Alongside the Audacity changes, the Muse group has also performed some highly questionable actions in the context of MuseScore, such as falsely claiming that a downloader script was illegal, and that they owned copyright of all sheet music on their site. Going as far as to state that they will "cooperate with github.com and Chinese government to physically find you and stop the illegal use of licensed content." [0].
Unfortunately, I don't believe the general users of audacity will ever hear about the groups actions, and will continue to use the audacity without knowledge of what has changed.
> Going as far as to state that they will "cooperate with github.com and Chinese government to physically find you and stop the illegal use of licensed content."
Wow, that's low. It's one thing to send dumb threats, it's another to threaten someone with involvement of a government that frequently disappears people. This is how you turn your products into the PR equivalent of radioactive waste.
That thread is certainly not a good example of communication, but I cannot find any place where a representative from the Muse group says that they own the copyright to all sheet music on their site. They say (and that's to the best of my knowledge mostly correct at least here in Germany) that the arrangement for music is legally protected and even if someone else typed down the sheet, the rights to this sheet are still protected. And they point to the music industry enforcing restrictions (having worked with the music industry, I find that one entirely credible)
There's a thread on an AMA about ultimate guitar from a while back where the founder talks about when they made the decisions to start adding the features people complain about, and the impression he gives is exactly that; the rights holders of the music had them over a barrel and it was a sink or swim decision
The tone of the post from the Musescore developer at [0] is so bizarre I wonder if the people who manage the company's policies and communications even know about it.
This is now the 2nd "clarification" that Muse group, the new team in charge of Audacity, has recently put out - the first one being here[0]. At this point, it's clear that they are taking the product in an unpopular direction. So why keep pushing an online-first privacy policy and telemetry? Certainly it is not one of the pressing needs of the core product.
Honestly, it will take some convincing to make me think this isn't nefarious at this point. At a minimum, the community is not being listened to, just placated.
when this happens the product dies. in my mind it’s as if audacity never existed. hopefully a project emerges from a forked code base that’s useable going forward.
I'm not sure why the word "fork" is being repeatedly mentioned or why people are thinking this is making the code unusable. At most, I would expect a patched distribution similar to VSCodium to pop up, i.e. not a hard fork. If there was willpower in the community to fork the project and fix all the other long standing issues, that would have happened already, so there is no reason to expect a fork here.
I dont understand all the ruckus around this. Just fork the repo and remove the spying code (I dont want an audio editor to share my CPU and IP with anyone).
It has been done for larger codebases like OpenOffice and MySql.
The thing that isn't addressed. Their terms now say that people 13 and under cannot use their product. Yet this tool is taught in schools. They want to collect this data but do not want to follow COPPA laws.
Pretty laughable they have to post even more walls of text to convince folks that it's okay for an _offline_ application to spy on you. Frankly, this would have probably been tolerated or largely ignored if there wasn't a long history of Audacity not doing this and for the most part working well.
Time to either move to hard fork (if it happens) or find an alternative IMO, they can choose to die on this hill.
We're already tracked by so many apps (and at the OS-level for many) I think a lot of people are pushing back hard (maybe unfairly) because it's something they can control since it's FOSS.
Audacity has been around for over 20 years! It's takes some serious ego to drop in CLAs and telemetry on the community months after acquiring it.
Telemetry and error reporting are opt-in. Error reporting uses industry-standard Sentry (also an OSS), which is not a nefarious data seller. Auto-update checked are opt-count and send a very basic user-agent with less data than an average web browser HTTP request. There is no spying here.
Yeah maybe by modern software which doesn't respect the user's privacy and resource usage it's nothing to worry about.
I'd say this is a regression, and adding all that networking code makes it easier for them to push it further down the line, and adds more vectors for attacks.
At best it's bloat. Developers were able to write good software without pulling in user's data before, it says more about the devs if they think it's so necessary.
Okay say it's not spying—you now have another app on your system pinging hosts, and depending on how much you trust Muse, you have to check the changelog every time to ensure they haven't added more bloat or juiced up the telemetry.
I'd posit that spying has been normalised we don't even recognise it anymore. Opt-in isn't a get out of jail free card, since your avg user will just click whatever.
Can't you just turn off auto update and not get this?
