Full Writeup of the Windows GDID
44 points
5 hours ago
| 9 comments
| github.com
| HN
pogue
23 seconds ago
[-]
So can you change/spoof your GDID easily?
reply
hyperrail
3 hours ago
[-]
How a Windows device's global ID is generated may be new info in the public sphere, but the fact that the global ID exists is not a secret. This format of device ID has been in Windows since the initial release of Windows 10 in 2015, when it was introduced as part of Windows' current telemetry subsystem. To see your device's global ID, open Windows Feedback Hub, then go to Feedback Hub Settings and look under Device Information.
reply
ranger_danger
2 hours ago
[-]
What I'm more interested in is how/where the GDID is used. Imagine if e.g. Edge started sending your GDID as a header in every single web request.
reply
hyperrail
1 hour ago
[-]
In a sense it doesn't matter how the global ID is used now. The fact that it exists allows it to be used in ways like what you describe, either by a malicious (?) Microsoft itself or by a malicious third-party attacker.

I'm familiar with these global IDs because I routinely used the Windows telemetry system as part of my work on the Windows core at Microsoft. We had strong policies on how and when we could access or use data for a single device as identified by global ID.

But ultimately, these policies will have a "government or court order" exception in reality even if not in theory, just like in most other consumer software observability systems. The Windows difference is simply the breadth of data that is intentionally collected by Microsoft or can be identified by any Microsoft-controlled IDs. That difference is huge in potential impact but very small conceptually.

reply
m463
42 minutes ago
[-]
When IE did this at the very beginning of the internet it was a real scandal.

then verizon did it for (to?) mobile phones.

I guess these things get normalized, people might say "those jerks" and then put it out of their mind.

reply
naturalmovement
2 hours ago
[-]
I always assumed Chrome and Edge already did this — but sent the data to their respective masters.

Isn't every Chrome download unique?

It used to be even though the package contained an Authenticode signature, each installer stub download had a unique hash, because Windows' digital signatures allow a non-executable data area in the trailer which is not computed as part of the signed data.

There is zero technical reason to do this (generating unique binaries) aside from tracking purposes.

reply
nullbio
2 hours ago
[-]
Can promise you a re-install does nothing for your privacy. Plenty of IDs are embedded in the hardware.
reply
rrix2
4 hours ago
[-]
one thing this doesn't touch on that I am curious about is how was browsing history, etc, correlated to the GDID?
reply
typeofhuman
2 hours ago
[-]
Ya. The FBI report to the court said that Microsoft showed the GDID visited the ngrok.com/signip page while using a VPN. I would have figured at that level the OS would not know domains but likely IP addresses. So it must be browser telemetry right?
reply
murderfs
4 hours ago
[-]
Edge history syncing, presumably.
reply
ggerules
4 hours ago
[-]
Wasn't this the GUID (Globally Unique Identifier) of early 00s Windows? When did it change to GDID? Are they the same?
reply
wrs
4 hours ago
[-]
No relation. GUID is just a format for a 128-bit unique number, used throughout the software industry. This is a specific 64-bit number assigned to your Windows device.
reply
miffy900
4 hours ago
[-]
Maybe try reading the writeup? GDID's are 64 bit for one thing, not 128 like GUIDs.
reply
stackghost
3 hours ago
[-]
For those like me who were not abreast of this issue: the FBI was able to arrest some kid who hacked/is alleged to have hacked a jewellery retailer through a VPN. They were able to track the hacker via the user's GDID, which is a stable identifier unaffected by VPN usage.

This surveillance is certainly going to expand in scope as age verification comes into widespread usage. Personally I see little legitimate use case for this telemetry. It seems only useful for the purposes of tracking users for law enforcement or targeted advertising purposes.

reply
Joker_vD
3 hours ago
[-]
Well, it's a darn good thing there is nothing like that over here on the Linux side. I'm pretty sure that if e.g. systemd attempted to generate a unique, persistent machine identifier during the installation process, it'd be shot down and patched off extremely quickly.
reply
chocolatkey
3 hours ago
[-]
Linux does though?

  cat /etc/machine-id
reply
ranger_danger
3 hours ago
[-]
reply
typeofhuman
1 hour ago
[-]
Is this sarcasm?
reply
gigel82
2 hours ago
[-]
> The court record itself says a reinstall produces a new GDID

That's a half truth if I ever saw one. Telemetry also includes the hardware hash (which does use SMBIOS serial number, CPUID, TPM identifiers, etc.) and that one survives OS reinstalls and even hardware swaps. It is the underlying id used for things like Autopilot (the equivalent to Apple's remote MDM lock).

reply
ChrisArchitect
1 hour ago
[-]
Related background:

Windows telemetry used to track web activity, link VPN activity to source IP

https://news.ycombinator.com/item?id=48807767

U.S. v. Stokes https://www.justice.gov/usao-ndil/media/1450651/dl

reply
xyst
4 hours ago
[-]
this is why Microsoft is pushing so hard for Microsoft accounts at install
reply
ranger_danger
3 hours ago
[-]
An MS account is not required for a GDID to be issued.
reply