News: 0184344290

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Microsoft Can Track Users Via a Windows Device ID (pcmag.com)

(Tuesday July 07, 2026 @05:00PM (BeauHD) from the privacy-red-flags dept.)


A criminal complaint against alleged Scattered Spider member Peter Stokes revealed that Microsoft [1]can associate Windows activity with a persistent "Global Device ID ," which investigators used to link his PC to online activity connected to a hack. While unique device IDs are common, the case has raised privacy concerns because the identifier can apparently persist across updates, has no simple opt-out, and may allow Microsoft to connect a Windows installation to activity on third-party services. PCMag reports:

> Last week, the U.S. announced it had [2]extradited 19-year-old Peter Stokes from Europe for allegedly being a member of the notorious hacking group Scattered Spider. But the case stands out because Microsoft played a key role in linking Stokes to the suspected hacking crimes, according to an unsealed criminal complaint. Stokes allegedly hacked an unnamed luxury jewelry retailer in May 2025 while using a VPN. The [3]39-page criminal complaint shows the FBI used Microsoft records to discover that his IP address was associated with a Microsoft device identifier known as Global Device ID (GDID).

>

> "According to a Microsoft representative, a Global Device Identifier in the Windows ecosystem is a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device (e.g., a mobile phone or laptop) or virtual machine, across certain Microsoft services and scenarios," the complaint explains. The global device ID isn't exactly surprising, given that it's standard practice to assign a unique ID to each account or device so a tech provider can recognize and distinguish between them. But the complaint reveals Microsoft can associate the GDID with third-party services and the timing as well, giving Redmond a way to theoretically track a user's online activity. In other words, Redmond might be able to track the online activity of your Windows PC without third-party browser cookies.

>

> Stokes was discovered exploiting a web development tool called ngrok to bypass the jewelry retailer's network defenses. The complaint says Microsoft had records showing that on May 12, 2025, at 19:21 UTC, the GDID associated with Stokes' computer "accessed, among other ngrok pages, 'https://dashboard[.]ngrok.com/signup,' the ngrok page to set up an ngrok account." The document adds that Microsoft records also showed the GDID accessing "multiple sites" from servers at Tzulo, a web hosting provider, to help pull off the hack. Hence, the fact that federal investigators used the Microsoft identifier to nab a suspected hacker is raising concerns that it could be abused for other surveillance purposes. "Microsoft Windows is surveillance software," cybersecurity expert Matthew Hickey alleged in [4]a tweet .



[1] https://www.pcmag.com/news/a-hackers-arrest-reveals-microsoft-can-track-users-via-a-windows-device

[2] https://www.justice.gov/opa/pr/alleged-member-criminal-cyber-hacking-group-scattered-spider-arrested-finland-and-extradited

[3] https://www.justice.gov/usao-ndil/media/1450651/dl?inline

[4] https://x.com/hackerfantastic/status/2073840052187123931



A hacker using Windows? (Score:2)

by courteaudotbiz ( 1191083 )

From a "notorious hacker group"... Sorry, I can't raise my eyebrow this high.

Shocking, you can't trust Microsoft? (Score:4, Funny)

by Murdoch5 ( 1563847 )

Of course, Microsoft is creating trackable GUIDs, and linking those to online account and online activity. Why would anyone think that Microsoft would act in a decent, respectful, reasonable, security, privacy, and digital liberty respecting manner? We already knew these existed, if you go into Intune or the MDE portal, you can see the information about computers in your control / organization's control. The only reason to collect data, is to misuse and abuse data, so why would a company with the track record of Epstein for respecting users, not abuse them like it's a contest?

Device ID (Score:2)

by evanh ( 627108 )

to me means a peripheral controller like USB, SATA, PCIe, SSD, Monitor, GPU, mouse, printer. Certainly not all the hardware combined. I'd call what they're talking about an Installation or OS ID.

Of course, no big surprise that M$ behaviour is on the dark side. That's always been their nature. Their products should always be avoided.

Well Duh? (Score:3)

by oldgraybeard ( 2939809 )

Why would this be surprising? They know if is or has been registered right?

Registration is de-facto optional. (Score:2)

by couchslug ( 175151 )

MSFT self-evidently prefers free market chumming to locking down registration thus driving away legitimate users.

That makes sense as exemplified by early Windows and Office 97 which killed off competition by the choice not to seriously control activation.

Now that Windows pwns the market Redmond had to change hardware requirements to coerce users away from Windows 10 which for the vast majority of users needed no major changes. No need to make registration onerous when the goal is data mining and sales are

Re: (Score:2)

by tlhIngan ( 30335 )

> Why would this be surprising? They know if is or has been registered right?

Exactly - how else would Microsoft be doing it? I would say this started in the Windows XP era where they tied your Windows activation key to the hardware IDs. Change your CPU and you might have to re-activate Windows. Or change your motherboard. Or change your network card.

