Audacity classed as spyware

[ARikozuM]

We're up in arms because Audacity is asking for errors to be sent to them? 

[DrMacintosh]

9 hours ago, Sniperpaul296 said:

Users country (based on IP address)

Non-fatal error codes
Users OS and version
Processor in use

Weird, these are all things useful in debugging a program

[NotTheFirstDaniel]

9 hours ago, Sniperpaul296 said:

Users country (based on IP address)

Non-fatal error codes
Users OS and version
Processor in use

Why the hell are people MORE worried about the fact Audacity is collecting data such as User country (could possibly inform decisions on language localization), non-fatal error codes (you know, to make stuff easier for people who don't know how to correct/bypass them if they pop up a lot), User OS and Version (right because if 0.1% of people are using Audacity on Windows Vista, why the hell should any budget be reallocated to supporting it) and processor in use (because who knows there could be a trend where a specific error/bug is present in X or Y processor/processor architecture. If the M1 version of Audacity has an error the Intel one doesn't, then wouldn't it be great to know the difference was the processor) than how apps like Facebook and Instagram are quite literally creating a digital fingerprint on you? This shouldn't be taking up any space in the privacy argument since not only is it completely optional, its disabled by default!

 

The outrage is due to the word "Russia". Had Audacity been collecting this data and storing it in the US/Canada or somewhere in the European Union, there wouldn't be any outrage.

9 hours ago, Sniperpaul296 said:

Luckily we have a decent community of people developing a fork of 2.0. 

An entire fork of a project to remove like what, 5 lines of code that were disabled by default in the first place? Is there a bigger example of being overdramatic?

[Forbidden Wafer]

12 minutes ago, NotTheFirstDaniel said:

The outrage is due to the word "Russia". Had Audacity been collecting this data and storing it in the US/Canada or somewhere in the European Union, there wouldn't be any outrage.

Yup, people didn't force the closure of Facebook, Equifax, Experian, etc, even though they deserved it. We are living in an ongoing scam.

[LAwLz]

2 hours ago, poochyena said:

because they have large scale, government funded, troll farms and cyber attacks? https://en.wikipedia.org/wiki/Cyberwarfare_by_Russia

read the news every once and a while

Pretty much every country has that.

The US has USCYBERCOM for example. The CIA even has something called the "marble framework" which tries to make it so that cyberattacks from the US appears as if they come from Russia or China, so that those countries gets blamed instead.

 

But in any case, sending data to Russia is not inherently bad, just like sending data to for example the US is inherently bad. Preferably I wouldn't want my data being sent to either since both of those countries are horrible when it comes to privacy and security, but neither one is inherently bad.

The country the data is being sent to doesn't matter all that much. What really matters is what servers the data is how it is being sent, what servers it is stored on, who has access to those servers, and what the data is used for.

[poochyena]

15 minutes ago, LAwLz said:

Pretty much every country has that.

Thats like saying pretty much every person commits a crime. Huge difference between petty theft and murder.

Russia also has no accountability. They have a dictator as a leader. The US might have a slow justice system, but there is certainly less they can get away with than Russia or China.

Additionally, the claim was "any other country", but the only countries mentioned thus far are the US, Russia, and China. Do you believe these are the only 3 countries that exist, or do you believe that Kenya poses an equally as active and dangerous cyber threat to the world?

[Quackers101]

1 hour ago, LAwLz said:

The country the data is being sent to doesn't matter all that much. What really matters is what servers the data is how it is being sent, what servers it is stored on, who has access to those servers, and what the data is used for.

which is why the rules in china (and updated rules in russia) isn't all that great.

While the US is more like, well let's push our FBI and so on, onto everyone else with leaks or always on microphones in your TV... how great and good trusting.

[Hassan170]

20 hours ago, James Evens said:

Guess what? There will be a new Audacity branch if the right people are upset just like OpenOffice and LibreOffice is a thing.

 

@Arika S simple and old ideology:

Russia = bad

China = the worst/devil

America = perfect

western countries = okay ish

Ayyyy what about us asians?

