
Using a VPN is one of the most common pieces of privacy advice out there. Hide your IP address, encrypt your traffic, and you’re reasonably well protected. That logic held up right until a 19-year-old suspected member of the Scattered Spider hacking group got arrested, and the reason he got caught had nothing to do with his VPN failing.
Peter Stokes was extradited from Finland to the United States this week and accused of hacking a luxury jewelry retailer. According to court documents, he did use a VPN. The problem was something buried deep inside his operating system, something he almost certainly had no idea existed.
His laptop was running Windows. And Windows was quietly reporting home.
What is a Global Device Identifier, and why does it matter?
As reported by Proton VPN, the FBI’s criminal complaint reveals that Microsoft has a system called the Global Device Identifier, or GDID. It is described as a “device-level identifier designed to uniquely identify an installation of a Windows operating system on a device.”
In plain terms, every Windows installation gets a unique ID that Microsoft ties to that specific device. This ID is used to collect telemetry, meaning usage data that gets sent back to Microsoft’s servers over time.
A few details make this especially significant:
- The GDID is linked to a history of IP addresses that the device has connected from.
- Reinstalling Windows creates a new GDID, but the old one stays in Microsoft’s records and can still be used to identify the device.
- Users are never asked to consent to the GDID, and there is no straightforward way to remove it.
- Microsoft’s entire public documentation mentions “GlobalDeviceId” exactly once, in an obscure technical document most people will never read.
When the FBI came knocking with a subpoena, Microsoft handed over the records.
How investigators connected the device to a person
Knowing the GDID alone was not enough to make an arrest. But it gave investigators something very useful: a timeline of IP addresses that Stokes’ device had used over time.
From there, the FBI cross-referenced those IP addresses against logins to accounts they already knew belonged to Stokes. That included accounts with:
- Apple
- Snapchat
- Growtopia, an online game
When the same IP addresses showed up in both the GDID history and Stokes’ personal account logins, the connection was made. One of those IP addresses traced back to a New York hotel. Investigators say the hotel’s interior matches the background visible in a Snapchat photo showing Stokes covering his face with a handful of $100 bills. That detail is unlikely to help his defense.
The case worked as intended, but the questions remain
To be clear, this is a case where law enforcement followed legal channels. Stokes faces serious charges including conspiracy, cyber intrusion, and fraud offenses connected to over $100 million in ransom payments across more than 100 corporate breaches since 2022. The FBI obtained court orders and subpoenas. Nobody broke the rules.
But the GDID still raises uncomfortable questions that have nothing to do with criminals. The core issue is consent. You buy a laptop, install Windows, and a persistent unique identifier is created on your device that tracks your IP history and can be handed to third parties without you ever being told it exists. There is no opt-out screen. There is no checkbox during setup. It simply happens.
And Windows is not alone. macOS, Android, and iOS all have similar mechanisms that can uniquely identify devices back to their manufacturers. The uncomfortable reality is that most people simply accept this as part of using modern technology.
What you can actually do about it
For most people, there is no easy fix here. A VPN protects your traffic from your internet provider and hides your IP from websites. It does not stop your operating system from reporting your activity back to the company that made it.
The only practical way to sidestep this entirely is to use an open source operating system like Linux, where the code is publicly audited and no corporation controls what data is collected. That is not a realistic option for everyone, but it is the only approach that actually addresses the problem at the source.
For everyone else, this case is a useful reminder that the device in your hands is not entirely yours. You own the hardware, but the software on it may be working for someone else too.