The recent arrest of 19-year-old Estonian individual Peter Stokes has sent ripples through the digital community, particularly due to the role of Microsoft Windows’ telemetry in his apprehension. Authorities extradited Stokes to the United States on charges related to digital crimes, with the FBI reportedly utilizing telemetry logs provided by Microsoft to trace his online activities. These logs included Stokes’ Global Device Identifier (GDID) and a record of the websites he frequented on his primary Windows machine.
Telemetry Insights
The concept of GDID is not novel; extensive analyses have previously scrutinized Windows telemetry’s data collection practices. Microsoft has publicly clarified that its extended telemetry modes—specifically the Full and Optional settings—can transmit lists of URLs accessed via SmartScreen and Defender, alongside the GDID. Interestingly, using the Edge browser under these settings can result in the transmission of every visited URL. However, the specific mechanism that triggered the telemetry upload in Stokes’ case remains undisclosed in court documents.
Security experts suggest that Stokes likely had his telemetry configured to Optional/Full, as the Required/Basic setting typically does not send URL data. By leveraging the telemetry GDID, the FBI was able to connect Stokes to his ngrok account, which he accessed during the same session as his Facebook and Snapchat accounts. Investigators also linked his travel records to a New York IP address and a rental at the Empire Hotel, aided by photos he shared of his hotel room. His attempts at discretion were notably ineffective, as he also made a trip to Thailand.
Collaborative Efforts in Tracking
In a notable display of inter-company cooperation, Google and Apple joined forces in the investigation. Google traced Stokes’ phishing phone number back to the same IP address and date when he created his ngrok account. Stokes, in a rather unstealthy manner, had established this account using a Gmail address associated with another phone number from which he conducted phishing calls.
While it is tempting to criticize Microsoft for its default data collection practices affecting billions of users, security professionals remind us that Windows telemetry is just one of many avenues for user tracking. Many software applications require identifiers like GDID for legitimate purposes, such as tracking usage, managing subscriptions, and ensuring licensing compliance. Moreover, companies behind such software can be compelled to provide information to authorities, as demonstrated by the involvement of Microsoft, Google, Apple, ngrok, and others in Stokes’ case. Even privacy-focused services like Proton are cautious about outlining what they can disclose under court orders.
Attempts at Anonymity
For those curious about Stokes’ efforts to obscure his digital footprint, the list is surprisingly brief. He employed a VPN service hosted on Tzulo servers, along with the developer-oriented ngrok tunneling service and teleport.sh. However, the complexities of modern digital identification make it challenging to remain anonymous. While using a VPN is often recommended for enhancing digital privacy, it is merely a foundational step. If not configured correctly, a VPN can inadvertently expose a user’s original IP address through certain applications and operating system features.
Moreover, a VPN does not prevent the operating system or applications from transmitting identifying information. The more pressing concern lies in the sophisticated nature of device and user fingerprinting, which can be difficult to counteract. For instance, standard web browsers can leak personal information, allowing data-harvesting entities to exploit features such as TLS levels, HTML5 Canvas capabilities, font lists, and even Widevine DRM to create a unique identifier for each visitor.
As Stokes navigates his new reality, he may find himself with ample time to delve into resources like the Electronic Frontier Foundation’s surveillance self-defense guides and explore scripts available on the Privacy Is Sexy website.