Table of Contents
There is a number assigned to your Windows PC that you almost certainly do not know about. It was generated the moment you linked your device to a Microsoft account. It has been quietly reported back to Microsoft ever since — through software updates, through connected services, through the ordinary daily operation of your computer. It is stored in your registry. It cannot be disabled without breaking core Windows functionality. And until last week, most people had never heard of it.
It is called a Global Device Identifier, or GDID. And the reason the world now knows it exists is that the FBI used one to track a hacker across VPN connections, proxy servers, and four countries over eight months — and the federal court filing that documented how they did it became public record.
Microsoft confirmed the identifier is real. What they did not do is explain why no one was ever told about it.
A Hacker, a Heist, and a Hidden Fingerprint
The story starts with a breach. In May 2025, a luxury jewelry retailer in the United States was hit by a ransomware attack that ended with an $8 million ransom demand. The perpetrators were allegedly members of Scattered Spider, a cybercriminal group that has become one of the most closely watched threat actors in recent years — responsible for attacks on MGM Resorts, Caesars Entertainment, and dozens of other high-profile targets.
The suspect identified in the July 2026 federal complaint is Peter Stokes, a 19-year-old. The complaint describes in methodical detail how investigators built their case — and one of the tools they relied on was the GDID assigned to Stokes’ Windows device: g:6755467234350028.
Here is where it gets interesting for anyone who thought a VPN was sufficient protection. Stokes allegedly used VPNs, proxy servers, and moved across multiple countries during the period investigators were tracking him. None of it mattered. Microsoft’s records showed that the Windows device carrying that specific GDID had connected to ngrok’s sign-up page at the exact timestamp the ngrok account used in the attack was created. The same GDID appeared in records tied to logins on victim retailer websites, social media accounts, and other services — building a timeline of activity that prosecutors could place in front of a jury.
A VPN changes your IP address. It does not change your GDID. That is the point.
What GDID Actually Is
Until this court filing surfaced, GDID existed in a single obscure sentence buried in Azure Monitor documentation, describing it as “an identifier used by Microsoft internally.” That was the extent of the public disclosure.
Here is what it actually does.
When you install Windows and sign in with a Microsoft account, a chain of Windows services generates a persistent device-level identifier. The wlidsvc service — Windows Live ID Service — requests what is called a Device PUID from login.live.com. The Connected Devices Platform then registers this in Microsoft’s Device Directory Service. The Delivery Optimization component, which handles Windows Update peer sharing, reports it back to Microsoft during update activity. The resulting identifier is stored in the Windows registry under:
HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties
It takes the form of a lowercase “g” followed by a long decimal number — hence g:6755467234350028.
The identifier persists across Windows updates. It survives driver reinstalls. It survives most “reset” operations that feel like starting fresh but preserve your Microsoft account link. It only resets on a full clean reinstall — though even then, your old GDID does not disappear from Microsoft’s servers. It just gets joined by a new one.
The thing that makes GDID different from the cookies and tracking pixels we have all grudgingly accepted as the cost of using the internet is that it operates at the operating system level, below the browser, below the VPN, below any application-layer privacy tool. You cannot block it with an ad blocker. You cannot rotate it with a privacy extension. It is baked into the plumbing of how Windows communicates with Microsoft’s infrastructure.
The Part Nobody Can Explain
The FBI using a persistent device identifier to catch someone who allegedly helped extort millions of dollars from a retailer is not, in itself, the story. Law enforcement has always used whatever technical evidence is available. Phone records, IP logs, login timestamps — this is standard investigative practice, and most people would have no objection to it in the context of a criminal prosecution.
The story is everything else.
Microsoft has known about GDID for years. The identifier is not a new feature introduced in Windows 11 — it has roots in the Windows Live infrastructure that dates back to the Windows 8 era. For all that time, Microsoft chose not to document it publicly, not to surface it in privacy settings, not to offer any opt-out mechanism, and not to publish any transparency reporting about how often GDID data is shared with law enforcement or other third parties.
You were never asked. You were never told. And you cannot turn it off.
Security researcher Matthew Hickey put it plainly in response to the revelations: “Microsoft Windows is surveillance software.” That characterization is deliberately provocative, but the technical facts do not leave much room to argue with it. When your operating system maintains a persistent identifier that it reports to its developer’s servers, that developer can correlate your device’s activity across any service that logs connections, hand that correlation to law enforcement without your knowledge, and there is no mechanism — not a setting, not a policy, not a privacy dashboard — through which you can stop it.
There is no known opt-out. There is no known transparency report that covers GDID disclosures. There is no public policy from Microsoft describing under what circumstances GDID data is shared, with whom, or with what legal threshold. A privacy researcher posting under the alias IT Guy on X summarized the gap: Microsoft has “no public policy on when it shares GDID data, no known opt-out mechanism, and no transparency reports covering GDID disclosures.”
Compare that to Apple’s App Tracking Transparency framework, which at least presents users with a consent dialog before apps can track them across services. Or Android’s resettable advertising identifier, which users can delete from settings. Neither of those systems is beyond criticism, but they represent at least a nominal acknowledgment that the user has some right to know what is happening on their device and why.
