Audacity classed as spyware

[Mark Kaine]

13 minutes ago, OrangeSunshine said:

Frankly, I don't want everything I record being scanned for any reason and reported to any government. That is why I am jumping ship.

I didnt even think about this… that makes it actually bad (at first i was actually thinking, while not great, its not a big deal, ip adresses, blah, blah, but the fact this app records audio makes it so much worse imo)

 

 

And yes, the wishy washy "justification" has been a huge red flag already… 

 

 

[OrangeSunshine]

23 minutes ago, Caroline said:

In the end everything is binary code.

No, that is just the limitation of the simulation we are in. The real world probably uses tertiary, or heck, even quaternary, code. 

[MultiGamerClub]

On 7/5/2021 at 11:51 AM, akio123008 said:

I'm guessing this applies to the latest version then? I mean I'm still using whatever version I downloaded 6 years ago.

Same, hope they dont rebrand older versions or force me to update. Still works great 5 years old, somehow.. Good software tho until this owner change

[MultiGamerClub]

53 minutes ago, Mark Kaine said:

I didnt even think about this… that makes it actually bad (at first i was actually thinking, while not great, its not a big deal, ip adresses, blah, blah, but the fact this app records audio makes it so much worse imo)

 

 

And yes, the wishy washy "justification" has been a huge red flag already… 

 

 

RECORDS? Hold up! I never thought it would RECORD things.. Welp im never updating this app.

[Sauron]

9 hours ago, Mark Kaine said:

why does a small, basic audio app need to collect ip adresses?

Legal reasons. The addresses are not shared with anyone and are not stored for longer than a single day. At worst, if they really wanted to, they could know *gasp* what operating system you use. Outrageous, I know. Did you know your browser tells that, together with your IP address, to every website you visit?

 

Also again, completely opt-in.

9 hours ago, OrangeSunshine said:

Frankly, I don't want everything I record being scanned for any reason and reported to any government. That is why I am jumping ship.

JUST DON'T OPT IN my friend.

[Video Beagle]

On 7/6/2021 at 1:08 PM, dalekphalm said:

I believe the GNU/GPL license forbids taking something that was Open Source and just making it closed source (I'm not an expert on these license models though).

Sort of a side to the topic, but...how would it stop them? What ...legal body..exists to enforce these licenses?

[Avocado Diaboli]

2 hours ago, Video Beagle said:

Sort of a side to the topic, but...how would it stop them? What ...legal body..exists to enforce these licenses?

The same one that decides on any kind of licencing, contract or copyright: the courts. Licenses don't need to be signed off from on high, they are just a contract like any other, you and the contract party are free to negotiate contracts to a fairly unlimited degree (yes, I'm aware that there are limits to contracts) and if both of you agree to the terms defined in the contract, even implicitly, i.e. "by using this software you agree to XY" and you violate that contract, any old court will be the arbiter over what happens because of that.

[dalekphalm]

5 hours ago, Sauron said:

Legal reasons. The addresses are not shared with anyone and are not stored for longer than a single day. At worst, if they really wanted to, they could know *gasp* what operating system you use. Outrageous, I know. Did you know your browser tells that, together with your IP address, to every website you visit?

 

Also again, completely opt-in.

JUST DON'T OPT IN my friend.

Seriously it’s baffling to me why people are upset by this information that is gathered. 
 

Why do they know your IP? Because your IP literally connects to their systems. 
 

Your WAN IP is almost certainly being logged by literally every node and web server on the internet you visit. 
 

Most of the time it’s simple stuff:

 

IP x visited page y on z date/time

 

Audacity doesn’t even store that data for more than 24 hours. 

3 hours ago, Video Beagle said:

Sort of a side to the topic, but...how would it stop them? What ...legal body..exists to enforce these licenses?

Same as anything else: you sue them in a court of law (which court depends on a lot of factors, including the country the body suing is from, where the defendant is from, etc). 
 

Most likely the US or EU court systems. 

