Archival projects are the customers OffshorePress was set up to serve at the edge of its envelope. The hosting decisions a leak repository, a human-rights documentation collection, or an institutional-memory archive has to make are different from the decisions a contemporary news publication has to make. The archive’s adversary timeline is longer; the archive’s content is by definition not retractable; the archive’s operational survival depends on its preservation against legal demand, against infrastructure failure, against political-environment change, and against the slow bureaucratic erosion that has historically taken down archives that the more dramatic adversaries did not. This article is the operator’s editorial framing of what the threat model an archival project ought to reason about looks like.
The frame matters because the documented record of activist archives is asymmetrical. The archives that survive into the second decade of their existence, in the historical record the operator has read carefully, are the archives whose threat-model work was done early and revisited often. The archives that do not survive are not, in the cases the operator has studied, the archives that suffered a single dramatic adversarial event; they are the archives whose maintainers had not reasoned about the slow accumulation of small failures that eventually made the archive untenable. The threat-model question is not “who is the dramatic adversary” — it is “what is the failure mode the archive is most likely to actually encounter” — and the answer to the second question is rarely the answer the maintainers would have given before they did the work.
The archive’s adversary timeline
The first dimension of the threat model is time. A news publication’s threat model can plausibly be set up against a horizon of a year or two — the litigation cycle, the political cycle, the editorial cycle that governs which stories the publication will be defending in court. An archive’s threat model has to be set up against a horizon of a decade or more. The Snowden documents that journalism organisations published in 2013 are still under active litigation in 2026; the Pentagon Papers archive is on its sixth decade of legal pressure; the Stasi-records archive in Berlin is on its fourth. The operational decisions the archive makes in its first year are the decisions that govern the archive’s ability to operate in its tenth year, and the operational decisions that look efficient in the first year frequently turn out to be the decisions that constrain the archive’s options in the tenth.
The practical consequence for a hosting decision is that the archive needs to be evaluating its hosting provider not on the provider’s current posture but on the provider’s likely posture across the archive’s planning horizon. A hosting provider that is currently amenable to the archive’s work but whose ownership structure makes a near-term acquisition by a less-amenable counterparty plausible is a hosting provider whose current posture is misleading. A hosting provider whose current pricing is competitive but whose long-run business model depends on a customer mix the archive is operationally uncomfortable being adjacent to is a hosting provider whose current pricing is misleading in the same way. The archive’s hosting decision is a long-horizon decision, and the evidence-base for the decision has to be the provider’s likely long-horizon posture rather than the provider’s current marketing.
The institutional question I would most have wanted to know the answer to in 1971 is which of our infrastructure counterparties would still be operating in the same posture in 1991. The answer, which I now know, would have informed every operational decision we made.
The implication for the operator’s own posture is direct. An operator that hopes to serve the archival audience well has to be readable, on its own published record, against the long-horizon question. The operator’s funding structure, the operator’s ownership structure, the operator’s contractual stability, the operator’s track record under legal pressure, the operator’s published commitments on what it will and will not do — all of these are part of the evidence-base the archive is entitled to weigh before making the hosting decision. The operator’s view, defended at greater length in the OffshorePress operating principles, is that the publication of the operator’s posture is the precondition for the customer’s long-horizon judgement.
The non-retractability of archival content
The second dimension is the irreversibility of what the archive holds. A news publication can in principle pull a story from its website on the strength of a court order; an archive cannot, because pulling the content from the public side of the archive does not retract the content from the historical record the archive exists to preserve. The structural consequence is that an archive’s hosting decision has to anticipate not just the demand to take down the public side of the archive but the demand to produce the archive’s underlying records — the original document scans, the metadata about who deposited which document at what date, the access logs of who has read which document — to a party the archive’s depositors did not consent to.