FFS, any time you connect to a website they know your IP address. A log will save it, perhaps, and they say they prune their logs after 24 hours which is reasonable.
Literally wget sends this sort of info, you can try it
wget -d example.com
unless now wget is spyware too. This whole thing is a nothingburger at best and just a pr disaster at worst.
You're comparing web tools/browsers to an offline audio editor.
Though I agree it's a PR disaster—people are upset, I don't think folks can be reasoned with since it's partly a backlash of yet another small community being taken over by corporate mediocrity.
People are not getting the point. If you have to download the software they will get this info, full stop. There is no way that they won't get your user agent. That's what this privacy policy refers to. Same if you download auto-updates, you have to download the updates from the internet which requires connecting to their webserver, and they'll get this information.
As for the telemetry, that's opt-in. May be the bloat and other things that are being mentioned are about that? But for the first two bullets on information that is mentioned as collected (IP addr and os info) that is mentioned in the linked github discussion, they are literally what they will get because you had to visit their site to download it or because you automatically download updates.
'Anyone who says "full stop" is an idiot, full stop.'
One of the more common ways to get audacity (via your distribution) happens to [often] not provide your/a user agent string to the audacity developers, nor do they get a copy of your ip. In the context of a distribution: the auto-update mechanism is also problematic and needs to be disabled at install time.
And all of this is
a) reinventing the wheel.
b ) breaks the assumption that the computer will only connect to the network with a human-in-the-loop.
c) completely unnecessary in the first place.
Let the distributions keep track of issues and report them upstream.
What about users who don't download it via their distribution package managers (for example because their distributions ship very old versions of Audacity)?
I’m sorry I really don’t get the privacy issue here. It automatically checks for updates, most apps do, and in doing so it appears in the logs for a webserver (and I’m pretty sure most sysadmins want to retain access and error logs)
The error reporting is by an open-source tool and is opt-in.
I don't understand the pettiness around this issue.
Audacity needed a maintainer to help with support and development. Developer, who has a pretty active YouTube channel covering design in music software, takes interest and leads the project. Said developer adds telemetry to help make more informed decisions. People lose their collective minds.
Can someone fill me in on what this person could have done better? Honestly, it seems like pearl-clutching from a select group of users who never gave a shit in the first place and just want to whine about something they never contributed to and get to use for free.
I think there's a misunderstanding: Tantacrul, the developer with a pretty active Youtube channel, works for the Muse Group, which acquired Audacity. This has nothing to do with him. A company acquired Audacity, not him, and he's not in charge of the Muse Group. Your portraying of the whole thing is inaccurate.
People didn't lose their collective minds.
The Muse Group acquired Audacity, then introduced:
- a CLA (which, between other things, allows them to make closed source versions of Audacity)
- telemetry
- a very controversial privacy policy
People aren't losing their minds. And please, do not spread misinformation.
Controversial? This looks extremely similar to most other privacy policies. I would urge you to read the privacy policy on any other web sites that you visit, or for any other services that you use, and compare and contrast. A good starting point might be the privacy policy on your phone's app store.
I'm not sure what you're suggesting the difference is, or what specifically here is a "mobile cartel?" FOSS projects and other related things also have privacy policies, and in fact you probably want them to so that they're clear what they're doing with the data they've aggregated. Here's some examples:
Those are all talking about interacting with those projects' websites and community events, not about interacting with the software those projects produce or package. It is absolutely not the norm that Free Software running on my machine reports my usage.
Do you expect to be able to receive updates and security fixes to your installed programs? Or send back a patch or bug report? If so, then it absolutely is the norm, because all that needs to be done over the internet and can generate PII. It probably shouldn't be assumed that a distribution platform can avoid having a clear and straightforward privacy policy because it calls itself a "FOSS repo" and not an "app store." Or did I miss something? Do some people only exchange security updates and crash dumps off of physical media given in person?
> Do some people only exchange security updates and crash dumps off of physical media given in person?
Sure it's not "the norm" but personally I run a Poudriere[0] server and build all my own software packages. One server syncs the FreeBSD Ports collection and downloads the needed software source distfiles, but then none of my other machines/jails are allowed to install software from anywhere outside my own network. A lot of them don't get any Internet access at all.
That still has nothing to do with in-app analytics though.
