Hacker News new | past | comments | ask | show | jobs | submit login
New [July 2, 2021] Audacity Data Collection Policy (audacityteam.org)
56 points by prvc 6 months ago | hide | past | favorite | 35 comments

It is beginning to look like Audacity and MuseScore were both purchased for the purpose of extending the domain of copyright-infringement to the act of using these tools in an unsanctioned manner.

To quote:

• For legal enforcement • Data necessary for law enforcement, litigation and authorities’ requests (if any) • Legitimate interest of WSM Group to defend its legal rights and interests

It is unclear from the above what kind of legal enforcement they have in mind. A telemetry advanced enough for copyright-enforcement is also advanced enough to be abused to steal the work of people without the means or knowledge required for legal recourse.

Will instruments start listening in on what's being played at the campfire to ensure that college students don't infringe on the "rights" of copyright-holders? Will construction tools start snitching on people who don't call in the appropriate union help for the job to be done?

Where does this end?

> Where does this end?

It could maybe be ended in the bugtracker if enough people complain - there is an entry for this already:


> Where does this end?

In the context of Audacity, wherever a community-managed fork begins (à la LibreOffice)—at least until it gets bought out (à la CentOS).

> The App we provide is not intended for individuals below the age of 13. If you are under 13 years old, please do not use the App.

This is farcical.

Audacity has a GPL2+ license. Is it legal to add an age restriction to the compiled version?

GPLv2 says:

  Activities other than copying, distribution and modification are not
  covered by this License; they are outside its scope.  The act of
  running the Program is not restricted, and the output from the Program
  is covered only if its contents constitute a work based on the
  Program (independent of having been made by running the Program).
  Whether that is true depends on what the Program does.
I can see several possible readings. The first sentence seems to regard "use" as out of scope, and therefore, MuseScore could be well within their rights to restrict it. But the second sentence then seems to grant an unrestricted right to run the program, which this policy denies for people under 13.

edit: GPLv3 says:

    All rights granted under this License are granted for the term of
  copyright on the Program, and are irrevocable provided the stated
  conditions are met.  This License explicitly affirms your unlimited
  permission to run the unmodified Program.  The output from running a
  covered work is covered by this License only if the output, given its
  content, constitutes a covered work.  This License acknowledges your
  rights of fair use or other equivalent, as provided by copyright law.
I can't see this being allowed under GPLv3. And the GPL is pretty clear that in "GPLv2 or later" situations, it's the user who chooses.

Copyright holders have complete freedom to license tehir work under any terms they like. I believe it's actually legal to sell commercial use licenses for GPL'd code for example. Or to switch licenses for all future releases.

You just cannot revoke existing license terms.

The GPL is a contract/license; it cannot trump the law itself. You can’t slap a GPL license on porn and then distribute it to minors.

It may mean you can’t distribute at all if you can’t comply with the law and the license.

I agree that the license doesn't make it legal. But if the law says X and the license says not X, then you can not use the license.

Many states and jurisdictions (like the EU with GDPR) severely limit what personal data of minors you can store.

good thing there's absolutely no reason to store any data about users of an offline desktop app!

I can use ffmpeg from sources for most use cases, but this non-privacy policy taints my impression of the project.

There was a really nice blog post and intro from the new product manager for Audacity some months ago talking about the new governance, and he seemed very earnest and positive, but looking at this privacy agreement, I'd wonder how much executive power earnest people could have in it.

Thinking the solution to this may be a privacy patch that carves out this data collection code. I really don't want to have to comb through sources or binaries for watermarking features and other spy tools.

One thing that does not appear mentioned in the table of data they collect is When they collect your OS and IP address, and what other metadata about your project files gets collected.

Let's say I am processing some sensitive media, or even analyzing politically provocative materials, do hashes of it or identifiable information about my content get sent to Audacity that can be compared online?

Given the Data Controller in that privacy agreement is regstered in Russia, if I use Audacity to do audio forensics on purported Russian propaganda media, does that mark out my IP/OS and identifiers to them? This seems like an extreme question, but the tools that are going to be used to fight deepfakes are going to (or were going to) include tools like Audacity.

Under what they collect about you:

> "Data necessary for law enforcement, litigation and authorities’ requests (if any)"

So an unspecified blob of law enforcement data, which is anything they want. This is not a privacy commitment. I can see why there was some controversy on the project.

The obvious question is, "we're a commercial service who is now responsible for this, and things are complicated, so what would you have us do?"

The answer is: facilitate completely offline, and anonymous use of the open source parts of the code, potentially by allowing users to flag privacy invading code as off at compile time.

> There was a really nice blog post and intro from the new product manager for Audacity some months ago talking about the new governance, and he seemed very earnest and positive, but looking at this privacy agreement, I'd wonder how much executive power earnest people could have in it.

IIRC the new guy wants telemetry to help improve the program; and if you grant that telemetry is a thing this seems pretty bog standard.

> I can use ffmpeg from sources for most use cases

Did you confuse the project or they are related somehow?

Both ffmpeg and Audacity can be used to convert sound data from one format to another.

If you're looking for a good alternative to Audacity for doing audio recording/production I recommend Ardour. (https://ardour.org/)

Sadly you have to pay to download it from their site, but if you compile it yourself on Windows/MacOS or install it through the repositories of your Linux distro, the full version is available. Or download builds here: https://archive.org/download/ardour-6-builds (I haven't tested these so proceed with caution.)

Ardour's fantastic, and I second the recommendation.

Some Linux distros allow you to install Ardour from their package manager.

On Gentoo it's as simple as typing "emerge ardour"

Is there a team out there who is willing to maintain a fork of Audacity? They could call it "Temerity".

That was previous try, which was abandoned due to critics.

But now its goes further.

So kids under 13 can’t use Audacity? Such nefarious software!

Those 13 year old may end up using audacity for the development, design, manufacture, or production of nuclear, missile, or chemical or biological weapons. Kids are up to crazy things these days.

Worse than that! Those kids can use audacity to facilitate COPYRIGHT INFRINGEMENT!

Damn too-young-to-sue kids, get off my software before I give you both barrels of DMCA!

When I uninstall in Windows, I get this dialog:

"Audacity uninstall complete.

Some elements could not be removed. These can be removed manually."

Anyone aware of what elements and where? I see it left some configs in AppData.

This is often just the directory in 'Program Files' and 'Program Files (x86)' and possibly a few files or directories under it that for some reason the uninstaller was not expecting. It might also be worth looking in ProgramData and it is possible that the uninstaller left some Registry data. In terms of impact it is not likely to be significant.

Thanks for the reply, that's kinda what I thought. I can see the advantages keeping some things around, but man I like a complete remove all option and not something vague.

> Data necessary for law enforcement, litigation and authorities’ requests (if any)

I'm not sure this really tells me what "Personal Data they collect". It feels more like a restatement of the purpose for collection ("Why we collect it - For legal enforcement"), and hardly in the spirit of the "very limited types of Personal Data that we may collect"

It's "very limited types of personal data" until you become a despicable copyright violator.

These new terms don't appear to be anywhere in the current source repo on Github, so maybe fork while the forking's good.


It's GPL, so I expect a fork in about 3, 2, 1...

If Muse Group end up owning a project that no one touches any more, do we say that they "Freenoded" themselves?

I'd say Oracle did it first with OpenOffice.

Oracle took over OpenOffice in 2010, so a possibly relevant earlier example is X.Org forking from XFree86 in 2004.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact