization/>
</author> </author>
<date year="2019"/> <date month="February" year="2019"/>
</front> </front>
</reference> </reference>
<reference anchor="Lomas-2019" target="https://techcrunch.com/2019/10/30/g ithub-removes-tsunami-democratics-apk-after-a-takedown-order-from-spain/"> <reference anchor="Lomas-2019" target="https://techcrunch.com/2019/10/30/g ithub-removes-tsunami-democratics-apk-after-a-takedown-order-from-spain/">
<front> <front>
<title>Github removes Tsunami Democràtics APK after a takedown order from Spain</title> <title>Github removes Tsunami Democràtic's APK after a takedown order from Spain</title>
<author initials="N." surname="Lomas" fullname="Natasha Lomas"> <author initials="N." surname="Lomas" fullname="Natasha Lomas">
<organization/> <organization/>
</author> </author>
<date year="2019"/> <date month="October" year="2019"/>
</front> </front>
</reference> </reference>
<reference anchor="Victor-2019" target="https://www.nytimes.com/2019/10/09 /world/asia/blizzard-hearthstone-hong-kong.html"> <reference anchor="Victor-2019" target="https://www.nytimes.com/2019/10/09 /world/asia/blizzard-hearthstone-hong-kong.html">
<front> <front>
<title>Blizzard Sets Off Backlash for Penalizing Hearthstone Gamer in Hong Kong</title> <title>Blizzard Sets Off Backlash for Penalizing Hearthstone Gamer in Hong Kong</title>
<author initials="D." surname="Victor" fullname="Daniel Victor"> <author initials="D." surname="Victor" fullname="Daniel Victor">
<organization/> <organization/>
</author> </author>
<date year="2019"/> <date month="October" year="2019"/>
</front> </front>
<refcontent>The New York Times</refcontent>
</reference> </reference>
<reference anchor="Glanville-2008" target="http://www.theguardian.com/comm entisfree/2008/nov/17/censorship-internet"> <reference anchor="Glanville-2008" target="http://www.theguardian.com/comm entisfree/2008/nov/17/censorship-internet">
<front> <front>
<title>The Big Business of Net Censorship</title> <title>The big business of net censorship</title>
<author initials="J." surname="Glanville" fullname="Jo Glanville"> <author initials="J." surname="Glanville" fullname="Jo Glanville">
<organization/> <organization/>
</author> </author>
<date year="2008"/> <date month="November" year="2008"/>
</front> </front>
<refcontent>The Guardian</refcontent>
</reference> </reference>
<reference anchor="EFF2017" target="https://www.eff.org/files/2017/08/02/d
omain_registry_whitepaper.pdf"> <reference anchor="EFF-2017" target="https://www.eff.org/files/2017/08/02/
domain_registry_whitepaper.pdf">
<front> <front>
<title>Which Internet registries offer the best protection for domain owners?</title> <title>Which Internet registries offer the best protection for domain owners?</title>
<author initials="J." surname="Malcom" fullname="Jeremy Malcolm"> <author initials="J." surname="Malcom" fullname="Jeremy Malcolm">
<organization/> <organization/>
</author> </author>
<author initials="M." surname="Stoltz" fullname="Mitch Stoltz">
<organization/>
</author>
<author initials="G." surname="Rossi" fullname="Gus Rossi"> <author initials="G." surname="Rossi" fullname="Gus Rossi">
<organization/> <organization/>
</author> </author>
<author initials="V." surname="Paxson" fullname="Vern Paxson"> <author initials="M." surname="Stoltz" fullname="Mitch Stoltz">
<organization/> <organization/>
</author> </author>
<date year="2017"/> <date month="July" year="2017"/>
</front> </front>
<refcontent>Electronic Frontier Foundation</refcontent>
</reference> </reference>
<reference anchor="Tschantz-2016" target="https://oaklandsok.github.io/pap ers/tschantz2016.pdf"> <reference anchor="Tschantz-2016" target="https://oaklandsok.github.io/pap ers/tschantz2016.pdf">
<front> <front>
<title>SoK: Towards Grounding Censorship Circumvention in Empiricism</ title> <title>SoK: Towards Grounding Censorship Circumvention in Empiricism</ title>
<author initials="M." surname="Tschantz" fullname="Michael Carl Tschan tz"> <author initials="M." surname="Tschantz" fullname="Michael Carl Tschan tz">
<organization/> <organization/>
</author> </author>
<author initials="S." surname="Afroz" fullname="Sadia Afroz"> <author initials="S." surname="Afroz" fullname="Sadia Afroz">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Anonymous" fullname="Anonymous"> <author fullname="Anonymous">
<organization/> <organization/>
</author> </author>
<author initials="V." surname="Paxson" fullname="Vern Paxson"> <author initials="V." surname="Paxson" fullname="Vern Paxson">
<organization/> <organization/>
</author> </author>
<date year="2016"/> <date month="May" year="2016"/>
</front> </front>
<seriesInfo name="DOI" value="10.1109/SP.2016.59"/>
</reference> </reference>
<reference anchor="Cao-2016" target="https://www.usenix.org/system/files/c onference/usenixsecurity16/sec16_paper_cao.pdf"> <reference anchor="Cao-2016" target="https://www.usenix.org/system/files/c onference/usenixsecurity16/sec16_paper_cao.pdf">
<front> <front>
<title>Off-Path TCP Exploits: Global Rate Limit Considered Dangerous</ title> <title>Off-Path TCP Exploits: Global Rate Limit Considered Dangerous</ title>
<author initials="Y." surname="Cao" fullname="Yue Cao"> <author initials="Y." surname="Cao" fullname="Yue Cao">
<organization/> <organization/>
</author> </author>
<author initials="Z." surname="Qian" fullname="Zhiyun Qian"> <author initials="Z." surname="Qian" fullname="Zhiyun Qian">
<organization/> <organization/>
</author> </author>
<author initials="Z." surname="Wang" fullname="Zhongjie Wang"> <author initials="Z." surname="Wang" fullname="Zhongjie Wang">
skipping to change at line 1549 skipping to change at line 1529
</author> </author>
<author initials="T." surname="Dao" fullname="Tuan Dao"> <author initials="T." surname="Dao" fullname="Tuan Dao">
<organization/> <organization/>
</author> </author>
<author initials="S." surname="Krishnamurthy" fullname="Srikanth V. Kr ishnamurthy"> <author initials="S." surname="Krishnamurthy" fullname="Srikanth V. Kr ishnamurthy">
<organization/> <organization/>
</author> </author>
<author initials="L." surname="Marvel" fullname="Lisa M. Marvel"> <author initials="L." surname="Marvel" fullname="Lisa M. Marvel">
<organization/> <organization/>
</author> </author>
<date year="2016"/> <date month="August" year="2016"/>
</front> </front>
</reference> </reference>
<reference anchor="Leyba-2019" target="https://forrest.biodesign.asu.edu/d
ata/publications/2019-compass-chokepoints.pdf"> <reference anchor="Leyba-2019">
<front> <front>
<title>Borders and Gateways: Measuring and Analyzing National AS Choke points</title> <title>Borders and gateways: measuring and analyzing national as choke points</title>
<author initials="K." surname="Leyba" fullname="Kirtus G. Leyba"> <author initials="K." surname="Leyba" fullname="Kirtus G. Leyba">
<organization/> <organization/>
</author> </author>
<author initials="B." surname="Edwards" fullname="Benjamin Edwards"> <author initials="B." surname="Edwards" fullname="Benjamin Edwards">
<organization/> <organization/>
</author> </author>
<author initials="C." surname="Freeman" fullname="Cynthia Freeman"> <author initials="C." surname="Freeman" fullname="Cynthia Freeman">
<organization/> <organization/>
</author> </author>
<author initials="J." surname="Crandall" fullname="Jedidiah R. Crandal l"> <author initials="J." surname="Crandall" fullname="Jedidiah R. Crandal l">
<organization/> <organization/>
</author> </author>
<author initials="S." surname="Forrest" fullname="Stephanie Forrest"> <author initials="S." surname="Forrest" fullname="Stephanie Forrest">
<organization/> <organization/>
</author> </author>
<date year="2019"/> <date month="July" year="2019"/>
</front> </front>
<seriesInfo name="DOI" value="10.1145/3314344.3332502"/>
<refcontent>COMPASS '19: Proceedings of the 2nd ACM SIGCAS Conference on
Computing and Sustainable Societies, pages 184-194</refcontent>
</reference> </reference>
<reference anchor="Chai-2019" target="https://www.usenix.org/system/files/ foci19-paper_chai_update.pdf"> <reference anchor="Chai-2019" target="https://www.usenix.org/system/files/ foci19-paper_chai_update.pdf">
<front> <front>
<title>On the Importance of Encrypted-SNI (ESNI) to Censorship Circumv ention</title> <title>On the Importance of Encrypted-SNI (ESNI) to Censorship Circumv ention</title>
<author initials="Z." surname="Chai" fullname="Zimo Chai"> <author initials="Z." surname="Chai" fullname="Zimo Chai">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Ghafari" fullname="Amirhossein Ghafari" > <author initials="A." surname="Ghafari" fullname="Amirhossein Ghafari" >
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Houmansadr" fullname="Amir Houmansadr"> <author initials="A." surname="Houmansadr" fullname="Amir Houmansadr">
skipping to change at line 1588 skipping to change at line 1572
</author> </author>
<author initials="A." surname="Ghafari" fullname="Amirhossein Ghafari" > <author initials="A." surname="Ghafari" fullname="Amirhossein Ghafari" >
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Houmansadr" fullname="Amir Houmansadr"> <author initials="A." surname="Houmansadr" fullname="Amir Houmansadr">
<organization/> <organization/>
</author> </author>
<date year="2019"/> <date year="2019"/>
</front> </front>
</reference> </reference>
<reference anchor="Patil-2019" target="https://irtf.org/anrw/2019/anrw2019 -final44-acmpaginated.pdf"> <reference anchor="Patil-2019" target="https://irtf.org/anrw/2019/anrw2019 -final44-acmpaginated.pdf">
<front> <front>
<title>What Can You Learn from an IP?</title> <title>What can you learn from an IP?</title>
<author initials="S." surname="Patil" fullname="Simran Patil"> <author initials="S." surname="Patil" fullname="Simran Patil">
<organization/> <organization/>
</author> </author>
<author initials="N." surname="Borisov" fullname="Nikita Borisov"> <author initials="N." surname="Borisov" fullname="Nikita Borisov">
<organization/> <organization/>
</author> </author>
<date year="2019"/> <date month="July" year="2019"/>
</front> </front>
<seriesInfo name="DOI" value="10.1145/3340301.3341133"/>
<refcontent>Proceedings of the Applied Networking Research Workshop, Page
s 45-51</refcontent>
</reference> </reference>
<reference anchor="Wright-2013" target="https://policyreview.info/articles /analysis/internet-filtering-trends-liberal-democracies-french-and-german-regula tory-debates"> <reference anchor="Wright-2013" target="https://policyreview.info/articles /analysis/internet-filtering-trends-liberal-democracies-french-and-german-regula tory-debates">
<front> <front>
<title>Internet filtering trends in liberal democracies: French and Ge rman regulatory debates</title> <title>Internet filtering trends in liberal democracies: French and Ge rman regulatory debates</title>
<author initials="J." surname="Wright" fullname="Joss Wright"> <author initials="J." surname="Wright" fullname="Joss Wright">
<organization/> <organization/>
</author> </author>
<author initials="Y." surname="Breindl" fullname="Yana Breindl"> <author initials="Y." surname="Breindl" fullname="Yana Breindl">
<organization/> <organization/>
</author> </author>
<date year="2013"/> <date month="April" year="2013"/>
</front> </front>
<seriesInfo name="DOI" value="10.14763/2013.2.122"/>
</reference> </reference>
<reference anchor="Grover-2019" target="https://cis-india.org/internet-gov ernance/blog/reliance-jio-is-using-sni-inspection-to-block-websites"> <reference anchor="Grover-2019" target="https://cis-india.org/internet-gov ernance/blog/reliance-jio-is-using-sni-inspection-to-block-websites">
<front> <front>
<title>Reliance Jio is using SNI inspection to block websites</title> <title>Reliance Jio is using SNI inspection to block websites</title>
<author initials="G." surname="Grover" fullname="Gurshabad Grover"> <author initials="G." surname="Grover" fullname="Gurshabad Grover">
<organization/> <organization/>
</author> </author>
<author initials="K." surname="Singh" fullname="Kushagra Singh"> <author initials="K." surname="Singh" fullname="Kushagra Singh">
<organization/> <organization/>
</author> </author>
<author initials="E." surname="Hickok" fullname="Elonnai Hickok"> <author initials="E." surname="Hickok" fullname="Elonnai Hickok" role= "editor">
<organization/> <organization/>
</author> </author>
<date year="2019"/> <date month="November" year="2019"/>
</front> </front>
</reference> </reference>
<reference anchor="Singh-2019" target="https://arxiv.org/abs/1912.08590"> <reference anchor="Singh-2019" target="https://arxiv.org/abs/1912.08590">
<front> <front>
<title>How India Censors the Web</title> <title>How India Censors the Web</title>
<author initials="K." surname="Singh" fullname="Kushagra Singh"> <author initials="K." surname="Singh" fullname="Kushagra Singh">
<organization/> <organization/>
</author> </author>
<author initials="G." surname="Grover" fullname="Gurshabad Grover"> <author initials="G." surname="Grover" fullname="Gurshabad Grover">
<organization/> <organization/>
</author> </author>
<author initials="V." surname="Bansal" fullname="Varun Bansal"> <author initials="V." surname="Bansal" fullname="Varun Bansal">
<organization/> <organization/>
</author> </author>
<date year="2019"/> <date month="December" year="2019"/>
</front> </front>
<seriesInfo name="DOI" value="10.48550/arXiv.1912.08590"/>
</reference> </reference>
<reference anchor="NA-SK-2019" target="https://www.newamerica.org/cybersec urity-initiative/c2b/c2b-log/analysis-south-koreas-sni-monitoring/"> <reference anchor="NA-SK-2019" target="https://www.newamerica.org/cybersec urity-initiative/c2b/c2b-log/analysis-south-koreas-sni-monitoring/">
<front> <front>
<title>Analysis: South Korea's New Tool for Filtering Illegal Internet Content</title> <title>Analysis: South Korea's New Tool for Filtering Illegal Internet Content</title>
<author initials="R." surname="Morgus" fullname="Robert Morgus"> <author initials="R." surname="Morgus" fullname="Robert Morgus">
<organization/> <organization/>
</author> </author>
<author initials="J." surname="Sherman" fullname="Justin Sherman"> <author initials="J." surname="Sherman" fullname="Justin Sherman">
<organization/> <organization/>
</author> </author>
<author initials="S." surname="Nam" fullname="Seonghyun Nam"> <author initials="S." surname="Nam" fullname="Seonghyun Nam">
<organization/> <organization/>
</author> </author>
<date year="2019"/> <date month="March" year="2019"/>
</front> </front>
</reference> </reference>
<reference anchor="CitizenLab-2018" target="https://citizenlab.ca/2018/03/ bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria /"> <reference anchor="CitizenLab-2018" target="https://citizenlab.ca/2018/03/ bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria /">
<front> <front>
<title>Bad Traffic: Sandvines PacketLogic Devices Used to Deploy Gove rnment Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?</title> <title>Bad Traffic: Sandvine's PacketLogic Devices Used to Deploy Gove rnment Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?</title>
<author initials="B." surname="Marczak" fullname="Bill Marczak"> <author initials="B." surname="Marczak" fullname="Bill Marczak">
<organization/> <organization/>
</author> </author>
<author initials="J." surname="Dalek" fullname="Jakub Dalek"> <author initials="J." surname="Dalek" fullname="Jakub Dalek">
<organization/> <organization/>
</author> </author>
<author initials="S." surname="McKune" fullname="Sarah McKune"> <author initials="S." surname="McKune" fullname="Sarah McKune">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Senft" fullname="Adam Senft"> <author initials="A." surname="Senft" fullname="Adam Senft">
<organization/> <organization/>
</author> </author>
<author initials="J." surname="Scott-Railton" fullname="John Scott-Rai lton"> <author initials="J." surname="Scott-Railton" fullname="John Scott-Rai lton">
<organization/> <organization/>
</author> </author>
<author initials="R." surname="Deibert" fullname="Ron Deibert"> <author initials="R." surname="Deibert" fullname="Ron Deibert">
<organization/> <organization/>
</author> </author>
<date year="2018"/> <date month="March" year="2018"/>
</front> </front>
</reference> </reference>
<reference anchor="OONI-2019" target="https://ooni.org/post/2019-china-wik ipedia-blocking/"> <reference anchor="OONI-2019" target="https://ooni.org/post/2019-china-wik ipedia-blocking/">
<front> <front>
<title>China is now blocking all language editions of Wikipedia</title > <title>China is now blocking all language editions of Wikipedia</title >
<author initials="S." surname="Singh" fullname="Sukhbir Singh"> <author initials="S." surname="Singh" fullname="Sukhbir Singh">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Filastò" fullname="Arturo Filastò"> <author initials="A." surname="Filastò" fullname="Arturo Filastò">
<organization/> <organization/>
</author> </author>
<author initials="M." surname="Xynou" fullname="Maria Xynou"> <author initials="M." surname="Xynou" fullname="Maria Xynou">
<organization/> <organization/>
</author> </author>
<date year="2019"/> <date month="May" year="2019"/>
</front> </front>
</reference> </reference>
<reference anchor="OONI-2018" target="https://ooni.org/post/2018-iran-prot ests-pt2/"> <reference anchor="OONI-2018" target="https://ooni.org/post/2018-iran-prot ests-pt2/">
<front> <front>
<title>Iran Protests: DPI blocking of Instagram (Part 2)</title> <title>Iran Protests: DPI blocking of Instagram (Part 2)</title>
<author initials="L." surname="Evdokimov" fullname="Leonid Evdokimov"> <author initials="L." surname="Evdokimov" fullname="Leonid Evdokimov">
<organization/> <organization/>
</author> </author>
<date year="2018"/> <date month="February" year="2018"/>
</front> </front>
</reference> </reference>
<reference anchor="Dada-2017" target="https://www.accessnow.org/keepiton-s hutdown-tracker/"> <reference anchor="Dada-2017" target="https://www.accessnow.org/keepiton-s hutdown-tracker/">
<front> <front>
<title>Launching STOP: the #KeepItOn internet shutdown tracker</title> <title>Launching STOP: the #KeepItOn internet shutdown tracker</title>
<author initials="T." surname="Dada" fullname="Tinuola Dada"> <author initials="T." surname="Dada" fullname="Tinuola Dada">
<organization/> <organization/>
</author> </author>
<author initials="P." surname="Micek" fullname="Peter Micek"> <author initials="P." surname="Micek" fullname="Peter Micek">
<organization/> <organization/>
</author> </author>
<date year="2017"/> <date month="September" year="2017"/>
</front> </front>
</reference> </reference>
<reference anchor="Verkamp-2012" target="https://www.usenix.org/system/fil es/conference/foci12/foci12-final1.pdf"> <reference anchor="Verkamp-2012" target="https://www.usenix.org/system/fil es/conference/foci12/foci12-final1.pdf">
<front> <front>
<title>Inferring Mechanics of Web Censorship Around the World</title> <title>Inferring Mechanics of Web Censorship Around the World</title>
<author initials="J. P." surname="Verkamp" fullname="John-Paul Verkamp "> <author initials="J. P." surname="Verkamp" fullname="John-Paul Verkamp ">
<organization/> <organization/>
</author> </author>
<author initials="M." surname="Gupta" fullname="Minaxi Gupta"> <author initials="M." surname="Gupta" fullname="Minaxi Gupta">
<organization/> <organization/>
</author> </author>
<date year="2012"/> <date month="August" year="2012"/>
</front> </front>
</reference> </reference>
<reference anchor="Nabi-2013" target="http://0b4af6cdc2f0c5998459-c0245c5c 937c5dedcca3f1764ecc9b2f.r43.cf2.rackcdn.com/12387-foci13-nabi.pdf"> <reference anchor="Nabi-2013" target="http://0b4af6cdc2f0c5998459-c0245c5c 937c5dedcca3f1764ecc9b2f.r43.cf2.rackcdn.com/12387-foci13-nabi.pdf">
<front> <front>
<title>The Anatomy of Web Censorship in Pakistan</title> <title>The Anatomy of Web Censorship in Pakistan</title>
<author initials="Z." surname="Nabi" fullname="Zubair Nabi"> <author initials="Z." surname="Nabi" fullname="Zubair Nabi">
<organization/> <organization/>
</author> </author>
<date year="2013"/> <date month="August" year="2013"/>
</front> </front>
</reference> </reference>
<reference anchor="Tang-2016" target="https://www.cs.tufts.edu/comp/116/ar chive/fall2016/ctang.pdf"> <reference anchor="Tang-2016" target="https://www.cs.tufts.edu/comp/116/ar chive/fall2016/ctang.pdf">
<front> <front>
<title>In-depth analysis of the Great Firewall of China</title> <title>In-depth analysis of the Great Firewall of China</title>
<author initials="C." surname="Tang" fullname="Chao Tang"> <author initials="C." surname="Tang" fullname="Chao Tang">
<organization/> <organization/>
</author> </author>
<date year="2016"/> <date month="December" year="2016"/>
</front> </front>
</reference> </reference>
<reference anchor="Aryan-2012" target="https://jhalderm.com/pub/papers/ira
n-foci13.pdf"> <reference anchor="Aryan-2013" target="https://jhalderm.com/pub/papers/ira
n-foci13.pdf">
<front> <front>
<title>Internet Censorship in Iran: A First Look</title> <title>Internet Censorship in Iran: A First Look</title>
<author initials="S." surname="Aryan" fullname="Simurgh Aryan"> <author initials="S." surname="Aryan" fullname="Simurgh Aryan">
<organization/> <organization/>
</author> </author>
<author initials="H." surname="Aryan" fullname="Homa Aryan"> <author initials="H." surname="Aryan" fullname="Homa Aryan">
<organization/> <organization/>
</author> </author>
<author initials="J. A." surname="Halderman" fullname="J. Alex Halderm an"> <author initials="J. A." surname="Halderman" fullname="J. Alex Halderm an">
<organization/> <organization/>
skipping to change at line 1762 skipping to change at line 1763
</author> </author>
<author initials="H." surname="Aryan" fullname="Homa Aryan"> <author initials="H." surname="Aryan" fullname="Homa Aryan">
<organization/> <organization/>
</author> </author>
<author initials="J. A." surname="Halderman" fullname="J. Alex Halderm an"> <author initials="J. A." surname="Halderman" fullname="J. Alex Halderm an">
<organization/> <organization/>
</author> </author>
<date year="2012"/> <date year="2012"/>
</front> </front>
</reference> </reference>
<reference anchor="Husak-2016" target="https://link.springer.com/article/1 0.1186/s13635-016-0030-7"> <reference anchor="Husak-2016" target="https://link.springer.com/article/1 0.1186/s13635-016-0030-7">
<front> <front>
<title>HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting</title> <title>HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting</title>
<author initials="M." surname="Husak" fullname="Martin Husak"> <author initials="M." surname="Husák" fullname="Martin Husák">
<organization/> <organization/>
</author> </author>
<author initials="M." surname="Cermak" fullname="Milan Cermak"> <author initials="M." surname="Čermák" fullname="Milan Čermák">
<organization/> <organization/>
</author> </author>
<author initials="T." surname="Jirsik" fullname="Tomas Jirsik"> <author initials="T." surname="Jirsík" fullname="Tomáš Jirsík">
<organization/> <organization/>
</author> </author>
<author initials="P." surname="Celeda" fullname="Pavel Celeda"> <author initials="P." surname="Čeleda" fullname="Pavel Čeleda">
<organization/> <organization/>
</author> </author>
<date year="2016"/> <date month="February" year="2016"/>
</front> </front>
<seriesInfo name="DOI" value="10.1186/s13635-016-0030-7"/>
</reference> </reference>
<reference anchor="Dalek-2013" target="http://conferences.sigcomm.org/imc/ 2013/papers/imc112s-dalekA.pdf"> <reference anchor="Dalek-2013" target="http://conferences.sigcomm.org/imc/ 2013/papers/imc112s-dalekA.pdf">
<front> <front>
<title>A Method for Identifying and Confirming the Use of URL Filterin g Products for Censorship</title> <title>A Method for Identifying and Confirming the Use of URL Filterin g Products for Censorship</title>
<author initials="J." surname="Dalek" fullname="Jakub Dalek"> <author initials="J." surname="Dalek" fullname="Jakub Dalek">
<organization/> <organization/>
</author> </author>
<date year="2013"/> <author initials="B." surname="Haselton" fullname="Benett Haselton">
<organization/>
</author>
<author initials="H." surname="Noman" fullname="Helmi Noman">
<organization/>
</author>
<author initials="A." surname="Senft" fullname="Adam Senft">
<organization/>
</author>
<author initials="M." surname="Crete-Nishihata" fullname="Masashi Cret
e-Nishihata">
<organization/>
</author>
<author initials="P." surname="Gill" fullname="Phillipa Gill">
<organization/>
</author>
<author initials="R. J." surname="Deibert" fullname="Ronald J. Deibert
">
<organization/>
</author>
<date month="October" year="2013"/>
</front> </front>
<seriesInfo name="DOI" value="10.1145/2504730.2504763"/>
<refcontent>IMC '13: Proceedings of the 2013 conference on Internet measu
rement conference, Pages 23-30</refcontent>
</reference> </reference>
<reference anchor="Jones-2014" target="http://conferences2.sigcomm.org/imc /2014/papers/p299.pdf"> <reference anchor="Jones-2014" target="http://conferences2.sigcomm.org/imc /2014/papers/p299.pdf">
<front> <front>
<title>Automated Detection and Fingerprinting of Censorship Block Page s</title> <title>Automated Detection and Fingerprinting of Censorship Block Page s</title>
<author initials="B." surname="Jones" fullname="Ben Jones"> <author initials="B." surname="Jones" fullname="Ben Jones">
<organization/> <organization/>
</author> </author>
<date year="2014"/> <author initials="T-W." surname="Lee" fullname="Tzu-Wen Lee">
<organization/>
</author>
<author initials="N." surname="Feamster" fullname="Nick Feamster">
<organization/>
</author>
<author initials="P." surname="Gill" fullname="Phillipa Gill">
<organization/>
</author>
<date month="November" year="2014"/>
</front> </front>
<seriesInfo name="DOI" value="10.1145/2663716.2663722"/>
<refcontent>IMC '14: Proceedings of the 2014 Conference on Internet
Measurement Conference, Pages 299-304</refcontent>
</reference> </reference>
<reference anchor="Crandall-2010" target="http://www.cs.unm.edu/~crandall/ icdcs2010.pdf"> <reference anchor="Crandall-2010" target="http://www.cs.unm.edu/~crandall/ icdcs2010.pdf">
<front> <front>
<title>Empirical Study of a National-Scale Distributed Intrusion Detec tion System: Backbone-Level Filtering of HTML Responses in China</title> <title>Empirical Study of a National-Scale Distributed Intrusion Detec tion System: Backbone-Level Filtering of HTML Responses in China</title>
<author initials="J.C." surname="Park" fullname="Jong Chun Park">
<organization/>
</author>
<author initials="J." surname="Crandall" fullname="Jedediah Crandall"> <author initials="J." surname="Crandall" fullname="Jedediah Crandall">
<organization/> <organization/>
</author> </author>
<date year="2010"/> <date month="June" year="2010"/>
</front> </front>
</reference> </reference>
<reference anchor="Senft-2013" target="https://citizenlab.org/2013/11/asia -chats-analyzing-information-controls-privacy-asian-messaging-applications/"> <reference anchor="Senft-2013" target="https://citizenlab.org/2013/11/asia -chats-analyzing-information-controls-privacy-asian-messaging-applications/">
<front> <front>
<title>Asia Chats: Analyzing Information Controls and Privacy in Asian Messaging Applications</title> <title>Asia Chats: Analyzing Information Controls and Privacy in Asian Messaging Applications</title>
<author initials="" surname="" fullname="">
<organization/>
</author>
<author initials="M." surname="Crete-Nishihata" fullname="Masashi Cret
e-Nishihata">
<organization/>
</author>
<author initials="J." surname="Dalek" fullname="Jakub Dalek">
<organization/>
</author>
<author initials="S." surname="Hardy" fullname="Seth Hardy">
<organization/>
</author>
<author initials="A." surname="Hilts" fullname="Andrew Hilts">
<organization/>
</author>
<author initials="K." surname="Kleemola" fullname="Katie Kleemola">
<organization/>
</author>
<author initials="J." surname="Ng" fullname="Jason Ng">
<organization/>
</author>
<author initials="I." surname="Poetranto" fullname="Irene Poetranto">
<organization/>
</author>
<author initials="A." surname="Senft" fullname="Adam Senft"> <author initials="A." surname="Senft" fullname="Adam Senft">
<organization/> <organization/>
</author> </author>
<date year="2013"/> <author initials="A." surname="Sinpeng" fullname="Aim Sinpeng">
<organization/>
</author>
<author initials="B." surname="Sonne" fullname="Byron Sonne">
<organization/>
</author>
<author initials="G." surname="Wiseman" fullname="Greg Wiseman">
<organization/>
</author>
<date month="November" year="2013"/>
</front> </front>
</reference> </reference>
<reference anchor="Rushe-2015" target="http://www.theguardian.com/technolo
gy/2014/feb/11/bing-censors-chinese-language-search-results"> <reference anchor="Rushe-2014" target="http://www.theguardian.com/technolo
gy/2014/feb/11/bing-censors-chinese-language-search-results">
<front> <front>
<title>Bing censoring Chinese language search results for users in the US</title> <title>Bing censoring Chinese language search results for users in the US</title>
<author initials="D." surname="Rushe" fullname="Dominic Rushe"> <author initials="D." surname="Rushe" fullname="Dominic Rushe">
<organization/> <organization/>
</author> </author>
<date year="2013"/> <date month="February" year="2014"/>
</front> </front>
<refcontent>The Guardian</refcontent>
</reference> </reference>
<reference anchor="Cheng-2010" target="http://arstechnica.com/tech-policy/ 2010/06/google-tweaks-china-to-hong-kong-redirect-same-results/"> <reference anchor="Cheng-2010" target="http://arstechnica.com/tech-policy/ 2010/06/google-tweaks-china-to-hong-kong-redirect-same-results/">
<front> <front>
<title>Google stops Hong Kong auto-redirect as China plays hardball</t itle> <title>Google stops Hong Kong auto-redirect as China plays hardball</t itle>
<author initials="J." surname="Cheng" fullname="Jacqui Cheng"> <author initials="J." surname="Cheng" fullname="Jacqui Cheng">
<organization/> <organization/>
</author> </author>
<date year="2010"/> <date month="June" year="2010"/>
</front> </front>
</reference> </reference>
<reference anchor="Boyle-1997" target="https://scholarship.law.duke.edu/fa culty_scholarship/619/"> <reference anchor="Boyle-1997" target="https://scholarship.law.duke.edu/fa culty_scholarship/619/">
<front> <front>
<title>Foucault in Cyberspace: Surveillance, Sovereignty, and Hardwire d Censors</title> <title>Foucault in Cyberspace: Surveillance, Sovereignty, and Hardwire d Censors</title>
<author initials="J." surname="Boyle" fullname="James Boyle"> <author initials="J." surname="Boyle" fullname="James Boyle">
<organization/> <organization/>
</author> </author>
<date year="1997"/> <date year="1997"/>
</front> </front>
<refcontent>66 University of Cincinnati Law Review 177-205</refcontent>
</reference> </reference>
<reference anchor="Whittaker-2013" target="http://www.zdnet.com/1168-keywo rds-skype-uses-to-censor-monitor-its-chinese-users-7000012328/"> <reference anchor="Whittaker-2013" target="http://www.zdnet.com/1168-keywo rds-skype-uses-to-censor-monitor-its-chinese-users-7000012328/">
<front> <front>
<title>1,168 keywords Skype uses to censor, monitor its Chinese users< /title> <title>1,168 keywords Skype uses to censor, monitor its Chinese users< /title>
<author initials="Z." surname="Whittaker" fullname="Zach Whittaker"> <author initials="Z." surname="Whittaker" fullname="Zach Whittaker">
<organization/> <organization/>
</author> </author>
<date year="2013"/> <date month="March" year="2013"/>
</front> </front>
</reference> </reference>
<reference anchor="BBC-2013" target="http://www.bbc.com/news/uk-24980765"> <reference anchor="BBC-2013" target="http://www.bbc.com/news/uk-24980765">
<front> <front>
<title>Google and Microsoft agree steps to block abuse images</title> <title>Google and Microsoft agree steps to block abuse images</title>
<author> <author>
<organization>BBC News</organization> <organization>BBC News</organization>
</author> </author>
<date year="2013"/> <date month="November" year="2013"/>
</front> </front>
</reference> </reference>
<reference anchor="Condliffe-2013" target="http://gizmodo.com/google-annou nces-massive-new-restrictions-on-child-abus-1466539163"> <reference anchor="Condliffe-2013" target="http://gizmodo.com/google-annou nces-massive-new-restrictions-on-child-abus-1466539163">
<front> <front>
<title>Google Announces Massive New Restrictions on Child Abuse Search Terms</title> <title>Google Announces Massive New Restrictions on Child Abuse Search Terms</title>
<author initials="J." surname="Condliffe" fullname="Jamie Condliffe"> <author initials="J." surname="Condliffe" fullname="Jamie Condliffe">
<organization/> <organization/>
</author> </author>
<date year="2013"/> <date month="November" year="2013"/>
</front> </front>
</reference> </reference>
<reference anchor="Zhu-2011" target="http://arxiv.org/ftp/arxiv/papers/110 7/1107.3794.pdf"> <reference anchor="Zhu-2011" target="http://arxiv.org/ftp/arxiv/papers/110 7/1107.3794.pdf">
<front> <front>
<title>An Analysis of Chinese Search Engine Filtering</title> <title>An Analysis of Chinese Search Engine Filtering</title>
<author initials="T." surname="Zhu" fullname="Tao Zhu"> <author initials="T." surname="Zhu" fullname="Tao Zhu">
<organization/> <organization/>
</author> </author>
<date year="2011"/> <author initials="C." surname="Bronk" fullname="Christopher Bronk">
<organization/>
</author>
<author initials="D.S." surname="Wallach" fullname="Dan S. Wallach">
<organization/>
</author>
<date month="July" year="2011"/>
</front> </front>
<seriesInfo name="DOI" value="10.48550/arXiv.1107.3794"/>
</reference> </reference>
<reference anchor="Wagner-2009" target="http://advocacy.globalvoicesonline .org/wp-content/uploads/2009/06/deeppacketinspectionandinternet-censorship2.pdf" > <reference anchor="Wagner-2009" target="http://advocacy.globalvoicesonline .org/wp-content/uploads/2009/06/deeppacketinspectionandinternet-censorship2.pdf" >
<front> <front>
<title>Deep Packet Inspection and Internet Censorship: International C onvergence on an Integrated Technology of Control'</title> <title>Deep Packet Inspection and Internet Censorship: International C onvergence on an 'Integrated Technology of Control'</title>
<author initials="B." surname="Wagner" fullname="Ben Wagner"> <author initials="B." surname="Wagner" fullname="Ben Wagner">
<organization/> <organization/>
</author> </author>
<date year="2009"/> <date year="2009"/>
</front> </front>
<refcontent>Global Voices Advocacy</refcontent>
</reference> </reference>
<reference anchor="Porter-2010" target="http://www.symantec.com/connect/ar
ticles/perils-deep-packet-inspection"> <reference anchor="Porter-2005" target="http://www.symantec.com/connect/ar
ticles/perils-deep-packet-inspection">
<front> <front>
<title>The Perils of Deep Packet Inspection</title> <title>The Perils of Deep Packet Inspection</title>
<author initials="T." surname="Porter" fullname="Thomas Porter"> <author initials="T." surname="Porter" fullname="Thomas Porter">
<organization/> <organization/>
</author> </author>
<date year="2010"/> <date year="2010"/>
</front> </front>
</reference> </reference>
<reference anchor="Clayton-2006" target="http://link.springer.com/chapter/
10.1007/11957454_2"> <reference anchor="Clayton-2006" target="https://link.springer.com/chapter
/10.1007/11957454_2">
<front> <front>
<title>Ignoring the Great Firewall of China</title> <title>Ignoring the Great Firewall of China</title>
<author initials="R." surname="Clayton" fullname="Richard Clayton"> <author initials="R." surname="Clayton" fullname="Richard Clayton">
<organization/> <organization/>
</author> </author>
<author initials="S.J." surname="Murdoch" fullname="Steven J. Murdoch"
>
<organization/>
</author>
<author initials="R.N.M." surname="Watson" fullname="Robert N. M. Wats
on">
