If you use Windows, you’re probably(jendela baru) at least(jendela baru) vaguely aware(jendela baru) that your laptop is spying(jendela baru) on you. This week, we received a concrete reminder of just how invasive(jendela baru) to privacy(jendela baru) Microsoft’s ubiquitous operating system really is.
An alleged member of the notorious criminal hacking group Scattered Spider(jendela baru), 19-year-old Peter Stokes was extradited from Finland to the United States and accused of hacking “Company F, a luxury-jewelry retailer”.
What makes the case interesting, however, is how he was caught.
Windows as spyware
According to the FBI’s criminal complaint(jendela baru), Stokes used a VPN to hide his online activity. This is widely considered a sensible option, as a VPN hides your real IP address from websites you visit and your online activity from your ISP. But he made a fatal rookie mistake: he used Windows.
Authorities identified Stokes using Microsoft records that tied his computer to suspicious use of ngrok, a web development tunneling tool that was used to “circumvent Company F network defenses and enable persistent unauthorized access to the Company F data center”.
Microsoft was able to identify Stokes’ computer thanks to its Global Device Identifier (GDID), a “device-level identifier designed to uniquely identify an installation of a Windows operating system on a device”.
In other words, every installation of Windows has a GDID that Microsoft can use to identify a device (including virtual devices), and to collect telemetry(jendela baru). Reinstalling Windows creates a new GDID for that device, but doesn’t erase the old one from Microsoft’s systems, so it can still be used to identify a device.
Microsoft then handed this information to third parties.
How the FBI used the information Microsoft provided
This evidence alone wasn’t enough to pin the crime on Stokes, but knowing the GDID gave the FBI a history of IP addresses that his device had accessed over time. To prove those IPs belonged to Peter Stokes specifically, they cross-referenced this IP history against logins to accounts known to be his, including Apple, Snapchat, Facebook, and his Growtopia game login.
Connecting the GDID to accounts known to belong to Stokes helped prove the GDID used to hack the jeweler belonged to a device owned by Stokes.
That one of the IP addresses identified in this way belonged to a New York hotel that investigators say matches the interior visible in a Snapchat selfie showing Stokes covering his face with a wad of $100 bills is unlikely to help his case.

What does this mean for the rest of us?
The first thing to stress is that, in this case, the system worked as intended.
Stokes faces charges including conspiracy, cyber intrusion, and fraud offenses tied to over $100 million in ransom payments across more than 100 corporate intrusions since 2022. The FBI’s use of Microsoft data falls within legal frameworks requiring court orders and subpoenas.
But the GDID raises important questions about user consent and who actually owns the hardware you pay for. You are never asked to agree to the GDID on your device, and there is no easy way to remove it. Even completely re-installing Windows is only a partial solution.
In all of Microsoft’s extensive online documentation, GlobalDeviceId merits a single mention buried(jendela baru) in a highly obscure technical document that no-one is ever likely to read.
It is true, however, that all other major commercial operating systems, such macOS, Android, and iOS, can also almost certainly uniquely identify devices to their manufactures. The unfortunate thing is that most us simply accept this situation.
For those who don’t, the only practical way to avoid this is to use open source operating systems, such as Linux.






