logoalt Hacker News

ranger_dangertoday at 12:22 AM4 repliesview on HN

What I'm more interested in is how/where the GDID is used. Imagine if e.g. Edge started sending your GDID as a header in every single web request.


Replies

hyperrailtoday at 1:27 AM

In a sense it doesn't matter how the global ID is used now. The fact that it exists allows it to be used in ways like what you describe, either by a malicious (?) Microsoft itself or by a malicious third-party attacker.

I'm familiar with these global IDs because I routinely used the Windows telemetry system as part of my work on the Windows core at Microsoft. We had strong policies on how and when we could access or use data for a single device as identified by global ID.

But ultimately, these policies will have a "government or court order" exception in reality even if not in theory, just like in most other consumer software observability systems. The Windows difference is simply the breadth of data that is intentionally collected by Microsoft or can be identified by any Microsoft-controlled IDs. That difference is huge in potential impact but very small conceptually.

m463today at 2:40 AM

When IE did this at the very beginning of the internet it was a real scandal.

then verizon did it for (to?) mobile phones.

I guess these things get normalized, people might say "those jerks" and then put it out of their mind.

naturalmovementtoday at 12:32 AM

I always assumed Chrome and Edge already did this — but sent the data to their respective masters.

Isn't every Chrome download unique?

It used to be even though the package contained an Authenticode signature, each installer stub download had a unique hash, because Windows' digital signatures allow a non-executable data area in the trailer which is not computed as part of the signed data.

There is zero technical reason to do this (generating unique binaries) aside from tracking purposes.

photiostoday at 5:38 AM

[dead]