Identifying Hackers with Windows GDID: The Reality of Telemetry Tracking
Windows GDID was used as evidence for the first time in the arrest of a Scattered Spider member. We analyze the technical details and privacy concerns of telemetry-based individual tracking.
A New Chapter in the Scattered Spider Case
In July 2026, 19-year-old Estonian Peter Stokes was extradited to the United States. Stokes, a member of the hacking group Scattered Spider, is accused of engaging in digital crimes. What drew widespread attention in this case was the use of Windows’ built-in telemetry function as decisive evidence to identify the suspect.
According to a report by Tom’s Hardware, the FBI issued a subpoena to Microsoft, requesting telemetry logs collected from Stokes’ Windows machine. These logs included the GDID (Global Device Identifier) and URLs of websites he visited on his Windows device.
How Telemetry Data Works
GDID is a unique identifier assigned to devices by Windows’ telemetry system. Microsoft uses this identifier to collect information about OS performance and error reporting. While the existence of GDID has long been known, this marks the first public instance where law enforcement has used it as evidence in a criminal investigation.
Windows telemetry operates in multiple modes. In the Required (basic) mode, only minimal data is sent. However, in the Optional (full) mode, lists of URLs analyzed by SmartScreen or Microsoft Defender are uploaded along with the GDID. If the Edge browser is used, all visited URLs may potentially be transmitted. Court documents have not clarified the specific mechanism through which telemetry data from Stokes’ machine was sent.
FBI Investigation Techniques and Process
Using the GDID, the FBI identified Stokes’ ngrok account. During the same session where he used ngrok, Stokes also accessed his Facebook and Snapchat accounts. Investigators were able to cross-reference the GDID obtained from telemetry data with access logs from these services.
Google and Apple also cooperated in the investigation. Google identified the phone number used for phishing, as well as the IP address and date when Stokes created his account. Apple is believed to have provided login information for his accounts.
While traveling in Thailand, Stokes played Ubisoft’s game Growtopia and accessed his Apple ID, Facebook, and Snapchat accounts. These activities were recorded via telemetry. Additionally, travel records, a New York IP address, and stay details at the Empire Hotel were linked to him.
The Longstanding Debate on Privacy
Since its release, Windows telemetry data collection has faced intense criticism from privacy advocates. A major issue is that telemetry is enabled by default in Windows Home and Professional editions, leaving users without an easy way to disable it completely.
Microsoft argues that telemetry data is essential for debugging and system management. While it is critical for diagnosing issues in enterprise environments, general users remain uncertain about the extent to which their activities are being tracked.
In Required mode, URLs are reportedly not sent. However, Optional mode transmits detailed data, including browsing history. Many users unknowingly use default settings without understanding these distinctions.
Renewed Analysis by Security Researchers
The Scattered Spider case has reignited interest among security researchers in understanding the workings of GDID. Analysts are delving into how GDIDs are generated and the scope of data associated with them.
One key area of focus is the extent to which telemetry data can be leveraged by investigative agencies. While the FBI adhered to proper legal procedures by issuing a subpoena to Microsoft, this case highlights a pathway for government agencies to access private telemetry data.
Editorial Opinion
In the short term, this case may lead to increased scrutiny of Windows telemetry monitoring. Privacy-conscious users are likely to explore ways to disable telemetry. Microsoft may face pressure to revise its default settings and adopt more transparent data collection policies. Particularly in the Japanese market, where privacy regulations are becoming stricter, the impact on global companies cannot be ignored.
In the long term, the debate over the use of OS telemetry in criminal investigations is set to intensify. While such data collection contributes to antivirus measures and system stability, it also carries the risk of being exploited as a surveillance tool by governments. Over the next one to three years, discussions around the legal framework and user consent for telemetry are expected to gain momentum. There is potential for the development of international standards under frameworks such as GDPR or Japan’s Personal Information Protection Law to determine the acceptable scope of OS-level telemetry.
As a point of inquiry, the editorial team raises the question of how to balance surveillance for crime prevention with the protection of general users’ privacy.
References
- Tom’s Hardware: “Arrest and extradition of Scattered Spider hacker shines light on how Windows telemetry GDIDs can identify and track users” (2026-07-08) https://www.tomshardware.com/tech-industry/cyber-security/arrest-and-extradition-of-scattered-spider-hacker-shines-light-on-how-windows-telemetry-gdids-can-identify-users-microsoft-device-identifier-is-just-one-digital-fingerprint-in-a-software-world-rife-with-them
Comments