<organization/>
</author>
<date year="2006"/> <date year="2006"/>
</front> </front>
<seriesInfo name="DOI" value="10.1007/11957454_2"/>
<refcontent>Lecture Notes in Computer Science, Volume 4258</refcontent>
</reference> </reference>
<reference anchor="Anonymous-2014" target="https://www.usenix.org/system/f iles/conference/foci14/foci14-anonymous.pdf"> <reference anchor="Anonymous-2014" target="https://www.usenix.org/system/f iles/conference/foci14/foci14-anonymous.pdf">
<front> <front>
<title>Towards a Comprehensive Picture of the Great Firewall's DNS Cen sorship</title> <title>Towards a Comprehensive Picture of the Great Firewall's DNS Cen sorship</title>
<author> <author>
<organization>Anonymous</organization> <organization>Anonymous</organization>
</author> </author>
<date year="2014"/> <date month="August" year="2014"/>
</front> </front>
</reference> </reference>
<reference anchor="Khattak-2013" target="http://0b4af6cdc2f0c5998459-c0245 c5c937c5dedcca3f1764ecc9b2f.r43.cf2.rackcdn.com/12389-foci13-khattak.pdf"> <reference anchor="Khattak-2013" target="http://0b4af6cdc2f0c5998459-c0245 c5c937c5dedcca3f1764ecc9b2f.r43.cf2.rackcdn.com/12389-foci13-khattak.pdf">
<front> <front>
<title>Towards Illuminating a Censorship Monitor's Model to Facilitate Evasion</title> <title>Towards Illuminating a Censorship Monitor's Model to Facilitate Evasion</title>
<author initials="S." surname="Khattak" fullname="Sheharbano Khattak"> <author initials="S." surname="Khattak" fullname="Sheharbano Khattak">
<organization/> <organization/>
</author> </author>
<date year="2013"/> <author initials="M." surname="Javed" fullname="Mobin Javed">
<organization/>
</author>
<author initials="P.D." surname="Anderson" fullname="Philip D. Anderso
n">
<organization/>
</author>
<author initials="V." surname="Paxson" fullname="Vern Paxson">
<organization/>
</author>
<date month="August" year="2013"/>
</front> </front>
</reference> </reference>
<reference anchor="Wilde-2012" target="https://blog.torproject.org/blog/kn ock-knock-knockin-bridges-doors"> <reference anchor="Wilde-2012" target="https://blog.torproject.org/blog/kn ock-knock-knockin-bridges-doors">
<front> <front>
<title>Knock Knock Knockin' on Bridges Doors</title> <title>Knock Knock Knockin' on Bridges Doors</title>
<author initials="T." surname="Wilde" fullname="Tim Wilde"> <author initials="T." surname="Wilde" fullname="Tim Wilde">
<organization/> <organization/>
</author> </author>
<date year="2012"/> <date month="July" year="2012"/>
</front> </front>
<refcontent>The Tor Project</refcontent>
</reference> </reference>
<reference anchor="Wagstaff-2013" target="http://www.reuters.com/article/2
013/05/04/uk-malaysia-election-online-idUKBRE94309G20130504"> <reference anchor="Wagstaff-2013" target="https://www.nbcnews.com/tech/tec
h-news/malaysia-online-election-battles-take-nasty-turn-flna6c9783842">
<front> <front>
<title>In Malaysia, online election battles take a nasty turn</title> <title>In Malaysia, online election battles take a nasty turn</title>
<author initials="J." surname="Wagstaff" fullname="Jeremy Wagstaff"> <author initials="J." surname="Wagstaff" fullname="Jeremy Wagstaff">
<organization/> <organization/>
</author> </author>
<date year="2013"/> <date month="May" year="2013"/>
</front> </front>
<refcontent>NBC News</refcontent>
</reference> </reference>
<reference anchor="Hepting-2011" target="https://en.wikipedia.org/wiki/Hep
ting_v._AT%26T"> <reference anchor="Hepting-2011" target="https://en.wikipedia.org/wiki/Hep
ting_v._AT%26T&amp;oldid=1175143505">
<front> <front>
<title>Hepting vs. AT&amp;T</title> <title>Hepting v. AT&amp;T</title>
<author> <author>
<organization>Wikipedia</organization> <organization>Wikipedia</organization>
</author> </author>
<date year="2011"/> <date month="September" year="2023"/>
</front> </front>
</reference> </reference>
<reference anchor="Hjelmvik-2010" target="https://www.iis.se/docs/hjelmvik _breaking.pdf"> <reference anchor="Hjelmvik-2010" target="https://www.iis.se/docs/hjelmvik _breaking.pdf">
<front> <front>
<title>Breaking and Improving Protocol Obfuscation</title> <title>Breaking and Improving Protocol Obfuscation</title>
<author initials="E." surname="Hjelmvik" fullname="Erik Hjelmvik"> <author initials="E." surname="Hjelmvik" fullname="Erik Hjelmvik">
<organization/> <organization/>
</author> </author>
<date year="2010"/> <author initials="W." surname="John" fullname="Wolfgang John">
<organization/>
</author>
<date month="July" year="2010"/>
</front> </front>
<refcontent>Technical Report No. 2010-05, ISSN 1652-926X</refcontent>
</reference> </reference>
<reference anchor="Sandvine-2014" target="https://www.sandvine.com/downloa
ds/general/technology/sandvine-technology-showcases/sandvine-technology-showcase <reference anchor="Sandvine-2015" target="https://www.researchgate.net/pro
-traffic-classification.pdf"> file/Nirmala-Svsg/post/Anybody-working-on-Internet-traffic-classification/attach
ment/59d63a5779197b807799782d/AS%3A405810988503040%401473764287142/download/traf
fic-classification-identifying-and-measuring-internet-traffic.pdf">
<front> <front>
<title>Technology Showcase on Traffic Classification: Why Measurements and Freeform Policy Matter</title> <title>Internet Traffic Classification: A Sandvine Technology Showcase </title>
<author> <author>
<organization>Sandvine</organization> <organization>Sandvine</organization>
</author> </author>
<date year="2014"/> <date year="2015"/>
</front> </front>
</reference> </reference>
<reference anchor="Winter-2012" target="http://arxiv.org/pdf/1204.0447v1.p df"> <reference anchor="Winter-2012" target="http://arxiv.org/pdf/1204.0447v1.p df">
<front> <front>
<title>How China is Blocking Tor</title> <title>How China Is Blocking Tor</title>
<author initials="P." surname="Winter" fullname="Phillip Winter"> <author initials="P." surname="Winter" fullname="Phillip Winter">
<organization/> <organization/>
</author> </author>
<date year="2012"/> <author initials="S." surname="Lindskog" fullname="Stefan Lindskog">
<organization/>
</author>
<date month="April" year="2012"/>
</front> </front>
</reference> </reference>
<reference anchor="Anonymous-2007" target="https://torrentfreak.com/how-to
-bypass-comcast-bittorrent-throttling-071021"> <reference anchor="Van-der-Sar-2007" target="https://torrentfreak.com/how-
to-bypass-comcast-bittorrent-throttling-071021">
<front> <front>
<title>How to Bypass Comcast's Bittorrent Throttling</title> <title>How To Bypass Comcast's BitTorrent Throttling</title>
<author> <author initials="E." surname="Van der Sar" fullname="Ernesto Van der
<organization>Anonymous</organization> Sar">
<organization></organization>
</author> </author>
<date year="2012"/> <date month="October" year="2012"/>
</front> </front>
</reference> </reference>
<reference anchor="Anonymous-2013" target="https://en.greatfire.org/blog/2 013/jan/github-blocked-china-how-it-happened-how-get-around-it-and-where-it-will -take-us"> <reference anchor="Anonymous-2013" target="https://en.greatfire.org/blog/2 013/jan/github-blocked-china-how-it-happened-how-get-around-it-and-where-it-will -take-us">
<front> <front>
<title>GitHub blocked in China - how it happened, how to get around it , and where it will take us</title> <title>GitHub blocked in China - how it happened, how to get around it , and where it will take us</title>
<author> <author>
<organization>Anonymous</organization> <organization>Anonymous</organization>
</author> </author>
<date year="2013"/> <date month="January" year="2013"/>
</front> </front>
</reference> </reference>
<reference anchor="Ensafi-2013" target="http://arxiv.org/pdf/1312.5739v1.p df"> <reference anchor="Ensafi-2013" target="http://arxiv.org/pdf/1312.5739v1.p df">
<front> <front>
<title>Detecting Intentional Packet Drops on the Internet via TCP/IP S ide Channels</title> <title>Detecting Intentional Packet Drops on the Internet via TCP/IP S ide Channels: Extended Version</title>
<author initials="R." surname="Ensafi" fullname="Roya Ensafi"> <author initials="R." surname="Ensafi" fullname="Roya Ensafi">
<organization/> <organization/>
</author> </author>
<date year="2013"/> <author initials="J." surname="Knockel" fullname="Jeffrey Knockel">
<organization/>
</author>
<author initials="G." surname="Alexander" fullname="Geoffrey Alexander
">
<organization/>
</author>
<author initials="J.R." surname="Crandall" fullname="Jedidiah R. Crand
all">
<organization/>
</author>
<date month="December" year="2013"/>
</front> </front>
<seriesInfo name="DOI" value="10.48550/arXiv.1312.5739"/>
</reference> </reference>
<reference anchor="Weaver-2009" target="http://www.icir.org/vern/papers/re set-injection.ndss09.pdf"> <reference anchor="Weaver-2009" target="http://www.icir.org/vern/papers/re set-injection.ndss09.pdf">
<front> <front>
<title>Detecting Forged TCP Packets</title> <title>Detecting Forged TCP Reset Packets</title>
<author initials="N." surname="Weaver" fullname="Nicholas Weaver"> <author initials="N." surname="Weaver" fullname="Nicholas Weaver">
<organization/> <organization/>
</author> </author>
<author initials="R." surname="Sommer" fullname="Robin Sommer"> <author initials="R." surname="Sommer" fullname="Robin Sommer">
<organization/> <organization/>
</author> </author>
<author initials="V." surname="Paxson" fullname="Vern Paxson"> <author initials="V." surname="Paxson" fullname="Vern Paxson">
<organization/> <organization/>
</author> </author>
<date year="2009"/> <date month="September" year="2009"/>
</front> </front>
</reference> </reference>
<reference anchor="Netsec-2011" target="https://nets.ec/TCP-RST_Injection" > <reference anchor="Netsec-2011" target="https://nets.ec/TCP-RST_Injection" >
<front> <front>
<title>TCP-RST Injection</title> <title>TCP-RST Injection</title>
<author> <author>
<organization>n3t2.3c</organization> <organization>n3t2.3c</organization>
</author> </author>
<date year="2011"/> <date month="October" year="2011"/>
</front> </front>
</reference> </reference>
<reference anchor="Schoen-2007" target="https://www.eff.org/deeplinks/2007 /10/eff-tests-agree-ap-comcast-forging-packets-to-interfere"> <reference anchor="Schoen-2007" target="https://www.eff.org/deeplinks/2007 /10/eff-tests-agree-ap-comcast-forging-packets-to-interfere">
<front> <front>
<title>EFF tests agree with AP: Comcast is forging packets to interfer e with user traffic</title> <title>EFF tests agree with AP: Comcast is forging packets to interfer e with user traffic</title>
<author initials="S." surname="Schoen" fullname="Seth Schoen"> <author initials="S." surname="Schoen" fullname="Seth Schoen">
<organization/> <organization/>
</author> </author>
<date year="2007"/> <date month="October" year="2007"/>
</front> </front>
</reference> </reference>
<reference anchor="VonLohmann-2008" target="https://www.eff.org/deeplinks/ 2008/08/fcc-rules-against-comcast-bit-torrent-blocking"> <reference anchor="VonLohmann-2008" target="https://www.eff.org/deeplinks/ 2008/08/fcc-rules-against-comcast-bit-torrent-blocking">
<front> <front>
<title>FCC Rules Against Comcast for BitTorrent Blocking</title> <title>FCC Rules Against Comcast for BitTorrent Blocking</title>
<author initials="F." surname="VonLohmann" fullname="Fred VonLohmann"> <author initials="F." surname="VonLohmann" fullname="Fred VonLohmann">
<organization/> <organization/>
</author> </author>
<date year="2008"/> <date month="August" year="2008"/>
</front> </front>
</reference> </reference>
<reference anchor="Halley-2008" target="https://www.networkworld.com/artic le/2277316/tech-primers/tech-primers-how-dns-cache-poisoning-works.html"> <reference anchor="Halley-2008" target="https://www.networkworld.com/artic le/2277316/tech-primers/tech-primers-how-dns-cache-poisoning-works.html">
<front> <front>
<title>How DNS cache poisoning works</title> <title>How DNS cache poisoning works</title>
<author initials="B." surname="Halley" fullname="Bob Halley"> <author initials="B." surname="Halley" fullname="Bob Halley">
<organization/> <organization/>
</author> </author>
<date year="2014"/> <date month="October" year="2008"/>
</front> </front>
</reference> </reference>
<reference anchor="Zmijewski-2014" target="https://blogs.oracle.com/intern
etintelligence/turkish-internet-censorship-takes-a-new-turn"> <reference anchor="Zmijewski-2014" target="http://web.archive.org/web/2020
0726222723/https://blogs.oracle.com/internetintelligence/turkish-internet-censor
ship-takes-a-new-turn">
<front> <front>
<title>Turkish Internet Censorship Takes a New Turn</title> <title>Turkish Internet Censorship Takes a New Turn</title>
<author initials="E." surname="Zmijewski" fullname="Earl Zmijewski"> <author initials="E." surname="Zmijewski" fullname="Earl Zmijewski">
<organization/> <organization/>
</author> </author>
<date year="2014"/> <date month="March" year="2014"/>
</front> </front>
<refcontent>Wayback Machine archive</refcontent>
</reference> </reference>
<reference anchor="AFP-2014" target="http://www.businessinsider.com/chinas -internet-breakdown-reportedly-caused-by-censoring-tools-2014-1"> <reference anchor="AFP-2014" target="http://www.businessinsider.com/chinas -internet-breakdown-reportedly-caused-by-censoring-tools-2014-1">
<front> <front>
<title>China Has Massive Internet Breakdown Reportedly Caused By Their Own Censoring Tools</title> <title>China Has Massive Internet Breakdown Reportedly Caused By Their Own Censoring Tools</title>
<author> <author>
<organization>AFP</organization> <organization>AFP</organization>
</author> </author>
<date year="2014"/> <date month="January" year="2014"/>
</front> </front>
</reference> </reference>
<reference anchor="Anon-SIGCOMM12" target="http://www.sigcomm.org/sites/de fault/files/ccr/papers/2012/July/2317307-2317311.pdf"> <reference anchor="Anon-SIGCOMM12" target="http://www.sigcomm.org/sites/de fault/files/ccr/papers/2012/July/2317307-2317311.pdf">
<front> <front>
<title>The Collateral Damage of Internet Censorship by DNS Injection</ title> <title>The Collateral Damage of Internet Censorship by DNS Injection</ title>
<author> <author>
<organization>Anonymous</organization> <organization>Anonymous</organization>
</author> </author>
<date year="2012"/> <date month="July" year="2012"/>
</front> </front>
</reference> </reference>
<reference anchor="Albert-2011" target="https://opennet.net/blog/2011/06/d ns-tampering-and-new-icann-gtld-rules"> <reference anchor="Albert-2011" target="https://opennet.net/blog/2011/06/d ns-tampering-and-new-icann-gtld-rules">
<front> <front>
<title>DNS Tampering and the new ICANN gTLD Rules</title> <title>DNS Tampering and the new ICANN gTLD Rules</title>
<author initials="K." surname="Albert" fullname="Kendra Albert"> <author initials="K." surname="Albert" fullname="Kendra Albert">
<organization/> <organization/>
</author> </author>
<date year="2011"/> <date month="June" year="2011"/>
</front> </front>
</reference> </reference>
<reference anchor="Wikip-DoS" target="https://en.wikipedia.org/w/index.php ?title=Denial-of-service_attack&amp;oldid=710558258"> <reference anchor="Wikip-DoS" target="https://en.wikipedia.org/w/index.php ?title=Denial-of-service_attack&amp;oldid=710558258">
<front> <front>
<title>Denial of Service Attacks</title> <title>Denial-of-service attack</title>
<author> <author>
<organization>Wikipedia</organization> <organization>Wikipedia</organization>
</author> </author>
<date year="2016"/> <date month="March" year="2016"/>
</front> </front>
</reference> </reference>
<reference anchor="Schone-2014" target="http://www.nbcnews.com/feature/edw
ard-snowden-interview/exclusive-snowden-docs-show-uk-spies-attacked-anonymous-ha <reference anchor="NBC-2014" target="http://www.nbcnews.com/feature/edward
ckers-n21361"> -snowden-interview/exclusive-snowden-docs-show-uk-spies-attacked-anonymous-hacke
rs-n21361">
<front> <front>
<title>Snowden Docs Show UK Spies Attacked Anonymous, Hackers</title> <title>Exclusive: Snowden Docs Show UK Spies Attacked Anonymous, Hacke
<author initials="M." surname="Schone" fullname="Mark Schone"> rs</title>
<organization/> <author>
</author> <organization>NBC News</organization>
<author initials="R." surname="Esposito" fullname="Richard Esposito">
<organization/>
</author>
<author initials="M." surname="Cole" fullname="Matthew Cole">
<organization/>
</author>
<author initials="G." surname="Greenwald" fullname="Glenn Greenwald">
<organization/>
</author> </author>
<date year="2014"/> <date month="February" year="2014"/>
</front> </front>
</reference> </reference>
<reference anchor="CERT-2000" target="http://www.cert.org/historical/advis
ories/CA-1996-21.cfm"> <reference anchor="CERT-2000" target="https://vuls.cert.org/confluence/dis
play/historical/CERT+Advisory+CA-1996-21+TCP+SYN+Flooding+and+IP+Spoofing+Attack
s">
<front> <front>
<title>TCP SYN Flooding and IP Spoofing Attacks</title> <title>CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attac ks</title>
<author> <author>
<organization>CERT</organization> <organization>CERT</organization>
</author> </author>
<date year="2000"/> <date year="2000"/>
</front> </front>
</reference> </reference>
<reference anchor="Kravtsova-2012" target="http://www.themoscowtimes.com/n ews/article/cyberattacks-disrupt-oppositions-election/470119.html"> <reference anchor="Kravtsova-2012" target="http://www.themoscowtimes.com/n ews/article/cyberattacks-disrupt-oppositions-election/470119.html">
<front> <front>
<title>Cyberattacks Disrupt Opposition's Election</title> <title>Cyberattacks Disrupt Opposition's Election</title>
<author initials="Y." surname="Kravtsova" fullname="Yekaterina Kravtso va"> <author initials="Y." surname="Kravtsova" fullname="Yekaterina Kravtso va">
<organization/> <organization/>
</author> </author>
<date year="2012"/> <date month="October" year="2012"/>
</front> </front>
<refcontent>The Moscow Times</refcontent>
</reference> </reference>
