As someone pointed out in the X argument comments, this is unconfirmed and most likely NOT how the actual GDID being sent to microsofts servers looks like.
1. The GDID that most closely resembles the one mentioned in the DOJ indictment of Stokes is found inside the registry key Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\IrisService\IrisActionCreatives, which starts with the "g:" prefix and is explicitly called GLOBALDEVICEID. This keys holds cached json response from microsoft servers and this is clear as night and day what value microsoft servers consider a "GDID"
2. According to the research, a Microsoft account is required. No, it's not necessary. Whether or whether you are not logged into your Microsoft device, GDID is being filled in. Did AI forget to check that?
3. How can author claim this is full writeup of GDID, when you did not verify whether the value your AI found, is the one being sent along with telemetry network requests? Author did not even verify whether he found the right thing
I also verified the value computed as suggested by the repository's creator and it is different from the value discovered inside the Iris registry key that begins with "g:".
Summary: The value author of repo claims is a GDID, is not the same value as saved on microsoft servers.
1) Do we think this is actually how the FBI found this kid or is this simply what they're saying in order to keep some other tool hidden?
2) Is there a way to block or manually change the GDID from being revealed. If it's the browser leaking it, do all browsers leak it?
This surveillance is certainly going to expand in scope as age verification comes into widespread usage. Personally I see little legitimate use case for this telemetry. It seems only useful for the purposes of tracking users for law enforcement or targeted advertising purposes.
That's a half truth if I ever saw one. Telemetry also includes the hardware hash (which does use SMBIOS serial number, CPUID, TPM identifiers, etc.) and that one survives OS reinstalls and even hardware swaps. It is the underlying id used for things like Autopilot (the equivalent to Apple's remote MDM lock).
Windows telemetry used to track web activity, link VPN activity to source IP
https://news.ycombinator.com/item?id=48807767
U.S. v. Stokes https://www.justice.gov/usao-ndil/media/1450651/dl