[LAwLz]

5 hours ago, Sauron said:

Legal reasons. The addresses are not shared with anyone and are not stored for longer than a single day. At worst, if they really wanted to, they could know *gasp* what operating system you use. Outrageous, I know. Did you know your browser tells that, together with your IP address, to every website you visit?

 

Also again, completely opt-in.

JUST DON'T OPT IN my friend.

I don't really buy the argument you presented here.

If it's actually a legal requirement then why it is opt-in? If Audacity are legally required to collect this info then surely they must collect it (as in, it's not optional). If they don't legally require to collect it then clearly they don't have to.

 

 

24 minutes ago, dalekphalm said:

Seriously it’s baffling to me why people are upset by this information that is gathered. 
 

Why do they know your IP? Because your IP literally connects to their systems. 
 

Your WAN IP is almost certainly being logged by literally every node and web server on the internet you visit. 
 

Most of the time it’s simple stuff:

 

IP x visited page y on z date/time

 

Audacity doesn’t even store that data for more than 24 hours. 

From what I've gathered the data is collected from the Audacity program, not the browser. The program Audacity shouldn't require a connection to their servers at all, so the whole "well they know your IP because it connects to their system" argument makes no sense.

 

I am not trying to argue that Audacity is spyware or that this whole thing is terrible, but I think the people defending Audacity right now have very bad arguments.

I even agree with you on the whole. I don't think this is a bad thing. Hell, I run Audacity 3.0.2 right now. I can't find the settings for telemetry though so I can't confirm if my version has it or not. I guess not since I can't find the settings?

Anyway, I think the arguments both you and Sauron has presented are really weak. Telling people "others already have that personal info about you anyway" is not an argument that works on people who don't want their private info spread around.

 

I would consider myself moderately privacy conscious. I don't go out of my way too much to the point where it's inconvenient, but I try to minimize the amount of companies who get access to my data, and minimize the data they get access to. Telling someone like me "just give your data to Audacity, you are already giving it to your ISP" is a really stupid argument. TO me it sounds like a defeatist who just lie down on the floor and give up.

To me, saying "give your IP to Audacity because companies like your ISP already has it anyway" is like saying "give me your bank account details because others like your employer and your bank already has it anyway".

 

 

If you want to defend Audacity for their data collection then don't just say "just give them the data. You already share it with others anyway".

You should make arguments like point out what data they collect, why they collect it, how they collect it, etc. Instead of telling people "it's not a big deal, just do it", explain what is happening so that people can come to the conclusion that it is not a big deal on their own.

If they can't figure it out on their own, you telling them "just do it" won't exactly change their mind either.

[Sauron]

2 hours ago, LAwLz said:

I don't really buy the argument you presented here.

If it's actually a legal requirement then why it is opt-in?

It's a legal requirement if audacity is connecting to their servers to upload diagnostics data. In that case they might have to comply with a disclosure request from a local government (what data they logged from where). If you don't opt in, audacity does not connect to the server and none of this is an issue.

[LAwLz]

21 minutes ago, Sauron said:

It's a legal requirement if audacity is connecting to their servers to upload diagnostics data. In that case they might have to comply with a disclosure request from a local government (what data they logged from where). If you don't opt in, audacity does not connect to the server and none of this is an issue.

Sounds like circular reasoning to me but I think I understand what you mean.

 

If Audacity wants to collect other data, they also have to store the IP address because of legal reasons. If they collect any data, they also have to collect the IP. Is that what you're saying? If so, can you point to the law which specifically states that they have to collect the IP addresses?

 

[Quackers101]

just a rant

the reasoning behind everything that has been going on for a decade.

Everything being connected online, always online services, information gathering you can't opt out of, or didnt know to what extend it goes to.

So much gathering you just start accepting more of it. To how phones operate, and PC OS, DRM and anti-cheat software to anti-virus software.

 

When can we get ownership and just buy something we can use attach to a system without the need of "free" and online services.

