Open Source Privacy

Is Open Source Audio Editor Audacity 'Spyware'? (pcmag.com) 203

Anyone deciding to download the free and open-source audio editor Audacity is being warned that the software may now be classified as spyware due to recent updates to its privacy policy. From a report: Audacity has been around for over 21 years and classes as the world's most popular audio editing software. On April 30, the Muse Group acquired Audacity with the promise that the software would "remain forever free and open source." However, as FOSS Post reports, last week the Audacity privacy policy page was updated and introduced a number of personal data collection clauses. The data collected includes OS version and name, user country based on IP address, the CPU being used, data related to Audacity error codes and crash reports, and finally "Data necessary for law enforcement, litigation and authorities' requests (if any)." The personal data collected can be shared with Muse Group employees, auditors, advisors, legal representatives and "similar agents," potential company buyers, and "any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, or (ii) to exercise, establish or defend our legal rights."
UPDATE: Ars Technica's Jim Salter disagrees, pointing out that "neither the privacy policy nor the in-app telemetry in question are actually in effect yet," and that the company now plans to self-host its telemetry sessions rather than using third-party libraries and hosting.

  • It's open source (Score:5, Insightful)

    by micksam7 ( 1026240 ) * on Monday July 05, 2021 @05:03PM (#61553634)

    So you mean it's time for a fork?

    • by Registered Coward v2 ( 447531 ) on Monday July 05, 2021 @05:05PM (#61553638)

      So you mean it's time for a fork?

      That's what I'm thinking. Fork it and remove the reporting code. My guess is once it became corporate, lawyers decided to CYA, so the new agreement clauses.

      • Re:It's open source (Score:5, Interesting)

        by AmiMoJo ( 196126 ) on Tuesday July 06, 2021 @03:31AM (#61554694) Homepage Journal

        Already done, problem is which fork do you follow? There is a risk that some of the forks will be malware.

        Similar thing happened when TrueCrypt died. Multiple forks emerged as well as the last known good version of TC. In the end Veracrypt became the preferred, trusted replacement but it took a while and in the meantime there was a lot of uncertainty.

        • by jwhyche ( 6192 )

          Already done, problem is which fork do you follow?

          Easy answer to an important question. Just keep using the older version that you are using and let it get sorted out. Just like Veracrypt, a winner will float to the surface, and that will be the one we all run with.

          Audacity has been a mature and functional piece of software for well over a decade. A recent version in the last few years should do till forked issues get sorted out.

    • by Tom ( 822 )

      I was about to ask where the repository of the fork is. There are probably 3 already.

    • Re:It's open source (Score:5, Informative)

      by silentbozo ( 542534 ) on Monday July 05, 2021 @05:10PM (#61553652) Journal

      Sounds like it.

      Someone already did a fork, but they haven't renamed it yet:

      https://github.com/cookiengine... [github.com]

    • Re: (Score:3, Funny)

      russia bought it, it seems.

      so, not fork, but spoon. better for borscht.

      (did not know it's now russian owned. whatever the previous version was, that will be the last to be installed. it's audio sw, probably not many updates needed really)

    • Re:It's open source (Score:5, Interesting)

      by sound+vision ( 884283 ) on Monday July 05, 2021 @05:11PM (#61553666) Journal

      Shouldn't be hard, this software reached maturity a decade ago. It does exactly what it needs to do (basically the digital version of a Tascam cassette multitrack) and there's not much else to add.

      The only place it could go from here is to a full-fledged DAW that lets you compose with virtual instruments and such. Unless they were planning on pouring millions into development, that's not where they were going with this. This smells more like "cash extraction" to me.

      I look forward to the fork.

      • You mean Ardour?

        That's free and open source too, by the way. with a quite good business model.

        • Exactly this - I like Audacity the way it is.

