Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Music Open Source

No, Open Source Audacity Audio Editor Is Not 'Spyware' (arstechnica.com) 125

Over the Fourth of July weekend, a number of news outlets, including Slashdot, ran stories warning that the free and open-source audio editor Audacity may now be classified as spyware due to recent updates to its privacy policy. Ars Technica's Jim Salter looked into these claims and found that that is not the case. An anonymous reader shares an excerpt from his report: FOSS-focused personal technology site SlashGear declares that although Audacity is free and open source, new owner Muse Group can "do some pretty damaging changes" -- specifically meaning its new privacy policy and telemetry features, described as "overarching and vague." FOSSPost goes even further, running the headline "Audacity is now a possible spyware, remove it ASAP." The root of both sites' concern is the privacy policy instigated by new Audacity owner Muse Group, who already published open source music notation tool MuseScore. The privacy policy, which was last updated on July 2, outlines the data which the app may collect [...]. The personal data being collected as outlined in the first five bullet points is not particularly broad -- in fact, it's quite similar to the collected data described in FOSSPost's own privacy policy: IP address, browser user-agent, "some other cookies your browser may provide us with," and (by way of WordPress and Google analytics) "your geographical location, cookies for other websites you visited or any other information your browser can give about you." This leaves the last row -- data necessary for law enforcement, litigation and authorities' requests (if any)." While that's certainly a broad category and not particularly well-defined, it's also a fact of life in 2021. Whether a privacy policy says so or not, the odds are rather good that any given company will comply with legitimate law enforcement requests. If it doesn't, it won't likely be a company for long. The final grain of salt in the wound is a line stating that Audacity is "not intended for individuals below the age of 13" and requesting people under 13 years old "please do not use the App." This is an effort to avoid the added complexity and expense of dealing with laws regulating collection of personal data from children.

The first thing to point out is that neither the privacy policy nor the in-app telemetry in question are actually in effect yet -- both are targeted to an upcoming 3.0.3 release, while the most recent available version is 3.0.2. For now, that means there's absolutely no need for anyone to panic about their currently-installed version of Audacity. [...] Although FOSS-focused media outlets including FOSSPost and Slashgear reported negatively on this issue over the holiday weekend, the contributors and commenters active on the project's Github seem to have been largely satisfied by the May 13 update, which declared that Muse Group would self-host its telemetry sessions rather than using third-party libraries and hosting. The same day the second pull request went live, Github user Megaf said, "Good stuff. As long as the data is not going to [third party tech giants] we should be happy. Collect the data you really need, self-host it, make it private, make it opt-in, and we shall help." It's a small sample, but the sentiment seems broadly supported, with 66 positive and 12 negative reactions. Reaction to Megaf's comment reflects user reaction to the updated pull request itself, which currently has 606 positive and 29 explicitly negative reactions -- a marked improvement over the original pull request's 4,039 explicitly negative reactions and only 300 positive reactions. We believe that the user community got it right -- Muse Group appears to be taking the community's privacy concerns very seriously indeed, and its actual policies as stated appear to be reasonable.

This discussion has been archived. No new comments can be posted.

No, Open Source Audacity Audio Editor Is Not 'Spyware'

Comments Filter:
  • I already uninstalled it and installed a fork!
  • No need (Score:4, Informative)

    by AndyKron ( 937105 ) on Tuesday July 06, 2021 @03:07PM (#61556581)
    They don't need to collect any data.
    • Re: (Score:3, Insightful)

      by Ostracus ( 1354233 )

      They don't need to bug fix, or improve either.

      • My location, username, and other browser data isn't required to fix or improve either.
        • by Xenx ( 2211586 )
          It doesn't collect browser data. They were using the privacy policy of FOSSPost's website as an example of how the data they DO collect is pretty standard. They cover what is collected in the /. link or anywhere else you care to look.
          • Audacity isn't a web browser and has zero need to collect age of user (how else do you think they'll know who's under 13 and using their software?), IP address or any information needed to send to the authorities. When installed via repository, it doesn't even need to know OS version or type as that's handled by the package maintainers. If I want to use an audio editor to increase the volume, merge audio clips, etc. why should they need to know anything at all except when their application crashes and even
            • by Xenx ( 2211586 )
              That's a different question than what I responded to. But, metrics are a thing companies like to keep track of. Knowing your user base means you know where to expend resources. That isn't to say I think they NEED to be collecting it, but there are legitimate reasons they would.
      • by Anonymous Coward

        They don't need to bug fix, or improve either.

