Microsoft Can Track Users via a Windows Device ID
Scope of Microsoft Tracking and GDID
- Commenters infer that Microsoft can correlate a Windows “GDID” with IP, timestamps, and at least domains, and possibly full URLs visited.
- Criminal complaint (linked in thread) is cited as evidence Microsoft logs URLs, IPs, and GDID as “telemetry.”
- Some participants stress that this effectively destroys privacy for Windows users, since activity can be retroactively tied to a specific device.
How the Data Is Collected (Unclear Mechanism)
- Multiple theories:
- Edge + Microsoft Defender SmartScreen sending visited URLs/domains for phishing/malware checks, tied to GDID and possibly Microsoft accounts.
- Windows telemetry bundling page titles, navigation transitions, and clicked links into diagnostic events (slides from a security talk are referenced).
- Licensing-related logs or other Windows services (Update, Defender, MAPS).
- Others argue it’s unlikely Microsoft logs all web requests at OS level, or that this would have gone unnoticed.
- Exact technical path from browsing action to GDID correlation is repeatedly described as unclear and missing from the article.
Browser and App Role
- Several commenters believe this primarily implicates Edge with default privacy/telemetry settings.
- Some note Chrome and other browsers also have options to send URLs to vendors (e.g., for “safe browsing”), but no hard evidence in this thread that non-Microsoft browsers feed into GDID-based tracking.
Comparisons to Other Platforms and Identifiers
- Many note that persistent device IDs exist on Linux (systemd
machine-id, D-Bus UUIDs), BSDs (hw.uuid, hostid), Android, etc. - Key distinction raised: local machine IDs vs. vendor-operated infrastructure correlating those IDs with network activity.
- Mitigations mentioned: rotating or randomizing machine-id, sandboxing (e.g., bubblewrap, firejail), avoiding certain browsers.
Legal, Privacy, and Policy Reactions
- Debate over GDPR: some say a random ID is not personal data; others counter that if it can single out a user or be linked to an account, it is.
- Many see this as confirmation that big tech does not meaningfully respect privacy and that cooperation with law enforcement on such telemetry is routine.
- Strong advocacy for moving away from Windows (toward Linux, BSD, Apple, privacy-focused tools) and skepticism of VPN marketing given non-IP tracking capabilities.