In the very last scene of The Bourne Supremacy, Jason Bourne calls the CIA from what they presume is a public phone. Landy, who answers the call, instructs her team to trace it. Bourne says he wants to come in and asks for someone specific to meet with him. Landy stalls for time while her team tries to triangulate his exact location, so she asks how she can find the person he's referring to. That's when Bourne drops his famous line: "It's easy. She's standing right next to you." revealing that he's right in their vicinity. He hangs up seconds before the team could have located him.
That's one badass ending. (֊⎚-⎚)
It's not the only film where the protagonist, or antagonist, is clever enough to know exactly when to hang up before being pinpointed. There seems to be this universal piece of software that all law enforcement agencies use to triangulate calls in movies. It's some application built in the '90s, operating at modem speed, that just needs a little more time. A countdown clock. Tense music. Cut to black.
What is that software actually doing? "Triangulate" implies three points, maybe three cell towers sending a ping and measuring the response time from each, then using the difference to calculate distance. Computers, even old ones, are very good at math. So why would that take a full minute?
Well, mostly it doesn't. That's fiction.
The moment your phone connects to a cell tower, it generates a Call Detail Record (CDR). This record includes who you're calling (the network needs to know in order to route the call), how long the call lasts, and which specific tower and sector handled it. Location data is captured and stored automatically from the instant the call begins. In other words, the moment Jason Bourne hits send, he's already been logged.
When you connect to a single tower, location accuracy can still be within several hundred meters. But phones typically connect to multiple towers simultaneously, and triangulation narrows that down to tens of meters. If you're calling from a payphone, there's no triangulation needed at all. The address of each payphone is already on record.
The one advantage the protagonist realistically has is that CDR data isn't usually available in real time. Law enforcement needs to contact the telecom provider, obtain a court order, and wade through all the bureaucracy that entails. If there's a clock ticking, it should be for the number of days it takes to gather that data. Not how long the triangulation software takes to calculate.
The moment you accessed this page, you left a trail. Your device asked your Internet Service Provider (ISP) to connect you to my website. That request generated a log ,the digital equivalent of a CDR, recording that your IP address requested a connection to mine. When your ISP routed you to my server, it handed over your IP address so I'd know where to send the data back. From that IP address alone, I can make a rough guess at your location, usually accurate to your city or region.
Your ISP, however, knows exactly where you are. They assigned you that IP address and are actively providing your connection.
This is where HTTPS comes in. You've probably noticed the padlock icon in your browser. When you connect to a website over HTTPS, the content of your communication is encrypted in transit. Your ISP (or anyone listening on the network) can see that you connected to, say idiallo.com, but they cannot read what you sent or received. The data looks like noise to them.
The main distinction is that HTTPS hides the content, not the connection. Your ISP still sees the domain you visited. They still have a timestamp. They still have your IP address. The metadata is fully visible, even if the message itself is not.
Using HTTPS wasn't something most people worried about until 2013, when Edward Snowden's leaked documents revealed that the NSA had been running programs like PRISM that compelled major technology companies to hand over user data. They tapped directly into the fiber-optic cables connecting Google and Yahoo's data centers.
At those interception points, traffic that hadn't yet been encrypted internally was flowing in the open. The NSA could read emails, messages, and files, not by breaking encryption, but by scooping up data before encryption was ever applied. Or by accessing it at a point where it had already been decrypted. The content was exposed.
You can partially obscure your activity from your ISP by using a VPN. A VPN tunnels your traffic through a third-party server, so your ISP sees only that you connected to the VPN, not where you went from there. But now the VPN provider holds that information instead. You haven't entirely eliminated the trail, you've relocated it. One way or another, when you use any electronic means of communication, you leave breadcrumbs. The connection is always recorded somewhere.
That's why end-to-end encryption (E2EE) is important. Unlike HTTPS, which encrypts data in transit but means the server itself can read your messages, with end-to-end encryption only the sender and recipient can read the content. The service provider in the middle never holds the keys.
In practice, when you send a message through an E2EE app like Signal, your device encrypts the message using your recipient's public key before it ever leaves your phone. The encrypted message travels through Signal's servers, but Signal cannot read it, because they don't have the private key needed to decrypt it. Only your recipient's device holds that key. Even if Signal were compelled by a government order to hand over your messages, all they could produce is scrambled data that's meaningless without the key.
This is a meaningful protection. But it doesn't change the underlying reality: Signal still knows that your device contacted another device, at what time, and how often. The content is hidden. The connection is not.
We cannot make communication invisible. We can only make it unreadable.
In the realistic world, the only thing keeping Jason Bourne two steps ahead of law enforcement, is the bureaucracy and legal delays involved to retrieve CDR data. It's not his cleverness, not the speed of triangulating software, it's not technology.
Did you like this article? You can buy me a coffee.
Share your insightful comments here.
Comments
There are no comments added yet.
Let's hear your thoughts