Use case

RVNT for activists and protesters: when your phone can be seized at a demonstration

For organizers and protesters who carry their phone into a crowd that may be surveilled, kettled, or arrested — RVNT pairs end-to-end encryption with on-device coercion defenses, but it is one layer in a plan that starts with leaving the device at home.

The threat model

Device seizure at a protest — your phone is physically taken during an arrest, a kettle, or a stop-and-search, and ends up in the hands of officers or a forensic extraction tool (Cellebrite/GrayKey-class) while you are detained.
Compelled unlock — you are pressured or legally ordered to unlock the device. In the US, courts have more readily compelled a fingerprint or face scan than a memorized passcode, so biometrics are the weak point an adversary reaches for first.
Cell-site simulators (IMSI catchers / Stingrays) — fake cell towers deployed at demonstrations that trick nearby phones into connecting to log who is present, harvest IMSIs, and in some configurations intercept unencrypted traffic. EFF documented suspected use at the 2024 DNC via its Rayhunter tool.
Mass identification and dragnet network surveillance — bulk collection of who-talked-to-whom around a protest (tower dumps, metadata correlation, social-graph mapping) used to identify everyone in attendance, not just a named suspect.
Post-event subpoenas to the apps and carriers you used — after the fact, investigators serve legal process on the messaging service or carrier to reconstruct the organizing chain from stored metadata and contact lists.

Why mainstream apps fall short

Mainstream messengers store your contact graph and account metadata on a company server that can be subpoenaed after a protest — even when message bodies are end-to-end encrypted, the record of who you organize with often is not.
Most apps tie your identity to a phone number, which links your protest communications to your real name, your carrier, and a SIM that a cell-site simulator can fingerprint in the crowd.
A locked-but-seized phone is only as safe as its unlock method — a normal messenger has no answer for being compelled to press your finger to the sensor or look at the camera, and no way to present a believable empty state under coercion.
Network metadata (your IP, your timing, the fact that you are using a privacy app at all) leaks to the network and to anyone running a fake tower nearby; ordinary apps make no effort to hide the existence or routing of your traffic.

How RVNT maps to those needs

If you are forced to unlock the phone during an arrest, real conversations must not be sitting there in plain view

Duress PIN that triggers a cryptographic wipe and presents a decoy or empty state

A phone confiscated as evidence should yield nothing recoverable even to a forensic extraction tool

Panic wipe — irreversible destruction of keys and the encrypted database, with hardware-backed key invalidation on supported devices

Seized data at rest must stay locked behind something the law treats as knowledge, not biometrics

PIN-as-key: the PIN is the only input to an Argon2id-derived key — there is no stored key and no recovery path

Who you organize with should not sit in a server's contact graph waiting for a subpoena

Proof-of-work identity with no phone number, email, or KYC, plus sealed sender so the network does not learn who messages whom

Your IP and the routing of your traffic should be hidden from a network observer or a fake tower nearby

Traffic routed over Tor by default, with a mixnet adding cover traffic and fixed-size padding

The legal & regulatory reality

RVNT makes no legal-compliance claims and is not a substitute for legal advice. It holds no certifications and offers no HIPAA/BAA or similar coverage — there is no company that can. Laws on compelled device unlock vary sharply by country and even by US court: a memorized PIN currently enjoys stronger Fifth Amendment protection than a fingerprint or face scan in much of the US, but this is unsettled and changing, and the calculus is entirely different at a border or outside the US. Destroying data that is subject to a preservation order or active investigation can itself be a crime in some jurisdictions. Know your local law and talk to a movement lawyer or legal-observer program (for example, the National Lawyers Guild) before you rely on any of these features. RVNT is a tool, not a legal shield.

Where RVNT is the wrong tool

RVNT is pre-release software and has NOT undergone an independent third-party security audit. Do not bet your liberty or safety on it. The code is open source and we welcome audits, but until one is published, treat every claim here as unverified by outside experts.
If your phone is compromised — stalkerware, a state implant, a malicious profile, or any malware — RVNT cannot protect you. The attacker reads the screen and keystrokes before encryption ever happens. Endpoint compromise defeats every messenger, including this one.
RVNT does not defeat physical coercion. A duress PIN helps you comply convincingly, but a determined adversary may notice an empty or staged vault, and 'rubber-hose' pressure can extract a real PIN. Software cannot solve a threat to your body.
For a high-risk protest, the safest move is the one EFF recommends: leave your primary phone at home or carry a minimal burner. RVNT is the WRONG tool if you are treating an installed app as a reason to bring a data-rich device into a situation where it can be seized — no app makes that safe.

Frequently asked questions

Will RVNT stop police from unlocking my phone if I'm arrested at a protest?

Not by itself. RVNT keeps your data behind a PIN that is the encryption key (no stored key, no recovery), which in much of the US is treated as protected knowledge rather than a compellable biometric — so following EFF's advice to turn off Face/Touch unlock before a protest matters. If you are forced to unlock anyway, the duress PIN can trigger a wipe and show a decoy or empty state. But none of this overrides physical coercion or a court order, and the law differs by jurisdiction. Pair it with a movement lawyer's guidance.

Does RVNT protect me from a cell-site simulator (Stingray) at a demonstration?

Partially, and only for your RVNT traffic. RVNT routes over Tor by default and uses sealed sender, so a fake tower or network observer learns far less about who you message and what you send. But a cell-site simulator operates at the radio layer — it can still detect that your phone is present and log its identifiers regardless of which app you use. RVNT cannot change that. EFF's guidance still applies: disable 2G (Android) or enable Lockdown Mode (iPhone), and for the highest risk, leave the phone at home or use a burner in airplane mode.

If I trigger the panic wipe, can the data be recovered by a forensic lab?

The wipe destroys the encryption keys and the SQLCipher database, and on supported hardware it invalidates keys in the Secure Enclave so the ciphertext becomes undecryptable noise. On SSDs, no software wipe is 100 percent against chip-off forensics — fragments can survive in flash. RVNT's defense is that those fragments are encrypted and the key is gone. That makes recovery impractical, not provably impossible, and it is irreversible — there is no undo.

RVNT is a post-quantum, peer-to-peer, end-to-end-encrypted messenger with no phone number and no servers — open source, and honest about being early.

Get RVNT All use cases