          I use Ardour when I need a full-fledged DAW, but there's a lot to be said for a quick tool like Audacity when I need to do something simple and quick.
      • by rtb61 ( 674572 )

        Taking into account modern developments and the entire music industry, that data mining smells of planned theft of music. Telemetry from your machine sounds good, record and publish it before you do. It really does sound like they bought it to steal original music and publish it before you can. It's music editing software, that is what you get from it, that is the telemetry it delivers and what you can data mine off that, only one thing, original music creations.

        Pretty typical of modern tech companies,

    • Re:It's open source (Score:5, Informative)

      by lactose99 ( 71132 ) on Monday July 05, 2021 @05:15PM (#61553678)

      FWIW here are some useful links to the last non-spyware versions: https://blog.fosshub.com/audac... [fosshub.com]

      • Re:It's open source (Score:5, Informative)

        by mysidia ( 191772 ) on Tuesday July 06, 2021 @02:48AM (#61554616)

        The current versions are apparently not Spyware either; they just potentially send back to the developers some very basic info in crash reports in the event of a program crash using a sentry.io API with an API URL and credentials that are chosen when compiling the binary... (So if you compile the current repository from source yourself, and possibly if you use an OS other than Windows, then you will not even have that feature).

        If the above fits your definition of Spyware, then Windows itself, and even the stock Notepad.exe can be considered Spyware.

        Someone clearly just overreacted to legal CYA the developers added to their privacy policy documents by coming up with some bullshit that Audacity is currently Spyware.

        Perhaps whoever brought up this label was being too lazy and did not want to review the code or look for actual evidence, OR they are just stating that they anticipate the developer will make future versions into Spyware --- In either case, it would appear to constitute reckless publication at best and malicious / libelous conduct at worst for journalists to label them Spyware.

        The fact is that even if the devs did not add the information to "Law enforcement" - They would still be legally required to comply with law enforcement requests. Putting that info in the privacy policy is just important to avoid being sued or penalized by regulatory enforcement authorities for not complying by failing to disclose.

    • Chutzpah [wikipedia.org] now has the connotation of brash and audacious, but originally carried the connotation that someone has overstepped the bounds of society. Seems like an appropriate rebuke to the new owners.

    • Re:It's open source (Score:5, Interesting)

      by mysidia ( 191772 ) on Monday July 05, 2021 @07:23PM (#61553974)

      I'm sure forks are coming, but they seem unwarranted.

      Whoever used the "Spyware" label to describe Audacity should go to jail. JMHO. It seems like a malicious mischaracterization of the software's use of the sentry.io API to send crash reports.

      • Personally I like the fact that basically every site that is running this story telling you to uninstall Audacity has so far collected far more user information just for the privilege of reading about how Audacity is "spying" on you.

    • So you mean it's time for a fork?

      Yeah. Fork 'em.

    • by Barny ( 103770 )

      No. The opt-in telemetry idea has been dropped (according to their git discussion).

  • Fixed in Linux (Score:5, Informative)

    by JBMcB ( 73720 ) on Monday July 05, 2021 @05:10PM (#61553654)

    Ardour did something somewhat similar. In Gentoo Linux, you just:

    USE="-phonehome" emerge media-sound/ardour

    And it's fixed. You can turn off all the telemetry stuff for KDE and Gnome the same way. I think it's off by default. I'm guessing Audacity will get the same treatment.

    • Sounds like Ardour did an opt-out whereas Audacity is doing an opt-in. No need to even change flags or fix anything. The developers have been quite clear that the *opt-in* telemetry is only in the binaries and not if you build from source.

  • Audacious move. Good luck with that.

  • Not baked in yet (Score:5, Insightful)

    by marcle ( 1575627 ) on Monday July 05, 2021 @05:11PM (#61553664)

    This concern is overblown. For one thing, these terms are proposed, not part of the current version (3.02). For another thing, the info proposed to be collected is no more than the average website, including Slashdot, collects.
    If you're really worried about this, just download the current version now. It's really an excellent program for basic audio recording and editing, with plenty of features for all but the most advanced of users.