I'm still not sure what you're saying, you're still downloading the source from an external website on the internet, which I would expect would have a privacy policy, and would do things like comply with the GDPR. And presumably, the ports collection is getting the original source from upstreams, which could be on github or a similar service, so you can't sidestep that if you want to maintain your own ports tree.
It absolutely does have to do with analytics: in particular, Debian has an opt-in anayltics system called "popcon" which is mentioned in the privacy policy.
"none of my other machines/jails are allowed to install software from anywhere outside my own network. A lot of them don't get any Internet access at all."
Presumably the objective is to have machines that do not connect to the network without at least a human in the loop. This used to be the default, and is still very helpful in a lot of situations. For one, it keeps the noise down when you are trying to debug network issues.
I think if you read the comments in the link, it's pretty clear: changes regarding personal information were dumped on the community along with a bunch of legalese without warning, an announcement, or context. Had the new maintainers given the community a heads up via a simple blog post explaining the reasoning behind this, we wouldn't be where we are. Hopefully they can chalk this off as a learning experience and move forward to gain trust of the community.
An example of the problem is that in the UK those below 13yo cannot give consent to telemetry.
Audacity is used in their public schooling system.
Newer versions of Audacity will not be usable by those students anymore.
Asked not to is different from forbidden though, no? I’m not a legal expert but I doubt this clause is one they wanted to put in and is probably driven by some legal counsel with an eye on international law.
The specific situation being pointed out here is that the software is/was used in public schools. It doesn't really fit in the category of "if nobody knows, nobody cares, and nobody wants to know" that you'll find on your on personal device.
The school installing software that has terms not allowing those under 13 to use it, because those kids don't have the legal right to consent to the software collecting information from them, has a very real chance of becoming an issue - both for the school and whoever made the decision.
It sounds like any Internet use by children in schools would be a legal issue, then. If IP addresses are considered personally identifiable information subject to consent policies, then ordinary web logging is data collection that a child can not consent to.
A more direct example would be in Chrome/Firefox/etc automatically checking for updates, which is the equivalent of what Audacity describes in the linked post.
> It sounds like any Internet use by children in schools would be a legal issue, then. If IP addresses are considered personally identifiable information subject to consent policies, then ordinary web logging is data collection that a child can not consent to.
It's not going to happen for all kinds of reasons, but there's a lot that could be said in favour of prohibiting _unsupervised_ Internet access to children 12 and under.
In this case, children 12 and below cannot give consent but they can use the app if parental consent is given.
Having children in that age range use the app would require Audacity to seek parental consent by "[making] reasonable efforts (taking into account the available technology and risks inherent in the processing) to verify that the person providing consent holds parental responsibility for the child."1
While they wrote to minors "please do not use the App", they also wrote "The App we provide is not intended for individuals below the age of 13."2 Not being a lawyer, I cannot talk about the implications of these passages.
Seems to have only picked up in the last decade or so. Before that it wasn't really practical, and everything seemed to work fine without it.
When I was a kid, computers weren't connected to the internet. The first time I had a connection it was at 33.6 kbit/s (at 25 cents per minute).
Can you imagine if I had had all these 'modern' programs on my computer that would suddenly try to talk over that tiny straw of a connection? It'd be unusable!
There are still a lot of reasons why you would like to maybe hope that a computer doesn't try to randomly talk to everyone and everything on the intertubes on a whim.
For instance: said computer might be acting as a firewall, or it's being used for SCADA, needs to comply with corporate or government security policy, or is otherwise supposed to be something-gapped.
I guess for regular consumer technology that hope has long fled. You'd think that floss software could automatically be trusted to be quiet-by-default, but I guess that time is now past as well.
Possibly software that is quiet-by-default needs to start explicitly noting that it is so; so that if you have a particular task that really needs a quiet-by-default machine, you can draw from that subset.
You are right that audacity probably doesn't need to be in the quiet-by-default category. But ...eh... somehow this feels like a retreat.
It's only common in certain bubbles. Someone who primarily uses FOSS could easily say this. Someone who prefers software created in the era before online telemetry was widespread could also say this.
> Said developer adds telemetry to help make more informed decisions. People lose their collective minds.
Their ability to make decisions doesn't matter. It is does not justify putting spyware into previously trusted software.