[s_k]

If all you do is digitise stereo files (like tapes or records); there's a piece of software called "ocenaudio" that does it brilliantly, way nicer to work with than audacity. If you really need multi track capabilities you could consider the affordable reaper. It's rather professional so there's a learning curve to it, but it does the trick! I personally will stick to audition but that's neither free nor cheap.

[Sir Asvald]

THE Audacity! I cannot believe it!

[grg994]

Guys, check your sources on this topic, eg. the original privacy policy update ( https://www.audacityteam.org/about/desktop-privacy-notice/ )

These are not just crash logs for debugging. And I think some of you misunderstand the problem here, it is not that some freeware decided to collect data as many apps do today.

 

Audacity is an open-source project running now for decades. Many, perhaps hundreds of people contributed to the code - at the expense of their free time, most probably without receiving any compensation - so the software can serve all the public and public only. Many did this having the vision that people should be able to use free software without any compromises like ANY data collection.

 

And now their donated work is distributed in this way - having the users to agree that the software might collect eg. "data [...] for litigation and authorities request" and to share data to "[business] agents".

 

Maybe this functionalities are not enabled now, but any further update will have the right to do that. Maybe in the real world of google, facebook, etc. this whole story no big deal - but this doesn't change the situation: Audacity's parent company betrayed the open source community.

[DrEagleTalon]

Some Clarification and Updates to The Audacity Topic

With Links and Sources

 

 

 

Summary

As Apple Insider has pointed out, in this article¹¹, there has been some controversy surrounding Audacity and its new Owners, Muse¹², and their decisions regarding Data Collection, Privacy Concerns and their plans going forward with the much beloved Open Source Project, Audacity.

 

Originally on May 4th they planned on Using Google and Yandex for Telemetry¹ has been cause for concern from the Open Source, Privacy Minded, and especially the Close-Knit Audacity Communities. After the backlash they Published another Github Post on May 13th² where they attempted to discuss reasoning and decisions for telemetry, which meant dropping the previously discussed telemetry features. It was decided that data collected from error reporting and update checks would be self-hosted, taking Google and Yandex analytics out of the equation.

Then on May 25th another Github Discussion was started³, again by user workedintheory, where it requires anyone wishing to send a pull request to the original source code to agree on giving them unlimited and unrestricted rights to own the modified lines of code.

 

Then they decided to go in a better approach, albeit bad in its own rights, of collecting data on IP Address, Audacity Version, Operating System and CPU Information. User workedintheory posted on July 5th a "Clarification of Privacy Policy"⁴ Quoted here;

Quote

A quick statement to address the concerns around our new Privacy Policy.

We believe concerns are due largely to unclear phrasing in the Privacy Policy, which we are now in the process of rectifying. In the meantime, we would like to clarify what seem to be the major points of concern:

• Selling Data & Sharing - We do not and will not sell ANY data we collect or share it with 3rd parties. Full stop.
• Data Collection - Data we collect is very limited.
  • IP address - which is pseudonymised and irretrievable after 24 hours.
  • Basic System Info - OS version and CPU type.
  • Error Report Data (Optional) - Sent manually by users as part of an Error Report.
• Additional Data - We do not collect any additional data beyond the points listed above for any purpose.
• Compliance with Law Enforcement - We will not collect or provide any information other than data described above with with any government entity or law enforcement agency.
  • Compelled by Court - Data is not shared upon an agency request; we will do so only if compelled by a court of law in a jurisdiction that we serve.
  • Limited Window - After 24 hours the IP address being collected is irretrievably lost.
  • Jurisdiction Requirements - We operate in many countries around the world and this is a standard policy requirement for providing services in many jurisdictions, regardless of the depth of data collected or nature of service.
• Offline Use - The Privacy Policy does not apply to offline use of the application.

We are working with our legal team to revise our privacy policy to more clearly communicate the above points and our intent.

--

About the term 'Personal Data'

GDPR classifies an IP address as something that potentially counts as 'personal data', which is why we use that term in the Privacy Policy. This is necessary for two features being introduced in the next version of Audacity:

• Automatic Updates - checking to see if there is a new version available
• Error Reporting - an opt-in feature for users to send error reports to us

As mentioned in the Compliance with Law Enforcement above, we take steps so that the IP address we collect is non-identifiable after 24 hours.