*rolls in 1000 mobile apps*

[Sauron]

10 minutes ago, LAwLz said:

Sounds like circular reasoning to me but I think I understand what you mean.

I don't see why. If data (e.g. OS version) is collected then audacity needs to temporarily store its origin.

12 minutes ago, LAwLz said:

If so, can you point to the law which specifically states that they have to collect the IP addresses?

I'm no lawyer, I'm simply referring to Audacity's statement:

Quote

The list of data includes the operating system and version, the user's country based on their IP address, non-fatal error codes and messages, crash reports, and the processor in use. Under data collected "for legal enforcement," the software collects "data necessary for law enforcement, litigation, and authorities' requests (if any)," though no specifically what data is collected in such cases.

IP addresses are stored "in an identifiable way only for a calendar day," stored as a hash with a daily-changed salt. The hash is stored for one year before deletion, though the company also claims the salt "is not stored on any database and cannot be retrieved after it has been changed."

It is claimed the one day of storage is enough for a government entity to identify a user, with sufficient resources and legal authority.

I know for a fact that in many countries companies are forced to comply with user data requests from the government; for instance, here's microsoft's dedicated disclosure page: https://www.microsoft.com/en-us/corporate-responsibility/law-enforcement-requests-report

 

Someone also pointed out earlier that collecting data from minors is illegal in many countries and if suspicion arises that Audacity might be unwittingly doing it then a data request might be issued to determine where a given data set is coming from (within a day of collection).

 

I can't name the exact laws but I consider it plausible. Furthermore it's kind of impossible not to obtain someone's IP address when receiving telemetry from their system through the internet; the information would always potentially be available to them, even if they claimed not to store it, so if you consider that an issue you should simply avoid opting in to telemetry.

[spartaman64]

20 hours ago, Mark Kaine said:

yes, but it should be short and concise instead of lenghty without saying much. 

 

why does a small, basic audio app need to collect ip adresses? Thats one thing, the discrepancies between "only for a short time" and "or maybe longer for 'reasons' …" is another thing im not really happy about. 

they need to know your ip to receive data from you in the first place. thats how the internet works to send and receive data they need your ip address. the LTT forum is "collecting your ip address" right now and when you download audacity they "collect your ip address"

[LAwLz]

4 hours ago, Sauron said:

I can't name the exact laws but I consider it plausible. Furthermore it's kind of impossible not to obtain someone's IP address when receiving telemetry from their system through the internet; the information would always potentially be available to them, even if they claimed not to store it, so if you consider that an issue you should simply avoid opting in to telemetry.

2 hours ago, spartaman64 said:

they need to know your ip to receive data from you in the first place. thats how the internet works to send and receive data they need your ip address. the LTT forum is "collecting your ip address" right now and when you download audacity they "collect your ip address"

There is a very big difference between "your IP is exposed when you visit a website" and "the website stores your IP along with other information".

What Audacity is doing is collecting and storing that IP along with other information. They are not just having their router store the IP in working memory for the purposes of using it for routing. They are saving it to disk and binding it to other information stored.

 

Like I said earlier, I am not worried about Audacity collecting this, but let's not pretend like they have to store the IP for their service to function. They don't. Saving IP addresses to disk, which is what Audacity does, is not "how the Internet works".

What Audacity seems to be doing is not just collect it when you download the program. It also saves your IP when you run the program locally on your computer. That is not something that has to happen because "that's how the Internet works". That's something Audacity has chosen to implement and it would work without it, as demonstrated by the fact that you can apparently turn it off (or rather, you have to turn it on).

[Arika]

7 hours ago, Sauron said:

Someone also pointed out earlier that collecting data from minors is illegal in many countries and if suspicion arises that Audacity might be unwittingly doing it then a data request might be issued to determine where a given data set is coming from (within a day of collection).

But is any of the data collected actually the minor's data? 

The Internet service will be paid for by the parents, so the IP address is not personal information of the minor, and the rest of it is related to the PC which might also be the parent's. 

