Audacity - Privacy Concerns (Article on Synthopia.com)

Any truth to this?

1 Like

Well, the title is definitely clickbait, but it’s true that the shit hit the fan in this case. Similar to the Freenode crap that just happened.

Now I’m waiting for the fork so that I can continue using that tool…

1 Like

There’s zero reason for an open source project to be collecting any of the data they collect, and it’s completely outside the norms of the community. The limitation on the age of the users is also a direct violation of the code’s license.

The part that should actually concern you is the bit on collecting data for law enforcement. Note that there are no limits at all on the type of data that they will collect if directed to by Russian law enforcement. Now, this leaves me with a lot of questions about how they’ve actually implemented the analytics toolkit, and how they have code updates set up to work. It is in theory possible that this is fine, but (having read many privacy policies professionally) that clause is not worded in the way that I would expect from an organization interested in putting any real effort into protecting user privacy.

The core of it, though, is that this entire policy and practice is out of line.

6 Likes

Oh! Also, I realized that that policy doesn’t have an opt-out process, which is required, nor do they have a subject access request and subject deletion request process. Because they’re receiving crash dumps which can include arbitrary parts of system memory, they don’t have a way of claiming that they’re never receiving PII. As IP addresses are also PII under the GDPR, they are explicitly receiving them with the reports, even if they don’t store them long-term (and I doubt they purge server logs). IANAL, but this is not the privacy policy of an organization attempting to do anything other than cover its ass.

3 Likes

Microsoft/Apple/Google/Facebook treatment of private data is way worse than that, and everybody here is using several of their products.

I don’t say it’s ideal, but all this seems like anti-russian propaganda to me.

1 Like

Also, they haven’t correctly managed the different categories of data. Data that the police request they collect is also data that they can sell to third parties, under the “potential buyers” clause. It’s worth noting that on the social media side, the Russian government is incredibly aggressive around the data that it mandates companies collect. While there is not that I know of a law requiring specific categories of data be collected by non-social software, there’s a very easy avenue for them to collect and sell arbitrary data should they want to.

No, it really isn’t. I look at stuff like this for a living and this is entirely out of line, especially for an open source project.

1 Like

Nope.

Not quite all the way thanks to the ipad and my email, but once I figure out what to do about them I’ll be completely severed from big tech.

Edit: there’s been a few threads where nauts have been aiming for the same thing.

From the bottom of the linked article:

“Update: Muse Groups’s plans appear to be evolving – a May 17 Tech Radar article says that the company reversed their initial plans for data collection, but their Privacy Policy was updated July 2,.”

Seems strange about the PG13 thing though, lots of schools media depts use it, ironic that they appear to not know this.

This bit’s deep. Thanks for the heads up.

“Not all 'nauts”. Ok, change “everybody” for “most people”, but I think the idea is clear.

So they reversed their reversal? Or one part of the company didn’t get the memo?

I don’t know… The whole thing looked suspicious to me. How can a company “acquire” an open-source project? Did they hire all the core maintainers? Who did they pay for the name/logo/brand?

Excuse me, I’m just rambling my uncertainties out loud…

This is the position we call privacy nihilism in the industry, and it’s pretty unfounded. Yes, there are absolutely real problems with many companies’ products, but e.g. even with Apple and Windows, you can opt out of this kind of usage-sharing. There are both legal structures that are standard across the industry, and while there are companies like this that play fast and loose and we absolutely need stronger protections, they’re much better than nothing. There are also many things you can do, like using ad-blockers (I recommend uBlock Origin) that will make a real difference, and they’re not really that time-consuming.

Giving up and assuming there’s nothing you can do helps to normalize abuses by companies like this that (seem to be trying to) skirt the laws around privacy, and makes it harder for civil society organizations to push for stronger privacy and human rights protections.

9 Likes

The “PG-13” part is almost certainly because minors are not able to agree with the terms of the privacy policy, because they are not considered able to make such decisions in some European jurisdictions. So the company can’t collect data from users under 13. So they just say “you can’t use it”.

1 Like

They should really have an opt-out for any data collection, so they don’t collect it from minors or from people who want to opt out. Then children under 13 could use it again.

Yup, that’s US law.

Part of what’s weird about this is that they’ve got a hodge-podge of restrictions instead of clearly spelling out what rights and restrictions apply in which jurisdictions. Honestly, there’s a pretty good chance that they’re just getting terrible legal advice and are deeply confused about the whole thing, although it sounds like they’ve maybe not been the best stewards of the ecosystem in other ways since they took over.

The y-combinator/HackerNews thread on this subject:

https://news.ycombinator.com/item?id=27727150

Someone’s already forked it and taken out a load of the networking code, and made their version available. Apparently it was disable-able by environment flags.

1 Like

AGE=12 /usr/bin/audacity

2 Likes

I only use audacity from my Linux distro’s package management system, so I’ll just make sure the distro builds it without the telemetry stuff enabled. I bet distro packages are already looking into it

I didn’t say there is nothing to do. I use Linux and free software most of the time, opt-out of most usage tracking options, use an ad-blocker, etc.

I’m well informed, and I have even trained local activists in anti-tracking measures.

But you shouldn’t have to be tech savvy in order to be protected from tracking by big (and small) companies.