This would be very alarming if true—there aren’t any obvious successors or alternatives which meet the same use cases. Audacity is free and open source, relatively easy to use, cross platform, and ideally suited for simple “prosumer” tasks like editing raw audio into finished podcasts.
However, the negativity seems to be both massively overblown and quite late. While the team has announced that Audacity will begin collecting telemetry, it’s neither overly broad in scope nor aggressive in how it acquires the data—and the majority of the real concerns were addressed two months ago, to the apparent satisfaction of the actual Audacity community.
| Personal data collected | Why collect it | Legal grounds for processing |
|---|---|---|
| | | Legitimate interest of WSM Group to offer and ensure the proper functioning of the app |
| | | Legitimate interest of WSM Group to defend its legal rights and interests |
The final grain of salt in the wound is a line stating that Audacity is “not intended for individuals below the age of 13” and requesting people under 13 years old “please do not use the App.” This is an effort to avoid the added complexity and expense of dealing with laws regulating collection of personal data from children.
The things left out
libcurl to transport telemetry and that Google Analytics would track the following:
- Session start and end
- Errors, including errors from the sqlite3 engine, as we need to debug corruption issues reported on the Audacity forum
- Usage of effects, sound generators, analysis tools, so we can prioritize future improvements
- Usage of file formats for import and export
- OS and Audacity versions
The original version of the telemetry PR went on to state that session identification was via a UUID, generated by and stored on the client machine, and that Yandex Metrica would be used to estimate daily active users. Finally, it stated that “telemetry collection is optional and configurable at any time” and that “[if] data sharing is disabled – all calls to the telemetry report functions are no-op.”
This is pretty standard modern application telemetry, of the sort that even other open source applications—such as Mozilla Firefox—include. The biggest problem with this original telemetry statement is that it implies opt-out rather than opt-in data collection; although it’s worth noting that even Firefox’s telemetry is currently opt-out.
Despite the fact that the original PR was pretty vanilla, open source users tend to be extraordinary privacy mavens. There was immediate pushback—which Audacity developer crsib responded to officially three days later on May 7 by updating the original PR.
The May 7 update states that “telemetry is strictly optional and disabled by default” (emphasis crsib’s), that telemetry only works in builds made by GitHub CI from the official repository, and that anyone compiling Audacity from source will be given a CMake option to enable the telemetry code—but that the option, and therefore building the telemetry functions, would be off by default.
This three-days-later update to a still-provisional telemetry policy removed the only reasonable sticking point: whether users’ data might be collected without their specific approval. Not only is the data collection opt-in, the functions used to collect that data in the first place are extremely easy to remove, are designed to be easy to remove, and are in fact removed automatically for anyone building the source code themselves (which would include Linux distribution repositories).
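The design described above (a build-time switch that is off by default, runtime consent that is off by default, a client-generated session UUID, and report calls that are no-ops when sharing is disabled) can be sketched as follows. This is an added example, not Audacity's code: the class, the `EXAMPLE_ENABLE_TELEMETRY` flag and the category names are hypothetical.

```cpp
#include <cstdio>
#include <random>
#include <set>
#include <string>
#include <vector>

// Hypothetical build flag standing in for the CMake option the PR describes; 0 by default.
// A real build would compile the reporting code out; here it sets a flag so both
// configurations can be exercised.
#ifndef EXAMPLE_ENABLE_TELEMETRY
#define EXAMPLE_ENABLE_TELEMETRY 0
#endif

struct Event { std::string category, value; };
class Telemetry {
public:
    explicit Telemetry(bool compiledIn = EXAMPLE_ENABLE_TELEMETRY) : compiledIn_(compiledIn) {}
    // Consent is runtime state, off by default; the session UUID exists only while opted in.
    void setConsent(bool on) {
        consent_ = on && compiledIn_;
        sessionId_ = consent_ ? makeUuid() : std::string();
        if (!consent_) queue_.clear();  // opting out also drops anything not yet sent
    }
    // Returns false (a no-op) unless compiled in, opted in, and the category is allow-listed.
    bool report(const std::string& category, const std::string& value) {
        static const std::set<std::string> allowed = {  // assumed names for the listed items
            "session", "error", "effect", "file_format", "version"};
        if (!compiledIn_ || !consent_ || !allowed.count(category)) return false;
        queue_.push_back({category, value});
        return true;
    }
    const std::string& sessionId() const { return sessionId_; }
    const std::vector<Event>& queued() const { return queue_; }
private:
    static std::string makeUuid() {  // random version-4 UUID, generated on the client
        std::random_device rd;
        std::uniform_int_distribution<unsigned> dist(0, 0xFFFF);
        unsigned w[8];
        for (unsigned& x : w) x = dist(rd);
        char buf[37];
        std::snprintf(buf, sizeof buf, "%04x%04x-%04x-%04x-%04x-%04x%04x%04x",
                      w[0], w[1], w[2], (w[3] & 0x0FFF) | 0x4000,
                      (w[4] & 0x3FFF) | 0x8000, w[5], w[6], w[7]);
        return buf;
    }
    bool compiledIn_, consent_ = false;
    std::string sessionId_;
    std::vector<Event> queue_;
};
```

The allow-list is the part worth auditing in any real implementation: a category outside it, such as a file path, is dropped even after the user has opted in.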
The entire pull request has since been revoked, and it was replaced with a new PR #889 intended to clarify all telemetry-related issues. The new PR states “we have absolutely no interest in harvesting or selling personal data and Audacity will always be free and open source,” and this document goes on to note that the response to the original pull request “brought about a realization at Muse that the convenience of using Yandex and Google is at odds with the public perception of trustworthiness, so we will be self-hosting instead.”
Although FOSS-focused media outlets including FOSSPost and Slashgear reported negatively on this issue over the holiday weekend, the contributors and commenters active on the project’s GitHub seem to have been largely satisfied by the May 13 update, which declared that Muse Group would self-host its telemetry sessions rather than using third-party libraries and hosting.
The same day the second pull request went live, GitHub user Megaf said, “Good stuff. As long as the data is not going to [third party tech giants] we should be happy. Collect the data you really need, self-host it, make it private, make it opt-in, and we shall help.” It’s a small sample, but the sentiment seems broadly supported, with 66 positive and 12 negative reactions.
Reaction to Megaf’s comment reflects user reaction to the updated pull request itself, which currently has 606 positive and 29 explicitly negative reactions—a marked improvement over the original pull request’s 4,039 explicitly negative reactions and only 300 positive reactions.
We believe that the user community got it right—Muse Group appears to be taking the community’s privacy concerns very seriously indeed, and its actual policies as stated appear to be reasonable.