Skip to main content

The editorial spine

Operating principles

OffshorePress operates a small offshore hosting service for journalists, NGO IT staff, archivists, and lawyers working in adversarial jurisdictions. This page sets out, in plain prose, why the operator exists, what it concretely operates, what it deliberately refuses to operate, and the threat model under which the reader should evaluate the service. The operator considers this page part of the service. It is the document the reader is asked to weigh against the marketing page they did not get.

Why the operator exists

The right to be left alone, in the formulation that Brandeis put into the Harvard Law Review in 1890, is the right that the twentieth century then spent failing to defend. The hosting layer of the modern internet is one of the places where that defence is now made or abandoned in practice. A document written in confidence, sent to a journalist over an end-to-end-encrypted channel, then published from a server whose operator is required by treaty or by commercial expediency to log the publisher's metadata, is a document that has had its source betrayed at the last and most operationally invisible step.

OffshorePress was set up to operate that last step honestly. The premise is simple and not novel: hosting is a layer separate from publication, and the legitimate work of a hosting provider is to keep the layer running, not to inspect what runs on it or to volunteer information about who runs it. The post-2013 surveillance-reform conversation — Snowden, the Schrems decisions, the long argument over what counts as a lawful metadata demand — has not changed the structural problem. The default posture of most hosts is still to comply early, log speculatively, and forward subscriber data on receipt of the first plausible-looking notice. The operator considers that default a political choice, not a technical one, and operates differently as a matter of principle.

Jurisdictional engineering, in this frame, is a form of activism. Choosing to operate from Iceland and Switzerland — and only from those two countries — is a choice about which courts will hear the next subpoena and under what legal standard. The Icelandic Modern Media Initiative and the Swiss Federal Constitution's telecommunications-secrecy clauses are not abstractions; they are the legal instruments that decide whether an investigative archive stays online or comes down on a Tuesday morning.

What the operator concretely runs

The operator runs offshore VPS, dedicated machines, and a small email service from two jurisdictions: Iceland and Switzerland. The catalogue is deliberately narrow. The reader does not need a shared-hosting tier, a Windows RDP product, a streaming server, or a GPU rental; the reader needs hosting that holds up to the kind of scrutiny that an investigative publication, a leak aggregator, or an NGO infrastructure team draws. The catalogue is shaped to that audience and excludes the rest.

The operational posture is documented and audited. Subscriber registration accepts a pseudonym and a contact address; no government identity document is requested, kept, or correlated to a payment. Payment routes are limited to Monero, Bitcoin over the Lightning Network, on-chain Bitcoin, and physical cash by post; there is no card processor in the loop, which means there is no commercial counterparty between the subscriber's wallet and the operator's invoicing. Authentication is the operator's own; analytics, where present at all, run on a self-hosted Plausible instance dedicated to this brand and shared with no sibling property.

The legal regime under which a customer's workload sits is documented per jurisdiction in the dossiers under /jurisdictions. The payment routes the operator accepts are documented per route under /payments. The legal entity that signs the lease on the cabinet is disclosed below. The point of publishing all of this is that an honest hosting decision requires a reader who can weigh a posture against a threat model, and the operator considers the publication of the posture to be the precondition for that decision.

What the operator deliberately does not do

The operator does not site infrastructure inside Five-Eyes datacentres, regardless of price or operational convenience. The 2013 disclosures and the long subsequent litigation made the SIGINT-sharing posture of those alliances a matter of public record, and a hosting operator that places customer workloads inside the cooperating jurisdictions and then claims to take privacy seriously is asking the reader to ignore the structural arrangement under which the workload sits. The operator does not ask that.

The operator does not accept payment cards, and does not route any subscriber transaction through a commercial payment processor. The card networks and their processor counterparties are themselves a metadata channel, with chargeback regimes, merchant-account due-diligence requirements, and a long history of de-platforming entire categories of legal customer at the request of pressure groups. OffshorePress's customer base includes categories of legal speech that the card networks have, in the past, declined to process — adult journalism, drug-policy research, sex-worker rights organising. The operator avoids the infrastructure that has historically failed those clients.

The operator does not run growth-hacked upsells, does not display fictitious countdown timers on order pages, does not produce a ranked 'best of 2026' page that is in fact a list of the operator's own products, and does not pay affiliates to write comparison reviews. The brand voice and the commercial structure are aligned: the operator does not sell pressure, and the publication does not borrow the commercial vocabulary that manufactures it.

Funding, refusal, and the structural reason for both

The operator is funded by subscription revenue from its customers and by nothing else. There is no venture capital, no advertising revenue, no data-sharing arrangement with a third party, and no platform partnership that would create a structural reason to compromise the customer's posture in exchange for a continuing commercial relationship. The Electronic Frontier Foundation has documented the pattern under which a host's incentive structure predicts its behaviour under legal pressure; the operator has structured the funding to make refusal-to-comply with non-jurisdictional demands the obvious and the affordable choice.