        None of the data they are collecting is needed to fix bugs or make improvements.

      • Re:No need (Score:4, Interesting)

        by ArchieBunker ( 132337 ) on Tuesday July 06, 2021 @04:27PM (#61556851)

        At some point all bugs are fixed and functionality has peaked. Why can't programmers ever stop working on something? A hammer has had the same basic shape for centuries now. You don't see new shapes of hammers every year.

        • Says the guy who never used a hammer.

          https://www.businessinsider.co... [businessinsider.com]

          /s
        • Why can't programmers ever stop working on something? A hammer has had the same basic shape for centuries now. You don't see new shapes of hammers every year.

          Programmers shouldn't use analogies from engineering.

          I've recently purchased a battery powered electro-pneumatic (rotary) hammer. It doesn't look anything like whatever you're thinking of as a hammer, it looks like a drill. Feel free to keep using a drill and a drilling hammer to make holes in concrete, stone and masonry. It's nice to have someone keep

        • Adam Savage's Guide to Workshop Hammers! https://www.youtube.com/watch?... [youtube.com]
      • Faulty logic -- Linux fixes bugs just find without telemetry.

        Yes, telemetry makes that easier but it makes a lot of other thing easier too.

    • Re:No need (Score:4, Insightful)

      by quantaman ( 517394 ) on Tuesday July 06, 2021 @03:21PM (#61556643)

      They don't need to collect any data.

      No, but knowing the localities their users are in let them know where to focus their localization efforts.

      Knowing basic diagnostics like OS and CPU version let them make sure it runs smoothly.

      And uploading error reports and crash reports makes it way easier to fix bugs.

      And finally, sharing data with legitimate requests from law enforcement is really not an option whether you put it in the privacy policy or not.

      Sometimes the Internet freaks out because someone is doing something wrong, and sometimes it freaks out because someone else sees innocent behaviour through a highly distorted lense.

      This appears to be a case of the latter.

      • Re:No need (Score:5, Informative)

        by Berkyjay ( 1225604 ) on Tuesday July 06, 2021 @03:24PM (#61556651)

        A simple opt-in for sharing telemetry and other data would be pretty easy.

        • A simple opt-in for sharing telemetry and other data would be pretty easy.

          It's opt-in. I think people just freaked out that they were adding telemetry at all.

          • Re:No need (Score:5, Insightful)

            by rtb61 ( 674572 ) on Tuesday July 06, 2021 @07:01PM (#61557333) Homepage

            Do you know why people freaked out because psychopathically greedy tech corporation do exactly this all of the time. First the change the rules and everyone gets pissed off, then they say, see nothing changed in the software is was all our lawyers fault. They after it all changes, they FUCKING CHANGE THE SOFTWARE and put the bloody invasive stuff in, EVERY FUCKING SINGLE TIME.

            They change the rules because they fully intend to exploit those rule changes, which is exactly why they fucking changed them. What do they want to data mine, the music itself, publish before you do, the riffs and rhythms. How much is it worth, well over 100 Billion dollars all tied to copyright laws.

            Why else buy a FOSS company, either administer systems, custom distribution or mine data. The obvious data to mine, music as it is being created, how much is that worth well over 100 billion per annum, they wont get it all but they could steal hundreds of millions of dollars worth of music.

            When creating copyrighted content how much telemetry should be allowed or even written into the software, ZERO. It is like a vault manufacturer demanding access to the vaults it built for the bank, seriously, that bad (as in our vault not yours, you just have a licence to use it, and we can access it at any time).

            No corporation should ever be allowed to access the creative content of it's customers, any attempt to gain that should be criminalised, planned theft of copyrighted content, not even written into the software.

            • by Anonymous Coward

              Do you know why people freaked out because psychopathically greedy tech corporation do exactly this all of the time.

              Well the psychopathically greedy developers are the ones that sold it to the tech corporation in the first place, for a tidy profit, rather than giving it away to the community instead.

