In a cycle echoing a controversy earlier this year, Audacity’s new parent again released new legal terms which were then seized upon by social media users. Muse Group have clarified those issues publicly and to CDM.

When legal and social media experience phase cancellation

Muse Group, the company that began Ultimate Guitar and acquired MuseScore, acquired popular free and open-source software Audacity this year. As acquisitions of well-liked products are apt to do, that spurred some concerns and mistrust. But in and of itself, there is nothing unusual about “acquiring” free software – software under open-source licenses can be owned (under various forms of governance) and can represent big business. The broader concerns around those acquisitions do have some context, of course – and free software licenses by design protect the contributions of the community and enable forks with good reason. But from a user standpoint, the question remains of the state of a popular software tool, right now, today. And that’s where the confusion has arisen.

In May, Muse triggered some controversy by updating their Contributor License Agreement (CLA) and switching to a GPLv3 license. If your eyes glazed over, that’s fine – there’s nothing especially exciting about any of this, and it’s well-explained in an FAQ and statement. The problem is, they released that information after updating the CLA – so, while the CLA changes were in fact bog-standard for software being released across multiple platforms (including Apple’s iOS store) and multi-licenses, people freaked out. (Without an Apple App Store, it makes less sense, but this suggests release on new platforms in the future.)

The lesson for communications here – and Muse are far from the first developer to discover this – is that you might want to release the explanation at the same time as, if not before, the confusing and potentially incendiary legalese your lawyers came up with.

But now this month, Muse did the same thing again – this time, releasing an updated privacy policy (still in draft form, for an unreleased version) before they explained to anyone what it actually meant.

As a result, you may have seen various freakouts, like this article on a site called FOSS Post:

Audacity is now a Possible Spyware, Remove it ASAP

Now, understandably, FOSS Post were thrown by language like “potential buyers” for data and the mention of “law enforcement.” This afternoon European time, Audacity Team and Muse released a statement explaining what the legal agreement was saying, and admitted the privacy policy needed some fixes:

Clarification of Privacy Policy #1225

What Audacity data collection is about

Let me put this bluntly: at least based on what we know about the version in question, they’re not tracking anything you need to worry about, they’re not selling any data, there are strict controls over how the data is used, and the software hasn’t even shipped yet. (Suffice it to say I’ll download 3.03 when it arrives to double-check – trust but verify and all that jazz.)

That doesn’t mean you shouldn’t worry about the future of Audacity at Muse, the governance of the project or the software itself. But more narrowly speaking, this was clearly a communications snafu, not a crisis that should cause people to delete an audio tool they rely on.

Muse also responded to CDM’s queries with further clarification. The appearance of those answers would indicate that this is basically just collecting what systems are in use and optionally where crashes are occurring:

  • Version 3.03 will introduce the changes, says Muse; the current downloadable stable build 3.02 has no data collection. (This means the cries to delete the software now were simply wrong.)
  • Muse says they have no plans to use the Google or Yandex SDKs for user telemetry, contrary to what some outlets reported earlier today. (That appears to respond to earlier criticism of proposed plans to use a Google SDK, though I should also note that SDK should not be confused with the one for the Web.) You can read a discussion on GitHub on implementation.
  • The test collection mechanism will be opt-out, though Muse says “actual mechanics are still being defined.”
  • The data they’re collecting is IP address, basic system info (your OS and CPU), and (optional) error report data.

As with updating the CLA, there’s nothing there that is broadly any different from other software that collects crash data. And I can’t emphasize this enough – from a user standpoint, the reason I might hesitate to recommend Audacity is that it’s buggy, not that it’s some kind of privacy hole. Developers I spoke to had a similar analysis. There is also a puzzling mention of age restrictions under 13 which appears to be a ham-fisted attempt to comply with recent, and controversial, US so-called child protection laws. But the other elements largely circle around capturing test data.

That could represent a gap between some FLOSS advocates who want to eliminate this kind of telemetry entirely, and other developers (even open source developers) and users who want this data to be sent if it helps software reliability.

Audacity also say in the clarification regarding user data: “We do not and will not sell ANY data we collect or share it with 3rd parties. Full stop.”

The other element was the mention of law enforcement, and it’s clear that part of what set people off was the mention of data storage in the Russian Federation. But hashed IP data with your OS is not particularly useful private information, especially in contrast to the reams of data shared on social media and the like. Essentially, some of this text appears in the policy agreement because of legal compliance issues in different countries, according to Muse. At the very least, this would only be cause for concern if Audacity started collecting more sensitive data than an unidentified Windows 7 user.

I think it’s also unfair to single out companies based on their country of operation – not unless you’ll also be balanced in that analysis. Note that just last month the House Intelligence Committee let slip that the US Justice Department had subpoenaed data from Apple. That’s not to ignore other major tech nations like Russia or China; on the contrary, it suggests being vigilant (and accurate) about data usage absolutely everywhere in the data landscape in which we currently find ourselves.

Data on the Web

I’m sorry, as this is a bit too easy and possibly mean, but let’s review the privacy policy at FOSS Post – the site that wants you to delete Audacity and contribute to a fork. You may have noticed you already had to click past a GDPR banner if you live in the EU as I do. (The German GmbH I own that legally publishes what you’re reading now is very much obligated to this same legal standard.) From their policy, just part of what they collect as you use their site (among other things):

When you visit fosspost.org, we receive your IP address, browser user-agent and some other cookies your browser may provide us with. Some of this data is stored at our backend servers and some of them are stored remotly [sic] at 3rd-party services or the hosting company and CDN we use.

In other words, just reading the article on FOSS Post means you gave them essentially the same data a future, non-shipping version of Audacity would collect – IP address and OS. That’s even before taking into account cookies and ads. Obviously, this site (CDM) does the same, as we are all, like it or not, part of the same basic regimen of how advertising currently works on the Web.

With all due respect to various critics today, I think their desire to advocate for a fork has gotten ahead of their responsibility to share information that is accurate. A fork might well be a good idea – and it’s part of the freedom in open source software. Forks don’t have to be motivated by misdeeds; a community effort might go a different direction than Muse Group does.

But if you use Audacity and you’re worried you need to delete it, don’t – not for now, or at least not because it’s “spyware.”

Meanwhile, yes, if you’re a developer, maybe try to avoid your legal team sharing information before communications looks at it, and think of your audience.

From the user standpoint, though, mainly we will just be keeping an eye on Audacity and seeing how it evolves as a tool under Muse’s ownership.

https://www.audacityteam.org/

Previously:

https://cdm.link/2021/05/audacity-finds-home-along-open-source-musescore-in-new-acquisition-by-growing-muse-group/

I’m still interested to hear more about your experience with Muse – particularly with MuseScore or its subscription service, as it inhabits a different space than Audacity does.