The hosting layer is not the layer that solves this problem; the layer that solves this problem is the archive’s encryption-and-access design. The hosting layer can, however, fail the encryption-and-access design in ways that meaningfully reduce the design’s protection against the production demand. A hosting provider that retains operational logs of which IP addresses connect to the archive at which times has, in effect, expanded the archive’s data-collection footprint beyond what the encryption-and-access design assumed. A hosting provider that takes a snapshot backup of the archive’s volume, retains the snapshot beyond the documented backup-rotation schedule, and stores the snapshot in an unencrypted form on shared infrastructure, has expanded the footprint further. A hosting provider whose business records can be compelled by a foreign court order has expanded the footprint into a jurisdiction the archive may have explicitly chosen to operate outside of.
The archive’s threat-model work has to map each of these failure modes against the actual operational behaviour of the hosting provider, not against the provider’s marketing claims. The questions the archive should be asking the provider in writing are: what operational logs do you retain, for how long, and under what legal regime are they producible; what backup snapshots do you take, where are they stored, are they encrypted at rest; what documentation do you produce for a court order from your own jurisdiction, what is your documented response to a court order from a foreign jurisdiction; under what conditions do you terminate a customer’s subscription, and what happens to the customer’s data on termination. These are not exotic questions; they are the questions an archive’s own counsel is going to ask in due diligence, and a hosting provider that does not answer them in writing is a provider the archive has insufficient evidence to choose.
The political-environment shift
The third dimension is the political environment in which the archive’s hosting jurisdiction sits. The hosting jurisdiction’s legal posture today is not necessarily the posture across the archive’s planning horizon, because the political environment that produced the legal posture is itself subject to change. An archive that hosted in a jurisdiction whose press-protection statutes were the work of a single legislative majority is an archive whose protection is contingent on the durability of that majority. The historical record shows that legislative majorities that produced press-protection statutes have, in some cases, been displaced by majorities that subsequently weakened the statutes; the displacement does not happen often but it has happened in the documented period.
The operator’s reading of the case for Iceland and Switzerland as the two OffshorePress jurisdictions includes an explicit consideration of the political-environment-durability question. The Icelandic Modern Media Initiative was passed unanimously by the Althingi, with cross-party support that the operator reads as making a near-term reversal politically expensive; the Swiss telecommunications-secrecy clause is a constitutional provision whose amendment requires a federal referendum and a double majority of cantons, which the operator reads as making a near-term reversal procedurally expensive. Neither evaluation is a guarantee, but both are stronger evaluations than the equivalent for jurisdictions whose press-protection postures were produced by simple legislative majorities that could be reversed in a single legislative cycle.
The archival project that is making a hosting decision against this dimension should be doing the same evaluation independently. The political-environment-durability question is one that benefits from local-counsel input rather than from any hosting provider’s own assessment, because the hosting provider has a structural incentive to overstate the durability and a local counsel does not. The operator’s recommendation for an archive that is at the early stage of the hosting decision is to commission a brief independent legal opinion on the durability of the protection in the candidate jurisdiction; the cost is modest relative to the long-horizon stakes, and the opinion’s reasoning is itself part of the archive’s documented operational record.
The slow bureaucratic erosion
The fourth dimension, and in the operator’s reading of the historical record the most underappreciated, is the slow bureaucratic erosion of operational viability. The archives that have failed in the documented record have, more often than not, failed because the maintainers ran out of money, ran out of attention, ran out of legal-defence capacity, or ran out of community legitimacy — not because the dramatic adversary won a single dramatic legal action. The dramatic-adversary frame is the frame the maintainers were paying attention to; the bureaucratic-erosion frame is the frame the maintainers were not paying attention to and the frame in which the failure actually happened.
The operational implications for the archive’s hosting decision are several. The archive’s hosting cost structure has to be sustainable across the planning horizon, which means the archive’s hosting decision has to consider not just the current monthly fee but the likely fee trajectory and the likely cost shocks. The archive’s hosting provider has to be operationally reachable — a provider whose customer-service response time is measured in weeks is a provider that will become operationally unmanageable for the archive over time. The archive’s hosting provider has to be accountable in a documented way — a provider whose published commitments are vague and whose actual practice is opaque is a provider that will erode the archive’s trust in the hosting layer over time, and an archive whose maintainers have lost trust in the hosting layer will move the archive somewhere else, frequently in haste and frequently to a worse provider.