Also, nobody believes that excuse for a second. They couldn't care less about "improving" anything but their bottom line. They are merely capitalizing on the trustworthiness of an open source project in an attempt to extract maximum value out of its users.
If they wanted to improve the software, they would have hired somebody with good taste to work on it. People with good taste do not tolerate abusive spyware.
> Can someone fill me in on what this person could have done better?
They could have not collected any "metrics" in the first place. That way, this ridiculous privacy policy would never have been necessary.
How about just asking people for their opinion instead of trying to somehow conclude on usage patterns and stuff from telemetry data, which is not opt-in, but opt-out, which is quite sneaky in itself?
"Just ask those people!" Is what I think every single time, when this kind of issue pops up. Ask the people what they find annoying about the product, ask them what they like. There are many questions you can ask and which yield a much more direct result than telemetry data, without upsetting a community and without coming across as sneaky and disrespectful of user privacy.
Exactly! And if you really need any sort of "telemetry" to get the data that you need, then do what so many other FOSS software I've seen with any sort of "phone home features" does, and simply ask the user during the first run if it's okay to send <such and such data> for development purposes. (Also, a toggle in the preferences is always nice, too, so that I can enable such a feature on days I'm feeling particularly helpful, and still easily disable it on days I'm feeling like there's no need for my software to be sending data anywhere outside my network.)
It's not uncommon for me to approve such features when I'm dealing with software I trust, and when I'm thoroughly informed of exactly what data they're collecting and why. If I see a list of reasonable data points and it's not too intrusive or overreaching (and if I can examine the data before it's sent) then I'm quite often okay with it (again, with software I already trust for other reasons).
> Said developer adds telemetry to help make more informed decisions. People lose their collective minds.
I don't understand the reaction either. It's hard to talk about this stuff here because of the anti-analytics groupthink. Everyone seems to jump to the worst possible conclusion whenever it's brought up.
I can't help but wonder if the people screeching about it have ever actually put analytics in their own products. Understanding how your software is used in the real world by real users is absolutely invaluable!
The reason people jump to the worst possible conclusion is the same reason that people often do: because abuse is rampant. And sometimes that's why we can't have nice things, because too many people have misbehaved while using them.
Assuming integrity, I think the people complaining about it would indeed do unto others as they would have others do unto themselves. That is to say: not include telemetry.
Microsoft popularised telemetry in otherwise-offline applications with Windows 10. Now every other trendchasing company thinks they should do it too.
They always claim it improves software, but all that seems to happen is it just gets dumbed down and features removed, making it worse for experienced/power users.
Logs, maybe abuse protection? For better or worse, the musescore-downloader affair has probably made them a bit pensive and defensive around potential abuse from clients.
They may also simply think that it's just plainly required if they're going to run an online service that the app connects to by default.
That's all speculation though, hopefully they'll answer that question on the GitHub discussion.
It certainly looks that way. Though in fairness, gaslighting implies the intent to deceive. I fear that these folk could actually be more of the kind that simply doesn't see anything wrong with their way of "making" money.
While technically legal (although the last about that might not have been said either), I think they are going to find out how their grubby ideas of right-and-wrong might not align at all with a substantial part of the user base of the product they now own.
I believe that they are already doing actual practical harm in some places, which might end up costing them dearly if it would trigger some kind of organized revolt. With their behavior so far, that can/will only end in escalation. I very much doubt that the plans of this new owner will become the financial success they may have imagined.
Sadly, Audacity as a product will no doubt suffer as a consequence. Still makes me wonder if there hasn't been some kind of financial support/injection by a commercial vendor involved, somehow. Of course it doesn't have to, but the idea just does not want to leave me alone.
How could it be nonconsensual? The policy is provided when installing the software. This may certainly be a bad decision for the Audacity team, but nobody is being forced to use their product.
Nobody reads much less agrees to these idiotic policy texts. I don't care who made the software or their "conditions" for using it. If it's running on my machine, it answers to me and me alone. This "we put it on the terms and conditions so it's fine" bullshit needs to go away.
I wonder if this is what the folks on the Copilot team thought, shortly after cloning all those licensed repos to their machines.
If you’re not concerned with the licensing on software once you’ve managed to get a copy, I guess Audacity’s behavior shouldn’t be an issue: just compel it to behave differently on your machine.