<reference anchor="Villeneuve-2011" target="http://access.opennet.net/wp-c ontent/uploads/2011/12/accesscontested-chapter-08.pdf"> <reference anchor="Villeneuve-2011" target="http://access.opennet.net/wp-c ontent/uploads/2011/12/accesscontested-chapter-08.pdf">
<front> <front>
<title>Open Access: Chapter 8, Control and Resistance, Attacks on Burm ese Opposition Media</title> <title>Open Access: Chapter 8, Control and Resistance, Attacks on Burm ese Opposition Media</title>
<author initials="N." surname="Villeneuve" fullname="Nart Villeneuve"> <author initials="N." surname="Villeneuve" fullname="Nart Villeneuve">
<organization/> <organization/>
</author> </author>
<date year="2011"/> <author initials="M." surname="Crete-Nishihata" fullname="Masashi Cret
e-Nishihata">
<organization/>
</author>
<date month="January" year="2011"/>
</front> </front>
</reference> </reference>
<reference anchor="Orion-2013" target="http://www.theinquirer.net/inquirer
/news/2287433/zimbabwe-election-hit-by-hacking-and-ddos-attacks"> <reference anchor="Orion-2013" target="https://web.archive.org/web/2013082
5010947/http://www.theinquirer.net/inquirer/news/2287433/zimbabwe-election-hit-b
y-hacking-and-ddos-attacks">
<front> <front>
<title>Zimbabwe election hit by hacking and DDoS attacks</title> <title>Zimbabwe election hit by hacking and DDoS attacks</title>
<author initials="E." surname="Orion" fullname="Egan Orion"> <author initials="E." surname="Orion" fullname="Egan Orion">
<organization/> <organization/>
</author> </author>
<date year="2013"/> <date month="August" year="2013"/>
</front> </front>
<refcontent>Wayback Machine archive</refcontent>
</reference> </reference>
<reference anchor="Muncaster-2013" target="http://www.theregister.co.uk/20 13/05/09/malaysia_fraud_elections_ddos_web_blocking/"> <reference anchor="Muncaster-2013" target="http://www.theregister.co.uk/20 13/05/09/malaysia_fraud_elections_ddos_web_blocking/">
<front> <front>
<title>Malaysian election sparks web blocking/DDoS claims</title> <title>Malaysian election sparks web blocking/DDoS claims</title>
<author initials="P." surname="Muncaster" fullname="Phil Muncaster"> <author initials="P." surname="Muncaster" fullname="Phil Muncaster">
<organization/> <organization/>
</author> </author>
<date year="2013"/> <date month="May" year="2013"/>
</front> </front>
<refcontent>The Register</refcontent>
</reference> </reference>
<reference anchor="Dobie-2007" target="http://news.bbc.co.uk/2/hi/asia-pac ific/7016238.stm"> <reference anchor="Dobie-2007" target="http://news.bbc.co.uk/2/hi/asia-pac ific/7016238.stm">
<front> <front>
<title>Junta tightens media screw</title> <title>Junta tightens media screw</title>
<author initials="M." surname="Dobie" fullname="Michael Dobie"> <author initials="M." surname="Dobie" fullname="Michael Dobie">
<organization/> <organization/>
</author> </author>
<date year="2007"/> <date month="September" year="2007"/>
</front> </front>
<refcontent>BBC News</refcontent>
</reference> </reference>
<reference anchor="Heacock-2009" target="https://opennet.net/blog/2009/07/ china-shuts-down-internet-xinjiang-region-after-riots"> <reference anchor="Heacock-2009" target="https://opennet.net/blog/2009/07/ china-shuts-down-internet-xinjiang-region-after-riots">
<front> <front>
<title>China Shuts Down Internet in Xinjiang Region After Riots</title > <title>China shuts down Internet in Xinjiang region after riots</title >
<author initials="R." surname="Heacock" fullname="Rebekah Heacock"> <author initials="R." surname="Heacock" fullname="Rebekah Heacock">
<organization/> <organization/>
</author> </author>
<date year="2009"/> <date month="July" year="2009"/>
</front> </front>
<refcontent>OpenNet Initiative</refcontent>
</reference> </reference>
<reference anchor="Cowie-2011" target="https://archive.nanog.org/meetings/ nanog51/presentations/Tuesday/LT-Cowie-Egypt%20Leaves%20The%20Internet.pdf"> <reference anchor="Cowie-2011" target="https://archive.nanog.org/meetings/ nanog51/presentations/Tuesday/LT-Cowie-Egypt%20Leaves%20The%20Internet.pdf">
<front> <front>
<title>Egypt Leaves the Internet</title> <title>Egypt Leaves The Internet</title>
<author initials="J." surname="Cowie" fullname="Jim Cowie"> <author initials="J." surname="Cowie" fullname="Jim Cowie">
<organization/> <organization/>
</author> </author>
<date year="2011"/> <date month="February" year="2011"/>
</front> </front>
<refcontent>NANOG 51</refcontent>
</reference> </reference>
<reference anchor="Thomson-2012" target="http://www.theregister.co.uk/2012 /11/29/syria_internet_blackout/"> <reference anchor="Thomson-2012" target="http://www.theregister.co.uk/2012 /11/29/syria_internet_blackout/">
<front> <front>
<title>Syria Cuts off Internet and Mobile Communication</title> <title>Syria cuts off internet and mobile communication</title>
<author initials="I." surname="Thomson" fullname="Iain Thomson"> <author initials="I." surname="Thomson" fullname="Iain Thomson">
<organization/> <organization/>
</author> </author>
<date year="2012"/> <date month="November" year="2012"/>
</front> </front>
<refcontent>The Register</refcontent>
</reference> </reference>
<reference anchor="BBC-2013b" target="http://www.bbc.com/news/world-asia-c
hina-2439695"> <reference anchor="BBC-2013b" target="https://www.bbc.com/news/world-asia-
china-24396957">
<front> <front>
<title>China employs two million microblog monitors state media say</t itle> <title>China employs two million microblog monitors state media say</t itle>
<author> <author>
<organization>BBC</organization> <organization>BBC</organization>
</author> </author>
<date year="2013"/> <date year="2013"/>
</front> </front>
</reference> </reference>
<reference anchor="Calamur-2013" target="http://www.npr.org/blogs/thetwo-w
ay/2013/11/29/247820503/prominent-egyptian-blogger-arrested"> <reference anchor="Murdoch-2008" quoteTitle="false">
<front>
<title>Prominent Egyptian Blogger Arrested</title>
<author initials="K." surname="Calamur" fullname="Krishnadev Calamur">
<organization/>
</author>
<date year="2013"/>
</front>
</reference>
<reference anchor="AP-2012" target="http://www.huffingtonpost.com/2012/12/
03/sattar-beheshit-iran_n_2233125.html">
<front>
<title>Sattar Beheshit, Iranian Blogger, Was Beaten In Prison Accordin
g To Prosecutor</title>
<author>
<organization>Associated Press</organization>
</author>
<date year="2012"/>
</front>
</reference>
<reference anchor="Hopkins-2011" target="http://readwrite.com/2011/03/03/c
ommunications_blocked_in_libya_this_week_in_onlin">
<front>
<title>Communications Blocked in Libya, Qatari Blogger Arrested: This
Week in Online Tyranny</title>
<author initials="C." surname="Hopkins" fullname="Curt Hopkins">
<organization/>
</author>
<date year="2011"/>
</front>
</reference>
<reference anchor="Guardian-2014" target="http://www.theguardian.com/world
/2014/apr/17/chinese-blogger-jailed-crackdown-internet-rumours-qin-zhihui">
<front>
<title>Chinese blogger jailed under crackdown on 'internet rumours'</t
itle>
<author>
<organization>The Gaurdian</organization>
</author>
<date year="2014"/>
</front>
</reference>
<reference anchor="Bristow-2013" target="http://news.bbc.co.uk/2/hi/asia-p
acific/7783640.stm">
<front>
<title>China's internet 'spin doctors‘</title>
<author initials="M." surname="Bristow" fullname="Michael Bristow">
<organization/>
</author>
<date year="2013"/>
</front>
</reference>
<reference anchor="Fareed-2008" target="http://www.theguardian.com/media/2
008/sep/22/chinathemedia.marketingandpr">
<front>
<title>China joins a turf war</title>
<author initials="M." surname="Fareed" fullname="Malik Fareed">
<organization/>
</author>
<date year="2008"/>
</front>
</reference>
<reference anchor="Gao-2014" target="http://www.nytimes.com/2014/06/04/opi
nion/tiananmen-forgotten.html">
<front>
<title>Tiananmen, Forgotten</title>
<author initials="H." surname="Gao" fullname="Helen Gao">
<organization/>
</author>
<date year="2014"/>
</front>
</reference>
<reference anchor="Murdoch-2011" target="http://access.opennet.net/wp-cont
ent/uploads/2011/12/accessdenied-chapter-3.pdf">
<front> <front>
<title>Access Denied: Tools and Technology of Internet Filtering</titl e> <title>"Tools and Technology of Internet Filtering" in "Access Denied: The Practice and Policy of Global Internet Filtering"</title>
<author initials="S. J." surname="Murdoch" fullname="Steven J. Murdoch "> <author initials="S. J." surname="Murdoch" fullname="Steven J. Murdoch ">
<organization/> <organization/>
</author> </author>
<author initials="R." surname="Anderson" fullname="Ross Anderson"> <author initials="R." surname="Anderson" fullname="Ross Anderson">
<organization/> <organization/>
</author> </author>
<date year="2011"/> <date year="2008"/>
</front> </front>
<seriesInfo name="DOI" value="10.7551/mitpress/7617.003.0006"/>
</reference> </reference>
<reference anchor="AFNIC-2013" target="http://www.afnic.fr/medias/document s/conseilscientifique/SC-consequences-of-DNS-based-Internet-filtering.pdf"> <reference anchor="AFNIC-2013" target="http://www.afnic.fr/medias/document s/conseilscientifique/SC-consequences-of-DNS-based-Internet-filtering.pdf">
<front> <front>
<title>Report of the AFNIC Scientific Council: Consequences of DNS-bas ed Internet filtering</title> <title>Report of the AFNIC Scientific Council: Consequences of DNS-bas ed Internet filtering</title>
<author> <author>
<organization>AFNIC</organization> <organization>AFNIC</organization>
</author> </author>
<date year="2013"/> <date month="January" year="2013"/>
</front> </front>
</reference> </reference>
<reference anchor="ICANN-SSAC-2012" target="https://www.icann.org/en/syste m/files/files/sac-056-en.pdf"> <reference anchor="ICANN-SSAC-2012" target="https://www.icann.org/en/syste m/files/files/sac-056-en.pdf">
<front> <front>
<title>SAC 056: SSAC Advisory on Impacts of Content Blocking via the D omain Name System</title> <title>SAC 056: SSAC Advisory on Impacts of Content Blocking via the D omain Name System</title>
<author> <author>
<organization>ICANN Security and Stability Advisory Committee (SSAC) </organization> <organization>ICANN Security and Stability Advisory Committee (SSAC) </organization>
</author> </author>
<date year="2012"/> <date month="October" year="2012"/>
</front> </front>
</reference> </reference>
<reference anchor="Ding-1999" target="http://citeseerx.ist.psu.edu/viewdoc /download?doi=10.1.1.132.3302&amp;rep=rep1&amp;type=pdf"> <reference anchor="Ding-1999" target="http://citeseerx.ist.psu.edu/viewdoc /download?doi=10.1.1.132.3302&amp;rep=rep1&amp;type=pdf">
<front> <front>
<title>Centralized Content-Based Web Filtering and Blocking: How Far C an It Go?</title> <title>Centralized Content-Based Web Filtering and Blocking: How Far C an It Go?</title>
<author initials="C." surname="Ding" fullname="Chen Ding"> <author initials="C." surname="Ding" fullname="Chen Ding">
<organization/> <organization/>
</author> </author>
<author initials="C. H." surname="Chi" fullname="Chi-Hung Chi"> <author initials="C. H." surname="Chi" fullname="Chi-Hung Chi">
<organization/> <organization/>
</author> </author>
<author initials="J." surname="Deng" fullname="Jing Deng"> <author initials="J." surname="Deng" fullname="Jing Deng">
<organization/> <organization/>
</author> </author>
<author initials="C. L." surname="Dong" fullname="Chun-Lei Dong"> <author initials="C. L." surname="Dong" fullname="Chun-Lei Dong">
<organization/> <organization/>
</author> </author>
<date year="1999"/> <date month="October" year="1999"/>
</front> </front>
<seriesInfo name="DOI" value="10.1109/ICSMC.1999.825218"/>
<refcontent>IEEE SMC'99 Conference Proceedings</refcontent>
</reference> </reference>
<reference anchor="Trustwave-2015" target="https://www3.trustwave.com/soft ware/8e6/hlp/r3000/files/1system_filter.html"> <reference anchor="Trustwave-2015" target="https://www3.trustwave.com/soft ware/8e6/hlp/r3000/files/1system_filter.html">
<front> <front>
<title>Filter: SNI extension feature and HTTPS blocking</title> <title>Filter : SNI extension feature and HTTPS blocking</title>
<author> <author>
<organization>Trustwave</organization> <organization>Trustwave</organization>
</author> </author>
<date year="2015"/> <date year="2015"/>
</front> </front>
</reference> </reference>
<reference anchor="Sophos-2015" target="https://www.sophos.com/en-us/suppo
rt/knowledgebase/115865.aspx"> <reference anchor="Sophos-2023" target="https://support.sophos.com/support
/s/article/KB-000036518?language=en_US">
<front> <front>
<title>Understanding Sophos Web Filtering</title> <title>Sophos Firewall: Web filtering basics</title>
<author> <author>
<organization>Sophos</organization> <organization>Sophos</organization>
</author> </author>
<date year="2015"/> <date year="2023"/>
</front> </front>
</reference> </reference>
<reference anchor="Shbair-2015" target="https://hal.inria.fr/hal-01202712/ document"> <reference anchor="Shbair-2015" target="https://hal.inria.fr/hal-01202712/ document">
<front> <front>
<title>Efficiently Bypassing SNI-based HTTPS Filtering</title> <title>Efficiently Bypassing SNI-based HTTPS Filtering</title>
<author initials="W. M." surname="Shbair" fullname="Wazen M. Shbair"> <author initials="W. M." surname="Shbair" fullname="Wazen M. Shbair">
<organization/> <organization/>
</author> </author>
<author initials="T." surname="Cholez" fullname="Thibault Cholez"> <author initials="T." surname="Cholez" fullname="Thibault Cholez">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Goichot" fullname="Antoine Goichot"> <author initials="A." surname="Goichot" fullname="Antoine Goichot">
<organization/> <organization/>
</author> </author>
<author initials="I." surname="Chrisment" fullname="Isabelle Chrisment "> <author initials="I." surname="Chrisment" fullname="Isabelle Chrisment ">
<organization/> <organization/>
</author> </author>
<date year="2015"/> <date month="May" year="2015"/>
</front>
</reference>
<reference anchor="RSF-2005" target="http://archives.rsf.org/print-blogs.p
hp3?id_article=15013">
<front>
<title>Technical ways to get around censorship</title>
<author>
<organization>Reporters Sans Frontieres</organization>
</author>
<date year="2005"/>
</front> </front>
</reference> </reference>
<reference anchor="Marczak-2015" target="https://www.usenix.org/system/fil es/conference/foci15/foci15-paper-marczak.pdf"> <reference anchor="Marczak-2015" target="https://www.usenix.org/system/fil es/conference/foci15/foci15-paper-marczak.pdf">
<front> <front>
<title>An Analysis of China’s “Great Cannon”</title> <title>An Analysis of China's "Great Cannon"</title>
<author initials="B." surname="Marczak" fullname="Bill Marczak"> <author initials="B." surname="Marczak" fullname="Bill Marczak">
<organization/> <organization/>
</author> </author>
<author initials="N." surname="Weaver" fullname="Nicholas Weaver"> <author initials="N." surname="Weaver" fullname="Nicholas Weaver">
<organization/> <organization/>
</author> </author>
<author initials="J." surname="Dalek" fullname="Jakub Dalek"> <author initials="J." surname="Dalek" fullname="Jakub Dalek">
<organization/> <organization/>
</author> </author>
<author initials="R." surname="Ensafi" fullname="Roya Ensafi"> <author initials="R." surname="Ensafi" fullname="Roya Ensafi">
skipping to change at line 2398 skipping to change at line 2502
</author> </author>
<author initials="J." surname="Scott-Railton" fullname="John Scott-Rai lton"> <author initials="J." surname="Scott-Railton" fullname="John Scott-Rai lton">
<organization/> <organization/>
</author> </author>
<author initials="R." surname="Deibert" fullname="Ron Deibert"> <author initials="R." surname="Deibert" fullname="Ron Deibert">
<organization/> <organization/>
</author> </author>
<author initials="V." surname="Paxson" fullname="Vern Paxson"> <author initials="V." surname="Paxson" fullname="Vern Paxson">
<organization/> <organization/>
</author> </author>
<date year="2015"/> <date month="August" year="2015"/>
</front> </front>
</reference> </reference>
<reference anchor="Fifield-2015" target="https://petsymposium.org/2015/pap ers/03_Fifield.pdf"> <reference anchor="Fifield-2015" target="https://petsymposium.org/2015/pap ers/03_Fifield.pdf">
<front> <front>
<title>Blocking-resistant communication through domain fronting</title > <title>Blocking-resistant communication through domain fronting</title >
<author initials="D." surname="Fifield" fullname="David Fifield"> <author initials="D." surname="Fifield" fullname="David Fifield">
<organization/> <organization/>
</author> </author>
<author initials="C." surname="Lan" fullname="Chang Lan"> <author initials="C." surname="Lan" fullname="Chang Lan">
<organization/> <organization/>
</author> </author>
<author initials="R." surname="Hynes" fullname="Rod Hynes"> <author initials="R." surname="Hynes" fullname="Rod Hynes">
<organization/> <organization/>
</author> </author>
<author initials="P." surname="Wegmann" fullname="Percy Wegmann"> <author initials="P." surname="Wegmann" fullname="Percy Wegmann">
<organization/> <organization/>
</author> </author>
<author initials="V." surname="Paxson" fullname="Vern Paxson"> <author initials="V." surname="Paxson" fullname="Vern Paxson">
<organization/> <organization/>
</author> </author>
<date year="2015"/> <date month="May" year="2015"/>
</front> </front>
<seriesInfo name="DOI" value="10.1515/popets-2015-0009"/>
</reference> </reference>
<reference anchor="Google-RTBF" target="https://support.google.com/legal/c ontact/lr_eudpa?product=websearch"> <reference anchor="Google-RTBF" target="https://support.google.com/legal/c ontact/lr_eudpa?product=websearch">
<front> <front>
<title>Search removal request under data protection law in Europe</tit le> <title>Search removal request under data protection law in Europe</tit le>
<author> <author>
<organization>Google, Inc.</organization> <organization>Google, Inc.</organization>
</author> </author>
<date year="2015"/> <date year="2015"/>
</front> </front>
</reference> </reference>
