Windscribe Acquitted on Charges of Not Collecting Users’ Data

The company doesn’t keep logs, so couldn’t turn over data:

Windscribe, a globally used privacy-first VPN service, announced today that its founder, Yegor Sak, has been fully acquitted by a court in Athens, Greece, following a two-year legal battle in which Sak was personally charged in connection with an alleged internet offence by an unknown user of the service.

The case centred around a Windscribe-owned server in Finland that was allegedly used to breach a system in Greece. Greek authorities, in cooperation with INTERPOL, traced the IP address to Windscribe’s infrastructure and, unlike standard international procedures, proceeded to initiate criminal proceedings against Sak himself, rather than pursuing information through standard corporate channels.

Posted on April 28, 2025 at 2:17 PM • 9 Comments

Comments

not important April 28, 2025 6:00 PM

Per ‘unlike standard international procedures, proceeded to initiate criminal proceedings against Sak himself, rather than pursuing information through standard corporate channels.’

Sorry to say but like ABBA claims in
https://www.youtube.com/watch?v=81WhM9dOcYI

‘being like a fool PLAYING BY THE RULE’

There are no rules, aka international and domestic laws, which provide you a guarantee you are not a fool playing by them; rather the opposite: rule of the jungle covered by a thin layer of procedures – the winner takes it all by money or force.

That is what you need to know, not what you want to hear – as PM Brown of the UK said to Parliament many years ago. Please don’t delete post. I guess many will agree on my point. Can we handle the truth? The ugly truth?

Wannabe Techguy April 28, 2025 6:36 PM

Abba? Talk about a flashback! 1980 the year I graduated from H.S. I had way more hair then!
As for the article; way to go Windscribe!

iAPX April 29, 2025 7:18 AM

Either the Greek law makes the owner and/or renter of the Public IP Address responsible for any usage of the TCP/IP network through it, or not.

I am a law abiding citizen, and understand the need to be able to investigate and have access to a lot of information under the control of the Justice system through judges.

But if we make everyone responsible for any usage of the Public IP Address they own or rent, this might turn private companies into censoring/banning monsters for their own security, without Justice oversight. It’s a slippery slope.
Privacy and freedom would obviously suffer.

I have no idea how to create a balance, and in fact I am pretty sure there’s no balance possible satisfying everyone, not even the majority of people.

Taking down a non-logging VPN is NOT a solution.

But on the other side, maybe we could have public-key encrypted logs (you know pseudo-random key, encrypted with the public key, to encrypt a log entry), with the corresponding private key detained by authorities and access to encrypted logs (and thus clear text logs) controlled by the Justice system through judges.

Naturally this is theoretical: at some point some private keys will be leaked, breaching privacy. So no-one will be assured their traffic is partially private.

Peter A. April 29, 2025 10:46 AM

@iAPX: The task of investigating, collecting evidence and surveilling suspects lies with the police under warrant oversight by the justice system. If we force everyone to collect evidence on everyone under penalty, we make everyone a policeperson and create not even a police state but a police society. That is, soviet Russia on steroids. It does not matter if the evidence is encrypted or not.

Two inmates of a soviet labor camp sit in a barrack:
– For what were you arrested?
– For laziness.
– ???
– One night I was drinking with another guy and we were telling jokes about Stalin. I was lazy and I thought I would go to NKVD in the morning and denunciate him. The bastard went to NKVD that night!!!

Clive Robinson April 29, 2025 10:49 AM

@ ALL,

This is a very old argument going back to before any form of electrical / electronic communication.

The two ends of the argument are,

Officially unknowing and full liability of the “carrier of the communications”.

It’s why those “officially unknowing” are classified as “common –law– carrier –services–”,

https://en.m.wikipedia.org/wiki/Common_carrier

Note the comment in the first paragraph,

“A common carrier offers its services to the general public under license or authority provided by a regulatory body, which has usually been granted “ministerial authority” by the legislation that created it. The regulatory body may create, interpret, and enforce its regulations upon the common carrier (subject to judicial review) with independence and finality as long as it acts within the bounds of the enabling legislation.”

In the past with “letter and parcel services” each nation operated its own licenced and regulated “Postal Services”.

Cross border carrying was always “terminated at customs” such that duties and tariffs could be assessed and charged and other import or export legislation applied.

The advent of electromechanical communications caused no end of issues and is in part the reason for the very strange ways phone charges are reckoned.

