No, open source Audacity audio editor is not “spyware”

Over the fourth of July weekend, several open source news outlets began warning readers that the popular open source audio editing app Audacity is now “spyware.”

This would be very alarming if true—there aren’t any obvious successors or alternatives which meet the same use cases. Audacity is free and open source, relatively easy to use, cross platform, and ideally suited for simple “prosumer” tasks like editing raw audio into finished podcasts.

However, the negativity seems to be both massively overblown and quite late. While the team has announced that Audacity will begin collecting telemetry, it’s neither overly broad in scope nor aggressive in how it acquires the data—and the majority of the real concerns were addressed two months ago, to the apparent satisfaction of the actual Audacity community.

The claims

FOSS-focused personal technology site SlashGear declares that although Audacity is free and open source, new owner Muse Group can “do some pretty damaging changes”—specifically meaning its new privacy policy and telemetry features, described as “overarching and vague.” FOSSPost goes even further, running the headline “Audacity is now a possible spyware, remove it ASAP.”

The root of both sites’ concern is the privacy policy instigated by new Audacity owner Muse Group, which already publishes the open source music notation tool MuseScore. The privacy policy, which was last updated on July 2, outlines the data which the app may collect:

Personal data collected:
  • Operating system name and version
  • User country (geolocated by public IP address)
  • CPU
  • Non-fatal error codes and messages (e.g. project file failed to open)
  • Crash reports in Breakpad MiniDump format
Why collect it: App analytics; improving the app
Legal grounds for processing: Legitimate interest of WSM Group to offer and ensure the proper functioning of the app

Personal data collected: Data necessary for law enforcement, litigation and authorities’ requests (if any)
Why collect it: For legal enforcement
Legal grounds for processing: Legitimate interest of WSM Group to defend its legal rights and interests

The personal data being collected as outlined in the first five bullet points is not particularly broad—in fact, it’s quite similar to the collected data described in FOSSPost’s own privacy policy: IP address, browser user-agent, “some other cookies your browser may provide us with,” and (by way of WordPress and Google analytics) “your geographical location, cookies for other websites you visited or any other information your browser can give about you.”

This leaves the last row—“data necessary for law enforcement, litigation and authorities’ requests (if any).” While that’s certainly a broad category and not particularly well-defined, it’s also a fact of life in 2021. Whether a privacy policy says so or not, the odds are rather good that any given company will comply with legitimate law enforcement requests. If it doesn’t, it won’t likely be a company for long.

The final grain of salt in the wound is a line stating that Audacity is “not intended for individuals below the age of 13” and requesting people under 13 years old “please do not use the App.” This is an effort to avoid the added complexity and expense of dealing with laws regulating collection of personal data from children.

The things left out

The first thing to point out is that neither the privacy policy nor the in-app telemetry in question are actually in effect yet—both are targeted to an upcoming 3.0.3 release, while the most recent available version is 3.0.2. For now, that means there’s absolutely no need for anyone to panic about their currently-installed version of Audacity.

The new privacy policy was first submitted as a pull request on May 4. In that original version, the policy stated that Audacity would use libcurl to transport telemetry and that Google Analytics would track the following:

  • Session start and end
  • Errors, including errors from the sqlite3 engine, as we need to debug corruption issues reported on the Audacity forum
  • Usage of effects, sound generators, analysis tools, so we can prioritize future improvements
  • Usage of file formats for import and export
  • OS and Audacity versions

The original version of the telemetry PR went on to state that session identification was via a UUID, generated by and stored on the client machine, and that Yandex Metrica would be used to estimate daily active users. Finally, it stated that “telemetry collection is optional and configurable at any time” and that “[if] data sharing is disabled – all calls to the telemetry report functions are no-op.”

This is pretty standard modern application telemetry, of the sort that even other open source applications—such as Mozilla Firefox—include. The biggest problem with this original telemetry statement is that it implies opt-out rather than opt-in data collection; although it’s worth noting that even Firefox’s telemetry is currently opt-out.

Despite the fact that the original PR was pretty vanilla, open source users tend to be extraordinary privacy mavens. There was immediate pushback—which Audacity developer crsib responded to officially three days later on May 7 by updating the original PR.

The May 7 update states that “telemetry is strictly optional and disabled by default” (emphasis crsib’s), that telemetry only works in builds made by GitHub CI from the official repository, and that anyone compiling Audacity from source will be given a CMake option to enable the telemetry code—but that the option, and therefore building the telemetry functions, would be off by default.

This three-days-later update to a still-provisional telemetry policy removed the only reasonable sticking point: whether users’ data might be collected without their specific approval. Not only is the data collection opt-in, the functions used to collect that data in the first place are extremely easy to remove, are designed to be easy to remove, and are in fact removed automatically for anyone building the source code themselves (which would include Linux distribution repositories).
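As an added illustration of the gating the updated PR describes (this is not Audacity’s code; the TELEMETRY_ENABLED switch and the function names are hypothetical), the sketch below combines a build-time switch that is off by default, a runtime opt-in that is also off by default, a client-generated UUID session id, and a report function that is a no-op unless both switches are on:

```cpp
#include <cstddef>
#include <cstdio>
#include <random>
#include <string>

// Build-time switch standing in for the CMake option the article describes
// (hypothetical name, not Audacity's): off by default, so a from-source build
// compiles the reporting body out; a CI build would pass -DTELEMETRY_ENABLED=1.
#ifndef TELEMETRY_ENABLED
#define TELEMETRY_ENABLED 0
#endif
// Telemetry state: opt-in is false until the user flips it; the session id is a
// random version-4 UUID generated on the client and never derived from the user.
struct Telemetry {
    bool sharing = false;
    std::string session;
    std::size_t sent = 0;
};
std::string NewSessionUuid() {
    std::random_device rd;
    char buf[37];
    std::snprintf(buf, sizeof buf, "%08x-%04x-4%03x-%04x-%04x%08x", rd(),
                  rd() & 0xffffu, rd() & 0xfffu, 0x8000u | (rd() & 0x3fffu),
                  rd() & 0xffffu, rd());
    return buf;
}
// Report function: a no-op unless the build switch AND the runtime opt-in are
// both on. Returns true only when an event was actually recorded.
bool Report(Telemetry& t, const std::string& name, const std::string& payload) {
#if TELEMETRY_ENABLED
    if (!t.sharing) return false;
    if (t.session.empty()) t.session = NewSessionUuid();  // first opted-in event
    ++t.sent;  // stand-in for queueing "name payload" to a self-hosted endpoint
    return true;
#else
    (void)t; (void)name; (void)payload;  // compiled out: nothing recorded or sent
    return false;
#endif
}
// Self-check: no opt-in records nothing; a default (source) build records
// nothing even after opting in; a CI build records exactly the opted-in event.
bool SelfCheck() {
    Telemetry t;
    bool before = Report(t, "session_start", "{}");
    t.sharing = true;
    bool after = Report(t, "session_start", "{}");
    bool id_ok = TELEMETRY_ENABLED ? t.session.size() == 36 && t.session[14] == '4' : t.session.empty();
    return !before && id_ok && after == (TELEMETRY_ENABLED != 0)
        && t.sent == (TELEMETRY_ENABLED ? 1u : 0u);
}
```

Built without the switch, as a distribution or individual would build it, SelfCheck() returns true because nothing is ever recorded; rebuilding with -DTELEMETRY_ENABLED=1 still records nothing until the runtime opt-in is set.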

The entire pull request has since been revoked, and it was replaced with a new PR #889 intended to clarify all telemetry-related issues. The new PR states “we have absolutely no interest in harvesting or selling personal data and Audacity will always be free and open source,” and this document goes on to note that the response to the original pull request “brought about a realization at Muse that the convenience of using Yandex and Google is at odds with the public perception of trustworthiness, so we will be self-hosting instead.”

Community response

Although FOSS-focused media outlets including FOSSPost and SlashGear reported negatively on this issue over the holiday weekend, the contributors and commenters active on the project’s GitHub seem to have been largely satisfied by the May 13 update, which declared that Muse Group would self-host its telemetry sessions rather than using third-party libraries and hosting.

The same day the second pull request went live, GitHub user Megaf said, “Good stuff. As long as the data is not going to [third party tech giants] we should be happy. Collect the data you really need, self-host it, make it private, make it opt-in, and we shall help.” It’s a small sample, but the sentiment seems broadly supported, with 66 positive and 12 negative reactions.

Reaction to Megaf’s comment reflects user reaction to the updated pull request itself, which currently has 606 positive and 29 explicitly negative reactions—a marked improvement over the original pull request’s 4,039 explicitly negative reactions and only 300 positive reactions.

We believe that the user community got it right—Muse Group appears to be taking the community’s privacy concerns very seriously indeed, and its actual policies as stated appear to be reasonable.