--

We do understand that unclear phrasing of the Privacy Policy and lack of context regarding introduction has led to major concerns about how we use and store the very limited data we collect. We will be publishing a revised version shortly.

In the meantime, the Privacy Policy doesn't actually come into force until the next release of Audacity (3.0.3). The current version (3.0.2) does not support data collection any data of any kind and has no networking features enabled.

 

Essentially the TLDR is that the IP is only kept for 24 hours and after that is salted and irretrievable and the rest is kept for an unspecified amount of time and that the rest of the data collection is very limited in scope.

 

They also decided to self-host all this data as the concern for data breaches was a concern, and while self-hosting gives them more control over the security of the data, no one is un-hackable. 

 

Furthermore, they have Updated the Privacy Policy⁵ on July 2nd to include whom they share Personal Data with as it States in Item 4;

Quote

3. Minors
4. Who does Audacity share your Personal Data with?
   1. We may disclose the Personal Data listed above (your hashed IP address) to the following categories of recipients:
      1. to our staff members. We take precautions to allow access to Personal Data only to those staff members who have a legitimate business need for access and with a contractual prohibition of using the Personal Data for any other purpose.
      2. to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, or (ii) to exercise, establish or defend our legal rights;
      3. to our auditors, advisors, legal representatives and similar agents in connection with the advisory services they provide to us for legitimate business purposes and under contractual prohibition of using the Personal Data for any other purpose.
      4. to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your Personal Data only for the purposes disclosed in this Notice;
      5. to any other person if you have provided your prior consent to the disclosure.

 

They Describe what they Collect, Why and the Legal Grounds in this Table;

 

Why we collect it	Personal Data we collect	Legal grounds for processing
• App analytics • Improving our App	• OS version • User country based on IP address • OS name and version • CPU • Non-fatal error codes and messages (i.e. project failed to open) • Crash reports in Breakpad MiniDump format	• Legitimate interest of WSM Group to offer and ensure the proper functioning of the App
• For legal enforcement	• Data necessary for law enforcement, litigation and authorities’ requests (if any)	• Legitimate interest of WSM Group to defend its legal rights and interests

 

While this is obviously very concerning they have attempted to walk back over and over, in what seems to be the majority of the communities opinion, a futile attempt to appear that they never intended to use the data for any reason other than Updates and Legal Reasons.

 

Many have stated, fairly, that an Offline App should not for any reason, especially by default, need Network Communication. In this Statement⁶, by Github User and Audacity Team Member, workedintheory tries to explain what they mean by personal data and again attempt to walk back on their decisions;

 

In the Comment section of that same Post another Audacity Github Collaborator, shoogle, had this to say concerning the Check for Updates, IP address and Opt-in/Opt-Out Status;

Quote

Check for updates is the only networking feature enabled by default (it is opt-out while the others are opt-in).

This, and your IP address, is the only information sent during a check for updates:

GET /feed/latest.xml HTTP/1.1
Host: updates.audacityteam.org
Accept: */*
Accept-Encoding: deflate, gzip
User-Agent: Audacity/3.0.3 (Windows 10_0_19042; x64)

You can see this in the source code here¹⁴ and here¹⁵. The IP address is stored on the server as a hash and becomes irretrievable after 24 hours when the salt is discarded.

We believe that if we stated this more clearly in the privacy policy then fewer people would have a problem with it.

Both are optional, but update-checking is opt-out whereas error reporting is opt-in. The system info sent during update-checking is similar to the information your web browser sends during an ordinary HTTP request.

 

Then there is the fact they are violating the GNL License in a odd and plainly obvious way by stating in their Privacy Policy⁷;

Quote

3. Minors
   1. The App we provide is not intended for individuals below the age of 13. If you are under 13 years old, please do not use the App.

This is a direct violation of the GNL License and while may not affect Privacy and Security it is just another chilling example of the direction Muse Group is taking. 