 

While I don't like data collection, the "think of the children" argument that keeps popping up in this thread is a bit disingenuous, otherwise you could make that claim simply because there is a minor in the house that any data collected from a particular household could include said minor's information even if it's not them using the device at the time. 

[Sauron]

10 hours ago, LAwLz said:

What Audacity seems to be doing is not just collect it when you download the program. It also saves your IP when you run the program locally on your computer. That is not something that has to happen because "that's how the Internet works". That's something Audacity has chosen to implement and it would work without it, as demonstrated by the fact that you can apparently turn it off (or rather, you have to turn it on).

I don't understand why you insist on the fact that the program can work locally without you opting in or even having an internet connection. Nobody is arguing that Audacity needs any sort of telemetry just for the program to work. This is an optional functionality you can enable to help with development, nothing more or less than that.

 

As far as I can tell the IP address is only saved in relation to your telemetry data, do you have reason to believe otherwise? I really don't see what novel information would be gained by sending it on its own every so often.

10 hours ago, LAwLz said:

There is a very big difference between "your IP is exposed when you visit a website" and "the website stores your IP along with other information".

What I meant is that you can't ever really be sure it's not being stored and if you consider it sensitive information then you should probably avoid using the internet without a vpn or tor (and not enable this opt-in telemetry).

8 hours ago, Arika S said:

But is any of the data collected actually the minor's data? 

This would have to be determined by an investigation if it was ever brought up. Since the disclosure request would have to come within a day of the data being collected I would assume the local authorities would already have determined that it was likely the case.

 

Don't get me wrong, I don't think this scenario is very likely to occur - but if it does and Audacity was found to not follow the requirements it could be a big problem for them.

8 hours ago, Arika S said:

While I don't like data collection, the "think of the children" argument that keeps popping up in this thread is a bit disingenuous, otherwise you could make that claim simply because there is a minor in the house that any data collected from a particular household could include said minor's information even if it's not them using the device at the time. 

I didn't say Audacity's telemetry is dangerous to children or anything like that, I'm simply saying they need to comply with existing laws on the matter.

 

Again I'm no lawyer, I'm simply going off what was claimed by Audacity and other similar policies from other companies. If you know for a fact that this isn't a legal requirement anywhere, let me know.

[Arika]

8 minutes ago, Sauron said:

I didn't say Audacity's telemetry is dangerous to children or anything like that, I'm simply saying they need to comply with existing laws on the matter.

 

Again I'm no lawyer, I'm simply going off what was claimed by Audacity and other similar policies from other companies. If you know for a fact that this isn't a legal requirement anywhere, let me know.

oh, i have no doubts, what i said was more of a general comment as opposed to a direct reply to yours.

[Video Beagle]

22 hours ago, Avocado Diaboli said:

The same one that decides on any kind of licencing, contract or copyright: the courts. Licenses don't need to be signed off from on high, they are just a contract like any other, you and the contract party are free to negotiate contracts to a fairly unlimited degree (yes, I'm aware that there are limits to contracts) and if both of you agree to the terms defined in the contract, even implicitly, i.e. "by using this software you agree to XY" and you violate that contract, any old court will be the arbiter over what happens because of that.

 

21 hours ago, dalekphalm said:

Same as anything else: you sue them in a court of law (which court depends on a lot of factors, including the country the body suing is from, where the defendant is from, etc). 
 

Most likely the US or EU court systems. 

 

But who is the "you" in this case? A contract is between two (or more) legal bodies.  There's the company that owns Audacity and....who? Who has the power to enforce GNU/GPL? Are they enshrined in law and treaties like Copyright is? Is there some corporate body that says "you violated this" like a Terms of Service? To sue, you have to have legal standing to do so. You have to be actually involved. So who has the legal standing to say "you violated this public license"?

[Avocado Diaboli]

1 hour ago, Video Beagle said:

But who is the "you" in this case? A contract is between two (or more) legal bodies.  There's the company that owns Audacity and....who? Who has the power to enforce GNU/GPL? Are they enshrined in law and treaties like Copyright is? Is there some corporate body that says "you violated this" like a Terms of Service? To sue, you have to have legal standing to do so. You have to be actually involved. So who has the legal standing to say "you violated this public license"?