          • >> It's opt-in.
            That is phase 1
            Phase 2 is opt-out
            Phase 3 is no option

      • Re:No need (Score:5, Insightful)

        by hazem ( 472289 ) on Tuesday July 06, 2021 @03:31PM (#61556667) Journal

        And finally, sharing data with legitimate requests from law enforcement is really not an option whether you put it in the privacy policy or not

        You can't be compelled to share data you don't collect in the first place. Why are they planning to collect data that might be of interest to law enforcement?

        • "Why are they planning to collect data that might be of interest to law enforcement?" - Who says that they are? All they say is that they will share the info that they do have with law enforcement, something that they or any one else have zero say in anyway.
      • by Joviex ( 976416 )

        They don't need to collect any data.

        No, but knowing the localities their users are in let them know where to focus their localization efforts.

        Man, how does it feel to bend over for your corporate shill friends? They dont need any data about anything "local" to make audio software.

        You think everyone living where they live are all FROM there? Even if that were true, its obtuse as hell to think you can generalize software while trying to gather specific information. This is info harvesting users, plain and simple, and you must love them corporate parties.

        • "They dont need any data about anything "local" to make audio software. " - they need to see if it's worth keeping the translation for language X up to date or to simply drop it to default English. Why is this so hard for some to understand?
          • by Joviex ( 976416 )

            "They dont need any data about anything "local" to make audio software. " - they need to see if it's worth keeping the translation for language X up to date or to simply drop it to default English. Why is this so hard for some to understand?

            No they dont. Its 20 years of wide use. Stop being an obtuse shill.

            • It's 20 years of wild use where this new owner have no idea what so ever where "their" software is being used, so they want to add telemetry to be able to figure out where in the world they have their largest user base so that they know which language/region to prioritize when it comes to change and where they need to put more focus on things like marketing. The only thing that makes this different is that they are open about it.
      • by swilver ( 617741 )

        Tell me, Mr. Audicity, what good is a collecting data when you are unable to network?

        This software has no business phoning home. Since I've blocked off the internet for anything that doesn't specifically have permission I've noticed that even the most innocent looking applications will phone home when given the chance. Ask my permission first, then I will decide if your application should be granted access to this resource.

      • As someone else said, give me the option to NOT partecipate in your data collection. Will i have bugs that aren't ever going to be fixed because I'm the only user to ever experience them? That's fine, i can live with the consequences of my choices.

        > sharing data with legitimate requests from law enforcement is really not an option

        You cannot be forced to share data you don't collect. Again, give me the option to opt out, it is easy to implement and it doesn't force you to comply with any request from law

      • No, but knowing the localities their users are in let them know where to focus their localization efforts.

        You can get this from Accept-Language header when people visit your website or... drumroll... you could just ask.

        Knowing basic diagnostics like OS and CPU version let them make sure it runs smoothly.

        If you want data about peoples systems for any reason you could ask first.

        And uploading error reports and crash reports makes it way easier to fix bugs.

        You could ask first.

        And finally, sharing data with legitimate requests from law enforcement is really not an option whether you put it in the privacy policy or not.

        Law enforcement can't ask you for data you don't have in the first place. They can't demand that you lace software products with malware.

        Sometimes the Internet freaks out because someone is doing something wrong, and sometimes it freaks out because someone else sees innocent behaviour through a highly distorted lense.

        Collecting data from people without asking IS WRONG. There is NO reason you can't simply ASK FIRST.

      • While sharing data with the government is not optional, collecting that data in the first place is completely optional.

        This is not an online service, the program should be entirely offline and not need or use the internet connection. Same with operating systems.

        Software development existed before the widespread use of telemetry and somehow the developers figured out what to do and, IMO, made better software.

        If the software crashes often, I can create a bug report manually. I have done this for zfs multiple

  • Some doublespeak right there.

    • by Luckyo ( 1726890 ) on Tuesday July 06, 2021 @03:17PM (#61556631)

      The whole thing is surreal to read. "It's not implemented yet, it's coming in the next version. And it's not going directly to third parties, instead it's going to get aggregated before it's packaged and sold to third parties".

      Best part is that such policies "appear to be reasonable" according to arstechnica. I know that arstechnica went full corporate retard a few years ago, but this is a bit too much even for corporate retard level of reporting.

