Audacity 3.0 called spyware over data collection changes by new owner


Audacity, the well-known open-source audio-editing software, has been called spyware in a report, with privacy policy changes revealing the tool is collecting data on its users and sharing it with other firms, as well as sending the data to Russia.

Audacity was acquired in May by Muse Group, a company that also controls Ultimate Guitar, MuseScore, and Tonebridge. Since the purchase of Audacity, changes have been discovered in online support documents indicating that it is being used to perform data collection on its users.

The privacy policy page for Audacity was updated on June 2, reports Fosspost, with some additions relating to the collection of personal data. Specifically, the policy says the app collects a variety of details relating to the user's Mac.

The list of data includes the operating system and version, the user's country based on their IP address, non-fatal error codes and messages, crash reports, and the processor in use. Under data collected "for legal enforcement," the software collects "data necessary for law enforcement, litigation, and authorities' requests (if any)," though the policy does not specify what data is collected in such cases.

IP addresses are stored "in an identifiable way only for a calendar day," stored as a hash with a daily-changed salt. The hash is stored for one year before deletion, though the company also claims the salt "is not stored on any database and cannot be retrieved after it has been changed."

It is claimed the one day of storage is enough for a government entity to identify a user, with sufficient resources and legal authority.
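The scheme the policy describes, sketched as an added example that is not Audacity's or Muse Group's code: it assumes HMAC-SHA256 as the hash and a salt held only in memory (the policy names neither), and the class and function names are hypothetical. It shows that a stored value can be tied to a candidate IP address only while that day's salt still exists.

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import date


class DailySaltedIPHasher:
    """Pseudonymise IPs with a per-day salt that lives only in memory."""

    def __init__(self):
        self._day = None
        self._salt = None

    def _salt_for(self, day: date) -> bytes:
        # A change of day replaces the salt; the old one is not kept anywhere.
        if day != self._day:
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt

    def pseudonym(self, ip: str, day: date) -> str:
        packed = ipaddress.ip_address(ip).packed  # raises ValueError on bad input
        # Assumption: HMAC-SHA256; the policy does not name the hash.
        return hmac.new(self._salt_for(day), packed, hashlib.sha256).hexdigest()

    def matches(self, ip: str, stored: str, day: date) -> bool:
        """Tie a stored value to a candidate IP; needs that day's salt."""
        if day != self._day:
            return False  # salt already rotated away: nothing to recompute with
        return hmac.compare_digest(self.pseudonym(ip, day), stored)


def demo():
    hasher = DailySaltedIPHasher()
    day1, day2 = date(2021, 7, 4), date(2021, 7, 5)  # constructed dates
    ip = "203.0.113.7"  # constructed sample (RFC 5737 documentation range)
    first = hasher.pseudonym(ip, day1)
    stable_within_day = first == hasher.pseudonym(ip, day1)
    linkable_same_day = hasher.matches(ip, first, day1)
    next_day = hasher.pseudonym(ip, day2)  # triggers salt rotation
    unlinkable_across_days = first != next_day
    linkable_after_rotation = hasher.matches(ip, first, day1)
    return (stable_within_day, linkable_same_day,
            unlinkable_across_days, linkable_after_rotation)


if __name__ == "__main__":
    print(demo())
```

For anyone reviewing such a design, the property to verify is that the salt is never written to disk, logs or backups, since the stored hashes stay linkable to an address for as long as any copy of it survives.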

The data is said to be stored within the European Economic Area, though the language of the policy also mentions that the company is "occasionally required to share your personal data with our main office in Russia and our external counsel in the USA."

The personal data may also be shared with a long list of entities, including "advisors" and "potential buyers," as well as law enforcement bodies, regulators, courts, and other third parties.

While previously the app was available for all ages to use, as per the GPL license, the privacy policy also includes language asking people under 13 years old to "please do not use the app." This is considered a violation of the GPL license that Audacity is released under.

Conversations on both Reddit and GitHub have included talk of a fork of Audacity into a new project, in a bid to rid it of the data collection and licensing alterations.

While the privacy policy changes have caught the most attention, it seems that performing data collection has been a plan of the company since its purchase. On May 4, a GitHub update revealed the app was supposed to include opt-in anonymous analytics data collection, handled through Google and Yandex, with the developers stressing it was "strictly optional and disabled by default."

A later update on May 13 attempted to answer complaints and outcry about the telemetry, including dropping the proposed telemetry features. At the time, it was determined that data collected from error reporting and checks for updates would be self-hosted, taking Google and Yandex analytics out of the loop over perceived trust issues.

AppleInsider has confirmed that the telemetry is still being sent in testing on July 4 and July 5.

Update June 5, 7:25 AM Eastern: Details of earlier telemetry proposals and AppleInsider test results added.