 

My thoughts

With them operating in the EU, USA and Russia they do have a tricky legal situation. This is in no way an excuse as others manage this just fine and while I am no expert on International Laws or even the FLOSS Community I think that outside of updates the application should not be communicating with the internet without opting in which, user and collaborator Shoogle has said, is the case.

 

So Ultimately it looks like they have reached a point where it not as big of a Privacy or Security Concern as it was originally with the original Idea but there is still some concerns. Even though they have walked it back to, what I believe to be, an acceptable level - the damage is done. They have hurt the trust the community has and Trust is hard to fix in the Open Source community.

 

Audacity will be fine and will continue to be at the top but I think we will see some new popular Forks/Competitors out there, such as this one⁸, that may or may not rise to the challenge of maintaining a complex application and be able to keep it up to date, work on bugs and issues and also continue to upgrade its feature set an UI. Its something I plan on paying attention to for the foreseeable future and hope this serves as a reminder, Much like OpenJDK, OpenOffice and XFree86 before them, to any other open source projects or Corporate Companies that buy up the Open Source Community Projects that they need to stay true to the community and the Open Source ethos.

 

Honestly I think that if they had consulted with the community before hand and let their intentions be known PRIOR to actually inserting any changes they could have appeared way more transparent and solved this before anything actually happened. This could all have been avoided by basically better communication with the community that has worked for so many years on this project. 

 

Also check out this Fork by cookie.engineer⁹ which seems to be the reigning champ of forks and you can even read this Fosspost article¹⁰ about it.

 

If you are interested in joining the discussion or just follow along, this is a link to the Audacity GitHub Discussion Page¹³ .

 

I hope I did mess anything up but if I did or if I missed something let me know and I will make edits to the comment. 

 

 

 

Sources

¹ Link to the Github Pull Request on May 4th for data collection through Google and Yandex

² May 13th Response by Tantacrul, A Youtuber who joined the Audacity Team 3 months Ago

³ May 25th GitHub Conversation Outlining the New Contributor License Agreement

^{4, 6} July 5th Response by User Workedintheory trying to Address Concerns over the Privacy Policy

^{5, 7} Link to the Audacity Team Websites Privacy Policy

^{8, 9} What most are saying is the most Starred Fork and Potentially will be the Main Fork of Audacity in the Future by GitHub User cookie.engineer

¹⁰ Fosspost Article Discussing cookie.engineer's fork of Audacity and how to support it

¹¹ The Apple Insider Article that sort of Blew this up

¹² Music Tech Article in May Describing the Purchase of Audacity by Muse Group, who Also Owns MuseScore and Ultimate Guitar

¹³ The Audacity Github Discussion Page to follow any Updates or Fork the Code yourself

¹⁴ Links to the Audacity GitHub Code where it has the Network Request

¹⁵ Link to the Audacity GitHub Code where it asks for Audacity Version, Release and Revision

 

More Links

Reddit Post Detailing the Apple Insider Article and a Classic Reddit Discussion Surrounding the Topic

Another Fosspost article about the Situation

Reddit Post in r/Linux Discussing the Situation

A Link to My Reddit Post in r/Privacy

A Link to my New Post about it that I believe Does not Violate Tech News Posting Guidelines due to the amount of Difference from Original Post here and amount of Information and difference in the way it was discussed.

 

 

 

[dalekphalm]

@DrEagleTalon can you elaborate as to why restricting use of a piece of software to those aged 13 or older is a violation of the GNU/GPL license?

[Roswell]

18 hours ago, Caroline said:

There shouldn't be, but man's justice is subjective and blind. Theft, murder, adultery and even lying (there are no "big" or "small/white" lies) weigh the same when it comes to living in disgrace.

 

 

Or maybe consider that most people don’t care about what religion thinks and refrain from regurgitating it on a tech forum.

[Avocado Diaboli]

1 hour ago, dalekphalm said:

@DrEagleTalon can you elaborate as to why restricting use of a piece of software to those aged 13 or older is a violation of the GNU/GPL license?

I think they might be conflating Version 2 and Version 3 of the GNU/GPL. I'm not intimately familiar with either, but at a cursory glance I found the following in there:

 

Version 2 (the one Audacity includes at the time of writing) states the following:

Quote

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program).

