Proton is calling Microsoft’s Global Device Identifier (GDID) “spyware,” arguing that the persistent, device-level identifier is assigned without user consent and cannot be removed.
The controversy follows a federal complaint where the Federal Bureau of Investigation (FBI) used a GDID to unmask an alleged Scattered Spider hacker despite his Virtual Private Network (VPN) use. Proton found only one mention of the identifier in Microsoft’s public documentation.
How the FBI used GDID to track a hacker
This whole situation involves 19-year-old Peter Stokes, a dual U.S.-Estonian citizen who was arrested in Finland and extradited to the U.S. to face charges connected to a May 2025 break-in at a luxury jewelry retailer.
According to the FBI affidavit, the attackers called up the retailer’s Information Technology (IT) help desk, acted like they were locked out employees, and managed to trick the staff into resetting passwords. They then used ngrok (a secure tunneling and reverse proxy service) so they could keep their network access alive.
Microsoft records showed that a specific GDID accessed ngrok’s signup page at the exact minute the attack account was created. A Microsoft representative described the GDID as a “persistent, device-level identifier designed to uniquely identify an installation” of Windows.
With that GDID in hand, the FBI was able to access the device’s full Internet Protocol (IP) history, which investigators then cross-checked against logins to Apple, Snapchat, Facebook, and various other accounts linked to Stokes.
The consent and transparency problem
Proton points out that the GDID brings up some big questions about user consent and control. Users are never asked to consent to the GDID, and there isn’t really a straightforward way to just get rid of it. Even if you go through the hassle of reinstalling Windows, that just generates a new identifier, while all the old records stay floating around in Microsoft’s systems.
Proton found exactly one mention of “GlobalDeviceId” in Microsoft’s public documentation, buried in an obscure Azure Monitor reference. It seems Microsoft didn’t actually let the public know about how they use this identifier in their privacy policies or terms of service.
Tom’s Hardware noted that the court documents do not specify which telemetry mechanism uploaded the data, and that Uniform Resource Locator (URL)-level telemetry likely requires the Optional or Full diagnostic data setting rather than the default.
It’s worth noting that Apple has its own similar device identifiers, and Linux systems use a machine-id. Proton recommends open-source systems for those unwilling to accept such tracking. Interestingly, the Devuan GNU/Linux distribution (a fork of Debian) removed the /etc/machine-id identifier back in 2019 precisely because of the privacy risks it posed.
For privacy-conscious crypto users, the GDID saga serves as a wake-up call: if you are serious about decentralization in your financial life, you might want to start with your operating system (OS).