> just compel it to behave differently on your machine
Oh I will. The thing is I shouldn't have to do this. We're all tired of these obnoxious companies forcing this sort of crap on us. Why can't they just release their stupid thing with no strings attached? If this is their "contribution" I'd rather they just did nothing.
That’s some serious mental gymnastics. I’ll be sure file a complaint at the supermarket for nonconsenual collections: I wanted to take the vegetables home, but they don’t let me opt out of paying.
Given that the context here is “a producer of something setting the terms under which they’ll give it to somebody else”, my grocery store hardly sounds like an extreme example.
Imagine if your grocery store terms were that you have to pay to take them home... and also that you must consent to a grocery store employee following you home and sitting in your kitchen, watching your vegetables. They'd take note of how and where you store them, when you use them, how you prepare them, how much you eat in each sitting, what meals you eat them with, and how satisfied you seem to be with them. They'd report all of this information back to the grocery store. They'd also report anything else they see or hear and decide they might be interested in later on.
I don't think it's always that easy. Once people are committed to a certain product, quitting or switching to an alternative isn't always simple or even possible. There can even be substantial financial damage involved. Maybe not in a way that the producer can be held legally liable for, but damage nonetheless.
I believe this argument of "users have a freedom to either take it or leave it" has been repeatedly debunked many times over. It just isn't accurately describing reality.
It does reflect reality, as evidenced by what’s about to happen for Audacity: if they keep the terms as-is, people will either use the software as the terms are written or they’ll stop using it.
As an example, UK schools are likely to have to either negotiate an alternate license or switch products.
What’s been “debunked” is that products die off because of things like adding telemetry, because plenty of people don’t consider that a dealbreaker
There are lots of non-FOSS but effectively-free alternatives. Ocenaudio is way better than Audacity in gobs of ways, except it's not multi-track. Reaper is pretty great but if you're hoping for commercial use with $20K+ gross/year, you need to pay $200+ USD.
In FOSS land, Zrhythm, Qtractor, LMMS...but these are DAWs so again it depends on what you were using Audacity for. You could even learn sox and maybe benefit from some command line use, like writing scripts for things you need to do all the time.
My advice: List the specific tasks you need to do, and aim to find 2-3 apps that will fill the gap. Then any extras on top of that will be gravy.
Edit: Oh and you can also use FOSS like Blender and render edited sound to mp3, or KDEnlive, or other software that's video or animation related. So if you already know those tools, or like how they work (in some ways they are pretty slick!) then they may fit better than other audio-only software.
It looks like just info you pick up if you visit the site for download. May be the initial communication was an issue but this doesn't make it spyware necessarily. They also say it has nothing to do with "offline use."
May be the story is as I said the initial communication now, not with the privacy policy changes, no? I'm starting to feel had, there is literally no telemetry here, that's just internet hype and rumors.
EDIT: there is telemetry for bug reporting...okay that's optional so I'm still seeing no fire.
As a linux user, I have absolutely no need for an auto-update feature. Hopefully that is something that can be disabled at both build time and run time.
depends on someone actually paying the developers because I don't think development is community driven but done by Muse.
People need to keep in mind that open source software doesn't automatically develop itself just because you can fork the code. Audacity is a pretty big, complicated piece of software.
As in Ye Olde "G(ood) Audacity". Intentional misspelling of "gouda" (but sounds the same), has original name as a substring, and should come with appropriately cheesy wedge located between the headphones. Bonus points: reference to plugging one's ears with cheese.
ardour may have worded that better than the audacity folks, but make no mistake, as per it's privacy policy ardour will phone home (to check for new versions), store information about bugs and comply with requests from law enforcement.
If you download and use a ready-to-run version of Ardour from ardour.org, the program will attempt to contact ardour.org at startup to determine if you should be notified about a new release of the software. If the computer where you use Ardour is connected to the internet, this process will store the computer's internet address and an identifier for its operating system.
If you report a bug to our bug tracker, we will store whatever information you provide as part of the bug report.
When Do We Privately Share Personal Data?
Never, unless required to by law.
Unfortunately, I don't believe the general users of audacity will ever hear about the groups actions, and will continue to use the audacity without knowledge of what has changed.
[0]: https://github.com/Xmader/musescore-downloader/issues/5