    • At first blush I thought the same thing. Unless you're browsing with a VPN or other protection this is pretty basic stuff to be collecting. The information on error/crash reports is pretty common too.

      What I thought was an orange/red flag was this:

      Data necessary for law enforcement, litigation and authorities' requests (if any).

      No idea what that is supposed to mean.

      I did get a chuckle out of this part though

      any competent law enforcement body, regulatory, government agency, court or other third party...

      How are they supposed to tell?

      • by Sebby ( 238625 ) on Monday July 05, 2021 @05:48PM (#61553748)

        any competent law enforcement body, regulatory, government agency, court or other third party...

        How are they supposed to tell?

        They don't have to, because no such thing exists.

      • by mspohr ( 589790 ) on Monday July 05, 2021 @05:56PM (#61553770)

        Probably RIAA.
        If you try to incorporate or edit some copyrighted music, Audacity can send your info with the offending clips to the authorities.

        • That is actually funny, not insightful. There are legitimate reasons why any music can be on anyone's audio editor. But, maybe audacity will be integrated with all of the licensing and music store platforms of the world then. Maybe it will adjust your credit scores according to the music it finds on the timeline. Maybe. (Free use is also possible.)
      • by znrt ( 2424692 )

        Data necessary for law enforcement, litigation and authorities' requests (if any).

        No idea what that is supposed to mean.

        it means that if you use copyrighted sounds and samples they will not hide that fact from any authority that wants to know, so use at your own risk. yeah the risk is pretty low, but they are covering their butts just in case.

        any competent law enforcement body, regulatory, government agency, court or other third party...

        How are they supposed to tell?

        competent:
        (of a court or other body) accepted as having legal authority to deal with a particular matter.

      • How are they supposed to tell?

        If you get a judge to sign a piece of paper you've competently done your job as law enforcement. If you come up saying pretty please then time to go back to law enforcement school.

      • I agree it's a bit open ended. My guess is some lawyer said "what if the authorities want this data, we should put it in the agreement", not meaning for it to give open slather to collect data, but to make plain in the agreement that a legal request for data could send it to the authorities. Hopefully they'll wake up and tone this bit down.

      • But this is valid for any software located in the US, EU, UK, and many other countries. If the party is in that legal jurisdiction due to organization registration, or physical location of data retention or admins of such, or even copyright protection.... they are obligated to follow any court ruling within.

        Most companies don't say this outright because it's fairly obvious and assumed.

      • Re:Not baked in yet (Score:5, Informative)

        by Barny ( 103770 ) on Monday July 05, 2021 @11:01PM (#61554346) Journal

        Except that was incorrect too. That article had an Agenda with a capital A.

        The data they were going to be collecting was:
        1) opt-in
        2) basic telemetry
        3) only through pre-compiled versions (if you downloaded source and compiled yourself, it wouldn't be in unless you used specific compiler options)

        Here's the listing [github.com] of what they were planning to obtain.

        And here's [github.com] them saying "You know what, people are fucking crazy, let's put this hot potato down for now."

        Storm in a teacup, and everyone cites this one "news" page that was only playing Chicken Little for the clicks. Guess what, you gave it to them, /.

      • I did get a chuckle out of this part though

        any competent law enforcement body, regulatory, government agency, court or other third party...

        How are they supposed to tell?

        In this context "competent" is a synonym for "having the legal authority". Whether the competent authority can actually wield its authority with competence, well, that's another question.

    • Re:Not baked in yet (Score:5, Informative)

      by haus ( 129916 ) on Monday July 05, 2021 @05:51PM (#61553758) Journal

      Whitney Merrill has been attempting to address this on Twitter, sadly it seems to be a thankless job.

      https://twitter.com/wbm312/sta... [twitter.com]

      For those who are not aware, she is someone who has been working in the interest of privacy for quite some time.

    • by Improv ( 2467 )

      It's better to do the fork now, when the fork is small. Any moves like these are a sign of bad faith by the new owners of the name, and it's important that it remains that - just a name.