Refusal-to-comply, in this context, means refusing to act on a legal demand that does not arrive through the courts of the jurisdiction in which the workload sits. A US Section-512 takedown notice received at an Icelandic facility is not a binding instrument under Icelandic law; the operator's policy is to read it, file it, respond to the sender to that effect, and take no action against the subscriber's workload. A Swiss federal court warrant served on the Swiss entity is a binding instrument under Swiss law; the operator's policy is to comply with the order in its narrowest form and to challenge any ancillary demands that exceed the warrant's scope. The distinction is not rhetorical; it is the operating procedure.

Threat model

What the operator knows, what the operator can be compelled to do

The questions below are the ones the operator actually receives from prospective customers in the audience for which OffshorePress was built. The answers are written in the same register as the rest of the publication — sober, factual, neither oversold nor underspecified. Where a question's honest answer is 'we don't know' or 'it depends on the jurisdiction', the answer says so.

  1. What does the operator know about my workload?

    At the platform layer, the operator knows what every hosting provider knows: the IP addresses assigned to your machine, the bandwidth your machine consumes, the size of the disk image and the broad outline of when you provisioned it. The operator does not inspect the contents of your disk, does not read your application logs, and does not run network introspection against your traffic in transit. There is no deep-packet-inspection middlebox between your VM and the carrier uplink.

    At the subscription layer, the operator knows the pseudonym you chose at signup and the contact address you provided. If you paid in Monero, the operator does not know which wallet sent the funds. If you paid in cash by post, the operator knows the postmark on the envelope and nothing else about the sender.

  2. What does the operator give to a court order from the jurisdiction in which the server sits?

    A valid Icelandic or Swiss court order, served on the operating entity in the corresponding jurisdiction, is complied with in the narrowest form the order permits. The operator's policy is to read the order against counsel, to produce only the records the order specifically names, and to challenge ancillary demands — production of records the operator does not in fact hold, prospective logging obligations beyond the warrant's scope, gag orders that exceed what the issuing court actually authorised.

    The operator publishes an annual transparency note documenting the count and shape of orders received, to the extent gag provisions allow. The first edition is in preparation; the warrant canary is part of /legal once that surface ships.

  3. What does the operator give to a foreign legal demand received at an Icelandic or Swiss facility?

    Nothing, unless the demand has been routed through the Icelandic or Swiss courts via the appropriate mutual-legal-assistance procedure and reissued as a domestic court order in the jurisdiction in which the workload sits. A US Section-512 takedown notice served directly on the Icelandic entity is read, filed, and answered to that effect. A US grand-jury subpoena served directly on the Swiss entity is referred to Swiss counsel; if it has not been routed through Swiss courts, no records are produced.

    The operator's preference is to publish the existence of such demands, and the operator's response, to the extent the underlying jurisdiction's gag provisions permit publication.

  4. How is the operator funded, and what does that mean for refusal-to-comply with non-jurisdictional demands?

    The operator is funded by subscription revenue and nothing else. There is no advertising revenue, no venture capital, no data-sharing partnership with a third party, no platform deal that would generate a continuing commercial reason to fold under legal pressure. The structural consequence is that refusal-to-comply with a demand that has not been routed through the courts of the operating jurisdiction is the obvious operational choice, not a costly act of principle that the business cannot afford.

  5. If the operator is compelled to start logging my traffic, do I find out?

    The operator's intent is yes, by means of a warrant canary published in /legal and refreshed on a documented schedule. If the canary stops being refreshed on the published cadence, the absence is the signal. The legal complexity around warrant canaries varies by jurisdiction; the form the canary takes for OffshorePress will be settled with counsel before /legal ships and will be documented honestly in the page that hosts it.

    The operator does not promise that compelled logging cannot happen. The operator promises that the customer's posture should not depend on the operator's silence about it.

  6. What is the operator's incident response if a server is physically seized?

    Customer disks are encrypted at rest with a key the operator holds in memory and not on disk; a power loss or a physical removal returns the disk to a state in which the data is not readable without re-keying. Re-keying after a seizure is a deliberate act that the operator does not perform on behalf of a third party.

    If a facility is subject to a physical search, the operator publishes the fact in the journal as soon as gag provisions permit. Affected subscribers are notified individually via the contact address on file at the earliest moment that notification is lawful.

  7. Is there an authentication backdoor, a vendor-installed remote-access tool, or a hypervisor escape hatch the operator uses for support?

    No. Support access to a customer's VM requires the customer's explicit per-incident consent and is performed through the customer's own credentials, not via an out-of-band operator key. The hypervisor host has no standing route into a running guest. There is no enterprise-grade remote-access agent installed by default.

  8. Does the operator share infrastructure or operational metadata with sibling brands or with marketing partners?

    The operator's analytics are a self-hosted Plausible instance dedicated to OffshorePress and shared with no sibling property. There is no third-party tag manager, no advertising pixel, and no remarketing identifier in the page source. Email from the operator is sent from the operator's own SMTP infrastructure; subscriber addresses are not synced to a marketing-automation vendor.

A note on what this page is for

The operator does not consider this page a marketing surface and does not expect a reader to be persuaded by it into a purchase. The page exists because the audience for which OffshorePress was built reads carefully, weighs the hosting decision against a real adversary model, and is owed an honest account of what the operator will and will not do under pressure. If the account here matches the threat model the reader is working to, the catalogue is one click away. If it does not, the reader has the information needed to look elsewhere.