Microsoft Can Track Users via a Windows Device ID

Windows users are freaking out after Microsoft’s hidden PC tag helped bust a hacker

TLDR: A criminal case revealed Microsoft can link a Windows computer to web activity through a persistent device tag, helping police identify a suspect. Commenters swung from outrage to dark humor, with many saying this feels less like security and more like built-in surveillance.

This story landed like a horror movie for privacy-conscious Windows fans: a court filing says Microsoft used a persistent device tag, called a Global Device ID, to help investigators connect a teenage hacking suspect to activity on specific websites, even though he was allegedly using a virtual private network, or VPN, to hide. That alone was enough to send commenters straight into full tinfoil-hat mode — and honestly, many weren’t even surprised. One summed up the mood with a shrug-worthy “my surprise level is... zero,” while another boiled it down to a brutal accusation: “Microsoft Windows is surveillance software” is basically the vibe now.

The hottest reactions weren’t subtle. People speculated that Windows may be quietly reporting what sites your computer visits, tying that activity back to a unique machine-level tag. Others pointed to Microsoft’s built-in security tools, with one especially juicy comment noting that Defender’s cloud protection system used to be called SpyNet — which sounds like a parody, but is very real and instantly became the thread’s favorite villain origin story. And then came the comedy: amid all the panic, one commenter couldn’t get over the idea that a supposed hacker was using Windows in the first place. The broader debate got even messier when users asked the uncomfortable follow-up: if Microsoft can do this, are Apple and others doing something similar too? For many in the crowd, the grim punchline was simple: if you want to disappear, you may have to ditch mainstream systems altogether.

Key Points

  • An unsealed criminal complaint says Microsoft records tied a Windows Global Device ID to activity relevant to a hacking investigation involving Peter Stokes.
  • The complaint describes the Global Device ID as a persistent identifier for a Windows installation across certain Microsoft services and scenarios.
  • Investigators allegedly used GDID-linked records to connect the suspect’s device to visits to ngrok pages, including an account signup page, on May 12, 2025.
  • The complaint also says the same GDID accessed multiple sites from servers at Tzulo in connection with the alleged hack of an unnamed luxury jewelry retailer.
  • According to the complaint, a GDID persists across Windows updates but changes after a Windows reinstall, meaning one Microsoft user can have multiple GDIDs.

Hottest takes

"My surprise level is at approximately... zero." — zelphirkalt
"Fun fact, Microsoft Defender MAPS was previously named SpyNet." — midtake
"Truly terrifying. But also shocking that a 'hacker' is using windows" — egamirorrim
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.