Microsoft Can Track Users via a Windows Device ID

Scope of Microsoft Tracking and GDID

  • Commenters infer that Microsoft can correlate a Windows “GDID” with IP, timestamps, and at least domains, and possibly full URLs visited.
  • Criminal complaint (linked in thread) is cited as evidence Microsoft logs URLs, IPs, and GDID as “telemetry.”
  • Some participants stress that this effectively destroys privacy for Windows users, since activity can be retroactively tied to a specific device.

How the Data Is Collected (Unclear Mechanism)

  • Multiple theories:
    • Edge + Microsoft Defender SmartScreen sending visited URLs/domains for phishing/malware checks, tied to GDID and possibly Microsoft accounts.
    • Windows telemetry bundling page titles, navigation transitions, and clicked links into diagnostic events (slides from a security talk are referenced).
    • Licensing-related logs or other Windows services (Update, Defender, MAPS).
  • Others argue it’s unlikely Microsoft logs all web requests at OS level, or that this would have gone unnoticed.
  • Exact technical path from browsing action to GDID correlation is repeatedly described as unclear and missing from the article.

Browser and App Role

  • Several commenters believe this primarily implicates Edge with default privacy/telemetry settings.
  • Some note Chrome and other browsers also have options to send URLs to vendors (e.g., for “safe browsing”), but no hard evidence in this thread that non-Microsoft browsers feed into GDID-based tracking.

Comparisons to Other Platforms and Identifiers

  • Many note that persistent device IDs exist on Linux (systemd machine-id, D-Bus UUIDs), BSDs (hw.uuid, hostid), Android, etc.
  • Key distinction raised: local machine IDs vs. vendor-operated infrastructure correlating those IDs with network activity.
  • Mitigations mentioned: rotating or randomizing machine-id, sandboxing (e.g., bubblewrap, firejail), avoiding certain browsers.

Legal, Privacy, and Policy Reactions

  • Debate over GDPR: some say a random ID is not personal data; others counter that if it can single out a user or be linked to an account, it is.
  • Many see this as confirmation that big tech does not meaningfully respect privacy and that cooperation with law enforcement on such telemetry is routine.
  • Strong advocacy for moving away from Windows (toward Linux, BSD, Apple, privacy-focused tools) and skepticism of VPN marketing given non-IP tracking capabilities.