Use case
Privacy tools for crossing borders with your devices
For travelers facing device searches and compelled unlocks at borders, RVNT pairs on-device coercion defenses — a duress decoy PIN and cryptographic panic wipe — with an architecture that keeps nothing on a server to subpoena. But the single thing that actually protects you at a checkpoint is data minimization: the only data that can't be compelled off your phone is data that isn't on it.
The threat model
- Border officer conducting a device search. At a port of entry, agents can inspect, copy, and in some cases forensically image your phone — a 'basic' manual scroll-through or an 'advanced' extraction with tools like Cellebrite or GrayKey. In the US this happens under the border-search exception to the Fourth Amendment, often with no warrant and no individualized suspicion.
- Compelled unlock at customs. You can be pressured, detained, or ordered to enter your passcode. US citizens cannot be denied entry for refusing, but a refusal can mean device seizure and delay; visa holders and visitors can be denied entry entirely. Biometrics (Face ID / fingerprint) are especially exposed — several courts have held they are non-testimonial and can be compelled, unlike a memorized passcode.
- Forensic extraction of a seized device. If your phone leaves your sight, assume an extraction tool tried to copy everything reachable, including data you believed was deleted. A powered-on, already-unlocked device is the worst case; a device powered fully off since boot is the hardest target.
- Cross-border legal and intelligence sharing. Data copied at one border can be retained, shared between agencies, and correlated later. What looks like a routine inspection can feed a longer record. This is an argument for carrying as little as possible, not for trusting any single app to win the search.
- Coercion beyond the booth. In some crossings the threat is not a polite officer but physical pressure to reveal a PIN. No software defeats a wrench; the realistic mitigation is a duress credential that complies-while-destroying, plus having nothing incriminating to reveal in the first place.
Why mainstream apps fall short
- Mainstream apps store your history somewhere you don't control. Cloud backups (iCloud, Google Drive, app-side server copies) mean a border search isn't limited to the phone in your hand — and a subpoena to the provider reaches what the device search misses. RVNT keeps message content and your contact list off any server entirely; there is nothing for us to hand over.
- Account identity ties you to a real-world identifier. Phone-number or email-based accounts (Signal, WhatsApp, Telegram) link your messaging to a SIM, a number, or an inbox an officer can ask about or cross-reference. RVNT identity is a locally generated keypair claimed by proof-of-work — no phone number, no email, no KYC.
- Most apps have no answer for compelled unlock. Once you're forced to open the app, end-to-end encryption has already done its job and stops helping — the messages are plaintext on the screen. Few mainstream apps offer a duress credential that produces a believable decoy instead of your real data.
- No first-class data-minimization story. Reducing what's on the device before a crossing is the highest-leverage move, and most apps make it awkward to surgically remove cached media and history. RVNT lets you clear local media and conversations and encrypt off-loaded files before deleting them.
How RVNT maps to those needs
The legal & regulatory reality
RVNT makes no legal or compliance claims. It is not a substitute for legal advice, and we are not lawyers — your rights at a border depend heavily on your citizenship, the specific jurisdiction, and your circumstances, and they change over time. Be aware that duress and panic features carry their own legal risk: in some jurisdictions intentionally destroying or concealing data when a search is imminent could be construed as obstruction, and a sophisticated examiner may recognize a decoy. RVNT holds no certifications (no SOC 2, no HIPAA/BAA, no government accreditation) and there is no warrant canary guarantee beyond what we publish. Know the law for the border you are crossing before you rely on any of this, and consult a lawyer or a press-freedom/civil-liberties organization for your situation.
Frequently asked questions
If a border officer makes me unlock my phone, does RVNT keep my messages safe?
Not by itself — no app does. Once you're compelled to open the device, end-to-end encryption has already done its job and stops protecting you, because the messages are plaintext on the screen. RVNT's relevant tools are the [duress PIN](/glossary/duress-pin), which opens a decoy vault while destroying your real data, and [panic wipe](/glossary/panic-wipe). But the genuinely reliable defense is minimization: don't carry the data in the first place. See our field guide, [Crossing a Border With Your Phone](/blog/crossing-a-border-with-your-phone).
Can a border agency subpoena RVNT for my chat history?
There is nothing to hand over. RVNT is peer-to-peer with [sealed sender](/glossary/sealed-sender): message content, your contact list, and the record of who you talk to never touch a server. Your history lives only on your device and your contacts' devices. That doesn't protect the physical phone in front of an officer — which is why this page is mostly about reducing what's on it — but it does narrow the attack surface to the device itself.
Should I use Face ID / fingerprint unlock when traveling?
Generally no. EFF advises not relying on biometrics at a border, and several US courts have treated compelling a fingerprint or face as non-testimonial — meaning it can be forced, unlike a memorized passcode, which receives stronger protection. For a crossing, use a strong PIN or passphrase, and [power the device fully off](/docs/panic-mode) before you reach the booth so keys aren't loaded in memory.
RVNT is a post-quantum, peer-to-peer, end-to-end-encrypted messenger with no phone number and no servers — open source, and honest about being early.