    • Is it one of those "we would like to collect these data, please check here to allow us to do that." or is it a microsoft "we collect stuff. you can't stop us." Because, for me, the point isn't that the data they collect is harmless, it's the "Why are they doing that at all?" Also, legally (not a lawyer, can't talk about that aspect), it may not be harmless, but the data collected combined with other's can be used to ID you. If this hadn't been tracking, if it was that they changed it so audacity sends the w
    • The problem is that the privacy policy that you will have to agree is written as if they're taking real information, which they're not.
      And because of that it doesn't allow children to use the program, which is dumb and against the GPL.

      So it isn't that the program is spyware, it's that it has a spyware privacy policy.

      They need to delete that policy.

      Imagine if they start taking enough data to make that policy necessary in the future.

    • For another thing, the info proposed to be collected is no more than the average website, including Slashdot, collects.

      A website is running on a remote computer. I know I'm connecting elsewhere.
      Audacity runs on my computer. It doesn't need a network connection, and shouldn't use one for anything at all.

  • the promise that the software would "remain forever free and open source." However...

    "Forever" is a long time but they didn't break their promise (yet?).

    The source code is available here https://github.com/audacity/au... [github.com]
    It is still being maintained
    Don't like the spyware or anything Muse Group does with it, fork it. It is GPL, and for the current version of Audacity, it will not change until it becomes public domain (that means never)

    • Yes you could just fork it. On a related note there is a discussion [github.com] on github about the new CLA for dual licensing purposes and the ability to have Audacity on platforms that fundamentally do not support the GPL like iOS:

      "Unfortunately, some platforms have policies or technical processes that make it difficult or impossible for Audacity to exist on them while it is licensed solely under the GPL (v2 or v3). Apple's App Store on iOS and macOS is one example of this, which is the reason that VLC Media Player w

      • by tlhIngan ( 30335 )

        On a related note there is a discussion on github about the new CLA for dual licensing purposes and the ability to have Audacity on platforms that fundamentally do not support the GPL like iOS:

        "Unfortunately, some platforms have policies or technical processes that make it difficult or impossible for Audacity to exist on them while it is licensed solely under the GPL (v2 or v3). Apple's App Store on iOS and macOS is one example of this, which is the reason that VLC Media Player was removed from the store ba

  • LibreAudio? LibreSound? Erm... someone here's gotta have better ideas than me!
  • No it fucking hasn't (Score:5, Informative)

    by urbster1 ( 871298 ) on Monday July 05, 2021 @05:43PM (#61553734)
    "Audacity makers clarify data usage – and there’s not reason to dump the editor yet" https://cdm.link/2021/07/audac... [cdm.link]
    • It's kind of a mean-spirited post, but the underlying argument seems solid. Collecting even the most basic of telemetry data means you need a legally-compliant privacy policy, and that's exactly what has (or rather, will be) happening.

      • by Cafe Alpha ( 891670 ) on Monday July 05, 2021 @09:27PM (#61554188) Journal

        The policy says that children under the age of 13 can't be allowed to use their software while it's online - yet the software doesn't CURRENTLY transmit any data that could get them in trouble with child privacy laws. Also this is incompatible with the GPL.

        The policy says that they will comply with any court orders to turn your data over to law enforcement - yet the software doesn't CURRENTLY transmit any data to turn over - less than the average web page.

        The arguments they give for why this is necessary are totally wrong.

        And the arguments they give for how this doesn't violate the GPL are totally wrong.

        So either they're setting up to invade privacy in the future or they have a clueless corporate lawyer who is completely out of control. Probably the latter, but that doesn't make it acceptable.

        • Currently they don't collect any kind of telemetry. That is going to change. And I don't begrudge them for it given how useful even the most basic information is.