The advent of data communications over “radio circuits” caused the next set of rules including notably for “encryption”. But the legislative issues got worse, as data communications in a “packet based” rather than “circuit based” network caused even more issues, such as that data could come over two or more physical networks from two or more legal jurisdictions…

The result of which is most modern data communications are carried out on a “nudge and a wink” rule of,

“Don’t ask and we won’t look”

The thing is whilst most governments are responsible for “criminal prosecutions” via an agency (the CPS in the UK) not all countries exclude people starting criminal prosecutions against others (I’ve done so in the past and the court was decidedly touchy about it).

And they used to almost always allow government agencies to start prosecutions though in some places the ill wisdom of this has become clear (in the UK the “Iraqi Big Gun” from Customs and Excise was a major embarrassment; one of several others since is of course the long running Post Office Horizon affair, which is one most will have heard of).

Thus it’s probably fair to say that “Windscribe” did not have “Common Carrier” status in “Greece” which is what enabled the nonsense to be started. I guess we will have to wait for a translation of the full ruling by the Judge.

Why Interpol got involved with this brings up all sorts of questions that can only weaken their position.

But consider that the “postal service” either does not log the user who sends a letter or parcel, or when logged for other reasons –such as “signed for delivery”– not in a verifiable way.

The same issues apply to a data packet carrier, those IP headers are not at all verifiable as I’ve indicated in the past.

iAPX April 29, 2025 6:10 PM

@Clive, All,

Effectively behind all this case is an obvious reality: a Public IP Address doesn’t authenticate any person, company or entity.
Not even a physical destination. Not a route.

From the attacked point-of-view, he could only identify the first hop outside its infrastructure: its connection point to The Internet.

There is no guarantee whatsoever after this point.
And it is demonstrable and has been demonstrated through routing manipulation of many sorts, in many ways, including -abuse- use by Government Agencies.

For example my traffic used to go from my place to Boston (500km/300 miles away) and back, while a neighbour on the same network didn’t. Was 18 years ago.
Now my traffic isn’t any more, traceroute is convinced about it, now it just magically loses around 10ms between the first hop and the second. Always…

And my ISP NEVER EVER changes my Public IP Address, they cautiously avoid that for me while it’s observable for nearly every other of their clients.
I feel loved!

Clive Robinson April 29, 2025 7:09 PM

@ iAPX,

With regards,

“…a Public IP Address doesn’t authenticate any person, company or entity. Not even a physical destination. No[t] a route.”

I’m glad I’m not the only one who gets that… Fancy trying to educate politicians, police and corporate managers?

Nope me neither.

And that’s all before you consider the NSA use of “tees” in routers and “dead drops” as declared destination.

I once set up a demonstration using two hotels and a customer. The traffic was “destined” for one IP address at one hotel but was routed through an IP address at a different hotel, this “mid point” then “teed off” the data to another sink at the customer.

Could anyone see this going on?

Not really they would have to find the “mid point” being used as a router and tee first…

Such tricks can be used to route traffic “off shore” thus making it subject to FISA rules even though it should never have been…

Peter A. April 30, 2025 11:32 AM

@iAPX: Ah, the joys of ‘data fabric’ and layered network architecture. In the days past I could traceroute how my packets went through several major cities, international and under-ocean links, etc. etc. before they reached some remote corner of the woods on the opposite continent. All these routers’ interfaces were meticulously named. I could observe changes in routing and wonder what caused the packets to go the long way. Now the packet enters some border router at the ISP and magically appears half the world away, like there was a fiber laid in a straight line from here to there… You can only estimate by the RTT how many times it circled the world.

Clive Robinson April 30, 2025 1:47 PM

@ Peter A., iAPX, ALL,

You observe correctly that,

“Now the packet enters some border router at the ISP and magically appears half the world away, like there was a fiber laid in a straight line from here to there…”

Actually it’s dropped off the bottom of the IP stack into that “Physical Layer”.

It’s another trick that national SigInt agencies have used.

One such was to make their packets take the short route, whilst the packets you want from a server take the long route.

The stack protocol design assumes that multiple packets can happen, thus just drops the later packet.

So you get to see what the SigInt agency wants you to see, and what was actually sent from the server that you wanted to see just hits the bin bucket on the floor.

What killed off this type of attack was the use of “End To End Encryption”(E2EE) by the likes of HTTPS.

But those of a thoughtful mind can see how such an attack can be upgraded by a MITM attack.
