In development. RVNT is pre-release — not yet security-audited. Source code, public builds, and the iOS / App Store release aren’t available yet. Expect rough edges.

2026-06-09 · 9 min read · RVNT Team threat intel

Metadata Is the Message

metadatasealed-sendertormixnettraffic-analysis

When people hear that a message was encrypted, they tend to relax. The content is sealed, the math is sound, the adversary sees noise. So when a system is described as “only leaking metadata,” it sounds like a footnote — a small technical leftover that doesn’t really matter. That framing is wrong, and it is wrong in a way that has gotten people surveilled, deported, prosecuted, and killed. Content is what you said. Metadata is who you are. And for most adversaries, who you are is the part they actually want.

What metadata actually is

Metadata is everything about a communication that isn’t the communication itself: the sender, the recipient, the timestamp, the duration, the frequency, the size, the network address each side connected from, and the pattern these form over weeks and months. None of it requires reading a single word you wrote.

Consider what an observer learns without ever breaking your encryption:

  • You messaged an oncologist’s office, then a specific pharmacy, then a support group — three times a week, late at night.
  • A journalist’s number appears in your records the day before a story breaks, and never again.
  • You contacted a divorce attorney, a locksmith, and a women’s shelter in the same evening.
  • Your phone reached a mosque every Friday at the same hour for a year.
  • A cluster of activists all went quiet, then all reconnected through one shared contact two hours before a protest.

In each case the content is unknown and irrelevant. The shape of the conversation already tells the story. Associations, health, faith, sexuality, dissent, sources, sleep schedule, physical location — these fall out of the graph, not the text.

“We kill people based on metadata.” — former NSA and CIA director Michael Hayden.

That quote is not hyperbole and it is not new. Intelligence agencies prioritize metadata precisely because it is structured, scalable, and unencrypted by default. Content is hard to collect at scale and easy to hide. Metadata is cheap, it is everywhere, and historically almost no one bothered to protect it. “It’s just metadata” is the most expensive four words in privacy.

Why content-only encryption isn’t enough

Most “encrypted” messengers protect the body of your message and stop there. The transport layer still announces a connection from your address to a server, the server still logs which account talked to which account and when, and message sizes still vary in ways that fingerprint what you sent. You can have perfect end-to-end encryption and still hand an observer a complete social graph.

This is the gap RVNT is built around. Strong content encryption — hybrid X3DH combined with the Double Ratchet — is table stakes. The harder problem is starving the adversary of the metadata that sits outside the encrypted payload. There is no single switch for that. It takes a stack of independent defenses, each closing a different leak.

How RVNT minimizes metadata

RVNT is fully peer-to-peer: messages travel device to device, and no central server ever sees content. But “no server sees content” is not the same as “nothing observable leaks.” Here is what each layer is designed to hide.

Sealed sender — who is talking to whom

In a normal system, even an honest relay has to know who sent a message in order to route the reply. That sender identity is metadata, and it is enough to draw the graph.

RVNT uses sealed sender: the sender encrypts their own identity inside the envelope using the recipient’s public key. The infrastructure that helps deliver the message sees only a recipient id and an opaque blob. It cannot tell who sent it. The “who-talked-to-whom” edge — the single most valuable piece of metadata in the whole graph — is removed at the source.

Tor — your network address

Your IP address is a location, a subscriber, an ISP account, and often a real name. Every connection you make broadcasts it.

RVNT routes all traffic through Tor using an embedded arti (Rust Tor) client. Standard mode uses 3-hop circuits; maximum-privacy mode uses 5-hop circuits. No single relay on the path knows both who you are and what you’re connecting to, so your network identity is no longer trivially tied to the traffic you send.

Padding — message length

Message size is metadata. A short payload and a large one look different on the wire, and length alone can distinguish “yes” from a leaked document. RVNT pads messages to a fixed size so the length of what you sent doesn’t leak through the shape of the packet.

Mixnet, cover traffic, and random delay — timing

Even with sealed sender, Tor, and padding, raw timing can betray you. If a packet leaves your device and an identical-sized packet arrives at your contact’s device a fixed interval later, every time, an observer watching both ends can correlate the two and reconstruct the edge they couldn’t read directly. This is traffic analysis, and it is the discipline that broke many systems that thought encryption was enough.

Maximum-privacy mode attacks timing directly:

  • A mixnet batches messages from many users and adds randomized timing delays, so the moment a message enters is decoupled from the moment it leaves.
  • Cover traffic adds decoy messages, so “you sent something” and “you sent nothing” are harder to tell apart on the wire. The presence or absence of activity becomes a weaker signal.

Together with fixed-size padding, this is designed so that an observer near you cannot easily tell when you communicated, how much, or with whom — only that your device, like everyone else’s, occasionally moves traffic of a uniform shape.

content encryption -> what you said
sealed sender      -> who you said it to
Tor                -> where you are
padding            -> how much you said
mixnet + delays    -> when you said it
cover traffic      -> whether you said anything

The honest limit

We will not tell you this is invincible, because it isn’t, and a tool that names its limits is more trustworthy than one that claims to solve everything.

RVNT’s metadata defenses are strong against a local or regional observer — your ISP, a hostile network, an agency tapping one segment of the path. They are designed specifically to defeat the cheap, scalable collection that “it’s just metadata” enables.

They do not guarantee protection against a global passive adversary: an entity that can observe essentially all internet traffic at once and apply AI-driven correlation across every link. Against an adversary watching every node at the same time, timing analysis becomes a fundamentally harder problem that no deployed system fully solves. Mixnets, delays, and cover traffic raise the cost enormously — but they are mitigation, not a proof of impossibility.

RVNT also does not protect you from threats that live outside the wire: a compromised device with malware or a keylogger, someone reading over your shoulder, a contact who screenshots or forwards what you sent, or a legal order served to one of your contacts. Metadata minimization is about the network. Endpoint and human security are separate disciplines, and we say so plainly in our threat model.

Why we build this way

“It’s just metadata” is a comfort offered by systems that don’t protect it. The honest version is that metadata is frequently the message, and guarding only content while leaking the graph is a half-measure that feels like security.

RVNT treats the network’s exhaust — who, when, how often, how long, how big — as a first-class secret, defended in layers, with the limits stated out loud. Don’t trust us on that. The code is public. Read it, check the protocol, and verify that the metadata you can’t see in the message is also the metadata an adversary can’t see on the wire.

Keep reading

All posts →