Crossing a Border With Your Phone: A Field Guide
A border checkpoint is one of the few places where the threat model is not theoretical. An officer can ask you to unlock your phone, take it into another room, and hand it back twenty minutes later. You will not see what happened in that room. You may have no right to refuse, no lawyer present, and no realistic way to walk away. This is not a place where clever software saves you. It is a place where preparation, restraint, and an honest understanding of what your tools can and cannot do are the only things that help. This guide is written for journalists, researchers, activists, and anyone whose phone, if searched, could endanger someone other than themselves. It is not legal advice, and the single most important sentence in it is this: the only data that cannot be compelled or extracted from your device is data that is not on it.
The threat, stated plainly
Border device inspection covers a wide range. At the low end, an officer scrolls through your photos while you watch. At the high end, your device is connected to a forensic extraction tool — Cellebrite, GrayKey, or similar — that copies everything it can reach, sometimes including data you believed was deleted. Between those poles sits the most common and most underestimated risk: compelled unlock, where you are pressured, detained, or legally ordered to enter your passcode.
No messaging app defeats this. RVNT does not, and we will not pretend otherwise. Once your unlocked phone is in someone else’s hands, the encryption that protects data in transit and at rest has already done its job — and that job is over. An end-to-end-encrypted message is plaintext on the screen of the device that received it. A keylogger or extraction tool on your own endpoint sees what you see. This is the central limit we publish in our threat model: RVNT protects the network and the storage. It cannot protect a device that someone else is operating as you.
So the strategy is not “win the search.” The strategy is to make the search yield as little as possible.
Before you travel
Everything that matters happens before you reach the checkpoint. Once you are in line, your options have collapsed to almost nothing.
Minimize first, encrypt second
Encryption is the second line of defense. Minimization is the first.
- Travel with a clean device if you can. A separate phone holding only what the trip requires is the strongest single move. It limits the blast radius of a seizure to data you chose to bring.
- If you must take your primary phone, reduce it. Remove conversations, contacts, files, and accounts you do not need for this trip. Sign out of services you can re-authenticate later.
- Off-load, then delete. Move sensitive material to a location you control and can reach after the border — then remove it from the device. Data that is genuinely gone cannot be compelled.
- Clear what is cached locally. In RVNT, remove old media and conversations you do not need in transit. The media cache, the SQLCipher-encrypted database, and your message history are all things a forensic tool would target.
Understand what RVNT keeps off the network
This is where RVNT’s architecture genuinely helps your pre-travel calculus. There is no central server holding your messages, your contact list, or a record of who you talk to. Your identity is a locally generated Ed25519 keypair and a self-claimed username — no phone number, no email, no SIM, no KYC. The server we run sees only public prekey bundles and bootstrap peer discovery through a Kademlia DHT; it never holds your keys, and it never learns who you are or who you talk to.
The practical consequence: an officer cannot subpoena RVNT for your message history, because we do not have it. The data lives on your devices and your contacts’ devices. That narrows the attack surface to the physical phone in front of you — which is exactly the surface this guide is about minimizing.
Pre-configure your defenses while you’re calm
Set up duress and panic before you are stressed and surrounded. Decide in advance what your decoy vault contains and rehearse entering each PIN until it is muscle memory.
At the checkpoint
You are now in the lowest-agency moment of the whole trip. Plan for that.
Power off before you arrive
A phone that has been powered off and not unlocked since boot is in its hardest cryptographic state — keys are not yet loaded into memory, and many forensic tools are far less effective against it. Power down before you reach the booth. This costs nothing and removes an entire class of “extract from a running, unlocked device” attacks.
If you are asked to unlock
This is a legal and personal-safety decision, not a technical one, and it varies enormously by jurisdiction, your citizenship, and your circumstances. We are not lawyers and this is not legal advice — know your rights for the specific border you are crossing, before you reach it. What we can speak to is the tooling.
RVNT offers two relevant mechanisms, and it is critical to understand the difference:
- Duress PIN (decoy vault). A secondary PIN that opens a plausible, populated decoy vault while your real data stays sealed and untouched. This is built for the coerced unlock — when refusing is not a safe option and you need to hand over something that looks complete. See PIN authentication for how unlock and the duress path are kept cryptographically separate.
