Skip to content
Tech News
← Back to articles

Microsoft Can Track Users via a Windows Device ID

read original more articles

The arrest of a teenage hacker has revealed that Microsoft can track a Windows PC and its online activity through a “Global Device ID" that seems to have no easy opt-out, sparking fears about potential surveillance.

Last week, the US announced it had extradited 19-year-old Peter Stokes from Europe for allegedly being a member of the notorious hacking group Scattered Spider. But the case stands out because Microsoft played a key role in linking Stokes to the suspected hacking crimes, according to an unsealed criminal complaint.

(Credit: DOJ)

Stokes allegedly hacked an unnamed luxury jewelry retailer in May 2025 while using a VPN. The 39-page criminal complaint shows the FBI used Microsoft records to discover that his IP address was associated with a Microsoft device identifier known as Global Device ID (GDID).

You May Also Like

“According to a Microsoft representative, a Global Device Identifier in the Windows ecosystem is a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device (e.g., a mobile phone or laptop) or virtual machine, across certain Microsoft services and scenarios," the complaint explains.

The global device ID isn’t exactly surprising, given that it's standard practice to assign a unique ID to each account or device so a tech provider can recognize and distinguish between them. But the complaint reveals Microsoft can associate the GDID with third-party services and the timing as well, giving Redmond a way to theoretically track a user’s online activity. In other words, Redmond might be able to track the online activity of your Windows PC without third-party browser cookies.

(Credit: DOJ)

Stokes was discovered exploiting a web development tool called ngrok to bypass the jewelry retailer's network defenses. The complaint says Microsoft had records showing that on May 12, 2025, at 19:21 UTC, the GDID associated with Stokes’ computer “accessed, among other ngrok pages, 'https://dashboard[.]ngrok.com/signup,' the ngrok page to set up an ngrok account.”

The document adds that Microsoft records also showed the GDID accessing “multiple sites” from servers at Tzulo, a web hosting provider, to help pull off the hack.

... continue reading