Peter Stokes allegedly used VPNs, ngrok tunnels, and rotating IPs across Estonia, New York, and Thailand to cover his tracks during a luxury retailer breach. None of it mattered. The FBI subpoenaed Microsoft’s telemetry and found a single 64-bit string — g:6755467234350028 — that followed his Windows install everywhere, according to PCMag’s reporting on the DOJ complaint. That identifier is called a Global Device Identifier. It exists on his machine the same way it exists on yours. Most of Windows’ 1.6 billion users had never heard of it before court documents named it, raising fresh concerns about secretly tracking users at the OS level.
What GDID Actually Does – And Why There’s No Off Switch
Court records show GDID persists across Microsoft services with no user-facing controls.
The DOJ complaint describes GDID as “a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device.” It survives OS updates but resets on a full reinstall. Reinstall and sign back into the same Microsoft Account, though, and activation records plus OneDrive sync can reasonably re-link you, according to privacy community analysis via PrivacyGuides.
Disabling GDID isn’t an option. The activation scripting community Massgrave concluded, via Cybernews, that removing it breaks Windows activation and UWP apps entirely. Before this case surfaced it publicly, Microsoft had documented GDID in exactly one obscure Azure Monitor schema reference — not in any consumer-facing privacy material.
There is no toggle. Not even a buried one.
You can’t remove the fingerprint, but you can reduce what gets tied to it:
- Use a local account. Skip the Microsoft Account login during setup. Signing into an MSA enriches the identity graph connecting GDID to OneDrive, Outlook, Xbox, and more.
- Minimize diagnostic telemetry. Go to Settings > Privacy & security > Diagnostics & feedback. Set data collection to minimum and disable “Send optional diagnostic data.”
- Cut Activity history and swap your browser. Turn off Activity history under Privacy & security — Phone Link and cloud clipboard stop working, but cross-device timeline logging drops with them. For sensitive browsing, skip Edge; community analyses suggest it feeds URL-level data into Microsoft logs linked to GDID. Firefox or a hardened Chromium build with no MSA login works better here.
- Reinstall carefully. A clean reinstall generates a new GDID, but only creates real separation if you avoid re-linking the same Microsoft Account on the same hardware. If you run into computer problems during this process, dedicated troubleshooting resources can help.
The VPN Problem Nobody Told You About
Relying on a VPN for privacy on Windows is like wearing a mask in a store that already scanned your fingerprint at the door.
VPNs hide your IP from destination sites. They do nothing to stop Microsoft from logging GDID-plus-IP-plus-URL combinations at the OS level. In the Stokes case, the same GDID appeared accessing his Apple, Facebook, and Snapchat accounts across multiple countries, correlating with travel photos he posted publicly — according to Tom’s Hardware and Cybernews reporting on the complaint.
Privacy researchers describe GDID as behaving “more like a covert tracking beacon than a typical advertising ID,” per PrivacyGuides forum discussion. For journalists, activists, or anyone with a serious threat model, the guidance from security researchers is pointed: don’t use Windows for sensitive work — especially given how a purpose-built surveillance app can compound these risks. Linux doesn’t run a closed, vendor-controlled device ID feeding a proprietary cloud telemetry graph.
Apple and Google at least expose user-facing resets for advertising identifiers. Windows offers nothing equivalent for GDID. For most people, that’s an uncomfortable reality to sit with. For anyone facing real risk, it may be reason enough to reconsider the platform entirely.




