Now I'm not 100% sure how to interpret this. In the first sentence it clearly states that it does not cover anything that isn't part of copying, distribution and modification. But the second sentence immediately turns around and also guarantees you the right to use the software. This is either a direct contradiction or just a clause intending to state that just the license itself doesn't represent any restrictions, but it also doesn't outright deny whoever uses the license to not mandate further restrictions regarding the use of the software. 

 

Now version 3 rewords this into the following:

Quote

This License explicitly affirms your unlimited permission to run the unmodified Program.

As far as I can tell, version 3 specifically aims to deny whoever releases software using it from further mandating any restrictions on use of software released under it.

 

I assume that this age clause has been implemented by the Audacity developers to comply with the Children's Online Privacy Protection Act (COPPA), which clearly states that you're not allowed to collect data from children, which according to COPPA are defined as individuals under the age of 13. This data collecting would clearly violate that if they'd allow children to use the software.

[Lord Szechenyi]

On 7/5/2021 at 11:31 AM, Sniperpaul296 said:

Muse purchased Audacity in May

i wasn't aware of this, i might be wrong on this, but wasn't Audacity an open source program?

 

Did that change then?

[dalekphalm]

2 minutes ago, Lord Szechenyi said:

i wasn't aware of this, i might be wrong on this, but wasn't Audacity an open source program?

 

Did that change then?

Audacity is open source yes. No, that shouldn't change.

 

Hypothetically, if they wanted to make Audacity closed source, they'd likely have to recode the entire program from scratch. I believe the GNU/GPL license forbids taking something that was Open Source and just making it closed source (I'm not an expert on these license models though).

[sub68]

So audacity is basically outsourcing there crash logs.

I wouldn't really be too scared. (my old pc is running older versions so shrug)

[spartaman64]

On 7/5/2021 at 1:26 PM, poochyena said:

Considering its open source, I don't think its too big of a deal. Its good people are made aware of the changes, but its not like it forces updates or anything, so, meh.

because they have large scale, government funded, troll farms and cyber attacks? https://en.wikipedia.org/wiki/Cyberwarfare_by_Russia

read the news every once and a while

so they are going to tell putin what processor im using? omg i need to go into hiding 

[Mark Kaine]

If you need to write that much to justify your innocent data collection habits, something  is really really highly sus. 

[Quackers101]

5 minutes ago, Mark Kaine said:

If you need to write that much to justify your innocent data collection habits, something  is really really highly sus. 

"innocent data collection" is that even real at this point.

so long you dont live in russia then it might not cause too much issues, due to the targeting of free speech, which is not on the same scale else where.

Would be more annoyed at all the data collection in the millions of users that doesnt get notified or even have a chance to disable such collection of data.

like windows etc.

[Chunchunmaru_]

People forgetting that the project itself is just code?

There will be tons of audacity builds for all windows and linux distributions out there with this, simply disabled

[Sauron]

On 7/11/2021 at 3:14 AM, Mark Kaine said:

If you need to write that much to justify your innocent data collection habits, something  is really really highly sus. 

They needed to release a statement because a bunch of people made a huge fuss about essentially nothing. Can you point to anything wrong with what they're doing or is this just a baseless gut feeling on your part?

[Mark Kaine]

1 hour ago, Sauron said:

They needed to release a statement

yes, but it should be short and concise instead of lenghty without saying much. 

 

1 hour ago, Sauron said:

Can you point to anything wrong with what they're doing

why does a small, basic audio app need to collect ip adresses? Thats one thing, the discrepancies between "only for a short time" and "or maybe longer for 'reasons' …" is another thing im not really happy about. 

[OrangeSunshine]

The statement about collecting " Data necessary for law enforcement, litigation and authorities’ requests (if any)" is worrisome. My whole quarrel is Audacty has essentially given themselves a huge elastic clause as to what data they can collect. What data could an audio app need to report to law enforcement? It isn't like there is a plague of murderers dictating their crimes with audacity. I see this potentially being used in enforcing copyright complaints and such. Frankly, I don't want everything I record being scanned for any reason and reported to any government. That is why I am jumping ship.