<reference anchor="DMLP-512" target="http://www.dmlp.org/legal-guide/prote
cting-yourself-against-copyright-claims-based-user-content"> <reference anchor="DMLP-512" target="https://www.dmlp.org/legal-guide/protecting
-yourself-against-copyright-claims-based-user-content">
<front> <front>
<title>Protecting Yourself Against Copyright Claims Based on User Cont ent</title> <title>Protecting Yourself Against Copyright Claims Based on User Cont ent</title>
<author> <author>
<organization>Digital Media Law Project</organization> <organization>Digital Media Law Project</organization>
</author> </author>
<date year="2012"/> <date month ="May" year="2012"/>
</front>
</reference>
<reference anchor="Kopel-2013" target="http://dx.doi.org/doi:10.15779/Z384
Q3M">
<front>
<title>Operation Seizing Our Sites: How the Federal Government is Taki
ng Domain Names Without Prior Notice</title>
<author initials="K." surname="Kopel" fullname="Karen Kopel">
<organization/>
</author>
<date year="2013"/>
</front> </front>
</reference> </reference>
<reference anchor="Bortzmeyer-2015" target="https://labs.ripe.net/Members/ stephane_bortzmeyer/dns-censorship-dns-lies-seen-by-atlas-probes"> <reference anchor="Bortzmeyer-2015" target="https://labs.ripe.net/Members/ stephane_bortzmeyer/dns-censorship-dns-lies-seen-by-atlas-probes">
<front> <front>
<title>DNS Censorship (DNS Lies) As Seen By RIPE Atlas</title> <title>DNS Censorship (DNS Lies) As Seen By RIPE Atlas</title>
<author initials="S." surname="Bortzmeyer" fullname="Stephane Bortzmey er"> <author initials="S." surname="Bortzmeyer" fullname="Stéphane Bortzmey er">
<organization/> <organization/>
</author> </author>
<date year="2015"/> <date month="December" year="2015"/>
</front> </front>
</reference> </reference>
<reference anchor="Wang-2017" target="https://www.cs.ucr.edu/~zhiyunq/pub/ imc17_censorship_tcp.pdf"> <reference anchor="Wang-2017" target="https://www.cs.ucr.edu/~zhiyunq/pub/ imc17_censorship_tcp.pdf">
<front> <front>
<title>Your State is Not Mine: A Closer Look at Evading Stateful Inter net Censorship</title> <title>Your State is Not Mine: A Closer Look at Evading Stateful Inter net Censorship</title>
<author initials="Z." surname="Wang" fullname="Zhongjie Wang"> <author initials="Z." surname="Wang" fullname="Zhongjie Wang">
<organization/> <organization/>
</author> </author>
<author initials="Y." surname="Cao" fullname="Yue Cao"> <author initials="Y." surname="Cao" fullname="Yue Cao">
<organization/> <organization/>
</author> </author>
<author initials="Z." surname="Qian" fullname="Zhiyun Qian"> <author initials="Z." surname="Qian" fullname="Zhiyun Qian">
<organization/> <organization/>
</author> </author>
<author initials="C." surname="Song" fullname="Chengyu Song"> <author initials="C." surname="Song" fullname="Chengyu Song">
<organization/> <organization/>
</author> </author>
<author initials="S." surname="Krishnamurthy" fullname="Srikanth V. Kr ishnamurthy"> <author initials="S.V." surname="Krishnamurthy" fullname="Srikanth V. Krishnamurthy">
<organization/> <organization/>
</author> </author>
<date year="2017"/> <date month="November" year="2017"/>
</front> </front>
<seriesInfo name="DOI" value="10.1145/3131365.3131374"/>
</reference> </reference>
<reference anchor="Wang-2020" target="https://www.cs.ucr.edu/~zhiyunq/pub/ ndss20_symtcp.pdf"> <reference anchor="Wang-2020" target="https://www.cs.ucr.edu/~zhiyunq/pub/ ndss20_symtcp.pdf">
<front> <front>
<title>SYMTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery</title> <title>SYMTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery</title>
<author initials="Z." surname="Wang" fullname="Zhongjie Wang"> <author initials="Z." surname="Wang" fullname="Zhongjie Wang">
<organization/> <organization/>
</author> </author>
<author initials="S." surname="Zhu" fullname="Shitong Zhu"> <author initials="S." surname="Zhu" fullname="Shitong Zhu">
<organization/> <organization/>
</author> </author>
<author initials="Y." surname="Cao" fullname="Yue Cao"> <author initials="Y." surname="Cao" fullname="Yue Cao">
<organization/> <organization/>
</author> </author>
<author initials="Z." surname="Qian" fullname="Zhiyun Qian"> <author initials="Z." surname="Qian" fullname="Zhiyun Qian">
<organization/> <organization/>
</author> </author>
<author initials="C." surname="Song" fullname="Chengyu Song"> <author initials="C." surname="Song" fullname="Chengyu Song">
<organization/> <organization/>
</author> </author>
<author initials="S." surname="Krishnamurthy" fullname="Srikanth V. Kr ishnamurthy"> <author initials="S.V." surname="Krishnamurthy" fullname="Srikanth V. Krishnamurthy">
<organization/> <organization/>
</author> </author>
<author initials="K." surname="Chan" fullname="Kevin S. Chan"> <author initials="K.S." surname="Chan" fullname="Kevin S. Chan">
<organization/> <organization/>
</author> </author>
<author initials="T." surname="Braun" fullname="Tracy D. Braun"> <author initials="T.D." surname="Braun" fullname="Tracy D. Braun">
<organization/> <organization/>
</author> </author>
<date year="2020"/> <date month="February" year="2020"/>
</front> </front>
<seriesInfo name="DOI" value="10.14722/ndss.2020.24083"/>
</reference> </reference>
<reference anchor="Li-2017" target="https://david.choffnes.com/pubs/libera te-imc17.pdf"> <reference anchor="Li-2017" target="https://david.choffnes.com/pubs/libera te-imc17.pdf">
<front> <front>
<title>lib•erate, (n) : A library for exposing (traffic-classification ) rules and avoiding them efficiently</title> <title>lib•erate, (n): a library for exposing (traffic-classification) rules and avoiding them efficiently</title>
<author initials="F." surname="Li" fullname="Fangfan Li"> <author initials="F." surname="Li" fullname="Fangfan Li">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Razaghpanah" fullname="Abbas Razaghpana h"> <author initials="A." surname="Razaghpanah" fullname="Abbas Razaghpana h">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Kakhki" fullname="Arash Molavi Kakhki"> <author initials="A." surname="Molavi Kakhki" fullname="Arash Molavi K akhki">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Niaki" fullname="Arian Akhavan Niaki"> <author initials="A." surname="Akhavan Niaki" fullname="Arian Akhavan Niaki">
<organization/> <organization/>
</author> </author>
<author initials="D." surname="Choffnes" fullname="David Choffnes"> <author initials="D." surname="Choffnes" fullname="David Choffnes">
<organization/> <organization/>
</author> </author>
<author initials="P." surname="Gill" fullname="Phillipa Gill"> <author initials="P." surname="Gill" fullname="Phillipa Gill">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Mislove" fullname="Alan Mislove"> <author initials="A." surname="Mislove" fullname="Alan Mislove">
<organization/> <organization/>
</author> </author>
<date year="2017"/> <date month="November" year="2017"/>
</front> </front>
<seriesInfo name="DOI" value="10.1145/3131365.3131376"/>
</reference> </reference>
<reference anchor="Bock-2019" target="https://geneva.cs.umd.edu/papers/gen eva_ccs19.pdf"> <reference anchor="Bock-2019" target="https://geneva.cs.umd.edu/papers/gen eva_ccs19.pdf">
<front> <front>
<title>Geneva: Evolving Censorship Evasion Strategies</title> <title>Geneva: Evolving Censorship Evasion Strategies</title>
<author initials="K." surname="Bock" fullname="Kevin Bock"> <author initials="K." surname="Bock" fullname="Kevin Bock">
<organization/> <organization/>
</author> </author>
<author initials="G." surname="Hughey" fullname="George Hughey"> <author initials="G." surname="Hughey" fullname="George Hughey">
<organization/> <organization/>
</author> </author>
<author initials="X." surname="Qiang" fullname="Xiao Qiang"> <author initials="X." surname="Qiang" fullname="Xiao Qiang">
<organization/> <organization/>
</author> </author>
<author initials="D." surname="Levin" fullname="Dave Levin"> <author initials="D." surname="Levin" fullname="Dave Levin">
<organization/> <organization/>
</author> </author>
<date year="2019"/> <date month="November" year="2019"/>
</front> </front>
<seriesInfo name="DOI" value="10.1145/3319535.3363189"/>
</reference> </reference>
<reference anchor="Bock-2020" target="https://geneva.cs.umd.edu/papers/eva ding-censorship-in-depth.pdf"> <reference anchor="Bock-2020" target="https://geneva.cs.umd.edu/papers/eva ding-censorship-in-depth.pdf">
<front> <front>
<title>Detecting and Evading Censorship-in-Depth: A Case Study of Iran s Protocol Filter</title> <title>Detecting and Evading Censorship-in-Depth: A Case Study of Iran 's Protocol Filter</title>
<author initials="K." surname="Bock" fullname="Kevin Bock"> <author initials="K." surname="Bock" fullname="Kevin Bock">
<organization/> <organization/>
</author> </author>
<author initials="Y." surname="Fax" fullname="Yair Fax"> <author initials="Y." surname="Fax" fullname="Yair Fax">
<organization/> <organization/>
</author> </author>
<author initials="K." surname="Reese" fullname="Kyle Reese"> <author initials="K." surname="Reese" fullname="Kyle Reese">
<organization/> <organization/>
</author> </author>
<author initials="J." surname="Singh" fullname="Jasraj Singh"> <author initials="J." surname="Singh" fullname="Jasraj Singh">
<organization/> <organization/>
</author> </author>
<author initials="D." surname="Levin" fullname="Dave Levin"> <author initials="D." surname="Levin" fullname="Dave Levin">
<organization/> <organization/>
</author> </author>
<date year="2020"/> <date month="January" year="2020"/>
</front> </front>
</reference> </reference>
<reference anchor="Bock-2020b" target="https://geneva.cs.umd.edu/posts/chi na-censors-esni/esni/"> <reference anchor="Bock-2020b" target="https://geneva.cs.umd.edu/posts/chi na-censors-esni/esni/">
<front> <front>
<title>Exposing and Circumventing China's Censorship of ESNI</title> <title>Exposing and Circumventing China's Censorship of ESNI</title>
<author initials="K." surname="Bock" fullname="Kevin Bock"> <author initials="K." surname="Bock" fullname="Kevin Bock">
<organization/> <organization/>
</author> </author>
<author initials="" surname="iyouport" fullname="iyouport"> <author>
<organization/> <organization>iyouport</organization>
</author> </author>
<author initials="" surname="Anonymous" fullname="Anonymous"> <author>
<organization/> <organization>Anonymous</organization>
</author> </author>
<author initials="L." surname="Merino" fullname="Louis-Henri Merino"> <author initials="L-H." surname="Merino" fullname="Louis-Henri Merino" >
<organization/> <organization/>
</author> </author>
<author initials="D." surname="Fifield" fullname="David Fifield"> <author initials="D." surname="Fifield" fullname="David Fifield">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Houmansadr" fullname="Amir Houmansadr"> <author initials="A." surname="Houmansadr" fullname="Amir Houmansadr">
<organization/> <organization/>
</author> </author>
<author initials="D." surname="Levin" fullname="Dave Levin"> <author initials="D." surname="Levin" fullname="Dave Levin">
<organization/> <organization/>
</author> </author>
<date year="2020"/> <date month="August" year="2020"/>
</front> </front>
</reference> </reference>
<reference anchor="Rambert-2021" target="https://www.andrew.cmu.edu/user/n icolasc/publications/Rambert-WWW21.pdf"> <reference anchor="Rambert-2021" target="https://www.andrew.cmu.edu/user/n icolasc/publications/Rambert-WWW21.pdf">
<front> <front>
<title>Chinese Wall or Swiss Cheese? Keyword filtering in the Great Fi rewall of China</title> <title>Chinese Wall or Swiss Cheese? Keyword filtering in the Great Fi rewall of China</title>
<author initials="R." surname="Rampert" fullname="Raymond Rampert"> <author initials="R." surname="Rampert" fullname="Raymond Rampert">
<organization/> <organization/>
</author> </author>
<author initials="Z." surname="Weinberg" fullname="Zachary Weinberg"> <author initials="Z." surname="Weinberg" fullname="Zachary Weinberg">
<organization/> <organization/>
</author> </author>
<author initials="D." surname="Barradas" fullname="Diogo Barradas"> <author initials="D." surname="Barradas" fullname="Diogo Barradas">
<organization/> <organization/>
</author> </author>
<author initials="N." surname="Christin" fullname="Nicolas Christin"> <author initials="N." surname="Christin" fullname="Nicolas Christin">
<organization/> <organization/>
</author> </author>
<date year="2021"/> <date month="April" year="2021"/>
</front> </front>
<seriesInfo name="DOI" value="10.1145/3442381.3450076"/>
</reference> </reference>
<reference anchor="Knockel-2021" target="https://dl.acm.org/doi/10.1145/34 73604.3474560"> <reference anchor="Knockel-2021" target="https://dl.acm.org/doi/10.1145/34 73604.3474560">
<front> <front>
<title>Measuring QQMail's automated email censorship in China</title> <title>Measuring QQMail's automated email censorship in China</title>
<author initials="J." surname="Knockel" fullname="Jeffery Knockel"> <author initials="J." surname="Knockel" fullname="Jeffery Knockel">
<organization/> <organization/>
</author> </author>
<author initials="L." surname="Ruan" fullname="Lotus Ruan"> <author initials="L." surname="Ruan" fullname="Lotus Ruan">
<organization/> <organization/>
</author> </author>
<date year="2021"/> <date month="April" year="2021"/>
</front> </front>
<refcontent>FOCI '21: Proceedings of the ACM SIGCOMM 2021 Workshop on Fre
e and Open Communications on the Internet, Pages 8-15</refcontent>
<seriesInfo name="DOI" value="10.1145/3473604.3474560"/>
</reference> </reference>
<reference anchor="Bock-2021" target="https://geneva.cs.umd.edu/papers/woo t21-weaponizing-availability.pdf"> <reference anchor="Bock-2021" target="https://geneva.cs.umd.edu/papers/woo t21-weaponizing-availability.pdf">
<front> <front>
<title>Your Censor is My Censor: Weaponizing Censorship Infrastructure for Availability Attacks</title> <title>Your Censor is My Censor: Weaponizing Censorship Infrastructure for Availability Attacks</title>
<author initials="K." surname="Bock" fullname="Kevin Bock"> <author initials="K." surname="Bock" fullname="Kevin Bock">
<organization/> <organization/>
</author> </author>
<author initials="P." surname="Bharadwaj" fullname="Pranav Bharadwaj"> <author initials="P." surname="Bharadwaj" fullname="Pranav Bharadwaj">
<organization/> <organization/>
</author> </author>
<author initials="J." surname="Singh" fullname="Jasraj Singh"> <author initials="J." surname="Singh" fullname="Jasraj Singh">
<organization/> <organization/>
</author> </author>
<author initials="D." surname="Levin" fullname="Dave Levin"> <author initials="D." surname="Levin" fullname="Dave Levin">
<organization/> <organization/>
</author> </author>
<date year="2021"/> <date month="May" year="2021"/>
</front> </front>
<seriesInfo name="DOI" value="10.1109/SPW53761.2021.00059"/>
</reference> </reference>
<reference anchor="Bock-2021b" target="https://geneva.cs.umd.edu/papers/fo ci21.pdf"> <reference anchor="Bock-2021b" target="https://geneva.cs.umd.edu/papers/fo ci21.pdf">
<front> <front>
<title>Even Censors Have a Backup: Examining Chinas Double HTTPS Cens orship Middleboxes</title> <title>Even Censors Have a Backup: Examining China's Double HTTPS Cens orship Middleboxes</title>
<author initials="K." surname="Bock" fullname="Kevin Bock"> <author initials="K." surname="Bock" fullname="Kevin Bock">
<organization/> <organization/>
</author> </author>
<author initials="G." surname="Naval" fullname="Gabriel Naval"> <author initials="G." surname="Naval" fullname="Gabriel Naval">
<organization/> <organization/>
</author> </author>
<author initials="K." surname="Reese" fullname="Kyle Reese"> <author initials="K." surname="Reese" fullname="Kyle Reese">
<organization/> <organization/>
</author> </author>
<author initials="D." surname="Levin" fullname="Dave Levin"> <author initials="D." surname="Levin" fullname="Dave Levin">
<organization/> <organization/>
</author> </author>
<date year="2021"/> <date month="August" year="2021"/>
</front> </front>
<seriesInfo name="DOI" value="10.1145/3473604.3474559"/>
<refcontent>FOCI '21: Proceedings of the ACM SIGCOMM 2021 Workshop on Fre
e and Open Communications on the Internet, Pages 1-7</refcontent>
</reference> </reference>
<reference anchor="Satija-2021" target="https://sambhav.info/files/blindtl s-foci21.pdf"> <reference anchor="Satija-2021" target="https://sambhav.info/files/blindtl s-foci21.pdf">
<front> <front>
<title>BlindTLS: Circumventing TLS-based HTTPS censorship</title> <title>BlindTLS: Circumventing TLS-based HTTPS censorship</title>
<author initials="S." surname="Satija" fullname="Sambhav Satija"> <author initials="S." surname="Satija" fullname="Sambhav Satija">
<organization/> <organization/>
</author> </author>
<author initials="R." surname="Chatterjee" fullname="Rahul Chatterjee" > <author initials="R." surname="Chatterjee" fullname="Rahul Chatterjee" >
<organization/> <organization/>
</author> </author>
<date year="2021"/> <date month="August" year="2021"/>
</front> </front>
<seriesInfo name="DOI" value="10.1145/3473604.3474564"/>
<refcontent>FOCI '21: Proceedings of the ACM SIGCOMM 2021 Workshop on Fre
e and Open Communications on the Internet, Pages 43-49</refcontent>
</reference> </reference>
<reference anchor="Elmenhorst-2021" target="https://dl.acm.org/doi/pdf/10. 1145/3487552.3487836"> <reference anchor="Elmenhorst-2021" target="https://dl.acm.org/doi/pdf/10. 1145/3487552.3487836">
<front> <front>
<title>Web Censorship Measurements of HTTP/3 over QUIC</title> <title>Web Censorship Measurements of HTTP/3 over QUIC</title>
<author initials="K." surname="Elmenhorst" fullname="Kathrin Elmenhors t"> <author initials="K." surname="Elmenhorst" fullname="Kathrin Elmenhors t">
<organization/> <organization/>
</author> </author>
<author initials="B." surname="Schuetz" fullname="Bertram Schuetz"> <author initials="B." surname="Schuetz" fullname="Bertram Schuetz">
<organization/> <organization/>
