While there is room for argument whether these changes to Audacity actually constitute spying, I believe it's rather their vague wording (and potential reach) that worries people. Rightfully so, I would say. More often than not, developments like these don't end up well. Also the relatively little info that is known about this new owner (or backers) appears worrisome.
Anyone knows if there is more known about this new owner, their history and or financial backers?
When this news initially broke, I remember there was a lot of mystery (with some few red flags) surrounding this new owner. I got an uncomfortable feeling that this could even be a front or proxy for a commercial entity that sees Audacity as competition. Not sure how much was paid, but this could be a relatively cheap way of knocking out an open source alternative. On the other hand, abusing an existing install base for any kind of intelligence harvesting also is a popular business model these days (actually criminal in many countries, but sadly hardly ever enforced as such).
Either way, after reading several pages of back and forth on this issue a while ago, I'm convinced that these new owners either don't quite get what they bought (or what it means) or that they do but simply can't really care (and therefore can't be trusted).
Until there's a fork, I'm not touching this with a ten-foot pole.
> Anyone knows if there is more known about this new owner
They are a known entity (owners of the well-known Ultimate Guitar site), and their previous purchases make it clear what their likely motivation is with Audacity: to make money in a somewhat standard way among startups these days.
They are likely adding trackers so that they can sell ads within audacity and improve their ad targeting on their actual sites. They will likely add premium features to Audacity and sell some kind of subscription service. I wouldn't be surprised to see the same kind of dark patterns/false urgency that you see in the Ultimate Guitar app.
I think that people should be legitimately concerned, but their behavior is no worse than 90% of the startups discussed on HN (not to say that's a good thing, but just to give perspective).
It sure sounds plausible, as much as I dislike it. It's one thing to see startups involved in questionable business practices with their own/new products. Quite another seeing existing useful software be destroyed by it. Looks like all that talk about the GPL being too restrictive doesn't mean that much in practice, if stunts like these can still be pulled.
Is it like, Audacity is widely used by whistleblowers, so by tracking down its users, authorities could prevent human rights violation from being uncovered?
What else are these features useful in context of “law enforcement”?
There's a chance that it's just the wording for CYA situations. They will cooperate with LE either way, so maybe the lawyers decided to put it clearly in the T&Cs.
This really applies to almost every company, since barely anyone will fight LE in your name. It's just rarely spelled out clearly in public.
I will nevertheless move to a fork, but that makes a ton more sense than the conspiracy explanation. Maybe just the word choices are different from typical Western ones as the corporate is in Russia.
3-letter agencies will explore and exploit any and all available avenues for obtaining information on anyone of interest. You can rest assured it has come to their attention.
I believe the issue is that the update to the T's & C's is worded in a very wide and vague way. If I interpret that in a generous way, it's because their lawyers told them to be generic so as to be "always in compliance". The thinking being, no-one ever reads the conditions anyway. I've seen the same thinking in previous companies where I worked.
The problem arrives when people start actually reading these vague and wide conditions. It's a bit like when you tell your son or daughter to take some money to go to the movies, and when you find out they have taken $500 they say "don't worry, I won't use it all, but at least I'll be sure to have enough".
If they would have explicitly stated what they were logging, and for what purpose, I think reactions would have been much less.
Personally, I would have asked for permission upon crashing, with a button to show what is being sent.
One possible reason would be to "group" reports: if 95% (or even 100%) of a certain error come from a single computer then there's either a very obscure bug or something wrong with that computer. If all reports come from different computers then it's a much more serious issue.
IP addresses aren't really super-reliable for this (corporate networks, ISP NAT), but many people still are under the misapprehension that they are, and it's probably reliable enough for this purpose.
I don't know if that's the reason; but it could be.
Consider multiple similar crash reports from one IP address or subnet - that could indicate that there is something odd, i.e. with DNS resolution in a particular network (corporate or whatever). But that's the case only for apps that rely on internet connectivity heavily.
Who would acquire a piece of pretty niche software to use strategically as a spying platform? Is the information that can be gained really worth that much?
At least from my anecdata, a lot of people who want to do some basic sound editing without buying an audio editor (those are often quite expensive) at least try using Audacity at some point.
Doesn't matter. All that matters is if someone can be made to think it matters, enough to pay for access to whatever information it is.
I feel like HN folks often look for underlying meaning, a structure or purpose through which transactions like this can contribute to greater progress in line with the promise of capitalism. But that's only true when channeled by the constraints of rule systems, which aren't a given.
In the absence of other meaning, it doesn't matter what the 10k user information is. That userbase can still be cannibalized if there's somebody who can be fooled into thinking that act is useful/profitable. Rules saying 'this sort of destructive community-pillaging will cost you more than you gain' aren't necessarily there.
In the absence of them, you don't need to prove harming the 10k community will be profitable over the long or even short term: you only have to find somebody with money who can be persuaded they'll benefit, even if that's not true. If they think that, then you definitely can benefit from selling out the community. You can know it's a doomed exploit, but if you get paid, you're out of it by the time the truth comes out.
I remember reading blog posts from browser extension maintainers, at least 3 or 4 times, who spoke out about regularly being approached by shady buyers for exactly that reason. Unless they were all making things up, I'd say it may indeed be something that is happening. I don't remember the sources, but I guess you're capable of using a search engine too.
Why would anyone acquire it except to turn it into malware? I can't recall a project that wasn't built for commercial success from the start being bought for any other reason. I guess sourceforge stopping malware bundling could count.