          Past that, everything else is establishing a privacy policy for how to handle that information. Saying they'll comply with court orders is hardly scandalous. Otherwise the 13 year old thing is a bit more unusual since the COPPA only applies to personally identifiable info. But dealing with the COPPA in general is a giant pain in the butt, so I don'

    • by The Evil Atheist ( 2484676 ) on Monday July 05, 2021 @10:33PM (#61554306)
      Are nerds stupidly naive? Redhat promised many things on the CentOS mailing list. Look at what happened.

      This is what it comes down to among nerds - assume everyone says what they mean and mean what they say. So if they don't outright say "we're going to do evil things/incite insurrections", then assume there is no problem. If you're a fauxtistic nerd who has trouble understanding how human communication works, all the implicit things said or not said, maybe leave it to those of us who do.

      Does Audacity need to collect any data? No. Nothing about the program requires any data to be sent elsewhere. So however benign it starts out as, it simply has no reason to do so and is obviously a stepping stone to something more invasive.
    • by Barny ( 103770 )

      Further info at these two git discussions:

      What they were planning to obtain. [github.com] (purely as opt-in and only with specific compiled options set)

      And here is them deciding to drop this hot potato because one "news" site wanted a bunch more clicks this week. [github.com]

    • Re: (Score:3, Insightful)

      by nagora ( 177841 )

      they’re not tracking anything you need to worry about, they’re not selling any data

      Data collected will be sold. Always. You're a fool if you think otherwise.

      there are strict controls over how the data is used

      Right up until there aren't.

      Seriously, that PR puff you linked to isn't worth the paper it's not written on.

  • Data necessary for law enforcement, litigation and authorities' requests (if any).

    ... why they thought this was a good idea?

    Pressure from the copyright crowd, perhaps? But doesn't LE and their masters understand the meaning of 'open source'? And realize that they will have to chase forks of this app around the 'Net until the end of time?

    And what happens if a user (of Audacity or a forked product) doesn't provide the application with a network connection? AFAIK, Audacity (previous versions) didn't need this. So even if I'm playing nice with copyrights, I'm going to be pissed if this th

  • by Cafe Alpha ( 891670 ) on Monday July 05, 2021 @09:04PM (#61554140) Journal

    document.

    I've been arguing over on Github and I finally came to the conclusion that the problem is entirely that they have an inappropriate privacy document.

    They're not doing anything wrong (other than the fact that the privacy document restricts the use which is against GPL).

    They're paranoid that if they even keep your IP address for a while, then they could get in trouble for violating the privacy of children (they can't). So they said that children aren't allowed to use the program while they're online. That's against the GPL.

    They also said that they can give your information to the authorities. Once again, what information? Temporary IP address? No more than any web server has? ... But agreeing to a privacy policy that's too broad allows them to do bad things in the future. They need to tell the lawyers to calm down and should probably just get rid of the document altogether.

  • https://github.com/temporary-a... [github.com]

    While I think the title of this is a bit clickbait - the program is not spyware, it just has a new license AS IF it were spyware, this is the third time this new owner has alarmed and harmed the user base. Fourth if you count buying the project as if it were an asset.

    So there's already a fork going strong.

  • I'd make it 'Opt In' by law for all software developers.
    • by Alumoi ( 1321661 )

      In civilized countries it is opt-in by law. But it's pre-selected for your own convenience.

  • This is why God invented Firewalls ...

    • by Megane ( 129182 )
      So firewalls help against privacy policies? If you were paying attention instead of trying to sound smart, you would know that you could compile it from source, which by default disables the telemetry that they decided not to include anyhow. This is literally clickbait about a policy that you can ignore if you build it from source.
  • Someone pointed out that MuseScore has almost an identical privacy policy.
    So maybe they're not trying to pull a fast one, maybe they just have a lawyer who screws up GPL licenses and pisses people off with paranoid, unnecessary clauses.

  • by jemmyw ( 624065 ) on Tuesday July 06, 2021 @03:32AM (#61554698)
    Well the best thing about it is that I didn't realize how good audacity was now. My anti protest to this ridiculous "controversy" is that I'll start using it. I already use musescore.