      • by cb88 ( 1410145 )
        I got banned for posting links to actual scientific studies that didn't fit their global megacorp hyper politics agenda... I that I didn't really loose anything there though since they were already so biased it was sickening.
        • I still read it from time to time, but it's a shell of what it was 20 years ago. And the comments are worthless blobs of political shit (one way or another). Of note, the forums have not been completely eaten by idiots.
          • by cb88 ( 1410145 )
            Well basically a mod practically cursed me out.... so yeah whatever I'm done with them I even added them to adblock as I sometimes go there by muscle memory and it's annoying when I can't post.
            • by MrL0G1C ( 867445 )

              Posting there seems kind of pointless, the stupid site won't give a notification of when your post is replied to, it just tells you that more posts have been made, which is obvious and so redundant. I'm surprised that people bother with the comment system there.

      • arstechnica seem to be required by contract to post monthly out-of-place ICE car reviews, made-up-sexism whines and out-of-date rocket news, but in between that dross are always sprinkled a few interesting items ( that will appear on Slashdot 10 days later ).
  • by Mononymous ( 6156676 ) on Tuesday July 06, 2021 @03:10PM (#61556601)

    Audacity doesn't need any privacy policy, because it doesn't need any kind of network accesss. They have no reason to have any user's IP address, let alone other data.

    • by sleepghost ( 5537556 ) on Tuesday July 06, 2021 @03:16PM (#61556625)

      Indeed, this software should be checked, any network access implies some spyware code has been inserted.

    • by davecb ( 6526 ) <davecb@spamcop.net> on Tuesday July 06, 2021 @04:17PM (#61556811) Homepage Journal

      Their privacy notice at https://www.audacityteam.org/a... [audacityteam.org] sets out in detail all the things they plan to collect in the next release... and reads like it was written by a failing first-year law-student.

      As an example, they say "The App we provide is not intended for individuals below the age of 13. If you are under 13 years old, please do not use the App." In fact, Audacity is used by by middle school science and music classes in Canada, and by interested students of music worldwide. Since there is no way for a minor to opt out of this collection, it explicitly breaches Canadian, European and US laws prohibiting Muse from collecting the information of minors.

      Oh, and just in case they don't know, the GDPR sets a general age of consent at 16, not 13. If the minor is younger than 16, Muse must seek permission from their parents or guardians.

      I could blather on, but I think you get the gist by now.

      My suggestion to them? Seek legal advice

      • by Rhipf ( 525263 )

        As an example, they say "The App we provide is not intended for individuals below the age of 13. If you are under 13 years old, please do not use the App." In fact, Audacity is used by by middle school science and music classes in Canada, and by interested students of music worldwide. Since there is no way for a minor to opt out of this collection, it explicitly breaches Canadian, European and US laws prohibiting Muse from collecting the information of minors.

        There is a very simple way for minors to opt out of the collection of this data and it is stated in the section I quoted.
        "The App we provide is not intended for individuals below the age of 13. If you are under 13 years old, please do not use the App."
        All the minor has to do to opt out of the data collection is to not use the program. Just because it is currently used in school programs in Canada doesn't mean that it can't become against the EULA to do so when this new update is released.

        • Yes, it does. Audacity is GPL-licensed. Unless the people writing this "EULA" hold copyright to 100% of the code, they can't take away Freeom 0.

        • by tlhIngan ( 30335 )

          There is a very simple way for minors to opt out of the collection of this data and it is stated in the section I quoted.
          "The App we provide is not intended for individuals below the age of 13. If you are under 13 years old, please do not use the App."
          All the minor has to do to opt out of the data collection is to not use the program. Just because it is currently used in school programs in Canada doesn't mean that it can't become against the EULA to do so when this new update is released.

          Sorry, but that's a

  • It's all good guys. It's not spyware because the spyware makers said it's not spyware. I already added it to my firewall rules to block all internet connections because why the hell would an audio editor need the internet anyway? Done.
    • Re: (Score:2, Flamebait)

      by Rockoon ( 1252108 )
      sigh

      youve decided that you can no longer trust their binary, the evidence of which is that you created firewall rules specifically for it...