</author> </author>
<author initials="S." surname="Basso" fullname="Simone Basso"> <author initials="N." surname="Aschenbruck" fullname="Nils Aschenbruck ">
<organization/> <organization/>
</author> </author>
<author initials="N." surname="Aschenbruck" fullname="Nils Aschenbruck "> <author initials="S." surname="Basso" fullname="Simone Basso">
<organization/> <organization/>
</author> </author>
<date year="2021"/> <date month="November" year="2021"/>
</front> </front>
<seriesInfo name="DOI" value="10.1145/3487552.3487836"/>
<refcontent>IMC '21: Proceedings of the 21st ACM Internet Measurement Con
ference, Pages 276-282</refcontent>
</reference> </reference>
<reference anchor="Elmenhorst-2022" target="https://www.opentech.fund/news /a-quick-look-at-quic/"> <reference anchor="Elmenhorst-2022" target="https://www.opentech.fund/news /a-quick-look-at-quic/">
<front> <front>
<title>A Quick Look at QUIC Censorship</title> <title>A Quick Look at QUIC Censorship</title>
<author initials="K." surname="Elmenhorst" fullname="Kathrin Elmenhors t"> <author initials="K." surname="Elmenhorst" fullname="Kathrin Elmenhors t">
<organization/> <organization/>
</author> </author>
<date year="2022"/> <date month="April" year="2022"/>
</front> </front>
</reference> </reference>
<reference anchor="Gilad" target="https://doi.org/10.1145/2597173"> <reference anchor="Gilad" target="https://doi.org/10.1145/2597173">
<front> <front>
<title>Off-Path TCP Injection Attacks</title> <title>Off-Path TCP Injection Attacks</title>
<author initials="Y." surname="Gilad" fullname="Yossi Gilad"> <author initials="Y." surname="Gilad" fullname="Yossi Gilad">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Herzberg" fullname="Amir Herzberg"> <author initials="A." surname="Herzberg" fullname="Amir Herzberg">
<organization/> <organization/>
</author> </author>
<date year="2014"/> <date month="April" year="2014"/>
</front> </front>
<seriesInfo name="DOI" value="10.1145/2597173"/>
<refcontent>ACM Transactions on Information and System Security, Volume 1
6, Issue 4, Article No.: 13, pp. 1-32</refcontent>
</reference> </reference>
<reference anchor="MANRS" target="https://www.manrs.org/2022/03/lesson-lea
rned-twitter-shored-up-its-routing-security/"> <reference anchor="Siddiqui-2022" target="https://www.manrs.org/2022/03/le
sson-learned-twitter-shored-up-its-routing-security/">
<front> <front>
<title>Lesson Learned: Twitter Shored Up Its Routing Security</title> <title>Lesson Learned: Twitter Shored Up Its Routing Security</title>
<author initials="A." surname="Siddiqui" fullname="Aftab Siddiqui"> <author initials="A." surname="Siddiqui" fullname="Aftab Siddiqui">
<organization/> <organization/>
</author> </author>
<date year="2022"/> <date month="March" year="2022"/>
</front> </front>
</reference> </reference>
<reference anchor="Google-2018" target="https://status.cloud.google.com/in cident/cloud-networking/18018"> <reference anchor="Google-2018" target="https://status.cloud.google.com/in cident/cloud-networking/18018">
<front> <front>
<title>Google Cloud Networking Incident #18018</title> <title>Google Cloud Networking Incident #18018</title>
<author> <author>
<organization/> <organization/>
</author> </author>
<date year="2018"/> <date month="November" year="2018"/>
</front> </front>
</reference> </reference>
<reference anchor="ekr-2021" target="https://educatedguesswork.org/posts/a pple-csam-intro/"> <reference anchor="ekr-2021" target="https://educatedguesswork.org/posts/a pple-csam-intro/">
<front> <front>
<title>Overview of Apple's Client-side CSAM Scanning</title> <title>Overview of Apple's Client-side CSAM Scanning</title>
<author initials="E." surname="Rescorla" fullname="Eric Rescorla"> <author initials="E." surname="Rescorla" fullname="Eric Rescorla">
<organization/> <organization/>
</author> </author>
<date year="2021"/> <date month="August" year="2021"/>
</front> </front>
</reference> </reference>
</references> </references>
</back>
<!-- ##markdown-source:
H4sIAAAAAAAAA9y96Y4bWZYm+N+ewqBAVUhdXHyV5CoEsnyT5CGX5Cl6pDKz
0RCMxkvS5EYzpi3uooQY5GP0AN3AYP7133mFepN8kjnfOXc1ku6KzGwMMNld
EeGXZtfucva13+9HTdbk6kV8HI/a6lat4nIafyyrfHKXTVR8qoq6rOp5toyv
VTovsr+0qo6S8bhSty/iSZVMm35WNdP+UiXVrJ/ax6NJmRbJQt37UH/neZQm
jZqV1epFnBXTMoqyZfUibqq2bvZ2do529qKkUsmL+JUqVJXk0V1Z3cyqsl2+
iHm26EataGzyIr4oGlUVqumf4YNRVDdJMfmU5GVBi1jRqpfZi/i/NmXai+nz
TaWmNf3XaoH/+G9RlLTNvKxeRHE/iul/WVG/iH8eXA7i10me85Bs5+eyVst5
fFlWqvhaul/LapYU2dekycrCLSYelWmmmhU/ohZJlr+I5/TKf2R1mQ7oneB7
bwdng/g4qcrC++DbLJ0nKo+Dn8Kvnf4Sn5RtPlGV/52FvDiYVOpukODV/5jh
l0FaLoLPHtPMBb1cT8qm0XPIt48XKs+S9V+Dz/vfTPiFAW15+h+J99YgTYNP
ngzoIAu6FPetE1V4Y+EG/U+MVTH4jOcGgKktW3o3iF+qZFGH23mXpTfhePiZ
X+LTeZYms9L/3lQ//x9tKj8O1KTtXFv8pignygeTt3TJBNX+D507UwCReFpW
8ZlalGmVpKv4XwXLyrycBSCzuOFp/iOdNAw0UVSU1YJmulUvCGUIcdxf8YeX
pzvPjvZf8H89e3Z4oP/r6Z7+r6c7T5/Kfz0/eG5+fX74nP7ron/Gl9dv8rpf
F1lfFWm1Wup7Dn5V9LM/9pc2S/tNlRT1ktCLF/LxZG9nb0cApCFkVQ1Bf9Ms
6xfDYVVPsZWhKoZ4qH8HmtNfVqqu+9NKqUm56GcEQV/6fFBZMetPVJrVtEn8
RzJR/c9lWxVJntWLvvqSpKoaEy2Z9NOSQD25zYiGyJeFwD3CZ4S0xVf4TPxS
PkPISp95EZ/r78RJbL4Uy5f4ltzXerH3uXi8ir0vPuJPWmIS64t/EX9QOBZC
iPhjRj+2DaFsBQThhyY01YsYK6Rze3189v7qor/97O7u7gbzZFIus8G0wgkC
Oob7T58+DzZ8Vf3n/6rp9Bjiti7sNY2p+Lhtyipr/vN/xUvaZ5wn8Vk2nbY1
vUmHUMelam/p0GIiafTbVVU2Km3Mj2dVmTV1XNOLhvCt72o0Oj7t7+4cPbAv
QrGiMJBRrwjzFsNplqta/7NOUp6FqMByMg32Sx+gX17E13MVXyyWOU2FJdZg
aWfvRnF5Swj3+vr6ahQTbXJD15ejradzcXr87l08UmlLp7Pi90ZNMs5y/HU8
uSU6Tlh+Wi4WGdE5tb5tnmBvZ3fv79/yrM0mSZES3JdEDop+rbKvLV1Gf+fZ
Iql29zadxSv9DoMugfsyYdA+4xnid0Sj4vcMfj3anEwH6pPcEEbcFdvB+B85
j909Oo/rsroHAuihowHOhKBxWZWfCcj4YEiaqIfLvJ3NknGuHJmpB/NmkQ9U
EWyevvEivjJPx9f26a3bAshc80nxN9ev8eNV/0xN71k53cFddpMt1YT4H5Z8
N2TyNVjOl7/jhf3khKl/LfNJNvnp6GD/aP/54dFhsHr32NblfjRfItJTNFU2
BvZuoCTnp/1ZshjnoJ7bYVC1VT+nldK/y2VC/xrmapbkfcxN5GN4/m54/cfr
4e/oyn86Pb88/+OLQ0w2Ot3ZPwiX/r6gT6nYfJPYY9wAGZkoJDlxxepGNVu3
dY4FqKQQ+KlBfNYBqLOnoy17Sr3tkMB418yHZj/qNslbJg39Ss3aPKHDW/Wb
sgRXAy9NMXfJe3HfqlrCxT4BfJ/EqqJQeS48aYGhprxLqknd3/3UAcVz+y1Q
Ife5mD/H2Gk/GZed4+NPMo7pT2JQvhjrLwoAlHlOnKicTgmh//7TPZLTvQdQ
/EO1UkdZfKpFyh0W6q6uynIxzBbJTAFr2wVOnKZ81j/ABdRt3uh32gVRr9Wn
ihkjndsnemrn08HezrOdddIuD+MMAVBErWie2vx51dJ5pbQvNz2dJf80bRui
bXhQ5YTYxKfpQZIWF6oi4rgZPvnEMZ4RE1ELw0HN186yCryPpAMa2zTrY9Jc
dob7u8Pz0yf/GKyTTNzMk0V/99nR7nb+MSvLWa4gAw/HZXlTD4kyYMHDT8Pz
9OD6mP73++Pjn383z3/qQOdVUpQk3NG9EDfQR1EvNWd/Xba12rR+rQipSi1W
Zon6J602BaOyI2wB8JXnbd7fPXq2v30/S1UQyyuIahPDm2MV3t4Onu7tHwyX
gEISpydJf7zqf05S6KV9hcmHHRnIPChE/qWBWdzmW1X8WMfHDT3ckhxzz17l
A7L6zlbdmN4o7Q3Cr6K1Ae437/NzS3pSRc8AlfDYcHeXCHH/To3rrFH9cV6m
N4Tu4W7eqbv4/BeSwO5iSMopUX5alX4nNu8YsMbasc0fGe8INuklI7f9eM9m
sTRef2endsjC6DPa6Jsim80b2urO4fYrBWEgElE0Wd3wZSYVgV1OJKJ4dvj8
qJ/RZWdJ0Yf+7tkHluUdQdkEd9zW/cbqRuGpXMjLMfRt93KsX4aA/ssodi9v
3/nHLM/1fvytfxz4g2bzO4cQai/O3m2XCfJkXA8q4tS0/2b4Vi3GRJ+Hs6y8
TQr1aUGCdjKcKL4RYiXMR5Ib5iokg5EWlLQT4gBFw1AxL5fEfpp+0k/TJp8E
J3BmJmHSdc2TkKx3V5COYyaJP+pJ4qRh8BgUeZym15dn2w/klSw1foul+kfy
auCNBSLHKRHNpGjvYc2Ah68TOpEAEEh3qrOEGGl/ktUEsAVtiI6AtEBaK2mC
2riT1H0SZZt+OaWDWObginRqqm5CkPjAsxGTjN1sMWYTum6sM0kdYzYgSRLr
2WLMtv1ITpOGlMDC7NM/lNNBMBrw1deKlL8cp3IPljCKpKpWTXKriqyCdjcn
wGPIHzJ/IWBgMUTUNfqvJSlmGCXkJxJV9VvSD0BAzB4/7R8+3wv1wlOZKGbh
wuh9dBIyU6xnitsiZrJiVLrtZ/I+z24z6Fa8Sf9I3g/8QXsiQJ3zAoIMTuQe
bXDWDmo1JEGjvilADZfg9DdMwIe/4z9Ex7sgYfrp4dFeSBdGVyRhZblW6+mS
03lG2n8yblm5J0ZAvyQ5jJ9ESgkOSQSo1DTXDJBegFqrSKxifl+o+h4eQbJD
pvSu/CN4O/AH7REAV14lTS5HcA+qkAajlrR+uv5ly6Y0whrQ02GttbBhXdJ6
+jdlpZJ+VmsCCjoSoA4R0booy6UIt2zdIT1qOs3SEHdGmC1+g9nirNYmYByg
E5UIdYiqjvRskING7y6gZ2G27Uc0UtUsa/W2/TMaDfzBAHEuSWOt7zkioEZa
tUU654PBg8Ndkr52iM4283ZMIv6CtHziHnVLq8ggscPaRrdNaLS86SdT2hER
k0brvn02ywjpqZekLYen84pnjfWs8bXMqm14//l/0bR/++v/SULF1ZuYZybC
YmaOeWYhQyPMvP2k3hGVqeeJ7N4/qXcDbyw4qD9kacO69X3AVKyabKHq4Kh2
joZsfBsmRDKHhFJfv5Jm0Z8roozzuilJCZqXBDM39A9Wt4PzONHP0+USrryf
TuOTJL3JafVielCwmX0FlLx2E9JtQxzJIGTSL2/oH9vP4oy4u8r1/vyzOBv4
g8FhvCJYuiVuriCXPF8/D30cBNGzlhZP0gMfiSaxWQ0L5BCvDovydkjSmSeU
ZL6JSx8DRMuTbBafEGUBmQDteEdY4nT57eJW6VbbEbjCcSt4PAf1fPlyu3CJ
rRHVYjOEmJBYwqTd7OwNxYhEateMZDHSv+7mROSXyZIoS1fr+jjP0rlDef1K
BnMgVE0mCCSANp5cyZcun4gJ5Ene+d36zfY3KRJvkzwt864iwaOLDW+9zRpa
26gp8+Zrh9x6g+E7r9o6/lCSZNARZdxY+PwfaN/xVfKlLgNq9YeBPxgIw9c1
NPXmK9Dw6ebLKRPCjmJSlzcDoVCDrBzy+dfDRr+Ot9d14PINAZpW+19VZVtM
gFaei+40q0jhBhPHTdANnC+WWZWlWb146BKMl+k0qXK7i865BsPh66MExqhj
Im3BS0TX3Vj4xnFRFisSgQPqxp4of/wfuY+nkEaT8p6rAJ6QdllkXxhVAtMr
CY0E4hDHhvKI4ba7T8F4d59+4jv7lCbl2k0RFexfJcREr0+v4vMvyxzmcYK0
vByThPGBFhhfZousYYtFNmEthajcTNGlbpAwwkP4U6uwLf8A/jSwI+Gzf55n
KxLjfp+F7PbPAzfUfYFI8WeSYz7Scjqv2KHwleuWVK+zcEHXAzvSgZOKpLeC
Tobu7E2V1XMabokrrDpQs/5bOM9lVicASRK6bkOJM74MRgNouFSrcXIPhyTa
RVp1Mxhn5UTV2awYJHULd9+QpkmGnrzJFPWoD5ksqUnimpc3alkSZ6jXgEG7
eVgzIyFH3SUroJOiqSujsR0Tk1wxk3zH0xOUHI/iUzfrQ0DxJqsaIm5Ey3iP
/oG88cfCt05U8ZmEF6ITE6Yq/msng2A0fPF0RXdICA8PWkfcJSXIH+2S+klG
hGIefyCIhX3HeM8dwQ+GO8BDfGoOYQBWHFxUB2j80UAaOJ0n2QOC0TYyMC3T
jC5a4zrN86ldYu51nNemxAWsmex5IRHgXLynpKJCPn58Tv98AqV0G81+6Jr/
nC1K3k0HNe1Qh8YusmpOvE3RFb+aJ1PSUDrU1h9dfxcmQLrIOplUnfc6PwSn
TZQvy+85brjt+aCToroTKRT/xQg1zQj2Dw76SUqINaM/6Ow2iCUJkU6iOn8q
W4LthJgCy9Q0cnH1oLgxyhYEYrLKDgC5sfCVd9lN1iRw2GZ1edsRx/3R4Bw+
VtowtrvF1rksiZysKkW6890A5nRjDKnpQIgg1Fk9tNqb1WNJaVMkPvTzbIyI
GKPPpCSWwXFOihBbkoiZQL32HBwTBYd16BO3sp1Tk2V6SA/6C7H3hRdAbvqE
UDP+hO/U0J94UOIjmNTH08F+b7DD9ehE4pOKIHkS3BqxPn/UXgBMsCQj3ar7
NCISjBBjoB129qhneK0ADpM2VM6GFWJa4H/9nJXQryHjz1h/zqy1HIYrtr8a
C254zh/0FPHPWQmlmqdgpdlNAcLAUxiD7oPn+KolGpKMk4neakes9QY73KKl
12ZVQrhQzOYdZuHGwpfO87Iokix+naU35Y3/0vnAHwxwgCe75waS6kt2K8Rg
XA93j3b3BjvPD492gsN7Xd4hRoP4jaabTGk/qvGDXPHv2effe6h/SCoStU5A
FQMIJUnHGwxO591xf/TmIY2dBAbSlUnu4GNKV7Aha1GU4C9rMg78GaZ7Y/xf
HwBrqEffMwxJOM+ipDfYmhNaNY71G0QGnfXnxzqGw+G6LHNW615aGnGRs4fY
qYan4lp96EI+lLT6Jn5LOwkF/w8Df7BDLdq6IWo0mjO56RAMf7RD5xWJsnOI
v+9C9xQR+neBa8pICXSWX1VxmYxxJRuMBkIy+KE8GQ/SBMyLdOr9IUGLsaX1
ayKNtzACkNCQ3qiGLoRGJ0TlUxqbKNIGVprEsDm3Xq5IzFL9pq1u1Kpfr6os
CS/nhGBR29agacn0bGW64i9c4gvxmXwh/qWGDbukv/Gl+JX9UjySL4G0X/PH
mIp/IJkMDs34fIZALyLoNANwrCTdjdhCBnXlePKwHn8C7wmJ3unXJCAPJ4Ng
tHO5yU07JmUhVzedm3VjXVWzIgHybfqmLVTnWr3BjjAzSRYEEMU04Dckx7ix
LoeaE8SlZdP0PyQE9uUa3K391oV0UooUGGjTgXN/1MIfTDrv37+7uIcYlIS6
TAKWZd1o9WNOElLfhp1scRqe4ikwnYLoqPURkogd56TRtclMxdphzGYrG1vy
oCDV3szHJCSuEdfRduJ6TGpKVYKSJHXzn/9P5zaC4Y59gqTUJP7jqigDlwup
gG4swGZzmlvweO00n7MPss+WrLoh5G321r2MEvhWQ5k/u7pwh0nHdlHUDXjN
In58BZfS3kbXv9ZeiTRlk/j8dlLekEQfSJSkvobjAYycJfd6lcEwkpSoQE13
zdu7gfOggbl/3jZs3iY6RUSjCjd3mcCCzjLJ9furF8xgf3hD71407wvnLzOT
xHqSh0DkOivaErGESehMZvvAZJNKeqVgM39LlCygB1cDbyywuP1BVTfJYnlP
1Mp3WnlY09vT/xJFZLerelzgaeaAbxVsYVkqKKPGvkp3zLY5EVJgWH9QGp4X
/aukzc1eQlJDW/fHu2a7IvmSkcyybJIOXrixIKTkXTLOtugkdFY744Nk+jSd
pHvTnfTw6Oj5wSGRmZ29g8P0MD3af5YeTtQkTZP96e6zpwcqTY/Ge9NBdbA/
SKd7AwBFOhFT+u7e/vNnfT7N/X5BH+2eJUzmJHY05WK14QwzaGg3GYL4t6LR
n9txQvQHO/L3/ueBGwr0getEQsbusQam9aBpp03NRh9Yd4a7u09JSiXcIBlr
SkQT7w9TWtZsHTjA3RvoRiJMmYChVyRLNUTcKhLliOrSKJPkrfsibb7kxfq7
Oh24ocCodVytxIe4Bfw/zxNkBiz4Vpbt2NiamdzJ/axp2E6uC24EJBDOUtpK
3cSXZXnzHcp2W83mssgOj3Bj4Tuvy0Wy/sLr7S8QOz7O1RfkYkw2yIjHg84v
AT68buvk5h6oyLPiZlAvgfTa92oiFnZ3Bru7z58O6939p/uHfZqhv7Ozv9N/
5h+lhBtr2dBBBsf05QiIibMJbD9TbVjUmiGsinBRj0aXw+vLEann+DxWgSiP
Bw79LVZYyM46RMGNdelIjlA0nFH3FW+wQ9zhhySFtqqz4B0i7t5gh7wnt3Ay
qLwTXXQ18AcD+GY5cDvFchS8HtQZvOQL0eYXKdj6vgX3Rbq7u0cCOKY77kL8
MRF0Os4J6zkXciMrY50l5WaaVQvjAifxGDj8y4dLTyMiwWDSpo1EdH6P1+87
5N6AeHFqDI7h4KFj2Nt0DgfmHJZ7R0dru2+JCnMygw4kIjjExl8GUMeEy9GD
EzZVXJH4WG/dZZjTsyn3x+7xABqYtv1uCQpxNLotFkyh/49UvzHMiGfVeG2N
lmkfGGmro6adrCTWx5jZ+yP6ASGdtURR0xEQ7ask78Edxohlhhfs2h7DIX6p
AMcv/diS19dvL0mZqpckRyu2nzGVvy+AcqLYGP49lvAgboS1lnsMi56SChBg
NNjdZf8+gpcbhDFrh0PfC+Pt61hiEn6r7DZJV328UfQXJE/CGDvrJ0uXVdEx
ICDc6hRzv/C8GRducjYRYHKGrCv5AE4JbxaEfvob8bH3je2H9x0aXYA+H9p6
rraEX20JBvDCDRmBpmqMUxzjIHQ4AGtgqlZ9o0n1awVhoa8DlP0jOsHmbGgO
Awe96XQwedOGNoOOtKyI62jOX0ZbD+OsJOJE7IU36Z/H2cAbC87jdK5EGNqM
ZwkxeM73TBN7Fn2xV+MwdoY7T4cSdtxv7lRyU2tdtCldrAgdglgW+jWt0hxJ
ADaveIq4bhCWaENBOCjNvo0gPVFhl3myquM5XdHYoMXWYN1MdthFKTsW4NNJ
uaKN7B4dbVGr6nROWgyTvUGe3A0m7Y1i+jNNUtrT6pP3wPDp7lGIGi/LNiXp
vmGSwOa7ZZKy/lzdqizPYRfuxSPYaVQ2K5pVj1HkNe3zLoNrWBPd+8KTCUVl
F50NuzETnHwEpenjPGsQlVRt56thlCZJwc/7OtW27tc3q6XqE3TWuHCBaWNa
7GeNQwsG4P6zHfof6QN7z4OD2e3RpLGZNB5hUoA8m55k0l6sZ+VAPIMyPOt2
rSAhLLIb7CgG4XiAEScnp/efxnicuti7lkSSg6PnO8+eHm4AaNwf6atVWZdT
AuBZpQDkalk7Gz+CEJFhsIV/co4ALQkW2HoD+pbFJM+mU7V9ybPs66KclLxk
japJUZBmCjPkQuTLPu0FiEnMjxldjcBADpLsY3393YOnTw/3j3af7m/Y5LGZ
jQROkVZhLf7gzYbAwFMOuTzm3Y6ExF2TRLn9/giYM+U22MXgYDw4kz/POep4
Q6JE4GiYNkv5y0hEu7s7z/gfg/1nRwdrslERH3v6nIFBvZXzYoaMHSsIbN3V
Nal0tMCOnGxG7D6QIvExmRWMmTsbLIHYyuS2TIl5DmYcT3JbwuwrqUOSeLa0
mVvtMi+TCYIVdo5AsidKLcUq7dxOCcKItOfLRbntrclRZ/SuNjj7WSIA9Q3q
okmBN+EMdG9E32aKHeN4K/7bX/87HplVLHi6vGc+ZZEV7klSgGQpB9URLb1B
GzDHXmnOvr1fsqxXpCISq9OxgBw17nyyBCxZDgu+WmrTvuf/61o2rvhhzjzd
eG7bAWXOapUstwMu3mDAv06JMcLGR1vdoMVuVGJJDFzSXKzE7jD8Hx0+Ozg8
+BSEUF/MChf6+1vNGB8QUlZNzOr8vSD8wxu1F8X2DBMAtkXZ+a0mvQP9L6J+
euI1S5SOqUuQi7WsFAkJTM6uiIzp5LH1/f9YcwLxvaoeE/EwoC3Qd96QvNwk
9yi3/1xz3JExx93Id7edw0WetwvEXkgyvKfzvRVuTHt/i3oE4GYvkxTJv3AS
nd8m9X2gPZorAogx3YPZecci5I8GpP0j8RB1j40LbvpuyjC77m8KuOS9f2ZF
f1xlkxlccaXJmdX7f4MH/H9mxY8gVifyAonZ5T1yx3W2kHV2kNaNBXYnolN1
k0yn98sclULIfx3YnVid2zkc7hxAClkkkIpJsVM6bcEkrmaTX96cfDg/Otjf
OXqFd3YOdw4C5C4QXcsv90zqqZkkHtNNID8EwhLBQJHUzSombNh+uzqM1+yr
w7eD4eBuX6tlo3N5t+Q4rqdW019D/d6n28Gn4+t/2Xt6HZjd5Mf4th7Ex9f/
er0NOa2za50Nv/6s8sVtdvNAhkqW1UhR4QT1uX7l05hIBRxDXQw70ePCNYnW
lLfaeNSUaZnH78fTthbdd+s5n1fZjV2cf8oIw/CHQ5OBdhs/QFSN85oBDp4e
kR9mUn3HV4nNk15WXr+el3dpUnOVhu2/Wk95mkNuNJbPNYHDEwlG+lVgo/aE
g4F4b9NVzlc6qpJTdsXOgFBEmCCIdUJ3JYBHNZqtSbnmlNZJ9UeWkbaQoEC+
pG0Qtd05GOwcHDy7XXMhIZjFemRPjAPxWicxbLrwK5KgcyK+soSO1dQbDMiL
z0V3tqi1DeIli2YKoOQLp1PmOKaVBLWWCzrzpj8mlUme7DdzgtSGE993nu3u
7O12d0YM4YTfBivF28QqTuz7JNyY938jt+xuaZvli0jFDGx6SlzacQGmmJ+T
wqQEsQaGSjFss8Cus6ZPAtFSIZsQf8+QashuPPyEeLq7OdE3/HFHt8HJQv2w
vsyrrHndjmM9t7X/xf2YJiT9NTYf6PEAndQMGYjiK8waUfr5K3gYXxHi225V
D7ec1T4n19XJ9B4/Xwdc93f3BofP9o/WwdVlll6wSiHSvBZnzyrYbcoizAy7
zRIEvg8vruIR1xCT2gXbOeeHcpXoFXeERG8wlAdUcnufiiRVVbKKd4j4F6Pr
VUiuJLH9s7C5QTGp6501e7jb9EuaANrJ6ZXe8/ouuqGibAqq9RL9/bwb+INr
gVEIceIKAp0z8Ab/gWwI1oHe0fpVeg+npeurByod0n77H0bXny7MQQViovwY
hz9ugM9iv9kb7KfrrHVEZ6SKeyiTn8AEfQv6C2uxz5CwRr/0JUiDLSv9ZGlp
FdF6NlSLfsbmKSaQ0AgC5nL+8iUn+tbaOnNHlCE+vnph6Baos54s1pMBZe1k
8gIsUca5d1/aIz0qe+4IvN6gvSgOaiiLy3JOymixJX/t3kN6jkyvaZqakiWz
hL7X+PS8bwi6iWDxz+bl6Wn8gSuPHMub9kxgkyZqfq2p+Yn/8qaNv4T10u3F
3/zLQfeHIL0NZfXU6oHNE7SiHCAnL4YS8t6zZ/u7T7XVusoWnFvl/cE0flIQ
j0vSueovy4zwBXCD+eq1JEdwNih7/HRsn4756e0minKs99ExUXiDgYzx50X2
Wd3VN9k9Qhr4WU1XnqS64oex3eDfJCawhWWIWMKsnvc3GHaYdRFQsOnPCvQG
teW9TQYdrg0FHZlDQu9TBM6RQmb30pFQw/Fg+8cvr7b7N9kAq5MrM0ma0nYM
4rG1l+QMYYbjnKSujJrkK7plQlSuIuGlRnO5H3yvH0gxwrRfJ86qaQ/jxMxt
irnR3PEpz01SD8w+WRW/vyu8lGnEzm7n3y+vNpwCMfX+6OLV6fu3b7fImiyo
ey5ejhUnEjCFl8FYQdLK8DyIT8Of23w13Nvffba/86zP/95d4/WwW52WeY60
eGLyZwmM0xLbtg4O4xWjxINM4D6BLkcg5D3sqCR5CR4IVM8wgtwu2zEJdZtk
sZSECIhngGauo9afNflEKF/A0mmt1+YNW+CH3tIVzWbXl2dC9bbC9RtVTKpE
r9oH6zcDfzC05UK/7J+Vo+/VbNeKhp2pIkty1LsgXoMI30+wkaQ3/0qb+Xcp
I0aS+OHh873DoMqDvIfbG8l7qHND722Fxi2q8FPNr7eqjoYYj1M4RhgppySB
kxo2VJxAhqoDdxPi94ykSHYZqi9pzjUY7G/Qn1lD7Lc3/XqJZBbZJ+GtNdyR
jI6ow7pf7O3uPw3QdiTzxGc0D6uL8S9v4hHm0ftWEweKPcJvnugBYQ7loPTm
/ft+O/AHO4KcNnqe18uS8DLIioRA6w93P9YQSN4BA7tfs0OdTIWc0ANmSVXc
JTrM0E9U8MfDOIvzD9fgrffEWBA0M0DOsxr5Aikp/4lU96MjHZ4ew1v6tL+3
O0ini45wGI/+9C5+mZflxFo6aGxZllN2798PhVhaKA7AevGmSm6burxNtivg
2oO/KOu0vHNFDthZZ+QCTp4QsKpRZqZql02/XPKVsPfLmL+GB88If4/WBIFT
bwIEjWCC+L2d4EdUiHrAvv8ndcNlR4jJ2F35N/enQWc8IJl/QDWAAoVa7nF1
cQDwwCeeG11CREqJMcjT/GvN1VPFMdDfeb6e4kgzxsf8PAcp4rn4ec94a3Q2
Qc1Bm3Bp66tmE2pbLeA2c2cVv90cY+4qYFSNt92OItX5IaC576uMfSH3mFUJ
ULLiL21WkRSB8zF/CLjs7T1/drC/P/yaLcbJ+E450+o84zIqIEOG8UwmpSFV
AcP5s37ZmVTpZXBN/bKUICXOECdbMULLU7OkkE11ZCk3FijHb9sC0vpDzv0G
pgYUdGBJatDeOMPy0dBYlT9xEapPZg/1J2z3050af9qYa2DsyYXbdb0kIso1
ymy4/JC3neZJdo8bGFYvt5WO1SscD3Z/Rpq02qJasoZLPEo8+bxlInASF0VK
HoyJQ0L8p3v7zwd1E9C1n9uiSeiP2ZywqI4XXHyzTit1t3UHtnA3VtSh6G4s
0PteqySFq2KzYWOLSATX7jMRhDnKv5byYVYk/pIVn7OE43FmAGIpeEOwE8Yn
ieA7wgRSOsxKfVkR/1HPQfiNOeJjLm3zwc6x0ayjxkTr5mZTHU7ojwZGitPy
LttG3SRlkIOxBwWJBTPmUQsF9WdWD3nocHeI2nimamM9vG5VPUlWw8vrvszN
iU7/srdzCWtMTf9Bgi/90+y3S/f48VgeDixdW3f+c7aQbfh75uCFu2wDwYLL
ty63xXDfh657CEjbOxpy0tgnW/JrnBNBKduwJtoIz8SnLZfN9GR6jlUhcMwV
l6Jsi+wBB8QFarvoNfsbvBgEo2EhSx1cM/6+6BopBq7jFQHXewf7R0/DOrkC
r2qBLDe6l7syXsBOTsC5QOQNkMNED9VxzQ5KjbXJapv0QctcpyinRNQW7QPU
tFhW1t5cD+myaEH9u2Rlgy/plvYOnj3f2znc2Uf5ygWpskXTVzrpDpaY2QyF
qLiGgQrq+12Zx12O3ok8Hh/7j2/UWqSSxkTdmo10VBd/NNj38dX9EDlvp5Do
mrJADpUpKbUHoYK2WIOtVf2xmqsabBPpBp+KT3t7+/u7e4drktWIH49P9OO9
2BR11BvtxR9JJT8hxUKBMiGAtC5ZGimriWjaOCZkxjYbfSmijNaoVMsBJ1wC
fh1QX5dLYlH1dumqUsnkDqX3zIZ3sVv6/6mPPPUn7QcgpPyUZ+NV8qkhUZo4
p7rBELtbA+EqwD3tGRI3wiVe78W/T2gl2drFQ23PYG5WN3hYV2C+XtHxFfeU
ujxtSbzSm/UB4nQQjAZ06pWOjr1fEeyG0UptMY6gTZYV19LS0YEG5D8nRHxI
8kS8Qsi6qhZFMuv+X7Ki/3WezdusSwEgVOp5YpknbtF3IrazQfz80Waw6Rl/
3AYhsIG8Slpe/rridFJBHbrbTgoeFi+ePd9/erDTFS+YmP1Yu0y7H0kHLmLS
ikG+/vbX//6glKGX1pEz/NEAuV8maH7w26qjMfkUA3OtliQmi9ABrYsNGAuu
nkzISCxlWa3T6s8lLQv18NpqGt8l2z2eJEZmN3qJnQ15g4HB+JUUerrHPhFW
vjuAGWnnYIgChlD4QFQTpEmzCwE9S4o1GnVtnumxX4gf2rqH1yQBF1iWv4HX
AzsSwNVbArgynf9zdbqJKjJPoVvP8hJVji1FTEdKE50fBuNZScFGOT6Y9dWo
W2R+DMzG/DMYDTrjXU8YLUkazqzFjAXDAWk6fvnu4oHw3WRK1BUVVRlYa1uc
nCPGapXlukDxFD2OhqPTPg/Tf3PAbDntn70b9ccJDMm21ZCtmrJ2tmIhNqFj
vLx4ZD6AUuWkwaCzy6n3Ed2nQj7ijn26/ditIZmmX8dxtmz2ue/G/dmx39Nz
Y+fw6ZaeGzH99ILbe7gGEERzLxZE86RGu64O4cId4CLmUupeOwrJsflnNZ6I
H2NBT9YZ/BkU992jo82O4xSmdKWqLwMUql7q6l+wWRK42ICY303K7CdETuL/
7e8N9vd39tgeW6nlT/R/u/xHs1qqn7rnhbY/FSpiqok5lv4J3zcSYF1CEfZn
jkscUET5uOjRRRO/Kh8sxoBMB95rh7nboe7jWf91K2kp4RuvB3ask3XJNabX
cyzsUPcLbdG/VBndeXdRlwM3aNMUoApeow3YXXK7LXFHw+/+oDEPMnlH0D0K
XQyfq6fDeb4cVvsoyC+wvCvw/Umwar2eqVzBC67No75A2eeqlmLRlsQMTuk0
xoztLUXMmkIY5Krh5XJe1g8Vg+aHeEPElVrCwnYJmoKYxjuSc2YKdIJUi8Pn
Tw8HSb384u/jFyaVTSI1IuWDIYhtW7c8u2HRc2Rb37PoeZIPsoKUTC5bneR9
QridvWe7e5bUBlo1fOagh/lKhwzpikia/Mkpb19tCF0fk68E7zDM8yp9+Po4
CIc7SazzbMzJOafzMldf/RevB/5gt3plU0LOflUi3qObg+aPhu9d1MlY5VC1
5ySZ2TNxGnQ4HlzAh9HLLVX2nVWkHpi+Wpy12Rd38XK+3P9dNvmk7eA/7R6C
QXiXca1zvfIY1Qk7sUnpgyHOrrfVKCnQV4sIW6aqToonF8zXlWAegP3vje0+
1P+S+nz9hUz+HSkcCZfP+dtf/4cEdZ8iM6b421//5wNg9neVuPk7Q4J+e2Wc
74qjCl85S24z5PlOMxU6kM4Gweg/oQRPBbd5EApxPLAj/59U3/lHissClvUB
3QPLS9XUqwVcHu3CpOIeGr/8zv4nPcNamLDmLUjNYm9KEwfWhRhxmO1sbgot