Windows offers no equivalent for GDID. Technically, you could theoretically reduce GDID’s reach by signing out of your Microsoft account and minimizing connected services — but doing so breaks Windows activation, Microsoft Store access, and a growing list of features that Microsoft has been steadily integrating with account sign-in across successive Windows releases. The practical ability to use Windows while opting out of GDID reporting is effectively zero for most users.
The Broader Pattern
GDID did not appear in a vacuum. It is one component in a larger architecture of telemetry that Microsoft has been expanding steadily for over a decade, and which has accelerated significantly with Windows 11.
Windows 11 ships with a raft of built-in data collection features: diagnostic telemetry sent to Microsoft by default across all editions, activity history synced to the cloud, advertising identifiers tied to your Microsoft account, personalized recommendations based on usage patterns, and Recall — the AI-powered feature that takes continuous screenshots of everything on your screen and stores them for search. Each of these was introduced with varying degrees of disclosure. Recall, at least, generated enough backlash that Microsoft made it opt-in. The others are defaults that most users never change because most users never know they exist.
GDID belongs in that same category. The difference is that GDID is more fundamental than any individual feature — it is the persistent anchor that ties all of the above to a single, identifiable device. Strip away every other telemetry feature and GDID remains, ticking away in the background, ready to be correlated with whatever records Microsoft holds.
The question that nobody at Microsoft has answered is a simple one: why was this never disclosed? GDID is not a secret ingredient in an anti-piracy system that only works if bad actors do not know about it. It is a device management identifier. Documenting it in privacy settings and offering users transparency about how it is used would not undermine its legitimate functions. The only reason to keep it undocumented is that full disclosure would generate the kind of questions that are now being asked anyway.
What This Means for You
The Stokes case is being reported primarily as a cybercrime story, and in that framing GDID looks like a useful law enforcement tool that helped catch a bad actor. That framing is not wrong — but it is incomplete.
The question is not whether GDID was used appropriately in one specific federal investigation. The question is what else it could be used for, by whom, under what legal standard, and without your knowledge.
Law enforcement in authoritarian states compels technology companies to hand over user data as a matter of routine. American legal processes for obtaining records from tech companies — National Security Letters, FISA orders, and similar instruments — can come with gag orders that prohibit the company from ever telling the user their records were requested. Microsoft, like every American technology company operating under US law, is subject to all of these mechanisms.
Your GDID exists in Microsoft’s systems. You cannot delete it. You cannot audit what Microsoft has done with it. You cannot know whether it has been shared with anyone. And Microsoft has not told you any of this, because — as the single obscure Azure Monitor sentence reveals — they barely acknowledged it existed.
Proton, whose privacy research team analyzed the GDID revelations, framed the fundamental issue clearly: “You are never asked to agree to the GDID on your device, and there is no easy way to remove it.” The question of who owns the hardware you purchased is not rhetorical. If a persistent identifier on your device reports to a corporation’s servers without your meaningful consent and cannot be disabled without degrading the device’s core functionality, the practical answer to that ownership question is complicated.
The Linux Footnote
The community reaction to the GDID revelations has been predictable in some quarters and thoughtful in others. On social media, the response that appeared most often was a variation of: “Glad a cybercriminal got caught, but this is another good reason to switch to Linux.”
That reaction is easy to dismiss as ideologically motivated. It is also technically correct.
GNU/Linux distributions do not ship with an equivalent to GDID. They do not maintain a persistent device identifier that is reported to a central server and correlated with your activity. The kernel is public — anyone can inspect exactly what it does. The distributions most commonly used on desktop systems ship with privacy-respecting defaults that require no obscure technical documentation to understand.
This does not mean Linux is without trade-offs. The hardware compatibility issues, the learning curve, the occasional driver headache — none of that has disappeared. But the GDID story illustrates something that abstract privacy arguments rarely communicate as effectively: the cost of using a proprietary operating system is not only the license fee. It is also the data. And the data collection, as this case makes clear, can happen in ways that are entirely invisible to the user, for purposes the user has never consented to.
The community reaction to GDID is not just about catching one hacker. It is about what it means to use software that treats your device as an endpoint in someone else’s data collection infrastructure — and only reveals that fact when a federal court filing makes it unavoidable to ignore.
The Disclosure That Never Came
Microsoft confirmed GDID exists. That confirmation came because a court filing made denial impossible, not because Microsoft decided users deserved to know.
There is a version of this story where GDID is documented clearly in Windows privacy settings, where Microsoft publishes an annual transparency report covering law enforcement requests for GDID data broken down by jurisdiction and legal authority, where users can generate a new GDID if they choose to, and where the whole system operates with the kind of informed consent that the EU’s GDPR has been trying to establish as a baseline for a decade.
That version does not exist. Instead, the disclosure came from prosecutors in a federal criminal case, filtered through a tech news article, landing in front of millions of Windows users who are only now learning that their operating system has been assigning them a permanent tracking number they cannot opt out of.
The Stokes case will proceed through the courts. GDID will continue doing exactly what it has always done. And most Windows users will close this tab, open a Microsoft Edge window with a GDID quietly ticking in the background, and move on with their day — without a single notification, a single consent dialog, or a single meaningful choice about any of it.
That is the system working as designed. Whether that design is acceptable is the question nobody at Microsoft seems eager to answer.
Sources: ghacks.net · The Register · Proton VPN Blog · Windows Latest