      ..but you still intend to run their binary? really?
  • Tell me your lawyers told you to post this without telling me your lawyers told you to post this

    • by smchris ( 464899 )

      Why do I have "Excellent Karma" from the 90s and I can't score this up?

    • Why would Slashdot's lawyers care? All they did was post a story from someone else. They aren't located in India and didn't upset a politician.

  • Much damage has been done by running a story without collecting all the facts and throwing a flamebait/clickbait title like what was done on this site.
    Really , i did say so earlier , there's no way past or present releases can be characterised " spyware "

    I hope Slashdot moderates and checks facts before damaging further Audacity and this great audio tool needlessly.

    Damage is done.

    • Your reading skills are quite poor, franly.

      The ONLY "fact" that wasn't recollected is this: "ALL THIS PRIVACY ISSUES will be ON the next release 3.0.3".

      So, sorry if you deem better to let users be eaten alive and then scream wolf.

      • Don't be dumb, there are no privacy issues about something entirely opt-in. Be less moron and more clever person.

        • Don't YOU be dumb, there ARE privacy issues that will SHOVE DOWN YOUR THROAT SOONER OR LATER.

          I can point you thousands of companies that have done that before and NONE that hasn't.

          Last example is from Facebook (condemned for illegally selling private information of its users) who first, tried to shovel down the throat of EU WhatsApp users their new rules. Because of the outcry, they said "they would allow users to op-in" BUT, if you wanted to keep using the tool to contact any company, YOU HAD TO ACCEPT THO

    • by fermion ( 181285 )
      What concerns me and why dont think this is flamebait is the explicit statement that they will comply with all law enforcement requests. Compare this to Ring now require a legally binding request, instead of just freely making all videos available. Consider this in light that in the US any bus company can for a police. Once they do that, a yahoo that owns two vehicles can just wander into the audacity office and request all your data, with no probable cause or warrant.
      • Well it's open source so any entity under the thumb of a totalitarian government can be easily relocated.

    • I hope Slashdot moderates and checks facts before damaging further Audacity and this great audio tool needlessly.

      One of the good things about Slashdot is that the discourse in the comment sections generally quickly set the record straight, as happened with the story yesterday. The bigger problem is "media" which claims to be speaking somewhat authoritatively and yet has no comments or discourse on their articles.

      • The previous story was wrong in that the program hadn't been turned into spyware (though that might be only because the battle had already been fought over telemetry) but that there was a new, insultingly broad corporate privacy policy full of unnecessary insulting clauses (like that the purpose of storing your IP address is to give it to courts) and unacceptable GPL breaking license limitations.

        And since the company refuses to get rid of the latter, preferring legal mumbo-jumbo the project looks like it's

        • The previous story was wrong

          Something which was immediately obvious to anyone with a 1080p monitor who would see the incorrect story and the first modded up comment pointing out how wrong it was.

          That's my point. Yes the story was wrong, but the page including comments set the record straight.

    • The damage was done by Muse and they're not even addressing one of the main issues, use by children.

      I think the result is that people are moving to a fork.

    • Really , i did say so earlier , there's no way past or present releases can be characterised " spyware "

      Technically true, but only because 3.03 hasn't been released yet. But git master is spyware, and it doesn't appear like Muse Evilcorp is going to remove it.

  • by Gravis Zero ( 934156 ) on Tuesday July 06, 2021 @03:57PM (#61556745)

    It's not spyware, it's just software that happens to spy on you. See, totally different. Glad we got that cleared up. -_-

  • by Cafe Alpha ( 891670 ) on Tuesday July 06, 2021 @04:01PM (#61556765) Journal

    There hasn't been a single word from the company about taking out the children can't use it clause and their contributors or defenders dance around legal interpretations of the GPL instead of admitting violation. Nor dealing with the fact that if they really thought merely the updater was a problem for children to use in just a few countries, they could have warned about using the updater in those countries - or made the updater a separate project.

    They have satisfied NO ONE on this issue and it looks like an angry mob is just giving up and moving to another fork - partially because this isn't the first thing that alarmed people and the fork was there before this issue even existed.

    Look, it's even gotten a new name, Tenacity.

    https://github.com/tenacitytea... [github.com]

    • This is the irony of telemetry. They need the data to improve their product and better serve the community. However, they never seem to talk to their communities about how telemetry should be implemented, because everyone has an unreasonable sense of entitlement and basic communication is totally worthless!