The operator considers the bureaucratic-erosion dimension the dimension on which the operator is most exposed to honest evaluation, because the dimension is the dimension on which the operator’s marketing matters least and the operator’s actual long-run conduct matters most. The operator cannot persuade an archival customer of the operator’s bureaucratic-erosion resilience in the customer’s first year; the operator can only build the documented track record over time and let the track record speak in the customer’s tenth year. The structural bargain the operator is making with the archival audience is that the operator publishes the posture honestly, the operator operates against the posture in the documented record, and the customer makes the long-horizon judgement on the strength of that record rather than on the strength of any single article.
What the threat-model work looks like in practice
The archive’s threat-model work, if it is done seriously, produces a written document. The document names the adversaries the archive is operating against, the operational vectors each adversary is plausibly going to use, the layers of the archive’s infrastructure that are exposed to each vector, the mitigations the archive has in place at each layer, and the residual risk the archive is accepting at each layer. The document is updated on a documented schedule and is reviewed against the archive’s actual operational record at each update. The document is the basis on which the archive’s hosting decision is made, the basis on which the archive’s encryption-and-access design is made, and the basis on which the archive’s response to an actual adversarial event is improvised.
The archive that does not have this document — and the operator has been in conversations with archival projects that did not have this document — is an archive operating on intuition. Intuition is sometimes right and is sometimes wrong; the historical record contains archives that were saved by intuition and archives that were lost because the maintainers’ intuition did not match the actual adversary’s behaviour. The threat-model document is the discipline that makes the maintainers’ intuition checkable against evidence, and the discipline is the difference between an archive whose decisions are defensible in retrospect and an archive whose decisions are not.
The Tactical Tech collective’s “Holistic Security” handbook, the EFF’s “Surveillance Self-Defense” guide, and the Centre for Investigative Journalism’s “Security for Investigators” toolkit are the three published references the operator points archival customers at most often. None of them is sufficient on its own and none of them is specifically tailored to the archival audience, but the three together are a defensible starting point for the threat-model work the archive needs to do. An archive that has worked through all three is an archive that is prepared to write the document the previous paragraph describes; an archive that has not worked through any of them is an archive that needs to spend the time before it makes the hosting decision rather than after.
A note on what the operator does and does not know
The operator’s role in the archive’s threat-model work is bounded. The operator knows the operator’s own posture, the operator’s own jurisdictional choices, the operator’s own contractual terms, the operator’s own track record under legal pressure. The operator does not know the archive’s adversaries, the archive’s depositors’ threat models, the archive’s encryption-and-access design, or the archive’s operational practices. The operator is the layer; the archive is the publication that runs on the layer; the threat-model work is the archive’s responsibility and the archive’s authority.
The operator publishes the operator’s own posture at length so that the archive can incorporate the layer-level evidence into the archive’s threat model. The operator does not write the archive’s threat model on the archive’s behalf; the operator could not write it well even if it tried, because the archive knows things about the archive’s depositors and the archive’s adversaries that the operator does not and should not know. The hosting decision is the customer’s; the operator’s role is to make the decision well-evidenced, by publishing the evidence the customer needs to read against the customer’s own threat model, in the same register as the rest of the publication.
The catalogue is one click away in the navigation bar. The reader who has worked through their own archive’s threat-model document and decided that OffshorePress’s posture is the right fit is the reader for whom the catalogue exists. The reader who is at an earlier stage in the threat-model work is welcome to spend more time in the journal, in the per-jurisdiction dossiers under /jurisdictions, in the per-payment-route dossiers under /payments, or in the operating principles under /principles, before making the decision. The operator considers the time well spent; the operator does not consider the catalogue’s monthly recurring revenue worth the customer’s later regret over a hasty decision.