In what should be a surprise to absolutely nobody, Microsoft assigns a persistent identifier to every Windows installation, tying it to its user, and the company has no issues handing it over to law enforcement. Abhijith M B at windows Latest dove into the details, and it’s just as bad as you would expect.
Am I glad Stokes got caught? Yes, without hesitation. Thirty-five pages of a teenager bragging about diamond chains spelling out “HACK THE PLANET” while extorting a jewelry store don’t leave much room for sympathy, whatever role Microsoft’s telemetry played in building the case.
But that doesn’t make the GDID okay. Every company selling you software has some version of this, and a persistent device identity is a reasonable thing to build into activation and fraud systems. What gets me is that most people had never come across the term GDID before a federal court filing such as this. Microsoft wrote one sentence about it in an Azure Monitor reference table meant for enterprise IT admins pulling update reports, not for the 1.6 billion or so regular people whose PCs are generating this data.
You might be tech savvy enough to turn off Activity History, pick a local account, and strip out every scrap of optional telemetry, but none of it changes the fact that the identifier exists, and that it answers to your Microsoft Account instead of you. Microsoft only told the public about it once a court forced the issue.
↫ Abhijith M B at windows Latest
The thing is, even without this GDID, I can’t imagine Microsoft would have much trouble tying a Windows installation to a specific user. Consequently, I’m afraid the following is going to happen: this story gains even more traction, Microsoft removes the GDID, and everyone thinks the problem is resolved. Of course, in reality, any one of the hundreds of other metrics and data Microsoft collects can and will still be used in the exact same way as this GDID thing in this case.
If my experiences with Windows 11 weren’t clear enough – don’t use Windows. Just don’t.
