Use case

RVNT for journalists and their sources

For reporters and whistleblowers, the danger is rarely the message text — it's the metadata trail that links a source to a journalist, the subpoena that asks the journalist to hand it over, and the seized phone at a checkpoint.

The threat model

The metadata correlator: an investigator (corporate security, a state agency, or a plaintiff in a leak probe) who never needs to read a single message. They subpoena phone records, app server logs, and call-detail records to prove that a specific source and a specific reporter communicated — at which time, how often, around which document drop. As former NSA Director Michael Hayden put it, 'We kill people based on metadata.' Even Signal, which the server cannot read, lets a server operator observe that an account messaged a journalist's account at 3:47 PM.
The journalist's own legal process: a court order, grand-jury subpoena, or (in the US) a national security letter served not to the platform but to the reporter or their employer, compelling production of communications, contacts, or an unlocked device. The threat is that anything the journalist's app or provider retains can be compelled out of them later.
Device seizure at a border, raid, or arrest: a customs officer, police unit, or hostile authority who takes physical possession of the phone or laptop — locked or unlocked — and runs forensic extraction (e.g. Cellebrite/GrayKey-class tooling) to pull the source's name and the conversation history off the disk.
The source-side exposure: the whistleblower's employer or government running an internal leak hunt — examining badge logs, print logs, network DLP, and which insiders had access to the leaked material — then cross-referencing against any discoverable contact with the press. The source, not the journalist, is usually the one who gets prosecuted.
Network-position adversaries on a newsroom or hostile-country connection: an ISP, telecom, or in-country operator performing traffic analysis and timing correlation to flag that a device is talking to a known journalist or to an anonymity network at all.

Why mainstream apps fall short

Mainstream apps protect message content but leak the relationship. A phone-number-based messenger ties both parties to real-world identities (and to a SIM that a telecom can map), and its servers can observe — and be compelled to reveal — who contacted the journalist and when. For source protection, hiding the link matters more than hiding the words.
Account registration creates a paper trail. Phone-number or email signup, SMS verification, and app-store/push-token records all generate records that outlive the conversation and can be subpoenaed. A source who installs a 'secure' app may already have created the very record that burns them.
Provider-held data is subpoenable data. Anything a centralized service stores — contact graphs, timestamps, retained backups, push metadata — is a target for legal compulsion against the company, regardless of how good the encryption is. The only data that cannot be compelled is data that was never collected.
Seizure resilience is usually an afterthought. Most consumer messengers keep a readable local history and offer no plausible response to 'unlock this phone now.' Reporters crossing borders or working in hostile environments need on-device defenses, not just transport encryption.

How RVNT maps to those needs

Hide that a source ever contacted a specific reporter — the relationship, not just the words

Sealed sender: the sender's identity is encrypted inside the envelope, so relays and any compromised server see only an opaque blob and a truncated recipient hash, never who sent it

Defeat timing correlation between a source's device and a journalist's device on a monitored network

Mixnet batching plus continuous cover traffic and fixed-size padding break the 1:1 send/receive timing link (strongest in Maximum Privacy mode)

Proof-of-work identity: a local Ed25519 keypair claimed by computation — no phone number, no email, no SMS verification, no KYC

Make a journalist subpoena yield nothing about the source

No central server holds message content, contact graphs, or sender/recipient pairs — RVNT cannot produce what it never collected; this is architecture, not policy

Survive a device seizure at a border or raid without handing over the source list

Duress PIN opens a decoy vault while panic mode cryptographically destroys keys and the SQLCipher database; identity keys are invalidated at the hardware level on Apple Silicon

The legal & regulatory reality

RVNT makes no compliance or certification claims of any kind — there is no HIPAA, no Business Associate Agreement, no SOC 2, no shield-law guarantee, and using RVNT does not by itself satisfy any newsroom, legal, or regulatory obligation. What RVNT offers is architectural, not legal: because there is no central server holding message content, contact graphs, or sender/recipient pairs, a subpoena or court order served to RVNT cannot extract those things — RVNT cannot hand over what it never had. That protects against legal process aimed at the platform. It does not protect against legal process aimed at you or your source: a court can still order a journalist or a source to unlock a device or produce messages, and reporter's-privilege and source-shield protections vary enormously by jurisdiction and are not absolute. Treat the law, not the app, as your binding constraint, and consult a media lawyer for your specific situation.

Where RVNT is the wrong tool

RVNT is pre-release software and has NOT undergone an independent third-party security audit. Do not stake a source's safety or liberty on it. For a source whose life, freedom, or career is genuinely at risk, established and audited tools come first: Signal for real-time contact and SecureDrop for anonymous document submission, paired with professional operational-security guidance from the Freedom of the Press Foundation or EFF. RVNT is young; those tools have years of scrutiny and real-world deployment behind them.
RVNT cannot protect a compromised device. If a phone or laptop is infected with spyware or a state-grade implant (e.g. Pegasus-class tooling), the attacker reads messages off the screen before encryption ever happens — no messenger can stop that. The endpoint is the weakest link for both reporter and source.
Sealed sender hides the sender from the network and the server, not from the recipient. The journalist necessarily learns who the source is, and a malicious or compromised recipient — or their seized device — can expose the source. Mutual trust and the source's own device hygiene still matter.
The mixnet is a low-latency design and does not defeat a global passive adversary that can watch all internet traffic at once; over enough messages, such an adversary may still correlate. Relayed file transfers are capped at 256 MB (resumable relay is not yet shipped), and a relay should never be assumed to carry unlimited-size material.

Frequently asked questions

Should I use RVNT instead of Signal or SecureDrop to talk to a source?

Not for high-stakes source protection — not yet. RVNT is pre-release and unaudited. For a source whose safety or liberty is on the line, use Signal for direct contact and SecureDrop for anonymous, deniable document submission, and get operational-security guidance from the Freedom of the Press Foundation or EFF first. RVNT's design (sealed sender, proof-of-work identity with no phone number, no server-held contact graph) is built for exactly this problem, but it has not earned the trust those tools have. Consider it for lower-risk reporting or as a second channel, not as the thing a life depends on.

If a court subpoenas RVNT for my source's identity, what can they get?

From RVNT's infrastructure, effectively nothing useful: there is no central server storing message content, contact graphs, or sender/recipient pairs, and sealed sender means even a relay never learns who sent a message. RVNT cannot produce what it never collected. But that only covers process aimed at the platform — a court can still compel you or your source directly to unlock a device or produce messages, and reporter's-privilege protections vary by jurisdiction. The app reduces the platform's exposure; it does not override the law applied to a person.

What happens if my phone is seized at a border or in a raid?

RVNT's on-device defenses are built for this. A duress PIN opens a decoy vault that looks like a normal, low-stakes app while panic mode runs, and panic mode cryptographically destroys your keys and the encrypted SQLCipher database — on Apple Silicon the identity keys are invalidated at the hardware level, so the message history becomes unrecoverable rather than merely deleted. The honest limits: no software wipe is guaranteed against a forensic lab that desolders flash chips, a sophisticated examiner may recognize a decoy, and you cannot be protected if you are physically coerced into giving up the real PIN. Plan your border crossing assuming the device may be taken, not just hoping it won't be.

RVNT is a post-quantum, peer-to-peer, end-to-end-encrypted messenger with no phone number and no servers — open source, and honest about being early.

Get RVNT All use cases