TxnhHiSSf99lI3xvFl+uVfm83FiL4UNJpHvVyfiGudeOdeu9VOmKkGDWDRBC
bKs3+o/eleSs9T9cn7zckuMp3NVvpsM1zrhrFAmyw7z6pNrJMvndUlL9f0KV
Ps4C869uZLJ4F+UtdxNA35hG2yRQRdavlY0+Lqi+yq2AthFXWXmP9IF0sL6v
s7eXV/3De6x0k0W+ZNCTnl7oJaeGZg0EYiuYQ1Q+9cLEliupXCkeGq3zINTN
KJz+hq/sVCjHyVN5cWN6KgRr01SxSLqllBgz8u+2jZ9ls6xBUya22l7SWW3q
zsZC/Rs6v3y7+jf5MiCJXTeSy15Acj989uxo+Of95we/338byH/vl/DwctK/
krr171vUuGpQ/JJDnNFFSE04RMYrrka8xfZdsUqNa/Z4VWVlFb8riQHf01Pp
DUmthezGh+s3A28sTFolkP26UCt1n2C2uQ1NLdV01aexnYPjarxQMfyZIxSD
VKICjk/0aEB1gHLcqW8ZpkLFj/H3Jb35JD4moYDeRoDUh4ur8/gYU9wTK6lX
5e2sw2E6PwTY8FFX+LknrBTVI9JKqkd85fLYf+GqOKgP8uyT2/ynJl2uabuA
cKidjcJ9022iABOYGwF4CZBGTRz01zm/TUTwxrPTNt8UQvVgsd/vqsUdB+/8
s4uDh7Nz+vyqJRVhTa+0Q51X/v6C30GVL32x9zUO3XaxCPHe2/lEfHjTjY7+
9Pb69ArVTdvwwraku0qcsKuXksEHvEwKYmL4b9CDDVb3f/xiR3NUcZt1c4hH
Lof4/7+Q0JnojbpFrDxXvQ7W+8Yb6rxzze2Vz2AQT9rgpWt/LOhkdZndQ0om
kKUGJNhPp4W2KhOw1UOpmYz+S6Ana+BGP//tr/83P9GLHxdPYtAOGqzQ3JCb
QX6BtEgX/XhzltQTrylkcltmE52du0CbIqNQPwSALwnIpgk8S/5JvByYgc7h
HY9JBIg/JF+T2ZxAPQnMuRDiO790BX/0gnlLGtBtRgzuZn7TLULuDXa/XMEF
eHwzT27p3+8yYrBx52Ue3PSuSLun+oY64m4w3HlR51sl8assrMlDIqkd6i4U
5bPeZnVehqFKx4NgNKBpJxLpsa3eJ3LubhMma4sJkzWtN8gPn9K03l3LXHn0
in8kenZb5red9iA6P5doHOBvlj1cYFpQ7aQTvfFm4IY65/BKIWEmfk3KSajr
vRr4g523/pglJZOagJb8ceCNrV+uii+xus7FurGgGqg+6238Y+tZK+Hj/aD9
j5T521AgwW/CZySA0+DNM7zJ8gKyGW1BKji7paCvyQQVw9c//X7+hIKJL5Mv
HbZgRjqzr3JFGrqqVWd2N9aZ/uekrpLP6xVhfw4qwv7dV0lkOfbuckMwyZbL
LGu4eTiSxFRuQvv6If8juMRzQ3+58JvrzaArNsFH62EUWjyM3l38068pI60M
2qj/eDD2Pb10wkY64Qcuyzar+69VUWWkX1VZEQgKaKHiBjfS1e+wInQo5G/p
J7Fmt/gNEBIRP1roxIK9e7rm0gVXisTGhfh4oN8OiyyFpS4NW72Y+T5+/Li3
ljTxyEQhfOSiGKQe3GVIf50DR35HV8/ljbz+Crqc15ZqGg9WUE/oThFny7kM
XeuWP9o5f5RFgpDxUWUF7WZN7vSHO8eflbOSVPeqSiZJl5EGw51PvpPTFJt2
E97eu0E4bC9wl1vKIvglv+cCJ/kgSRdGo5dSnAeHw/2DZ/tPdw4G9O+Dw6dh
FwHXcef3v3+bZCjgkVg5XpHKnvvNY7eX7+t2tEEntJVZcofo+aNrGIiGPR/a
UIS9HLih4EgM0dtyHlsZ2F1ZNnu7/TuVLMuC7Rl9kqWyXHtON2u4QuGg4r5d
6T9ewFBtpvBJ4EUxJQGvqVqplQIZ9tj7gAkC/6eTyCtimcltfEJAnUzuks8d
QS0c71rW//dyqeC+vp9JyYXBobGBypwjoMK0v3iNxSRcjbJdkqz3BU2cLIti
QeKsJAqmtBfNr+CSTSa5Gpdf/ncIf8m4QqfGdwRhASa8Gnhj/6iM8VtvYkRU
/HNyD+7URN5JwZAOPOJnIuJfTJq87m+5jRP8fn05etEREWgocF+m323sGcki
9Gr9nSFN2A12DuNDMm9zrrtJ3OWzCg7xw6D7Q3Au5/lCFbSa+j5G2aGzXCzA
0trnzw4P9wb49/P9p8H5dIp5B2U5uFTq9dVwP4axJP79LxenD0Ji0hCvKLwl
d4Cl80PnkE6IJaIw/yidtyrsangyCEa7JotsgWalJ6SAl50rcWNdZ19ex8d1
OlfFmGhigDrE87q/3HMj98TrIAwM6cyDaVtMdIpT/y9tRiQnL8sbdAnHX50K
rfHv8YQ1UeLgf4M18rfegd0Z7POkNieTLRCmDfMGrPYOj57tPgu802E/RZtx
+r2s5U/o7ilL8Jf8p4E3tqn3maq+dgWl40E4HAbxHb/7sCXPE5dG8m1Vayfg
HodIE6VB2H+ODmboYn6HyKUKWZDoed8uuZRmVbbsp7HNnoOTueQppAkax/DJ
HMiARO79L8SfG/Q85Tls9NRDJ3Y8bZIxindMsr+0XWtNMBzesvjY9rY23UAU
flsP0rxsJ76jLStSroI+5F/6Oq8fmUK7z9H3wt+xLj55iidR0EI/CfcYzxH/
wO88sEVvT+FFyseiWN1UHllcT9ydtCkEx1lLF4Al2F4ihIrLJZ1CSmwFgcxV
OdRTyAbe30oOLOggSh0raJRcCb5fc7WU0fFboklJUdjgrcBPYrbhqkGlSLpL
yyo3bMMmiIXjPq3p9/txMq7RxqOJIo4gN0E68YTeqrIxkl1sWMhC2l3Ui1pn
XEhour4pX3Bu0JwPmSrwfkkESQR9h8PAUTCDRUTXOYXEzMUyySpTYoadJNr2
OUCwG2eJNWW8QDEcactJclIPr+XMUvgvqOtSLtmPWF1qcwqtBAFhkQ7HXMLf
WjVIDlbSnZW2gxm8bXJWP5ZqSwZEqhA3aCzxtVIPxBa4HsRxeI4LLphQlHHd
zmaqNhVRI3ScIxW6pWM164tT3QhWNE7ZDs21JK6Zr/yvJHkvQpB4McGSEU1d
KR0SM+h8H20GYu2sNoGopu72eTFHjiY/xw1I65p2xH8S0IgPGy2Gl/Hjq/Pj
D6+eGLX14sP1y4HAz4JFySiKUDGdvwKi/O0HBvpfo5+8/0WR30ii1mWOkCZI
clPDZcBpqSYzlNa6LO/onOkjdYtmg7STyLXM6sE/TNf0lU+kxzDkzpRfWiIF
DKWEg7iJiIEza+xx032MNTdJxnCyk9awmLZ5L64R+IfGar0YZa8bYEG+oqNP
UfwEB4qPpqhqWnAbh2/fPl71z9SULVO//oqSAPD8zuYGOQQzVDFDUQXasBdW
tWhrQjsClNJGdrC3voeUpoxozwqbjErkgBGMJoCQJrhrklO5cnIOOpVz/K1F
3qgL1QS3STrP1K3agMCD30gOeFce/mvUjxLXBOfvQ324jaNv3z68PH327PDg
11/55SSeZDVttdZwYl9zfa2K0NgSNag2jGdBMGx+Dfd5sClwCJ6D8ZbQrRdX
CZ8zbQzwKSgfOZTXMRD8IV2SoQbqceEuAtScbjGJZ1V5hwWwPYy+ThMkE7Ug
Yl0bo693aGnQuPtxrRQfnLQGjXXYHmb59i3oMP7rr096rmI8eqDeccv2O5ST
VzexIZtERUjbpEVjlRH2bimPpahCczyiOgiwNlwi7zLTEd5YakqszxwyT5AY
VE78jS5EE5BaZ0CDNG8nSMwrbP8xAoCJKqdTLnxPC09Mb0wmBfgO/0LX8Lkt
PKesQt1vH0S5n4fprkJgP1Z5ebcG3nMiLghvMMG+hBQeiGGd+hY8AvgPkFGZ
UCeomqMrQG1a3S+I0GmGV5j5cde2hjvbntN3DTXX7IF/ijnKN6kmEh0Uobp2
prM3vv3A0B8Q4yj6qCxSg94ozlG3ypnFCndtL2IsmF5YMsGNwpY1mluZylia
Eyl3xBxBhdQf+dgi+UzErNYZ5T25OCar6J0hDs0yhuIlTKt26xtw2p5ZCB1B
pNk5I+d4pcHfUNwJmokhc5LG6VgRkM9bXHAFBgKSBg4pkrfbfGIrzqvBbNCL
tdeVe8Asy6ooZ1WypMltb1YwJUR11VkF1jGILsI+Plkd37s284EYoQV4LTJN
gkpbUsxBr/RjHCtbXtAST9QT5CVHE5pHu4Nps7TOJWrLm9PHD49q9eURM9uC
dfD48esVBCECfXjIi5pzVowP6glytBG2VjIxbJgGLi2FtqyKm1N8uIw5aF19
GagvCYhAjFaTeXYDdsRrj/zjigXONMA8eFoMXamaqIhR34+FBPAReN4yDjoq
zS/SQZm75kltuTP9YMCCNC4WApgGECxBk2LIjqvWZd7yAtJkiS0x9fM6B/EB
z/kE+UN0REJjgevmg6sIp4SOywqLvZuXObg30WcQfYgctHVZbMZQRuTLkrgA
F4DqXOBMxkL5y0P+DgIFx047mGYzWRyC1u483k5cHFiCC6XzjaSJwbdvr/Kk
uEUxDk4lhNzzSmrF5iSzmFeT2YzEAo6a8hrCPDLTMEjyf+UZUfcex0nCjKbZ
NgQmItNECeiDRjH79VcW/CBVVCrJ+8juo+Nu2aeQEnZaSgxWqyMNv32z6T9Y
6qikd2yJei0L1Qy4mi2ysLQgQMJjLW8rAtNXQP9lmWmaqRvn0PIu1WrMVWr4
AyIVYD5hmETdtAAioqiuumzOCZtBcB3bznkbi4STZWO2ETDM8O0jqBSygGlo
h29dEAyBGKDSRlold7mRhu6bIxExnNg4GF9leBYNJ4bhqekUVAHKjoZuKwLR
BxdqEtFR0BElGnJTrleZCvBqeVrkJsK0AjoXP0RIsNDdbWq6hugzbm5iGkd8
+za6OHunRWmwbHOORMNFFCdcnBJXtjTdwo9lFi+M862n46QjqMw9K/ow/Fhu
Zz3vjy+uiE1PJlAgBtZ/h4PU0daYJbLyJtdoXeYJETGwGDowr0kSnfmtyg0p
AUX4dyd5WWJUTpHUXqZpW5nO4KjnqOtOQpv3OoTbS0ggw45JB6N3zZz/Hl1c
OVG44Ubu9I63RpmentI7lE5VF1e3B0P6x1NDsAYR44ZFYEAvoFOoBYSXVIkM
W4G5uC4u9DXFuhRjTcSYL2X0HILT7fouWhLtwWGYvTGqLcG05SVIdpEBt2/f
fMcgYJ4hw9dGWMFos5z5YLvU4oP36VtSpgbWkZIS7JOOTa/XJBZDfubOV0yo
JqSUVav4kfm6xvFHsUkv60XCo3LUBjUnJaqH5ZE857gqE5IvEHPD5bOY8G+i
pz2r7s7ofHKtJDnxY8VHwLHZSKcRrNd75LrbvUj+MLsw+glqDKnFkrHYrOMr
oTaiFemhRdbnMHWtBkdaxmFFMSehmY+VBOqk3yQzC18wBZJ+mlQg9bylpi08
amzvzVFlSeapRS/h28kqj1TDPOKtkBE7CjR0Q3qgm5B+2ejjTBomDgw9LCpw
aQRRIIzwY+Qsp8+bK40cUZnDuQRnWi1Tl1Vga9DfAhlgsHeANWAv3BL1A41S
A1x5K1PpPGoNUtIyxTFCL93auJ17/pvRKel3Rmu6qPMEauSrNpskLDpJX06R
wu0mmeCa6Ht65GXFD3/79vr47P3VhbZSRBxGiD5FIgic/yImL02du7kKhLdK
9x9msmwSWPNkRQ9P/W540tiI13RLJKvkTAiSVkFuCBSaVut7a+dbohtYZRm+
m4oe5Zm6kjDKJBh5oWfExoTRosBzzHdYTGY1EcyGyCsX/YV+UeaqknJlnm4v
diIohrA2VSpVRIxY6ObFTTQZTV0yb8/ZBbz+dYGRIBBeQkmuoztoWS6bbJHi
WJCLrqz4YQqwffthWaa/wjgX/o9NdF2ljrlCrdkCdII8Z6nTtq3V8lDUlEsG
TlZIF8kKh+rsBBMjJxhTUtZwDshj4Xl0SbS/vCyXEUgzcbR50uZPeqZquD0c
Nn6zKOUL93oWyDRzaP69iF0EMXdOMJK1E0fyjCmakeToM3pxCbLtiVSJ9MYf
VGnZF3pkvuLxd02peHZYivlqiJ2xJT5rOLMBsKtFpGLS191ceRt6PlG0rNV4
ovDhyFo043pBx71EIUk6p2RJ54w5SfK80f9pOE2svqCujaTO4P1I5qqfkB51
XOA2SESDfSdhUYEtqLTPhHmos4loLSpQnkndAYNuWEmrtO3QfpgWgXKW/N+m
/LUogXNLi3ma1IaMBPTXF4GJ9WZlWxMwzHg1rLjNVzVrUyJLo8yCkaUNRwXE
GdthsAHH9nua5hJOghOxVgrbSE78qWEZnhkUTQFuhoz6KPovXl1f3dXzRXzh
zFWGOdSbjSMGOeBs8QNgHAvHB7OgBxY0IM6vzcDlkljqscVcrshOrL5gVzOl
tQveD9j7vLxRWuEAdRsra8sVuktzePq1p6QLJaO/SRIVkyg+TmcPDU+jul7J
GNG5Wuqsi4zLO8k1QQNYZFXFjhACOs8wCHuV3Rg0AXYAIyxKlIrEik650bKn
kClA2T0mOKYDhRnOHAvNYar0AprMSs059UjMawTcgk95GjjNYOm53b35DOYS
fxG4Qua+a1gIi2c0BUsEwnFIDy9hQybGNMG3OlfFBIFNxw44jOaLHcpTW7RO
rXDWTs+MjZ5J07Bg4/bpA4NczwOKaADuph7wlaGhL+75DZhLC5hyIiMn6zuP
2dpnGdtX9tDoiMeKrifj2xsrnL8imoRJCsgXDKnjlcO5fj9mZQhfTAReJHMS
c/kaYsKhlqXJ1XOynG9xZuQECYbeXS/bhr9HgIrvsDDArGEyyfQcpsqDCJQk
V41QoBvoZrUuhy2agoUortGO3sI68lyLuAxpYhWVpf0omoLONPQUGI3bzJUB
ftIrjxbCNVOcDwwWbph9Gwg95R0M+ISMrNLeljmKVVarYVpCEb9ls0vONWY0
JDgJ7IXYslnj8eQyQ8TSsiLc115JWg4anRJN7IVt/9JkqmTpTKg3bQzG6WvW
TbzNModJU85KEJ2+0QcsWbM4Q3rP7doaaYH8+B4rph15hJB1rvKl8XExFNit
gQyXCXZgtjgta1NzRaxuaUuCglg0QCMRURMzPcqzKYOrHIL0yaxQDQo1u5ew
4Ym1ifU9BfadZqpZCYH3NsEL4JswhXFs/2kcmg5qiB+fnr178iKmf9bWm5Oi
PPuyVh6JMeIZYJ1UcKVVaQ4DgfTVWEYdp5KkCIuAE71+BIGxAEoUtUJwgzYc
a+JZ1KyQsxpAY+nKOIuITNCTf2kTxHoK1OtpBdpp8e47VmCIhbbBby8rnJCa
jbU9MmtjgYmpst5oHy4S4q6CH2BT8BDDtLRO/JzXHt4FVonEkioshD8pHAay
M60QrQJQlZtVPqfxglapKvRs8K05iRCpgEYipAs7JrEQb15x+Hj/DenEYXws
PXT15qJ+gmAO/1XNpuuWLqtakSio3Q2aEaQtlA56vWyrVFkqAeQA1+DF0E3x
UQT0mFYUzO1WzmqUtosRwS5zpvZY/PXlaCjhi49xXIjlozWzvPtBU77hJYv1
XiHUD1yblA/w8YeLD3QO3mcRf6RQrniWCaU0ezda3+MP7+noGJjjk1dXmrAb
C82Yhb9UUFtmrMrZ2nZEMwcUyhWCWaNwJsAmGygSyMFqtAToK0JW2mXjlfbP
g2yEWlnXy+WaNUFEhbzJbG8M8WJZisGe/qKlK7kIszghWW5Llbolfh7sRqMi
Js5VIi77CTAmgS8DB6XlOx0eFsu9hQKycFzeMRRUuM8LkVDuMo6tZesAcKjk
q9HaR2MuyYKTtWbRTLWethVTUaxNu1pnE01SQyxYLSOMlioQP+bZRjVd8HQ5
w/xgMgTE91iEY8cPL5+DIgghtC1h4hw9zvBhqFapyy3wmsF9Rmufc6LWVHRg
6PPZrdL2qS+kPXxVwsGZ4HD/K4gabd2UMI/A5tDTEpj50ewKlZhRL6y2C2cO
YsLiJ61yq2coFDu73DmR+0W8aNm4WLP1rhITPc4bcQn2eyyQad3H7L0n5Nz4
R4xCz7uw1NnciQAt7b0CuStmOfT7FCLqlHHcklfchVut85FDGEB9bxJ2tNbD
wSj4qPcQu13BUoFXC5Hb9ElDZvDNEhAwcGEef6yl/ML7wGaw2WRA+mUGH3Ox
ghDVQMEQ2oArBFmupW1TX3oagvf4ER0atGIbNWI+JqI/G9FYdIRw5/iZCT9j
HaEtJETBcmNO1BXc5OKD1cqDhGkp4q21cQxYHXROs5628MJuSQIFzjt11qWK
i28qEaZQGqwQuU22tChNUBlmPV0b1U3p6O1xqUV2ayABvfBdGTDyseTFQLhB
lIPhvXEaKYlYUBuxSPEW+udserg38xYgf2PTmHV2Su6jh6t3k3HslSEQxv5i
zN0STcYk54oLRaKLjdKkx7f5a9F5IxMYG4kRXZom5hNicBF/jibOiBxhOCMw
J+JMDJjtlLA46QbnAB/CIX3TiHSoFZs4/FgaISBalYGdmi1PoM4Cijrw4fF7
ADoKrPQgyCQw8MgO9dJYyVcM0Ow1ibfsDvworhPdpZ7DyOyvCIyB2p+2fJG8
CNTcglNY6Zgz0Ccx9BVEN2+hhk21kQJSqg7fMKb12Ffye6i9LeKZlZ0RDqXY
0GHIqhAuHWZKrPCJqA40YhuIg5ZwxXJtB+O7UF+Iildj3KuA5xQUTc4eyI+a
4GphWKvds69GaLiYQFIIlYaEC/EC0yXFl8ACjZp8hYwop31ftAeP0BFQHjdM
NBiEukbWmFSVCq7XlbZUbVQOYfGJHM/bZO9ha2FdW+bAGM2RwlYrVhkbKQSX
IBabIJMgoMViq5i62ZrlolEiE0Ckw6qMraYQhpMEUX41ERn8p92J0b3YclgW
HIaL+/bitABDJqrDRmno+A6GD60jake6+LBZwtGGXqNJGI3RmV1DatGL6I64
RawGGh1UViNEJRQA6co2HTkBUMTO2w0O4J5oT7Cf8arNdYvHxNi0rqIamQzO
LykeYc1HC2YN+ms9CRL1QvpsjHMEf682VQkFFuM8HSOsJsb4UUt84bdviGXv
0zH++ituL7ID9fLXX58MUOI41qE8PYh07RjyJ1sTOCJjwa4lDi8kEXiJ/oBJ
dBOkuyKv9w5ORiZZ3FdMAIknALHhAAL/VOlTkQZvEBpx4ljXvg5WYfmNhQJS
Kp0vGz4VX8C85EP+9gPdh7ioNrpGrn3DMLZpItNckJwXL85wbiMUtfBBuqS2
63bClrQ3WFDIAwvtMQuix8+TdB65z5vYSA64z7gDk7kOuzKNmLUyqxgrkuay
UityU5RQUZUXIR5FP/zwg0QmfdA2Fh3jteaBstBBZ1r4wUwunC8hVZr1A8J5
aBG+OXfqotg64YJeZPQjyDuPTBRSWfiivQTOuli1yBiF9Coe4wucSLY72OVr
Yfh60rPBbToCVE9Ua08HfECs+dJzK1h+Z5EsH8lZTCV68SN59RFPqxfJ+iGt
Eo0meEpNjhcS+Cr4Slc9Rm5MAz+HF1MdH1uvAq2OTeuOYhPueUEdVpHxvVGP
sYYnWnBqdfgLwvv0z6/Or6Mh/n5iZHHN5ToqrI38wXmYmSSKUIQGS63MMXcm
0KSDYBT9DCZEKHRYNluoicMSD4/k9BC2YxDlhQW39ShJL6YOtg5aAQc40LRo
HtcBHnOpEnUu6qI2KfsmQE2IjWMHrkeYUK30ppxXq1BqojM9tCwkZbuz7kKj
lI5kKRF8Sb1Ca9kkZWDtGQE242h5zR7umHS1k5nusVKnKPLHAVdAIRJVCBW0
neX1CiXat8RhStoWXS33hCY8hoEo5AEGN0QhQBgt4lkYSplhmBBHMXrbLzx8
ubRtizaxwbiRc/V7FJ4d66z8QMvhMG8WtgmmslsRRiYKFnYi3BwfKqqZTge9
nx4NooAbAQfT0onMxPe0moq0poJFt6rVsADmKeZGjnbQflp6MOUAHHOexnkD
00hcjqdtnWpJ0lAAgxFFlJgD7wWKeDO/g/04iLAzZqkG0ocuixjOd5vkLcuH
55bOm1CSF1whxqYpVR27lScZshI/5WQrBe6opWSPbA85RjcoQ8HKS2rCaHqx
daJGJ0kxy+mtmojhSTInlCRJRgemXBSkwfZ0zIlp+NWLrwgFEIneiz9A5U96
0SihyVD+aYzfR2VLsPeGyAT9cT2HkldMRPdB11m1IgHkD6q6oZ1ztXqSSr59
e0fvcllH/uu4WknzkT1EPp3aOEM5bhjBjR4s9NhEdkGcjwxL/vaNy+fqWQfG
K5FumQ3GCZJIysXYWMW6AHuxbiV0OCzQ3I0Ntyqyo/aIDtaVfWMQDCJTmOln
kY6bCANeLoO2kbsIeZ0ZUJuAB6IVEOn8vdLWeTrukyERKJ40IERjizjg5AES
DqPo4zzTtQUeECOIQHEUVaG94VY+iLQQ4cJHeDZDxzhsTmMqIoIYfXuOtHUI
VythjE76qDn/rbAvQJ8ztg02yURucst7Nyg/IQ87Fmfxd2xclDgvztb46u3H
eA5faQPT7rP9hjRhcJqepuY5K5D5KgLX4TkMo/OIL4ffcQgcrQbnkeswel2s
XnEL5Ej+0iSvNs51OSI2b9OgjQBlydj+rGUeG8vMH4CfDZIfx2Z4se9eHFVh
BTfDj0hCeTTii3hkaLBw8LHyQVyEZhb9Ome9Kf3k0R+yhCVJ0qIVy5HCGgnB
9RR6H5vpZwHQAQ3PVaMV8Io+WJje75GxQN0x6OMJCYdQE5esYUzjOpxeTf7d
WUzYCh9pHmkOR6Y0YQ5sP9TxVcYANuGaYsJE6JnIhdmIPZjzA8QlYfn7Zjje
xF0uCm661wOZmREFrxztkVP4pchY6Ws4gPGduoveqi9ZinWRulE3Yj81q9tW
04jk05cfn7CNRvBgjtgjK4p++3ZawW6ScwVfzp20cL22sKnOKtTnQROzlZnr
X7d6broAnA6xwEnrZXbAdmZUbk7CI3rLVngxQ9D38oQL/2hSZAHf78lxs1bP
CVJT9F//2+Mfbu64H8wTRJ1xaIpJfmEJAGqC4UEmzEpPFnmRkyBPqHJQw5a3
kGhJOIAM11lflqHjjumI3mtbpTy+vhw9QUxhXhPt1jG7AC5M6JI0WISYKJ3c
nXC4lpKL98WZElJ5Hdms6Ie++5jtvyuvlwYToSeD+K1oTjpk2fsG0zxlDDhC
KqRHzIVNoIgfj95dPBGa4oV/uWxttJLoxedC6mhD/CeEPO4Pw3+HceCgaga/
dPUWjaiIvNCcI/TRRe/KRkeLwPm2O9iPOSFSovvMOcBzUBY6NgBVN/SN/XD/
1r79QHrirwjdNARbXBWFMU8IgaQPM/mvVKRph/aty7ogasaLNm8yiNyPbrOq
abWXip55BERP4lmG6kImpEBbU3qWMGleyeoH1CVmySy4rDT3jqSCAZpe5SXR
VdIXZkrbQnw9lvACNmKTR1swbSsJhUpx0Xg8GleiMwK9WJ0lTDEVOvjxiXvX
8cQZKqN7zxXvOWDkBOOnO085hYY53satQF0u3DWwm/z0Stf6oRnp3Y9i/eQC
Y3TJIgJsm8xNxWFsBDMR29knokxwTrzkd9qoL2jqEo7NNlJm6FqsytjzqOfE
rmCHM3lMFYcuaxOUaBs2KvA2Ey91aYRGuKpHcIRy/xsi0yJJG3lKoEER+Xic
1NYkglsw8kFX8nrSs5J3mJkd2N+xFYKNx77+6k/7JGKUouPO6iCJvOdm7Dk7
MUfZEM2ZELDA8hz5aGPDHgLdjI52no0z3x0oUbzROJkMpmVp0xo1ltkEQ5EI
ZmUZPibX94RkcK9xTpgTRryt5KPQCbw6HMJ6gjVuAWA/6ionkkzMcQqituKa
vn276J8NiFhP+6hZRWSj72Dh11+jzu8oeik2X45sZ/OBzvuq53DwS9QEPmdS
y5FG7zQO5RNVAxbsQqcfXQcfezO0gFNS+HQwosn4cpon0cOzsJEFywocSIE0
4GW55JAsRO45b2qoAgQant+Yg49860s2TigKwvZ1ElZnUcu24QIEUzanNiFl
k7sKu0axq97oN0SIX2jh2sSYsqhiUXol4rnYpwxmYkLJFNLJg5yv1xYm+0HW
0HNyaRT+Av8ww/pcMsVMUp+9Qt/FK6vTuV/uEaFbDKnGN8yKHTtHu4dkE8Ai
CX1kc30tBm135dq9lwUtnzyrEivlLlZfi42AmVtVGRcAyxUGl0EV5FRdKQiR
EfUK2finzxLR074np8Tx6FAPkudb5WcM1qGe5SUyImrKyJcs4BlINYuCTBXV
TE89R+pEf8iPOzK+rkB+hQvKpFxENqTIK99Ra2HO4KnArQtGmbYcz1ouDemL
PLoRKreS78fsCtURmPfUSksAIVg/Niny/LDNZF3FuodKzDqDDvoYjS6Z1GA+
CIQ9ne0s5wbtiC26kR/HrQ2RENWYVj3hPDcTqKv90E6BsKlFXtZk5GVNPj67
Ir7ftclp6zFus210/G6+EnO8H7OnY2yWUhwiCChkEy8jkAhFXFJNosLok25d
xI1xfJXEbUguqbLMWqskgajgR49UHAAmtzBAW0X2RsUGnFyhjcLhks7P1kIU
vPmgul6oIPDIMVGdZcPbQWUGErr6gi8GeZCmqKFbhnxGRzoegtMaDhA3BMjk
JnJm4hrb6LkgDufQRoAcW6ensnOJpncBnqzq2rAJF6Pswkp8amYDvbZov44R
syHUOtc46EfL7tPMhg+VIPubqJWzvX37FnYsZJub1+yPeXEgDjgh20USuCZl
Pen3bYyt3AG6F4WWVLadyr/pZW2CNZP+cnzOMQeEz3d0FPWSYYn24KucXkme
b9/ev393wRXceO3mryOxxh73R2/0n+DphI1fVXGZjN0Lr9AhpnCv+HyffkW4
cOVm4GqrNlkeRMbRbm0rZ5QyFpY7hGuzYaYcs5rA1kOxN+O/3rIQg2p09LFO
NUVr8PwhVArjx+da3VKib300ygaHD5KwewOZXVdscaoIXhXtE0HKEknoZNeM
5UxLbdHQ3LJ8CHfzFB3d2QpvNEee2S3NJwfR4/PT18j1ki5CNDP9Lcxo414c
qYahyAuoihyb6eyP1QlmqIycslhrKGTqHux6EP0Ce2vT0taVX+uBUy+5Wl6g
rDLJNRrLecBPImMEl1BMF7zNnlN2Y6INNVEtBez0CJeNndNBHpFJCxhz0Sl9
U1yaKJNK7UarWqmGMYKdUtrkoROB2MzGcsqKTnzzhcR8IcZxzYFJviAfmwpL
0g8gEomrQVwhbtufSecxNfcsjNPcHaO+NluydBOf3ggHcGc6mk+keZ7NbGkr
PMdpaCZCRkdveo7qooxzUlLwBt9o5BlPrQ3AuqpFw+tcVd9li5tU9UhS1f2P
sQHfWOH6roBBKcY9wq2Z8nwekQAQn2i+us+4ubej/VYEErOk8A4MZNEEx9rD
k4kNRfjmOg2AUnNPa8lCLMq0ZRe/g3CWWaNN1mV+xzQP4A8EcbRgK7p4F2lf
kazWYJNjN96neraioCn2U6g7XY6PKztHd6rybHkBfnE5CEZPWYq/A0Mg34uN
rM/K5Q9GDIsiU9NKGXOhJcO8itoXIfHWuuwY2UsTxC69L7FxB7WgOG3TJFA6
p44lZJEHtuhZc6NDcs+ZdPmECIk6taTvmQjUgCJF/ipt6qiIlyVJXll9swbG
a8ho121ruhn4WiOAwaFIqwSfurEQ6T5nF/Q98+gqVmPluYzYGeJ7BLH6LbjC
oVVJzenu227ZVWPSTNeVQfmOJXYQqmsFtR4aL70mis6cBR+kkzBqUs8Rc5ZM
TTTZOkn1zIhstNR2xMgy747tUAOjNyI+Lq9wmdUIPYMoR9yuNKEyoYmIo9dN
YER8pRMsjMlNH2BkbF5Q/HT04RrPc/qNGF6JOZiwWy0yWJId+Svnp8ee/h7q
eacWQsemGaNvdfUmsuoLdJkt2hOH/XRUqMgqS7b2ghPmRdsjWnNs0y51+ZDg
21kdsbglMYMagrHt1xYA/Lk7AhlSawzf1RwGD5H+daMlAgOsmr9tYSH30TtU
rdf5AD9nZYTwIlTiQHCErQ7hn2XoRnU6j4c4kIhdsXrnob+w4SyYdi1nkG1e
xvtEVPottBlfnbCaltGUXAqMWwftaFGr/JbzSatIP8Ib5ewV4lDJQjEEakFJ
hzqa4gv+cpA0bNJpuNU9Ih44xtKcf6PtjvROqrU1E6XILJkYPmwLYBwVJ9aW
wZve15isrHKFql4oS6KdeizHuZqOldIUWqpIWmRDbQnEJXEZLp3O4U8Ou3Ox
slkgDPv6bOq4bSSFQ5JYqiCEhmvrcHyhLsyJMKRM592higiLNKUUyMhXXsYB
TT+js+aQcR3YSUjF4rmOfmNV2IeJjZfARW5rUSeNp7EbD2g9zOYqcFeS+lJo
K5XNohl47U5rdjb5QGLf4gM2blJdG+c410nSt8piuz5sG86r7eogHqlO4+U0
pHZplS5aDfJbMOmAw1KDtCU5qu8/IxyAf0aoOCPeACN7ytGwMs0sRyAValWn
uk2tM28k+No7Sx1rPw4QshfkWofVjOtYqzQ+EDrc7NaQOXbm6OjvBg4h9Myz
AtgX8RuNDtJMOIupnxNUaDLJwyMlbJPIWMF9bqV0m2M9J6vvWZkXJRN5J+nl
9a2RsUCXAGeasV1e3UWB/GiqlkhmuVcGKllyo2ErHjgLb9ZEnKfJ10LESVQR
XqTkimdLnfTo8+8wWNGFbdil0TFw9HwyRhEOn7AFdjJj94Bzg1P5EeLh0xEb
TrR+UAiQ069soGu1GBZnLXvaNfHacKteWSOSn9b5B5DWHosuqMFRlps4jfrC
LraI2037JDgp/CoMNpfKtwW44NR8KkNsFob8bcPxI1HOHoQwCMXQhEXHNnn7
RvMPF+4VIeEYJK66Lk3ZYZ8/NgUJTUivlNXRoCaKlpq48ngMBGunLJ5UUji4
ckCP9Y5IYonsKEzTYmmWTF6ELsNE33J5NF3Vm/50XUAjCcfW7NvU+FwaE5LQ
U8lYKqtVYDrlwyZAfi41p89PddTlk+8QlCa6Da7bdsftFo1XG+ADIoDN1yR1
aGY5J3NGZC0aN1ToqyOhSRXTxgQ5crgg2wEV5mCSScrKXDkLLDev1bFGqNs+
Jx2U6Hvl4iRPTk7dHyRwTXJQWRszel1GXgCUqE6Vuk1yE3crGuRqqTzeuxa2
dqciri3RXXFYjH205Sc/BKve8g0hHN2TZvwU8d1WMoHzDFXaYXqC1yms4o04
AL9Mh60wItYrGzwnZiyrV+TJnclRZULDMq72dmgLG8fJ+BuETcDGdev6UXZ3
rtxeJOX+AN0SZGVK8okNUzQaf16z/YE2B9GWLMs2Ob+b32DS9chsOctXj+zH
Iv0GZB+/yCSrgzKnxIypJVdxsfVSOncSPb44vXpCW8H1ckCcB6HiBIR6yoEX
TbeiZcKRP/7uWdTdvJmO0peDC0WI9NLIlJlIXV1GANYjwWzg0Z/nLRa1y1jU
RRu5ql8KjqF4Q9c3gUXL+PGXhILiQfZxM2LYt9zAcWBUCk+YG4JJ6wJKUr9j
ZbyT9K+MQ4a0bPRCN6DhM3+boaphOdVFGRLU+5s4QxDrrRyduruz09vZ2YmJ
ujNN1ifwy+DNwFaSQfg3AqXGLd+Oow7RJuoQn7fw0NGF02EIGgQp8r+MZMjo
19GinARJhuHVuRgMp0WCmYpkaYs89iLmg4ukupECyn7xRi7sME20IKRZFW7U
UnbEYDAv1MmtbIxtG9Lre531bCE12kvt0oelgMrKCdJsAdbiIxuAtSOVFUT2
QiXFTWS2a3SLJNb5I6ZmVJgUKxSIr5NYYZMHJlhN5fyUZn8tL9W4apHYAs7Q
cyDzY623HMmWe/EJe0nhfkrSlDWxwNZnWoBaIa5tdG0Cbc4NWZCN3jqRGJum
RfMmL7DEdnQgRdzGGYmCpQuEKh2wfU6aT1bP/URLphUuWABWTu9INPnlPiFE
PcfaN2vm1FetZT/thBxn7FLGan+s7eJ0zJ4OfqhcmI4HsDr8F4JVW9id6Aee
xGymZktbMIGxl/OCCJFukHDszlRmBcA65cRE82wS9ySZQBcqDmvLivQFIiV1
EHRon0gcUhZztOT4Gt1qh13ploUVUyLZTeTXlDslzMul5JgWLVMcz63rEcG2
KqgXte7yAqdc3S5sMEAStwU3fYE/qQHBuSwXSW39pOd9CbdlT16klUdrouLj
9NW2ia8+8lmguuSSM1DRiaeEvY5LQU88nahcZoXhCH4TDqweCyGAI9h9Q/+I
mM5IWec/ZEjCdh5drRHSLxKkzXQGJi2YFNdSTidLOBnw0+PN9a+fBKmCmZhm
brKC0VHHfSQkoqxqjsVfIXbUpQe7SoZESMZatBcGBUND1I0EkfIBuZK7D6J4
NyYRRHxUHFC3IjTCeXxM0FoFxZr5PH4pOI6CLaEuAJ4QTaJFUAh5MUYIgkkT
l4I7rDol3MeiCdPLo0eg9I/i2vQsSCA+EfJrkyvctjqfw/aU4lhhLgIhpfZs
o6vNhH3Ai9NQ5fmqZBOb8ktN6pShcplYixFPwlqip+rZO5tITUi0KE5SBCag
XHRtAlNMSUoCc52BncF7XuuQFb/mo9V+r11MFZKqoUGAiehSZX5ll8e/L0dP
TDMbvovISrQMTfxV5rRc1Aa81aWBSOkkuxcJR0EuQqSNQah9NaH1mBrTOjfI
JY3UdJ2mzILm6onOLolqkohgt0R15THni+Xc4E9uU6+O5TlaYN6ikp00OOGS
/3VUtdxHDqJn1XJEgO5ST/810sW4H1+c0f696LSOCz6w4QAYIKPb7iwihTuT
/1q+rkUPo3cImRIWFNPZ66MndLki5BR5UuReHVKtO511iguYIGxBEsEhU1+c
fX8MfMJduONMEDngqoFcWpSMuyiJHA4QDkkQj0xMijPQABaslw5vBIDuR4yb
IrKRBGqFU/AWDLA3D+U8wDESBcHYumobGwZQpp3nFNtS8C3/Mxr1GKdMvIcg
uCkILnW7Gd3UF84a0CftG55Mu65oJOYZDi3mcvFSi90zv/F6wvipDWUio/d8
FaDqdbdGrJbnaEhVleg64gUy7hZw+I2nbkq1TkxKUOBMFJu8jqUU2VlizpjS
iZ6oS+8NpH2UidCE0YyN9pgP5XJVtaT5G5YXOedLN+Hzenp0MAS9wdiYuPqx
XisD1IPx564GwoflmHpOk0vMIdQ2mDDyyqHZzFU+TqxTh2fS2rMlTDZtxlVE
uV6e0q3Vlto2rRq6Wz/8XzytYUKDd3qIN0mk0qGkanVuxNC9b99et3VyY7qX
QPuol5kt3WPQ0+KhF2Kr6z5uLAwQaSanQ2iYdnAJFBNQe/1QmpoYbI187JdQ
korgxpsOa0lPIkjYP/qA1RrozAlcWODZu5HgFQI9Yb5jOvZhdC3cbZzwI5FR
92rJfDVpID0p4ex73NdS6DBCEl5TIhZv56mkTxdlsVqUrZcAvDHlnMlXzily
mfJTy2M/tdy4soVv4QiCZplBVKaUdIv1inQqH6kXsmbzd2QXKNztDZpXJzf2
cdyV5MFrByyS/9Z2Hn3PzjtzS2gPYE5mjqYGNkwEEq6v09pugs4SuWT5IXJH
6vWJyI48JzQKwM3oTxnzAOcYXUt8GF99mqPDqehSJsWewz3Pm3lGYniiC4Q1
bF3lVpF8JVx9RIOeGDVYHBlP6z3XY4ZE0CyfKJs0bxP2IfhGbJnxNFqdQWWs
1jR5z68OEp+dlaOQ/MMrwDVrTHXohHsyYwF9FkQzbRzQDddYJKYzmk6dueQC