Microsoft always hashed your hardware IDs to form a unique hardware ID they used to tie to your activation key. If you tried to install Windows XP on multiple PCs

Linux has IDs as well. (Score:2)

by xack ( 5304745 )

Such as GUID partitions, if they want to track you on Linux, they will. If getting away with crime was as simple as installing Linux then Linux would have 99% market share.

Re: (Score:2)

by hwstar ( 35834 )

Yes, but at least the source code is available which makes it easier to sandbox off this information from a web browser.

Re: (Score:3)

by DarkOx ( 621550 )

Right there are plenty of ways to uniquely identify modern PCs. For good or ill most of us have hardware that is serialized in electronically readable way, as well as other things like GUID partitions, UUID for dbus, etc. In those latter cases on an open platform they are documented and I *CAN* change them, with reasonable assurance the former values are not easily recoverable. In the former cases I can inspect the open platform and understand what might send hardware identifiers outside the system, or I

Re:Linux has IDs as well. (Score:4, Informative)

by unrtst ( 777550 )

> Such as GUID partitions, if they want to track you on Linux, they will.

HAHAHAHHAAHHAH AHAHAH WTF ARE YOU TALKING ABOUT!?!?!

The correlation of Windows Device ID to site URLs visited at a specific time seems to be the key. Visited URL's (the website) do NOT get the Device ID in the traffic. That ID + IP + time would need logged somewhere for this.

AFAICT, Microsoft retains a log that includes the users IP address (apparent and real?), Device ID, and time. This may be normal windows check ins/telemetry stuff. I don't get the impression they are recording all URL's the machine had visited, but I don't know they're not.

The websites have logs of users apparent IP, the URL they visited, and time.

The IP + time can be cross referenced to then correlate traffic with the Windows Device ID.

Going back to your far fetched claim... something would need to be logging a GUID from your Linux install and your current IP address (and your apparent IP address) and the time. That's not happening. Furthermore, why the hell would a filesystem GUID be used for that purpose?!?

PS: Apparent IP refers to the IP that other hosts on the internet see as your source IP when you make outbound connections, as opposed to the IP address that is bound to your network adapter. IE: think NAT.

Re: (Score:2)

by allo ( 1728082 )

Common Linux distributions do not send your unique IDs to their creators. If they did, they won't need a GUID partition table, but could just put a secret file somewhere the agencies can find it when they search through your files. The question is, if something sends such an ID to thirdparties, who can track you using this ID.

Maybe Microsft knew something that we didn't (Score:5, Insightful)

by hwstar ( 35834 )

Assigning unique id's to devices connected to the Internet would be welcomed by open arms by the government. The government would then be able to track every computer just like Flock is doing with roadside ALPR's.

Also, age verification becomes a whole lot easier with per-device ID's,

Although linking a person to a specific device would still be something the government would have to prove in court, they could use other methods to prove that a specific person was using a computer at a specific time.

Per device ID's would have a chilling effect on free speech online.

Let's hope this doesn't get shoved down the throats of Linux users.

Re: (Score:2)

by Himmy32 ( 650060 )

Also remember that the OS doesn't have to be involved to generate a [1]fingerprint for tracking. [eff.org]

[1] https://coveryourtracks.eff.org/

Re: (Score:3)

by kutnut ( 228570 )

The EFF test fails with Linux Mint, Waterfox, uBlock and scripting off. So be careful what you allow on your system. There are certainly other methods to obtain fingerprints, but not by the above link.

What's In Your Wallet? (Score:2)

by SlashbotAgent ( 6477336 )

Never mind. I'll just ask Microsoft. They know. And they've got the receipts to prove it.

Re: (Score:2)

by hwstar ( 35834 )

More like: What's in your computer?

"Microsoft Windows is surveillance software" (Score:2)

by RitchCraft ( 6454710 )

Well no shit Sherlock.

Legal Windows needs a registration key. (Score:2)

by Fly Swatter ( 30498 )

which is unique to the install/owner/system board, we also know they track various things, and no one really believes this to 'anonymized'. Why is anyone here acting surprised?

Most hardware has a serial number, even your USB mouse. Main components might hide this by firmware option, but not that mouse.

Re: (Score:2)

by Dragonslicer ( 991472 )

> Why is anyone here acting surprised?

Who here is acting surprised?

Fingerprinting (Score:4, Interesting)

by Archangel Michael ( 180766 )

Its called fingerprinting, and it has been going on a very long time, using techniques that go back decades. This just makes it more persistent and spans attempts to obfuscate fingerprinting in easier ways.

If you want to avoid this, work from a non-persistent VM that is created and destroyed every online session, using no identifiable information (no-logins ever).

Security isn't convenient.

unclear on the mechanism, but there are steps... (Score:3)

by PhantomHarlock ( 189617 )

I'm unclear on the exact mechanism for how the device ID was extracted by a website. Is this something available as a piece of data a site can request via edge?

Is this part of telemetry data sent back to microsoft if you leave all that enabled, at the windows level?

