Users of the popular free and open-source audio editor Audacity are accusing the software’s new owner of transforming it into “spyware” and working on alternatives after a privacy notice announced that it would be collecting user data such as IP addresses.
In May, Audacity was acquired by Muse Group, which also owns Ultimate Guitar, and is itself owned by the Russian company WSM Group. The company stated that it is now in charge of managing Audacity, which the Audacity team confirmed.
Videos by VICE
According to a GitHub post by Muse Group Head of Strategy Daniel Ray, Audacity will “remain free and open source” and the code will continue to be made available under an open-source license. In a phone call with Motherboard, Ray said that the company is introducing a new contributor license so that it can distribute Audacity on a wider array of channels, including Apple’s App Store, but that the contributor license will not replace its open source GPL license.
Audacity posted the privacy notice to its website on July 2. The notice explains that the desktop version of the app collects a user’s operating system name and version, IP address, as well as crash reports, for the purpose of “improving our app.” It also notes that the app will collect “[d]ata necessary for law enforcement, litigation and authorities’ requests.”
While data will be stored on servers in the European Union, the notice states that Audacity is “occasionally required to share your personal data with our main office in Russia and our external counsel in the USA.”
Many Audacity users expressed outrage online following the move, with some arguing that collecting IP addresses from an offline app is unnecessary and wades into the territory of “commercial-company-data-tracking fuckery,” according to one Reddit poster. Meanwhile, numerous other people on Twitter described Audacity as possible “spyware,” with one viral blog post encouraging users to remove the software.
Ray told Motherboard that Muse Group was expecting a reaction to the change, but that it was “overblown.” He emphasized that user data is not sold and claimed that the only reason the company would check an IP address is if it was detected engaging in a denial-of-service (DoS) attack. He also explained that the privacy policy doesn’t apply to offline use of the software.
“Part of the problem here is that privacy policies are written in legal language,” Ray said. “There was a communication breakdown. Take the line about Russia, for example. We have to say that under the GDPR [The European Union’s General Data Protection Regulation] because our system admin guy is physically in Russia.”
“These changes are only so we can improve the app,” he added. “It shouldn’t be controversial to make free software better.”
Ray also said that the company was working on possibly uploading an annotated privacy policy that explained the provisions in plain language.
But for some users, Muse Group’s explanation for the changes was not enough, and they decided to take matters into their own hands instead. A number of users have simply forked the open source code on Audacity’s GitHub repository, essentially just cloning the code and removing any unwanted changes.
One of the more popular forks was created by a cybersecurity analyst who goes by “Cookie Engineer” online. They told Motherboard that they were concerned by how the new privacy notice allowed data to be handled on servers outside the European Union, “where the Wild-West of cyber espionage is legitimized.” He stripped all networking related code and update checks from the forked repository, he said.
Cookie Engineer said he was overwhelmed by all the positive feedback he is receiving and pointed to the scenario as an example of the strengths of open-source development.
“So far it’s been amazing,” Cookie Engineer, who asked to remain anonymous to protect his privacy, told Motherboard over Telegram. “Lots of like minded people taking part in the discussion, and I got lots of valuable feedback on twitter, reddit, hackernews and in private chats. I hope that we can now keep the spirits up so that we can make a democratically governed project out of it.”
Users are currently voting on what to rename Cookie Engineer’s new repository, with “AudioBakery” taking the lead so far.