In a case that exposes the depth of data Windows quietly collects, Microsoft handed the FBI a detailed log of every IP address linked to a single Windows device—using its unique Global Device Identifier (GDID)—enabling agents to tie a 19-year-old suspect to the notorious Scattered Spider hacking group, according to a criminal complaint unsealed this week.
The suspect, Peter Stokes of Florida, faces charges of identity theft, wire fraud, and hacking. Prosecutors allege he is a member of Scattered Spider, a cybercriminal crew known for sophisticated SIM‑swapping attacks and high‑profile breaches at companies like Twilio and Okta. The complaint reveals that the FBI subpoenaed Microsoft for IP‑address history associated with a GDID found on a device used to access compromised accounts. Microsoft complied, turning over months of IP addresses and timestamps that helped place the device at Stokes’s residence and other locations he frequented—even when he switched networks or used a VPN.
What is a Windows Global Device Identifier?
The Global Device Identifier, commonly known as the advertising ID in Windows, is a string of numbers and letters that uniquely identifies a Windows device. Introduced with Windows 10, it functions like a permanent cookie for your PC. Apps request it to serve targeted ads, but Microsoft also uses it internally for telemetry, diagnostics, and to link device activity across sessions. Unlike browser cookies, which users can easily clear, the GDID persists indefinitely unless reset manually or through an OS reinstall.
Crucially, the GDID creates a consistent profile of a device’s network connections. Every time the device contacts Microsoft’s servers for updates, service checks, or telemetry, the GDID is included. This allows Microsoft to maintain a log of IP addresses associated with that specific device over time—exactly the kind of data the FBI requested. The identifier does not reveal your name on its own, but when combined with other data (like a Microsoft account sign‑in, location services, or ISP records), it can paint a detailed picture of a user’s movements and online behavior.
What the FBI subpoena shows
According to the court documents, the FBI initially tracked a GDID to a device that had logged into a series of compromised online accounts tied to Scattered Spider. With a legal order, agents obtained the IP‑address history Microsoft had linked to that identifier. The data spanned several months and included dozens of IPs, revealing not only the suspect’s home internet address but also connections from coffee shops, libraries, and other locations where Stokes was known to spend time. Analysts correlated those timestamps with physical surveillance, further solidifying the case.
This use of the GDID has rung alarm bells for privacy advocates. Even when a suspect uses a VPN to mask their IP, Microsoft’s logs can tie activity back to the same device identifier. A VPN changes the IP that websites see, but it does not prevent Windows from reporting the real IP—and the GDID—to Microsoft’s own services. For consumers who believed a VPN alone would make them anonymous, the case is a stark wake‑up call.
What this means for everyday Windows users
The average person might wonder: if Microsoft can hand over my IP history to law enforcement, should I be worried? The answer depends on your threat model. If you are not breaking the law, you might not immediately fear a subpoena. However, the broader privacy implication is that Microsoft retains a timeline of your device’s network connections, which law enforcement (or, potentially, hackers in the event of a data breach) can access. The GDID essentially turns your PC into a long‑term tracking device, and you agreed to it when you accepted Windows’ licensing terms and set up the operating system with default settings.
For those who use Windows with a Microsoft account, the linkage is even stronger. Your sign‑in ties the GDID to your identity, email, and cloud activity. Microsoft’s privacy statement notes that the company may disclose personal data “if we believe it is necessary to comply with legal process or to protect the rights, property, or safety of Microsoft, our customers, or the public.” The Stokes case makes it clear that IP logs are considered such data.
How we got here: a short history of Windows telemetry
The controversy over Windows telemetry has smoldered since Microsoft rolled out Windows 10 in 2015. At launch, the operating system collected vast amounts of diagnostic data, including application usage, browsing history via Microsoft Edge, and network connection details. Critics argued that the “Basic” telemetry setting still sent too much information home. European regulators investigated and fined Microsoft for insufficient privacy controls. Over time, Microsoft added more transparency and controls, and Windows 11 tightened some defaults, but the core telemetry infrastructure—and the advertising ID—remained.
The GDID itself has evolved. Originally positioned purely as an advertising tool, it became clear that it doubles as a device fingerprinting mechanism. Microsoft’s own documentation states that the identifier is used “to provide a more personalized experience.” But the company doesn’t explicitly detail how long IP‑address histories are retained or how often they are pulled for law enforcement requests. Microsoft’s latest transparency reports indicate it receives thousands of legal demands each year, the majority of which involve some form of content data.
Scattered Spider itself, the group at the center of this case, has been a top target for the FBI. Known for targeting young hackers and using advanced social engineering, the group breached numerous tech giants and telecommunications companies. Their method often involved calling IT support desks and convincing them to reset employee credentials. The FBI’s ability to track a GDID back to a physical person represents a significant investigative leap, but it also highlights the depth of data resident inside Windows.
What you can do now to limit GDID tracking
If you want to minimize the trail your Windows device leaves, here are practical steps.
1. Turn off the advertising ID
Go to Settings > Privacy & security > General. Toggle off “Let apps use my advertising ID for experiences across apps.” This doesn’t delete the ID, but it tells apps not to use it and may reduce ad tracking. To fully reset the GDID, click “Reset your advertising ID” under the same menu (Windows generates a new one immediately).
2. Set diagnostic data to Basic
In Settings > Privacy & security > Diagnostics & feedback, switch to “Send optional diagnostic data” to “Off” (or “Required diagnostic data” on some versions). This reduces the telemetry that accompanies the GDID, though some core data still flows.
3. Use a local account
A Microsoft account ties all your activity to your identity. Use a local account instead—this severs the direct link between your GDID and your real‑world profile. You can create one during Windows installation or switch in Settings.
4. Harden network privacy
While a VPN won’t hide your IP from Microsoft’s services that use the GDID, you can block known telemetry servers at the network level using a firewall or a Pi‑hole. However, this requires advanced configuration and can break services like Windows Update.
5. Consider enterprise‑grade controls
Group Policy and registry tweaks can disable telemetry more thoroughly on Windows Pro, Enterprise, or Education editions. For example:
- Set group policy Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry to 0 – Security (Enterprise only).
- Use tools like O&O ShutUp10++ or W10Privacy to apply dozens of privacy tweaks at once.
6. Recognize the limits
Even with all these measures, Windows still phones home with some data—especially on Home editions. If your threat model requires absolute privacy, a different operating system may be warranted. For most, however, the above steps will substantially reduce the GDID’s tracking footprint.
Outlook: what to watch next
The Stokes case is likely to reignite debates over Windows telemetry and user privacy. Expect fresh scrutiny from regulators, especially in the European Union, where the GDPR requires explicit consent for many forms of data processing. Microsoft might face questions about the length of time it retains IP‑address logs and whether users are adequately informed. Meanwhile, the cybersecurity community will watch whether this technique becomes a routine tool for law enforcement—and whether hackers themselves start exploiting it for counter‑surveillance.
For Windows users, the lesson is clear: your device leaves a longer digital trail than you might assume, and it’s not just websites that can track you. The operating system itself is a silent witness. Taking control of your GDID and telemetry settings is a prudent step toward reclaiming some of that privacy.