Single-domain backups are not backups

A backup that shares a failure domain with the data it protects is not a backup. It is a second copy in the same system, and a single event that reaches the system destroys the primary data and the safety net in the same operation.

The failure domain need not be physical. At Kyoto University in December 2021 (E-0015), buggy backup scripts and the data they protected executed in the same software context; a single administrative action destroyed both. The same architectural principle holds for physical failure domains — a backup in the same building is destroyed by the same fire, the same flood, or the same power failure — but the Kyoto case shows that software failure domains collapse the distinction between primary and backup just as completely.

This Claim is the operational form of the M-0002 distribution principle. Independent failure domains are the architectural input; "backups" that violate independence are not preservation, regardless of how they are labeled.

The operational implication is that a great deal of what institutions count as backup is not. On-premises backup-to-tape in the same data center is not a backup against fire, flood, or administrative action. Cloud backup to the same provider is not a backup against acquisition, defunding, or jurisdictional action. Geographic separation alone does not produce independence if the failure domain is organizational or jurisdictional.