I think it's important to make a distinction here. When people say that Audacity violate the GNU/GPL, it just means that they're trying to enforce restrictions that are inherently covered by the license itself, so their additional requirements contradict it. But as I've mentioned earlier, the Version 2 of that license doesn't seem to have the same clauses that Version 3 has in terms of guaranteeing unregulated and unimpeded access to the software covered by the license. At least, if I understood the jargon in both versions correctly. However, if Audacity were to theoretically violate a stipulation in the GNU/GPL after they already released their software under that license, any such restriction would be null and void immediately and not enforceable in court. But again, this whole stipulation in their terms of service about being 13 or older to use the software is just a measure to cover their asses in case they ever happen to collect data from people younger than that, in order to appease COPPA regulations. They're not going to sue 10-year-olds for recording something in Audacity. At least I hope not.

 

As for who the legal bodies are regarding license disputes, it's the people involved, either collectively as a group or individually for the parts they wrote themselves, since even though they released the source code under the GNU/GPL, they still always retain copyright on the code they wrote. If Person A writes code for a project that's released under GNU/GPL, then if Person B uses said code in a project and doesn't distribute it under GNU/GPL themselves, that's a violation and can be sued over. GNU/GPL has been recognized as a valid contract by a US federal judge.

 

But again, GNU/GPL is just a generic license written up so that open source developers don't have to reinvent the wheel every time someone tries to create a piece of software and guarantee that it stays open source. If you write code (or create anything at all, really), you can dream up any license you want. That's what Apple did when they wrote their EULA (end user license agreement, so it's also just a license) where it mentions that you're not allowed to use iTunes to develop nuclear warheads.

[dalekphalm]

4 hours ago, Video Beagle said:

But who is the "you" in this case? A contract is between two (or more) legal bodies.  There's the company that owns Audacity and....who? Who has the power to enforce GNU/GPL? Are they enshrined in law and treaties like Copyright is? Is there some corporate body that says "you violated this" like a Terms of Service? To sue, you have to have legal standing to do so. You have to be actually involved. So who has the legal standing to say "you violated this public license"?

Since I'm not a lawyer, I'm not going to be able to give you a comprehensive legal analysis of the GNU/GPL licensing system and how it's enforced.

 

I would assume that a relevant party (a party with some kind of stake in the game) - either the original developers who released the code under GNU/GPL, or perhaps a group of users could do so.

 

Frankly I have no idea how enforceable the GNU/GPL license is. I assume most cases involving GNU/GPL violations are the developers suing someone who stole part or all of their code and used it in some way prohibited. When the developers themselves are the ones potentially violating the license, I really don't know how that would proceed.

 

I do not believe that GNU/GPL violations would be criminal law - but rather civil law instead. Meaning, someone has to sue them to enforce compliance or penalties. Whoever that "someone" ends up being.

[spartaman64]

22 hours ago, LAwLz said:

There is a very big difference between "your IP is exposed when you visit a website" and "the website stores your IP along with other information".

What Audacity is doing is collecting and storing that IP along with other information. They are not just having their router store the IP in working memory for the purposes of using it for routing. They are saving it to disk and binding it to other information stored.

 

Like I said earlier, I am not worried about Audacity collecting this, but let's not pretend like they have to store the IP for their service to function. They don't. Saving IP addresses to disk, which is what Audacity does, is not "how the Internet works".

What Audacity seems to be doing is not just collect it when you download the program. It also saves your IP when you run the program locally on your computer. That is not something that has to happen because "that's how the Internet works". That's something Audacity has chosen to implement and it would work without it, as demonstrated by the fact that you can apparently turn it off (or rather, you have to turn it on).

well there can be very good reasons to do this other than tin foil hat NSA stuff. like for ddos protection etc