    • Uh, Tenacity is a fork of Audacity designed to address the exact issues that everyone's complaining about.
  • Because the reporting was pretty over the top.

    That being said, the ability of a company to come and essentially take over an open source project is fairly disturbing. Just the name alone is worth a lot and any fork will have an uphill battle to gain that name recognition.

    As for Muse Groups intentions, they seem pretty suspect to me. A suspicion that is not helped by BeauHD comparing it to the IP address collection of a web server because a server needs the IP to serve the page, Audacity does not. Or by
    • I don't feel like they ever made the PROGRAM do anything wrong, but they've got this attitude like "our corporate law team is always right, shut up!"

      And it's kind of offensive that they have a law team to go after dumb things like people using their name and serving a copy of their software. Oh and they slander people who do that as spreading malware. They even lie about it. They called one site a malware site, but someone downloaded a copy and did a byte by byte compare and the software is unchanged.

      And

      • by HiThere ( 15173 )

        It's currently said that their release version hasn't done anything wrong yet. But that the git master already has the spyware embedded in it. So, it's not spyware *yet* as long as you use the release version.

        This is based on information from prior posts by various people, but it sounds plausible to me. I sure wouldn't trust them.

  • This software is spywar ! Errm spiwar, erm spiware ! Erm, no it's not yet spiware ! Allthough it's T&C's mean it culd be. But it's not. Plis dunt su us. Signed, The shittest editors in the world.
  • Sure, collect the data you really need.
    For an offline audio editor? That's nothing. Boom, problem solved.
  • The data collection is opt-in, and they dropped the use of third-party Google and Yandex cookies, so in my opinion the behaviour of Audacity is OK now. They really seem to be in good faith.

    However, I have some issues with Ars Technica "nothing to see here, move along" article. It feels like gaslighting to me. I'm talking in general, let's leave aside the fact that we were talking about Audacity who, I'll say it again, are in good faith.

    If an open source application collects:
    (1) the real-life location of

  • It doesn't matter if our data isn't going directly to big tech giants. Muse can still secretly sell the data it collects on to 3rd parties without declaring so to anyone. That they're concerned about not contravening child data protection laws (COPPA) is also telling.
  • by devslash0 ( 4203435 ) on Tuesday July 06, 2021 @06:54PM (#61557309)
    Does anyone else also think that this whole article appears to be just a poor, double-speak-loaded attempt at manipulating the public opinion? "Oh, no no no. You did not understand us at all. This is what you should think...". I wouldn't be surprised if someone paid Slashdot to "correct" the state of affairs.

    Just as someone said in another comment, Audacity should have no need to connect to the Internet at all. Let alone collect any data.
    • Yes.jpg

      Maybe this is all a precursor to the owner turning the Windows version commercial or closed source (making a tiny bit of money off metadata).

      Face it, people would still use his version even if everyone in the open sourced community stopped.

  • If it collects date, then it's spyware. Full stop. The only question is what data is being collected, and for what purpose.

    "data necessary for law enforcement, litigation and authorities' requests (if any)"

    Yeah... fuck off.

    This is an effort to avoid the added complexity and expense of dealing with laws regulating collection of personal data from children.

    IF user.age < 13 THEN cfg.telemetryenabled = FALSE

    See? Even BASIC code monkeys can figure out a solution!

    • by flirek ( 1000761 )
      i cannot see reason why GPL-ed sound editing desktop application must know 'user.age' in any way/shape/form in first place ?!?
    • by Striek ( 1811980 )

      And just how do they know user.age if they collect no data?

  • A quick subpoena will take care of that..

    If they're even thinking about it, they're gonna do it. Best to just move to the forks if they do and forget about them

  • The number one problem with telemetry: once the cat is out of the bag, there is no retrieving the data regardless of who holds the data. There are other proven ways to help with bug fixes, shortcomings, etc. ('bugzilla' and 'github reporting' come to mind) Adding telemetry to Audacity - if you owned the rights to audacity, would you add telemetry if it suited your needs? Would you make telemetry an opt-in or opt-out option? One should put one's self in the shoes of the people who make these sort of decisio
  • I would sooner get my tech news from the fucking Onion.

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...