A newly unsealed federal complaint has thrown a spotlight on a hidden Windows identifier that law enforcement used to link a suspect’s online activity — conducted over multiple countries and through VPN services — back to a single physical device. The document alleges that Microsoft’s Global Device Identifier (GDID), a persistent tag embedded in Windows, allowed authorities to connect the dots in an investigation, even when the user attempted to mask their location and identity.
The Stokes Case: How a Persistent ID Pierced the VPN Veil
According to court documents, federal investigators tracked Peter Stokes by leveraging records from Microsoft that tied his online acts to a unique device identifier. The GDID is a string of characters generated during Windows setup, based on a combination of hardware components and an initial secret. It stays with the device through updates, network changes, and even some reinstalls. In Stokes’ case, the complaint states that this identifier surfaced repeatedly — in activity originating from Estonia, the United States, and other locations — each time unmistakably belonging to the same computer.
Crucially, Stokes had been using a VPN service. A VPN typically hides a user’s IP address, making it appear as though traffic comes from the VPN server’s location. But the GDID was transmitted in telemetry data that Windows sends home to Microsoft, completely independent of the VPN tunnel. When authorities obtained that telemetry, they could match the identifier across sessions and networks, effectively nullifying the VPN’s privacy shield. The complaint marks one of the clearest public examples of how Windows’ own inner workings can be turned into a tracking mechanism.
Microsoft has not publicly commented on the specifics of the Stokes case, but the company’s privacy framework allows the collection of device identifiers for “product activation, licensing, and diagnostic purposes.” It also complies with lawful requests for data from law enforcement, a fact that has drawn renewed attention in the wake of this filing.
What This Means For You: The Persistent Digital Fingerprint
At its core, this case is a warning for anyone who uses a Windows computer and assumes a VPN alone will keep their activity anonymous. Here’s what different users need to understand.
Home and personal users: Your Windows PC quietly carries a label that can link everything you do online — across browsers, apps, and even different Wi-Fi networks — back to that specific machine. If you sign in with a Microsoft account, the GDID is further associated with your email, OneDrive, and Microsoft 365 usage. Even with a local account, the identifier is still generated and embedded in the diagnostic data Windows transmits. When you combine this with location data from IP addresses (which the VPN obscures) and usage timestamps, a detailed profile emerges. Law enforcement or other parties who obtain these records can reconstruct much of your digital life.
Power users and privacy advocates: Tools like VPNs, Tor, and private search engines are not enough if the operating system itself is an identity leaker. The GDID is part of the “basic” or “required” diagnostic data that Windows sends by default; it isn’t something you can simply switch off in the Settings app. Moreover, because the identifier is derived from hardware, techniques like MAC address randomization don’t help. The identifier may even survive a clean Windows reinstall if the core components (motherboard, CPU, storage serial numbers) remain the same.
IT administrators and enterprise: In managed environments, you can restrict diagnostic data to the “Security” level or turn it off entirely via Group Policy, but this may disrupt Windows Update, activation, and certain enterprise features. Microsoft’s documentation acknowledges that device IDs are still present in the data they classify as “required for the security of Windows.” This raises compliance questions for organizations bound by privacy regulations like GDPR or CCPA. If Microsoft stores and potentially shares these identifiers with third parties (including under legal order), it could clash with data minimization principles.
How We Got Here: The Road to a Trackable Windows
Windows hasn’t always had such a granular, persistent fingerprint. Starting with Windows 10 in 2015, Microsoft dramatically increased the amount of telemetry collected. The operating system was given a unique “advertising ID” (for apps) and a “device ID” that fed into the Windows Diagnostic Data Hub. Microsoft’s own documentation spells out that the device ID is used “to understand the install base of Windows” and to “provide and improve Microsoft products.”
Over time, privacy watchdogs sounded alarms. In 2017, the Dutch Data Protection Authority found that Windows 10 violated local law by processing personal data without proper consent. Microsoft made adjustments, introducing clearer diagnostic level choices — “Basic” and “Full” (later renamed “Required” and “Optional”). But the device ID remained in both tiers. Independent researchers like those at the Austrian privacy group noyb have demonstrated that even a bare-bones, freshly installed Windows machine sends identifiers to dozens of Microsoft endpoints long before the user ever opens a browser.
Parallel to Microsoft’s data practices, Apple has marketed its ecosystem as more privacy-centric, introducing features like iCloud Private Relay to hide IP addresses and requiring apps to justify the collection of device identifiers. Google’s ChromeOS also transmits telemetry, but its identifier can be rotated more easily. Linux distributions generally do not include such persistent hardware-bound IDs. For Windows, though, the GDID has become an inescapable part of the package — and, as the Stokes case shows, one with real-world consequences.
What To Do Now: Reducing Your Exposure
Achieving complete device anonymity on Windows is arguably impossible without sacrificing core functionality, but you can take concrete steps to minimize what your PC broadcasts.
-
Set diagnostics to the minimum
Open Settings > Privacy & security > Diagnostics & feedback. Change “Optional diagnostic data” to “Required diagnostic data.” This won’t eliminate the device ID, but it reduces the volume of telemetry transmitted. -
Use a local account
Avoid linking your Windows profile to a Microsoft account. A local account decouples your online identity from the GDID from Microsoft’s cloud perspective, even though the device fingerprint remains. -
Block telemetry at the network level
Third-party utilities like O&O ShutUp10, WPD, or Pi‑hole can suppress telemetry traffic by disabling Windows services or blocking known endpoints. Be aware that these tools require ongoing maintenance and can occasionally interfere with Windows Update or Microsoft Store access. -
Consider a non‑Windows environment for sensitive work
For tasks that demand strong anonymity, boot a live Linux distribution such as Tails, or use a dedicated device running Qubes OS. Neither approach relies on persistent hardware identifiers by default. -
Review your Microsoft privacy dashboard
Visit account.microsoft.com/privacy to see what activity is already tied to your device and account, and delete it where possible. -
Understand the legal landscape
In the U.S. and many jurisdictions, law enforcement can obtain telemetry records with a subpoena or warrant. There is no practical way to prevent Microsoft from complying. If you are engaged in advocacy, journalism, or other sensitive work, treat a Windows device as a non‑anonymous platform by default.
Outlook: Will This Case Force a Reckoning?
The unsealing of the Stokes complaint arrives at a moment when regulators worldwide are scrutinizing big tech’s data collection habits. The European Union’s Digital Services Act and the ePrivacy Regulation could pressure Microsoft to offer a truly anonymous “guest” mode on Windows, or at least to let users reset their device identifier without breaking the OS. In the U.S., the Federal Trade Commission is reviewing data security practices across the industry; a high‑profile operational identifier being used to track someone despite privacy tools could invite fresh hearings.
Microsoft may also feel public-relations heat to clarify how many such identifiers it holds, how long they are retained, and how often they are delivered to authorities. A transparency report focused on telemetry requests would be a meaningful first step. Meanwhile, privacy-minded developers will continue to look for ways to spoof or block the GDID — an arms race that has played out in the telemetry-blocking tool community for years.
For Windows users, the Stokes case is a stark reminder: while a VPN protects one layer of your digital trail, the operating system may be writing another one in a permanent marker. The question is whether users will be given the tools to erase that mark.