Use a privacy-safe brower with blocking plugins (ublock origin) and completely disable all telemetry to microsoft using O&OShutUp and WinHance to turn off every single reporting mechanism that goes back to Microsoft. And use the shell access on the first windows config screen to create a local account only. Do all of this before ever connecting the machine to the internet.

Not surprising at all (Score:2)

by TwistedGreen ( 80055 )

They probably got the idea from Skype

[1]https://it.slashdot.org/story/... [slashdot.org]

Or even earlier, for Intel's processor serial number way back in 1999

[2]https://news.ycombinator.com/i... [ycombinator.com]

[1] https://it.slashdot.org/story/07/02/07/0146245/why-does-skype-read-the-bios

[2] https://news.ycombinator.com/item?id=10106870

You've been here since Slashdot was good. (Score:2)

by couchslug ( 175151 )

I e-genuflect to thy digits.

The warnings then were of course unheeded by the public.

How is the ID accessed? (Score:2)

by whoever57 ( 658626 )

Not explained here, how is this information accessed remotely? Does Edge (or any other browser) send it in a header? Is there Javascript on some websites that makes the target send it?

Re:How is the ID accessed? (Score:4, Interesting)

by Anonymous Cward ( 10374574 )

Every URL is sent to Microsoft with Optional/Full telemetry enabled when you don't use InPrivate Browsing and that includes your GDID. You can observe this in the Diagnostic Data Viewer, and as it's full URLs (not just domains) Microsoft knows every little search query too. Even if you scale back to security-only telemetry, Microsoft still receives full URLs (not just domains) not via diagnostic telemetry data but instead via Microsoft SmartScreen, and AFAIK that still includes a unique device identifier, with the legitimate reasoning being for their Intelligence Graph to identify malicious endpoints between sessions.

Likewise, all the telemetry related to the running of programs is queued and uploaded with Optional/Full even if no crashes occur, as well as diagnostic logs relating to software installs/updates, so Microsoft can see what devices have been running, when and for how long. All of that can be correlated once law enforcement is involved because they can subpoena third-parties to nab access logs which allow for the use of statistical analysis to reidentify the user.

All of this is legit, but the problem is that Microsoft abused our trust by violating their own Privacy Policy, since they claim not to identify people, but clearly did in this case.

Re: (Score:2)

by whoever57 ( 658626 )

> Every URL is sent to Microsoft with Optional/Full telemetry enabled when you don't use InPrivate Browsing and that includes your GDID.

OK, so what is on the ngrok site that triggers this?

Re: (Score:2)

by whoever57 ( 658626 )

And, what about alternative browsers? Do they send this also?

Internet privacy is a contradiction in terms. (Score:3)

by couchslug ( 175151 )

Internet privacy is a contradiction in terms.

Do nothing on the web you'd greatly mind the world knowing.

Trust nothing and no one to be other than self-serving.

Have the least practical info on every networked device. If it's not airgapped it may as well be posted to 4chan.

Title Correction: (Score:2)

by Sebby ( 238625 )

> Microsoft Can Track Users Via a Windows Device ID

"Privacy Rapist Can Track Users Via a Windows Device ID"

There FTFY.

Since sandybridge its been worse (Score:4, Interesting)

by AcidFnTonic ( 791034 )

Since sandybridge its been worse. This was all mostly scrubbed off the net but let me share this. When Sandybridge was released Intel had slides they showed the public and hosted on their site that said this was the first processor with 3G connectivity (before we had 4g/5g/etc). This was sold as "a way to disable a cpu that has been stolen". Immediately it stunk. Who would you call to do this? Intel?

This was around the same time Microsoft was trying to rollout Palladium which was their new DRM at the time everyone knew was going to turn into what today is.

Then the 3G stuff all was silently not brought up again and scrubbed from past pages. If you look hard enough you can go find mentions of this on your own. Similar to the old Microsoft Telemetry pages that mentioned "employees could remotely access your computer even if off to download relevant files relating to a support request generated by Telemetry."

Then that was all scrubbed too.

You people are fools for not actually archiving anything.

phpinfo (Score:3)

by kyoko21 ( 198413 )

I don't know what kind of website he had visited but back in the day I'd used phpinfo as a simple "helloworld" app to test my nginx/php installs and the amount of information it'd dump out from literally doing nothing is astronomical. Granted, at the same time, you could override various browser/host settings if you had the right browser and you could confuse the heck out whatever server/daemon was running on the other side especially if it was trying to do some matching/filtering of the information it got from browser agent. The road goes both ways.

The NSA was using the Google session id (Score:2)

by allo ( 1728082 )

These days they can't just sniff it from traffic but need to actually ask Google for it. Or maybe they have Google's TLS keys, who knows.

MS Owns Your Computer (Score:2)

by markdavis ( 642305 )

"You will own nothing and be happy"

Or you can install Linux and potentially be a hell of a lot happier/safer/free.

Maybe it's time to break that.
-- Larry Wall in <199710311718.JAA19082@wall.org>