- Panic mode. A cryptographic self-destruct: it overwrites local key material, invalidates Secure Enclave keys, destroys the SQLCipher database, removes keychain entries, and wipes the media cache. It is irreversible and leaves a clean device.
A decoy vault buys you a plausible answer. A self-destruct buys you a clean device. Neither buys you a way out of the room — and a destroyed device can itself attract suspicion. Choose deliberately, with the actual legal stakes in mind.
Be honest with yourself about the limits. A duress PIN is convincing only if the decoy looks lived-in and you do not flinch. Panic mode protects data but not you — in some jurisdictions, destroying evidence or obstructing a search carries its own consequences. Neither tool defeats coercion: if someone can compel you to keep entering PINs until the real data appears, no app stops that. Tools shift the odds. They do not rewrite the situation.
Coerced to unlock?
Refusing is safe ...... refuse / ask for counsel
Refusing is NOT safe .. duress PIN -> decoy vault
Device must not survive .. panic mode (irreversible)What you should not do
Do not improvise. Do not try to delete things in line, fumble between PINs, or argue technical specifics with an officer. Visible nervousness and last-second deletions invite exactly the escalation you are trying to avoid. Your preparation is your composure.
After you cross
Treat any device that left your sight as potentially compromised. Twenty unobserved minutes is enough to image the storage, install something, or attach a tracking profile.
- Assume tampering until proven otherwise. If the phone was out of your hands, your safest posture is that its contents and its software are now untrusted.
- Rotate what you can. Change passwords and re-authenticate accounts from a different, trusted device — not the one that was searched.
- Re-establish RVNT from a known-good state. RVNT’s Double Ratchet gives forward secrecy and break-in recovery, so future messages heal as the ratchet advances — but that only holds if the endpoint itself is clean. If you suspect the device is compromised, a fresh install on trusted hardware is the only honest reset.
- Tell the people you protect. If contacts could be exposed by what was on the phone, they deserve to know before they message you.
The honest summary
RVNT’s design removes the central honeypot, keeps your identity out of the metadata, and gives you a decoy vault and a self-destruct for the worst moment. That is real, and it is more than most tools offer. But a border is fundamentally a physical-access, compelled-access problem, and the durable defense is not cryptographic — it is the discipline to carry less. Minimize before you leave, power down before you arrive, decide your duress strategy while you are calm, and treat every searched device as burned. The math we publish is meant to be verified, not trusted — and the same skepticism should apply to any promise, ours included, that software alone keeps you safe at a border. It doesn’t. Preparation does.
Keep reading
All posts →-
The Anthropic Recall: How Centralized AI Threatens Decentralized Privacy
A breakdown of today's US government export control directive targeting Anthropic, the vulnerabilities of centralized AI architectures, and why decentralized, sovereign communications are vital.
5 min read -
Sealed Sender: Hiding Who Talks to Whom
A technical deep-dive on RVNT's sealed sender: how encrypting the sender certificate to the recipient hides the from-to routing pair, and how forgery, replay, and abuse are handled.
9 min read -
Chat Control, Explained: The EU's Fight Over Scanning Your Messages
EU Chat Control explained: what the CSA Regulation proposes, why client-side scanning breaks end-to-end encryption, the 2025-2026 timeline, and its current status.
11 min read -
Metadata Is the Message
"It's just metadata" is a dangerous phrase. Who you talk to, when, and how often can reveal more than what you said — and RVNT is built to minimize it.
9 min read -
Can Your Employer Read Your Messages? Workplace Surveillance Explained
Can my employer read my messages? Yes for work email, Slack and Teams DMs, and company devices. Here's what they legally can and can't see in 2026 — and how to separate personal from work.
11 min read -
RVNT vs Signal: An Honest Comparison
Signal is the gold standard for encrypted messaging. Here is where RVNT agrees, where it diverges, and the honest tradeoffs of each — no strawmen.
10 min read -
How to Contact a Journalist Securely: A Source's Guide
How to contact a journalist securely: SecureDrop, Signal usernames, the metadata problem, OPSEC, and the honest limits no encryption tool can fix.
12 min read -
How to Remove Your Information From Data Brokers
A practical 2026 guide to remove your information from data brokers: the free DIY opt-out process, California's DROP, paid services, and why removal is ongoing.
11 min read