Business profit doesn't have to be a global value. If Audacity is purchased at value X and pillaged in such a way that you can get a third party to pay you value Y for what you did to/with it, and Y > X, that's profitable depending on how much effort/expense you had to go to during that process.
Doesn't have anything to do with even Audacity's users, much less the sustainability of the Audacity ecosystem. If there exists somebody somewhere who would pay more to see Audacity scuttled than it'd cost to buy, that becomes a potential profit motive to a facilitating third party if they know of that dynamic out there to be exploited.
This is of course subject to whether it's allowed to just wreck stuff for your benefit, and how. In cases of simple property, it's generally not: you can't just burn down a rival store to benefit yourself because that's against the rules.
I don't think such limitations currently apply to businesses past a certain level of abstraction, and what's happening to Audacity is not in the least meant as 'just burn it down', even if that's what happens: it's meant as 'get more control over this property', for whatever reason. That may or may not be a wise business decision, but in terms of being able to extract profit, it's a good business decision if in any way, for any reason, it works to get them more money than they paid for the property.
I think it's a very bad decision in the larger sense of things in the world, ability to trust in the things we know about, ability to function within larger systems of known properties and build order out of chaos for the sake of real progress. But that wasn't the question.
What you need is a fork which is sustainable, trustworthy and manages to pull users towards itself.
On the last point: just a few weeks back I ran into somebody still using OpenOffice instead of LibreOffice. Audacity is referenced from many magazines and targets non-geeks to a large part.
Shouldn't DARPA or the National Security Agency fund 3-4 developers full-time to fork it and start improvements that will be so sexy that the Russian version fades away? If they are so concerned about national security... that seems like a low hanging fruit.
DARPA funding open source projects seems like a pretty decent idea to avoid them being influenced by foreign interests. They already provide a lot of funding to Tor so it's not completely out of the realm of possibility.
I think the argument is that things like Firefox need to share some data with third parties to function correctly. The remote web server needs to know what page you want, your login details etc. That's not to say there's other things that Firefox does that isn't privacy focused, but it's accepted that Firefox has to share some data at some point to function.
Audacity, however, doesn't. It's a standalone application. It works on local files. It has worked perfectly fine like this for decades. And now a new owner has come in and changed that within weeks. That's not okay.
The same complaints are being made about other software doing similar things. For example, Microsoft's attempt to make all Windows accounts online. We've had 30+ years of Windows without online accounts. Why should that change? And most importantly, why must it be forced upon unsuspecting users?
I do agree with you, though, that anybody can call it anything they want, and that doesn't make it true. But it's also fair to be suspicious of unnecessary changes that, on their own may seem innocuous, but together lead to something far worse.
What the GP was saying was that there was no essential technical reason for Firefox to send telemetry data to Mozilla (unless you're connecting to Mozilla).
Yes, and I agreed with that in my comment. My point is that the software already hands out some data by its core function, so users are generally accepting of losing a little more data as long as it seems reasonable.
It's the psychology of "well, it's already sharing some data. What's the harm in a little more?" There will always be people that want minimal data sharing, and I'm one of them, but the vocal minority are exactly that - the minority. The majority of users don't actually care, which is why the data harvesting industry is as big as it is - plenty of data out there to harvest.
Agreed, we are conditioned to have different expectations from software which inherently deals with the network, like a web browser, than software which is inherently offline like an audio editing program.
They don't care until it directly affects them personally somehow, and then suddenly they instantly forget that it happened because they allowed it to happen, and they make a huge noise about it as if it's the first time they heard about it.
1) that's whataboutism
2) people complain about Firefox as well and many are avoiding Firefox as a result, blocking Firefox's connection to Mozilla with various tools, etc.
If Firefox had told people they would collect data for law enforcement there would be more noise there as well.
There are good and legitimate reasons for collecting user data, but many of us think it should be voluntary, minimal and at least not shared with anyone for anything but its original purpose.
In fact we had a very interesting court case in Høgsterett (kind of Supreme Court) here last week where it was finally decided that the police could not acquire biological samples from the University of Oslo to help in a missing person investigation as the person in question had not agreed to it, so obviously some very influential judges in one civilized country do agree.
-----
That said, between the I Robot extension, mandatory data collection and the gutting of the extension system, Mozilla seems to be on a multi-year marathon effort to play all their cards into Google's hands.
Firefox is still my main browser though, but to a large degree because the alternatives aren't quite there for me as a power user.
Yes it certainly seems as though Mozilla (or at least their executives) have been bought and sold by Google.
At this stage they seem to be toeing the line for plausible deniability of Google's monopoly, while being thoroughly defanged from doing anything to reduce the actual monopoly.
Firefox is tracking users pretty aggressively by default, though. Telemetry on by default, experiments on by default, opening a "you've updated Firefox" page with trackers unless you've gone into about:config, the list goes on.
Firefox tries harder to anonymize the data collected and is a more reliable company than whoever really owns Audacity these days, but as a Firefox user, I'm pretty annoyed with the amount of settings I need to change on my Firefox installs to keep my data out of the hands of Mozilla of all people, who claim to value my privacy so much.
I can only assume those Mozilla pages telling me I've pressed the update button collect my full IP address for at least logging purposes, as every website does by default. This stuff doesn't need to be on the web, they could easily launch a local HTML file with the same contents.
And more: https://hn.algolia.com/?dateRange=pastWeek&page=0&prefix=tru...