2e11yUUPw6TJ0DHG5u4SmFch3lr4iW2iY+CNhXDTD0rSiyEH6IOyFemMHmgq
rLK6P+POjx6V0gfiS7Um6hgOBFLEYFXS4qm2sEvCy2vU4BQbnun20MmT/PaD
LcSxVpdIlKTRXAqZXsn8Fy6ifVORgXV9yhbyIKYqspopwV/rmdc7DOn4jN6D
NQwCmmx6DfQ4MUTXcZK+bLb0FMzh0VphFRRg6NScsS3rdIunrEDSGs+xzFCM
JOqIBZLGBcQYK13dJGE7ileESLtm6fZwR8Q/2D8C0fxFUPOUK7Uwq9+kOdJq
z8KHEY1tHkbMXdmOhe9wF9lEoJb1sEnJ/kRdnDZxgSk6Vn9T7TVknpqOTiw9
QKyAwUu6jGr5InIxLkGdcnpTy+g6tdxUWQzqxciTJuvTvOGfiXiikMXTcBsV
CWQudE4z92nTZZltmYNiqoOzdP5AMAUkfZo5t3aCKy5GY+VsriiEvektW9HO
9/tw+xnINlnQz6onGr4AnyaCYV0qLZRoJSyAvN49iOE3XfBL1vuHbqUusHO0
/Du7crVpBsGfLtLdpbp5Me3WJfzFZg37UfphbPuuc7THoqVtLt7EdkGdoCQx
MgizrKUvLpfC0yGWulwlu27Yh1hIdbWN9RckDE5MtH51CtuhIagoaX/GLse6
PlOs6zMxQsJD1XDdTLVus/BaNfn1noQ7XV0M4hMPVdjncsXptn9pM3bPyRok
1EYSYu2d8cdFnpZ1xI9dzcDh/p5+gBsHX90eRK6BGqvi8XB373n4zFPXZO2J
Z6GVs49McxI2fAiJJLqVmjKb6ABf6nMwtizd8o7UzZrr71+RUi2lBQax3/jN
tCH2IkHTqoVn78LUKkNVaU4IC7RiraKzd0WZiAg22dtUPBZ31iIKAAe2fyIX
ro9d+rkVBelvwj7iCTrKRfbB9NzvSDeIQ2WAT0r3IOjuE2lVBAWIOrTpY35y
NFM+JK1LzEZVfllpz3enjWlk4jV9ygcx29ZqDb26XTYWBRlq3VW6FiXahsDd
llx3eq6+e3FllPMIBASXocsFgED2/Qlnpskm8xddf8/sm9OZbGNEc1dE2nS+
NuqBOjLZcRg4KT5MDmVg0f1OdGAYM8Qg1oU5QlDaZlbqRAD54POdXlT7hTkt
uBnnB0caGYu6p0kxkkkpc8TAWHmvLnPT8JwmlQxxju7B4qSOQ2cNBwf70gss
Mkord2D+SyvBh2FOCapro98Rs3DdlNXZWJCwVhD6omKLX7fYva+ZW8DOsELP
nc5cs6fzBi1f0UHwYTssOJaX3HRB5BHXxiJ6vmPrs7laoZp8ionOwuCdNauF
fbQlPlqwYKsZb60wqI1jRb8cp4jA3wiaL1cgBVDd8TNBH69MpK6sULwxBGbo
/cLMwVQp4QKKUlqu7+UdSjQmJt07jB+P3l5fSZUZBPWKcmPbJTMsmfIKzGws
ueIIALS8ENEoq29gk0HadA6KrF2Mk9JmrDJtNQUD6rWJbR1j6ShpTLAuflFP
LSU4tEPEFvtbk+JBJbgVnOnGzgQZ6k3tJA+dXeQoShP0yNPVHyK/poupXhua
3EnCDe4XqqiuqsBs2FTLTbwKcyMP4JzUpUNl2QRfm1qk1j3T00UMgsgxKGhi
8LbVaboTIgCAw+e17XutLNyxKS/oxL8w+shmgPO9p+UM3jOmxyC6tgm3Ty4g
A/BGnbeZqNhyzkeWCHXSXidbX4g+Vosrzasey26qVY52oKAfzvFhCrf2XIJ6
2PNJpx8x6tplSc6YSN2kcn5W+eI2u3EmoBHNf5sVyhl8LqzhhgVaHeEa1CMX
a40uKcZSr8HpBYo82jILLAiI4Uxa1GlGHDaAC8qCMfxYEA3dDJsWwV5636Um
slEEHJ+o2zIXaZn7mbH5ktBCayzCP/zSI+vzo4ueynE5NRd/BXm30VvedCaF
zDw+Yav6BsFjC8h5qRwMw36CDWTZKLGvj3VGrh6pwR2lxtOF7dKsHwuCXm2n
e3h0FVNw7iXAV2MoECmKwRm4TsQrL5FFysk0qsN6XHWdzZMM0DwPK2KRz5YO
0t05fLW7ULNSvpB4RkzeThFIBiWC6WuRX2GEr13AAT6C1Cm7tQ3Xa0K9bN2x
zqGC08zYFCw36Axp15xV8JEB2cXH+ArW1ZabFjHB5AfoMN+IQZStxskq0Eb9
xnw9Wyah6SS+SUdNiIFbvmpVZ8YpQWojzjsD2SYkZyS+LsW90O0ZGChumt7q
V/5QXrCGOxpd9gJ524t0Tmo0kTV3hrhYPb9LVbOlArwCG6L72LY3QfZdZPwC
ngzDQovRay11Gbh2Y2zQ4jA5r4rDmMScTbUf4MRBDXnx1E5sKonJPPUJu+Nl
XkilX8fCvZ6x+ZhIGRrviINk4Bi6C9zgHW0jI5nL0pPC2NGPVq780atHkCak
R7IGbxTY8Uog03Y/MlpvD8En/VvFJdG60oMgjQdDHG/RFpZrTjxq7iX36VjA
2iOIXhE9nS2pXNU1c9dRmP2r23UZoT836QrumzpNs16wG6dCyhG6tCj0TPFS
waVwc2ibML07bMr2j/o7P8bepkA9tTjh23msYQBCwbaY6G3I6qpWe7FxtNlI
FDHU3mhT270aRhVYstkFUOi637ZJnYOU2pTdkJ2zzm5VwC0ApXFZdxYyZLEn
JTGwQxZBNkbPbdlcZI1Zxk7G8mPHY8Aqd9OgutHotW+g1c0EorZoa1alQtfN
zjNdtormFdLendiS7wimj1W9RsW33goWrruAmNUj+s4sjmCFxFQBHb/BKxYl
BU5EfTstF6lGz8ZGw0ajhoO0edYPo2vt9GOPvvtPjvzSfkBnf9TUR8pBPhH+
TPupWtJJT7KGtsqW7mtdan9tvzYLni/ClXcsnEraxVLT195RDPaKoWH2Rgrx
+OwdCcYcf4A7YJyIvbIOoqkKjbSGBa48bbMwESLEPAHsz95oh6REspc9U2Ga
HUZib7YOse0imIv8JcmB+wbsd1yoWwqGILkhmyD8wWt6++2HSo86CZY7JYj2
bBqJIsoImMgNl4p1bzKTMDNTkJWYREtEAWa3Uie9E3R2p9VnSYK2OvgkqwEY
MFjSS2Ou+BV1RCy/vTHClGqvIoDz5IXlBlj10NHXkaSUmwoI7o5ghXZn1YnC
5fw5Jric4MGKjxgiwxLRhlvboqO2bbVpuucaz9i+41+QUpRqM1wU9MNGVbpG
ctzWF8ZxHMySuZaTyQ+TLjnB+QjoyGmHE+jii/BYVtlsBu+hX+KP0SbSmYmm
DFdgKuLcJ+nst3oR7/WbFtzmsU4xh0lQp2ZfXD3pRfv3/f5v2PUTFuUO1p77
NzHB6Er45uFB/FJKhK3l70tZRPaS8ExrPjd7UhAHkNtkEs81FKpJBzi4fsRG
6HAGjW60dkDd8agAjTRj4woBQSgmdx3g0tihuA6fu44y2w4LYh/moHPXGdoa
LlwhEvZeSCBtJ/vfYZ1rxaeDw2yFl0hCthAw4LQi/TNyDGyPaWNu2iJedHQb
Axgb97bByicyKVsLvSehPkjsqq7EGaa/o09qJTkh7M/T9tNo00dtswijhol7
X1KlOcDxC+7CrBvf00C7dTpZcxjMLvYnW/5Dd9d2feOSJlqvsMB+Vc1iTY1Q
DVl0/gxzoYvpvqV5Sd/CZDl2Jfma3MwhXK4hQXRtCduFT9i+/QCK1/eJ3a/R
Txv+t6HJ0XpfIxNDgFCjzmcmRd1foMEDrfjXiMu8a2oVFH32qqP7tStir3aF
kEUiAToiU2OBBCexdZ47rmrJ34YzaeQhnESUE8l4L99dePl2F6fH7971R6Nj
k5vin7CrDTR3VRV6dC/LnHFRejMWsUL4rAlQ0w3DuAiI/xD0hQpd0IwzbxC7
is6NPRZY+IMINnEaiwULB6xzhxCUSX/2WY0RwOTyws8Pnh9oydX+jDg8/vHZ
80OUTjNFNaKF5DupTqtZdnC6TwV97OumHRuLCyAUdrFKyK3ZMSeHmvdX6wdg
Ix1MZ2EpMKlLppRFf5k086C7bA+kVYZTqHMImazLwhoy5DrGKy7CwWU0mfPQ
sh5hHQYAH0kLINPlWYoOOnsZweGmjxtnib8DL4aBhSqdVdNJm/JPwSsjRDv1
/H6aipgcFOMp6ElXaGMan5RirXh8J219ILsmd9J+hAVckQURitgXN66pN2U2
T+z3Pa6wrFW0/jGuIMHLNeEakHgAfcItdE4ACeCSQEISxQq5tSZ5wAte2BjB
xFUxuQkLiXaZ5vjKxZN41WVJniTlyCtjwpKPJB4P4nPTz1OYuVJxp8J/Vpja
CeieDqq64tqiHDno9ieJk2xiYJ7m36jNJcL0xgXEnQKfsOXRVVBzV8pg14sE
kY10UpR2F96L5pWeiM4z5fVRMm8akOp4wFx/RIh5CSpnIlNjks28+iCRQByX
7tV7i9f2RpCxe7Q32BnsDfasGxJ7iB7d3d0NXAaVqb35KHZVcNihyc+tP/XY
6V06MR0mBfrcHdqPExxyFRRuVBXp3Xvre7R79HxwuDvY3dkZ7DyymVB8OC+i
KKb//Qtv99/q/7eyq+tu28iS7/0reJSHSGdJJZlMJjPjl5Wt2PGM5WgtJZnZ
N5AEKUQQwCEIKYzO7m/frrof3QCp7O6TLYoCGo3uvl91q+5Qmfi3po0mJnrk
k39Pj3MxOf4I/PNXr/JgEINboofuFV6WsdkvEr0Vjpvl/+/GR2+bP1cIWIij
k8zVcf2oE7dopcWqIiN5G5Vv/fTuEuuU757OTGPcFyoCT5wGNwPppF2ohnO9
6Cm86Gc7/jYzZ0zT/KuvFvcCnBSrMLxydtVwQK3PbIAztOTv/vn5e+Db98i+
/Bnuy5vRDFH4MsZzzsaVeBJUnzG7M2NdPMEYhBaKXYyGNyIeLMJvCtDqORyr
BWd/hpuL+usr426QDaoYHJ1wqREJCsgnEngYLiLvlsbE6+xI9tvDOh1OOWCB
AMlQYjBeFEIZYxQL1Spwoyc8n7dWdankuJweG+OJTG25PAnS4TN+M6dxcX38
x+UPVxfvP4qXczawd/liCL4Y+o1kkCa+hLJFMGWvjJRRfPv70SuZHp2v04HY
OXV20px2rTJyZEOOkWZSGlT5Zq7qBjsBm0ERglQRjDPNVQUpw/MwYg2Cc10V
gywKtmex1dAtMZsOKlehbGZcElP7jjxpouSCN1pyW0lUg8uMysoDL5nUcIXa
8ictlixAbxXnnQ+qTSH0dOgInSi+I/gBoVLBWU1LLKH5yM5xPpvpUSG9IdRb
DtmpkF6pw9UyqgF1yb3/H1eTLm1pNeYKeTIJ3ZeODK1K61UCQprt7reHcl+6
rsFBwN1lCn94tIE/6zLrOUObUO2g/7UrjbENp4YWCqEnjVnFxVwumfvBeKFR
ITLvpzWCsrwMiW91OkUXUqO5Nuzy5ILQ9XgCiF/+pz/8UehEtiXM5Oj9nLmB
TiaAOyWVg4m2sxKEF9/k0NHtlm1tvTrfZBcS9LDZG6aA6vWL4RfPLFmznxA0
k3VJ40T8JZ5S3VIY1oSjBpPoDcxK/Bof5CfVhblWbeSPOounP11/PAvuPkIy
KXPeNSsztAjcHuLjyaEkXwy5py5nOag59eDXGMXMQ5FrKyiQVNJEQh57AFFW
8rC8PVhWPjBtr1L7DV34kHMzJdktqcI1OU8h4485sMfm4yXbaEwmPOXV3HFC
RhJeugOrnRW0+EXoiWZ6ADxjc9iU7jvk50uZQcUf5nLHt5K2HUCJUxGjsC4q
aQvOCVzEW9fFEgbLgR3+a8ZYns/bKsOQCpYlYwkcJxynmewRjMH2Hzb45kFT
ybZ1M+B0MjpiusUXgP0vKtVoLZWcYFC5Hnak7IzLQDiTEtxxMsC07oYTNZVK
08GpVARF+E1TFlKjWVpCynkQGJtsUPD9Dzq2A1JLQXZmuRTT/oo3v/nuDSMW
MTtWmwmSVMAvH4u6WsoCT99TFIPlYCW/y/zGgZt42mg/Me0UDkNSX9G7akli
h0hF1J8UjhxkGA/a6K4D4RQoXlnvaFoPKx9uSMM9yxMpeYab8k+62R9KzoUk
kThm4oiDBJFbHgN6f0kxy+XQR9F8vrPJgbXfipL9VCAHkswLKvjm5lXG/cUR
u2lX6gixiD5l23d8f4nzlEwV3imf02ALoEfVUMIgmlU1wKIzqCUyvwLpd3TZ
N1+D9RO5rq++/IuXuhIH/eBtpCQU7qP6RC9nnM4UP+0DsmTWgDZRxhfaDFeW
4UBH+L7WyVhN1SHPaIU8o5XIw9MM7LxlmXG8ckNkgsMvJLvHO1Ub/wVZN+wF
mOJodalMKx8MaY8QLQoBf1LIlo4yWG2Vo00SNwfnBDlCCM4lidUMKR5Lhq6A
Tu6kozaxgd4+sW2fG+mfbX/bz0vJJhU1oa9PcVskBYN4ESD2BqfgCL8jVCSl
KaTrG3WyZ8XDKNOB3j3E0VY1nw/kI+9voms+UM1uBs1GYrxEaAZndGKwBARa
3FeQQj1Uv5RP3X3lzZWTH+sYw6suQH43oGdYP7irfin0dCY9c0r/ZBROH5gL
/PrzTia/UZxOGDhARwfwwnJxDyRGRoMVA7uZTyhrtiOmnJPsyCe9CjpVTtC+
2Ez+VjTGI/RHAwvao4r1HD9qwJ4Q47dVzvG8L3nyszafxutgl1qUNA3LuKWi
P/IUPbDzuIQdoiQoXdsPmWuBuXDnzOJsFSaNE8LlL1hqjGOXuSL25BZLzLQH
BFQ8lLFrJkDAgjsQOfxrnX4Fbcxu3r9788PVlYk1m/CT4dUHra6mYuK6JcIi
prgJUaasukXPc8TBYKVJKlx2xq8lviKRC6zF0CNSea3MJYiT+77bFnGHh9Pz
qj5zBYM49npebnfWt8njLW+8MD7eBKWomuCEX0nfilgZ66A50tqXydfcQapZ
uMVceu4jsg5xQoZ0atPJ67JeV338z2XZCNXX26qhknZ4uy241N+VQGczXi5F
Y/t93LB7anULWwXd+zvInTbo9Lxu5WtkOmLW4eapRA3z+flnUoul0sx3Tfkg
QXE0U6g0N8x1rouHOeOBUxtfeN3Xa9DKxe3wWzSjk0+lhC/x5/1mixZvf4Lv
4hpq8E1/gm1Zxn/D932zJsmgPsCHYveI732Ic9oX/BMbO5os+jUct0/xTTaU
H6/bx+Ke0uPxfyW/zkcU23Oj2cY/nX99/oe42f8qbGj2KFZ6Cgef/iU++dk0
Ea+hLI5ckBQKT7G2fD18F19otDOLyUXc2ml1nE1DdBtKtg8vJKkocGJEkacy
DUi9QVKp1gD7TJk4kPGJX/P+l5e+fqTl+FiV0AuF1xmu/7Jcbwvx5IKpfWtb
SG4GM/8oHgl1UvMGqY31E0frFo/bVRs3L2yp7yV2wKd0zLhyODXaIERSTYax
zjE0JL9c75OioMSGQg9YqtKE3DKkO5jeaR4/anKAjB4SbYrsLrfxmomNI80P
kr8ToWkPfFImWzCoalnwlAi7CEKNi8D8iELiwTQAnhbbSX6rZXof1mmLIK9Q
j1ijOUmfSnU9JXhw9Wl6uDYLbcMgTya/K/Y6eWs94oco8EI61ySSlXxYaNo8
kdFJR7cCfYuNN9Bn4gF4bTPGE5zVeVzZ0YVCIjpHxljXr8MYM84kNI1aFQjV
tvDCdI3SUrKU3fZLIvClmTbZhVDUT8ASlhhxY4Sv2iVLeGXZbgaxfqFJAbop
aA/HaiZjumS40Eth78rSDUWj3Xr5dEtRIfM8Tgmmj7FRHBsGfCbtXdvSNNQT
foTCD0fFPswwMkvgLKh4WfJox99HGIQCo/adjOFl0P53kEblUSPIi0tTZ41R
1wiLwZqwAm8H+TXL8mYW1TCa4i1b+cW8+m4o9KjDYt6K2jB2XAT3naz+gMyb
cXqJbjG8DCfVS1SlkqTEgxy7VSbgLQoIsuiEYYy1CsW1axfFrQHg5+Ug05En
Aj1GTWi4kKUYOom8RoJO1kFhGS/wJWipRMGjLkifp2ykF3rc/jB8g95jmCGa
6HFLCTubIQXdYPXlRA05sizakXtJib3oNokacM7E8P4apXS4yU8NE6DjEYIY
27nrpKM8NCUzhLKJB86hGdfEdPdUdQpF53DQep0RMKmT3vVzPugj/zsTp/IV
Lr0eyqdSKAtezBzIFbCkCCUlAnQoCbsYoYGnVsWDvnA8UMlWWLuCLVJJSAOm
u8RxdTg8v9We/TPjFWsPPeLLEZKWWyItjd2BwAJ5uyG93YRajkG+6i5lCHZh
YgPb1vgAgPFmDWIB+oUy4/4uSBCHDi2lP3oJbH+4IIsJF59iLw1E6xniMMz8
MccHyjFpttHDvCe/99Ip88Rx4B6iPdNWDtuYeM4ZWGk8oq1Av148Cq8wUgZP
cQIyFqpwyEJ1yAfR55PrZ2ThLHwV6XJjxI234eCyoxyV9OG7YlX5m01hkvWf
hPFk6jkyFDRTDD9+f3PzfRi3YUoBCOsZ7lT0jAb6msWkn8f5i2ux73Lzlni6
PragRNhPDx57mQShkhiU0JePhKiMoobh2nHHNc0xHmmgNQnPDy9fxW5N28ci
VoWgY938uEYu5BgrxxFM+ZmJ+gDl78Q+1gPw/Bm+Kcia/0p20ZsEpqnxfzrE
IcSpr5pZfNyZ6MBNTq/e316dhQQGOvr8otu2adtVl4wdM0px+cYXQD8iNW6x
hnyedShYTlHpMo3/pQboukGpQ2pRbGzIkOg0RvJy6P7we1iEMRTk8WbooMww
MDuQtBXQFlqx6indZHri3JUDB/zoLFddyHg/jNBhM5pro7KybrjEbaP9F2E4
Szo7hDjp6PN5Ql4FPWcdOwOPzMkr7DOCEfzRIB9032XzxMZXtQA7UasYYPs7
pe+jfNhWvFW4gVzZio967GssocRU0GWdQuOnxxkjDmv+9vyI6spdvzlXt1pu
Yr41PTjkb1g6AZR4l7N2B0l/6C8qlRiF/7zZWaEoRsdbK5rp25EjWmpb7gSF
qut6gBNG90O7zH3ZJOXVAbR83RPwmSvM+YEylYcZdnMO+3xlKpwTNCGEtIrc
Gf3NcL4PJ3i+D+lvhDQF+a7oGUk/C+Q6dBGdh1Oh2Xw/uzyvyt1qBqDHLPGI
ZdSbSk93fjb03C5qA6Q3h6QkSNuhAym1+ZxiHkBnclMuzqbHtxONB5lpXLnF
ewiknyv1hlufJv8kHUOiBn9QXfmd/dsg5TBrV7M5OS7y0y1bZd7vyIjtsa2W
eege4FvM2YkWV/Y9T6yFEKYK14R43pUkubIg1lJ3MrJghtI0LbOBae//PnGB
ZrRR6kYJtbBVYQcnngFnhA1Y94U0ksDEJzZg5faqeChJiRLBA/0oFOhA4dy8
2B2FtjF4KcZUDcZ2eFDdvllEM9/ASitpqJxcsC3ctNKNIWiXAspzs1as0A1O
9NOrH25vzqLJO/oa6XDcqXORRH8I+QU7m6tSZWTDdCSMUcsi7o1YBJqxRMfH
9r2BOdDcth/gIo14l7ecGAXAC+tO7oExnZQNttFJMFDDoDkGg6TiHvMUzXIm
nF8yWKJPsia/ogt1GX15lkw0M5/4fcjOpQTUBp+YKp8KaQCjETHyGiU2B/H6
4APzhFD51Sq76DPzgiibSuXuy2//gjyvmsbSB6ozkfq2o6vh9xTUi53c2HMu
o1pO4kWNigqOOI9v35TxKvHfpdOtdYjrTiT+kdnVHZW+6Jfxxnfv9XolMOZQ
daNy4M4232rARDB5XYM5Hs/3fnwox+n4GMdTLrwOIFzUaSD6+BZrSJekqS8o
HVqQdCbaeePrO3K7v2Y84tSQOUGWeXmSrESw15/1W1kBnD6UiBMCEs6oMxvV
mHqZmwGnu/opaOabSDPfL1qhQrtpRvyhSG3T3WD8G/772y8hl+J8UTIfnVWU
uqw92YkQVVRBt52UbjRd9EU7X/WdkKgks2MHLPqDwW1NPoZ3VV0skUTKW3wQ
3pSPRLZ4TyUd3gGnBephQ4YC5WTYahkygZMG5+8WCg7mHlTbo8cC6FdqwcoO
qV6nZDuVosG38uOHKvtB24JQUECZQb9KAEA4fmKmXkn1rTC36uFnNmBiIzK7
/uNl7mh2L5rVSfHQqrFUrmWx1lmElllBdYiXxV7jYsShxHnssKg1NGZxwzwN
8AiGnALNHc+MewddpKR8sf4zHDxG/uEt0uElf50WnFw5qpaboxXYQSiemntd
4BAu2sREfVTg7MiECYmA1OMNPTC1VFgQ05hn8F4ihbGkuKlQ0agDpRSyTo1J
u33JemuT95ffTr39fKhUoxzNR1/6oKHcc5a7ASyiC1mn+fPzzeKuLRvtx59O
BvS/YHLwfqMfbyZvyyXsGKg6U1q7wzgfKglVtr0gCXVR6BPE/fBT23xo72Jg
2xj4PEuQJJSb56+xv9MjhvSII8TOpt9CIKNz25K5juiqUVUiEPs8anU8E8Xi
ASZu0O+fYYmZTYCORohwnFsmfJJE8P9SqGPmwLCZl5RUMd/m+TOVWPGKnRL7
ldu7YqMGBCSQon7JzZdW4AsOuBK1weNu2hEjFcls2Mx0LwnWbTnI2A55bqLB
Cs4lwEbbTcE2N8XkQNaS+DqEz3c9NwC2qvTAyBMzq+QZDc2Ro6lJAJ+LnmGY
hIeGYbwjEDLRkmNV7/bsyVhuqU9XOx72dbtF5e1dHBaezakiTl+/uz6jQHH1
a5wry9nn0A3HTiok6Hf7j73dTbjFU74qG3h8c3f9upQmgDmxcfQNPZ2/QY6X
BUT9bUL3InWwrNbQNB0IoMaprVvvVprH03hVMU5f1+0cUzhLmNmEIJ9j3tAZ
eWzMXULEu3YQXAaXAwHAIX78G7poeCKBGm+ZamXsmrVbJQFI0jBbthzlem6m
8a0x9roV0uJFdLnqSQ2VlN0+hvVHh8tOiYJV4YI1khndLoMeynyCmkLmWOkT
Pb3FfABTpHJrHLUo8W3ljGAHOyWmk96MDAucOUrak62QY4bm6OZGNqfJFH3Y
lQTgydFbys2mgt9BySCRGGFJTVjCqqfBX5gEEqVhFXShaoIG2lU4cqW+ojtl
VW3jHYKKqJrcJ3uBVMIbFujJCL3+BulEwtv2BUAfftyE42fZTnX35O9UgPdf
PfSZsUHmZV3rfoERirbisp1XpVokMxPpxWvvTkqF8sd/RM+hKtiXjB0XNLGc
XhViYUuGrlZ4yaM2Exe+QqkidPFXbvwkXSdXZhdVWSzE3RMlKBwIF/GcnNxs
eNeuYDo0uOu12ioRR99pUHx0qoTIdKIki3Gw3633GxFU+lDN94U8x1dfUcb0
iXOEeEbe+M1+W9k3/hBn8faufejalMPXHHclAjSlog2iWZFukNSzFdJc8zyV
P8wYgb3hW06atOPjzS/iDNTUFMOusgAc2aHOpdakyvd5l73DJK8Gf1EpZqA+
bcPlaOmjJV6/Uq6ahjv1sSJxuBh6KXGVP3SBhVKEWlIspeFMNQK64TNpzWH3
VcNaHuo1zFFAjgIbqumd7Zx1BHvjjrLTSD16az45sIMsaMKIk5dBX9af+PoQ
ScT3elksC40qrLZwoXBrnAafOOqLJgbUca6IUXr+rFg+8mngLFzBqq/AErne
ioTouMdLOpi5vMfMHVmruKzEaCoTutO44os0HnaFSD9Wxy+/v06WNQNo8mq5
QSS9E2mw1XEzbuBuGGLUdnqry+MXFEexbpPO5oGGgMitMTJEm1WvKzHvouHN
iAxR8gtmiOVMUByIFI21EWff9tvhBfjrx6p80moVa66S79lJ3+sLf5gyZf5y
dUnmL9c9q05OGR7VB+9Km0+zS+FdDC7ECbKoWF+YhGDa6w4Xtllawae4Tyzl
+bCN2FjWuoCgNfOd5M0ny5KWm5hhXHjbLnumMebtuu8OBuchU6ENXnquVLp1
Ru7Xhf2ew+Q7jeGHyD8YXFvYZeJ8xOHWD8RC31xb9cG+s2bFKy6iXYZHOld9
Xmk+3xB+qczUvbKRqhCeTyeeJ59Sjsu8MHtZ2BNK54bfd2lLDJYFxw23YO6r
3V9wfIQv3v/jmn4NVn4tWDHQJCXno0zIIBq9P09jDHVPifPJrZyKqaX+n3HU
PVaSVeGkb0dPV/+7hBWnSNed6nnD3cye3VrodHrPFWXwZL8XfVB970tzYuJD
RUvgHa1DYet0RJRGipw82XINDjQHZNuz2JtoD5/btOzBBLVUDuiulSoLHMU7
NJloAP7Vn+PYeSDARiiQfQD50M8WddsvE0200vDdxCO3Wu1F56iGD+AixUwj
41a5bKG0XANgYBz72trXqYBTPJ5qO+l23Yhh/5ZBaX74crKlZeUBq8uavlr1
p3RKwJBgXBXpLc/i2Yq24bhlnp/lMWGTYtRO9hapUDes9Arlur7LgbnASH+8
ydcO2+mAswO63voqEv2fvSWxil+ea0tDI5VWdV9OUXgX9Ky5n/joqzOps+0o
JgSPk8OQSgI6X61lQyZo8DIIt726+PjpRmzuFfCdMyqq8j4foxNV/04gn2L5
SxNQAFIfGGW+wRtTpoTg0hlC+2XbwVb//tftXBUqHwW+aFbMi2LBEhEnd/Hz
aDFBq3mijYvQAUGx507KkedGeTdiKA0Y14COVJCsGXsQulGYarzVBAK6u2HX
0nfkKjZo5ETuq80sfoY1Q5EbnKeIMSZKC/PUpryz6nUm11IuFDxSQjDyakJt
xXZp05BpE0u9XGZOlr3RTgbJyht4UyZUe8M3oiGiV82uQSr8LUMUGYioerX6
YX63rs2urYc9cFL0TUqoFnaldIvjxIcbcgKUMRu2TvIrjcycvBVWbdgYz8Ta
gKEi5ULUh+fJEx14c2Fw9iSk9FEAXgZo1Pr4GMWNwJTpcnXdZHFY/yDQz9JZ
i+hVTmp1DOjVCZme4naC4Kxo3ZCuQOTq7IqsbHIN/R+rybfKjyQzrwlXrpZF
sY0nDAUz8xKRXF1Tk6IiKq2ksibG/MEZv7BVblMVcyuNUxAijWelE5gV2bZb
ZtvbciGpqx+nWjRjhoOx6o3RCp/n75/9YMtqbsovg5ZFmyi5UsahYBkD5/7l
vFYPbORCT91s12qOaIgGC46ePAYo/N33/wJGWYJSaQY6//s5JNmhLFlLwjYa
trUIEWYKcQKBeZesxyjpDPWif/XoyopPe/ruzff/cTaV5+TEwSKVKCbGAyou
PAu+kvvwCZSy0fLEY+n0/ac3Z3Br4BnHoNnDdTlaH0rEckzMOJQyI1C/2TeT
tzw/eGPB47+apI+pcljtrGhrKDdPIaNWImzJlBLAtx7hDT44XYPo9oiPktrr
xNW0UrPDukT/Os4wlAhaMlXrKRsk2+8KAkgjfPfpFmkM9qlGe9Tp3lfB8GSl
0Rpg0xLXlAxQ2CC4q7ZU4sqzhqmOqfkMOZ1AjSH2Jrzuo3NNnXHARMv+sfQC
7RuFLAtUUuQW4ikvTkB8jr9vi8dd1z4WTir3n9XDvJg/wZb/EJdk42U7ugqq
kxj/8ip6n2z3sz4oGsPj2om2khJILFNBtJZp5nRlF2nSCX6MlOaE5Parb6yN
sC7i3YEuKyaZuTT+CCHIIRpDip+BNCSLIUJ9qHeKlsE5+FNP5PM3cLCbk6ks
j6eiC0Os0uRvxWNxs9hWG3iZy1LiY+TrKeemAERzCVVJkRhehRcqLVYpyopW
DIlHwrpUEAfwcjp1nlkJrlXI1RRfQ7zwb1Jc/SalOjJOXrDvlZvdHdQO47kz
9TxAonF8gKPGXo1U+oArgOFFzxY9tEztZ82e+P0Slz05H92Mnx5jt32lTBV6
+6SJQ7/STkUrHxwbk9F/pHPVGTHmpIQbKEwl3mW41/FyMf4kMu5sKn1R0qsI
cgMgdWovlAslOuSEcvsgEo7S3eI8JHIJzI2PN/UYHeE13rXj55bxnw3UTIOR
SUrTCnuLQRKQLiJdQlbhP80I7b0NtG+eimaIH7Der6kLDLnATOq5EdLK/O/O
Rg7VS++b8e9uq0wMmZch/WKYqSmSmRULUgxNk+b9OpogjLfsVMI0zd5fnWkZ
r43YoccC0MOA/xtQdVSe27Npq9spW4dJ/jABwAcVFwuTH1DySlxacBWUjd8Q
QotW4EHKf5XxDzCTWnmZumOqWjWR/anTYj5GdW0b7SVG2yOzLRTNpj/NLSZ0
H17RC9oB0kmvMPEI5KEeUtc60Dvp7Aqa1lg34F6wpD5czzaSqWHdvJLoC9s8
StVNTxskF0eIbkOlGeCc13wOe0PNDt1e2UoJx7eVAQjH58kA35eRzs6FO31b
ZIi7xAM/2nkjKvi0A5nIzZQRcjlMJKG0V09FyQ52nbGe+AU0QjjU18aF9eZD
/vcQEFa/SJ7bYBrAw7Y7zporzLmAKILn6K3rUTx/9sCPXKHiQIw3xuoXnZYh
HkoD5E0z1mq5QlyZ89axdgjXSkIxyEQh7fhondecuJsBPSipzTwam5ywWYwr
MX2MQdAlwa6lvqpZc+o3ibhBw1up1RhaTJqd6NsqHU4Oghc1FxqWvP11W6L8
R7XGVV2sOxt1HOw7a4UJHoFMUjdM0e9aZNYXSfljqtNEorjtLiM/CPkSxn3W
8vDuWyZGDbRSQW8FELNas2o85MJDiaoKzmLccTvQ2pAKnsIWsuYPgSxFJ597
cEE5WXOcxEboc+DcyJqdV1lLkKfEdwivpcUvJdiz70jAbSgfXTIkatAahNY1
0vBpHZnHMJTEaxVM/QKJNkmKzGZymn0Oj/tBEBlShCIarwh5Pxm21GuhWo7H
AsngVM8sERvoyPy9BaF4JOqs4cqodr3aMg6BHBgaI73RN3ntSVnzZDT3Gef5
57Kat1OfiRjXwpuFNxzj4FJ5erWi5uSo8SY/NE5VFRcc/1x8Q4kvD66imZD1
thTnD45mPOTjlJw8tnWvB15dLtfliVaHtMRyci1Ua9f8JZ78pqxXM5QN48EO
x9bAxeb2+gS8b5Z9DOL3J9ozBzYr7Il48xPUeOK+k2gn9Ju7tl5KPkdGsQQT
UV8O9Y+Y8X5zbWxCdyWzNoVKdXIQ8DGk4SSj3c5Hl2VUBwsgnql8sIGwBdrf
5Fg+IkvOrw9p84f6MO2iz70FcDGsGHxKg1pFUkprM60LYcw5kjSImwEKVXpY
eqdx6EYDkJ3XUoAF34QvxKkj+5l1DeKgK+5LUdsGiPLRW5/KwgCgJNCRBaAi
kHFgq+IRd8bI4tktcbLNu130NDXdpfrvdIz30/XO8tU0lLvF+ZlVrrFPftZU
n4CQwO6MNBa4izJNDEbm7Jgcv4dGEaoxmMPu/bndxnVyTQLPt3EDROcbS7P8
VTn8Cfj++bWb1hvJG9zG52HSA8sAn9y3RxbBRQ57hNFXLps5iGCu+m1cBHcO
NDCiOJbRJY0cNncxtMZ0eTVWOkCZKVY8GB6ABM3HMkrQAGxNYTCBomQLEF5j
/VBKHqz91Hpf5hqoX9WSERMNq3z3RuKraRR07wgxIr6s8B0Wb8D5UcR93i9g
8YIOfef8Cbm1lYeWct7k8NHj/WFFtSM3MXV6YjhlKT1Ly+QBQuCP7a7S9tXs
3TX89NCR4dt7r360s5FMkROiqq13iZa/gv8pI1lfVo+ie4C6OO2tvYrBeNmI
hY3NC2akfoW/OsoDUpfBIgnJcmngwVCaj+EHgUUISqelGsbiEAfP9c73woXd
VCZSrRaH8G8C2WnXTz5VTnMU3rbbdbuLtzlhImqhSSPcwDlcfmRay6tan25f
vwVgmxkeOh3RiqSAedvXapGY09nG82CRcrleqxRaGctEmeKwUcrM0A3OkLZJ
73dn7xdZdfJT8RAaUiVdCuxvcsUEWVP1D9EkG1HNxWI3Ob28enNx5uw33xD4
c3n14Xr2jUJRLxmnzz7C172Ju6THKxLViE5/PLqyZvanwvYvCfIiDqZd97J5
8PnMiSMNMjPfB1kuhGZWZWf9RHjOjivU2onTJ7Y7HsjMgqBoyQ7FBIAcUIjS
9mtILY6dMyMLIFTjG7mBJqrK4RWS1eJoSfa8hGlfM5Mpjyh8izFOEhpVjohl
KiA2xamoi6fzSTZTE5tVIdVPzHxeqWM1U//aKHordX7tTj55OfGUtfeXS99+
9KofjDZBxTZkHaKD+e1bRxKpMBDhVs+frfjTDD8N46uQC5+z88laYjVDGYfL
ifMwWTQqyVvBA/tIZUKFXt2dkKBrwSW+2FYqv4iZEo8/DRUZnAJNn6xdPEUX
S+laNko1sWhVRtCzgo4HOjoSh78RtqtFpXnJetWihuVL4p+rYRptzeBQfMr9
RPRqtdCK8UomTEKw/WgmRmKdeatAPPXKmjw7Vpzl5Xj4eEe4QN3cK0lfUGMy
oHylaVGRHPVrJCo8NiGuGMWF8cCDRedhnw8UzOoSwNHeQu+IxKOJABsOgXSu
JHkXYdMeGFepCsq4iSUQlDZ2dKYqm8ua0f9UUiSnVYK5/KEZc8kKrj9xJ6YE
R00UxVow4wT6W49MHkyaKLlKT3mtkGlXp7/O5nEkX5atcYm8tb897RnpgGlH
IxfMWxoXgPDlSkttSmFsFz6fAOLXPpa5rv2RVabox91eU0SZ2DG2mipn+XhO
NnW/XhvXjUriTE88vVHD/nVTH0anSx8EIHFe6yT2hkFbC4Vl1kz1xfW4V7+z
PVrvGbOshxU1sXnpV8VY8U6CJqd0mUTHfzkglnp+vm23mYRpm+nHmi43QfNy
lezYGfSIELupuqJdmlZInrdxFX4oQIkmxucAhBXnPcYQwmw2yXWXRqeSdDnx
RFGyf0VxJ3axrGtqeJjmiLFCcKokj4BXwTSqrJrDfV7+KuiKwdWE4XAjZPaU
MC6f8pGmFW9FK9Es4duQ2RVq8RBYw0P9G6fa82f5j2OjczsYg74WnM54McoV
yaqvkidhv216eXHhsoheGLgUO5wBN7tyE70B9n8oqf108lMVj86q76D1suub
Yhre9VssoRhavkPFJH7nollu47NeLeJAiawExyIyW5OPVd3x2ldxLxRlHT7h
37ga8Nl1Adzq/eSnYlHec2hv7mLAGWO2Fg3JM2RlACD5H7CN+6edlQEA
<section anchor="acks" numbered="false">
<name>Acknowledgments</name>
<t>This document benefited from discussions with and input from
<contact fullname="David Belson"/>, <contact fullname="Stéphane Bortzmeyer"/>, <
contact fullname="Vinicius Fortuna"/>,
<contact fullname="Gurshabad Grover"/>, <contact fullname="Andrew McConachie"/>,
<contact fullname="Martin Nilsson"/>, <contact fullname="Michael
Richardson"/>, <contact fullname="Patrick Vacek"/>, and <contact fullname="Chris
Wood"/>.</t>
<t>Coauthor Hall performed work on this document before employment at the
Internet Society, and his affiliation listed in this document is for identificat
ion purposes only.</t>
</section>
</back>
</rfc> </rfc>
 End of changes. 393 change blocks. 
2389 lines changed or deleted 1570 lines changed or added

This html diff was produced by rfcdiff 1.48.