Gone are the days when Audacity users and enthusiasts thought this powerful free and open source audio editing program’s only real problem was its clunky user interface; the project, now under new ownership, is being accused by some as no less than acting as “spyware.”
Specifically, the updated terms are found in the Contributor License Agreement (CLA), meaning contributors need to sign on to participate in the development community. There’s also the question of opt-in telemetry (OS, country-based IP address, non-fatal error codes, crash reports) data collection.
This sounds a bit like the long-term controversy surrounding one of the best known and most widely used open source operating systems, Ubuntu, and the company behind it, Canonical, who also in the past faced backlash for introducing opt-in telemetry collection with new installs.
Muse Group, the new owners of Audacity, who also have Ultimate Guitar, MuseScore, and Tonebridge in their portfolio, are facing similar criticism now from vocal online communities.
What would make Muse Group’s case more difficult – in the current climate – is that one of the places it was sending data to is Russia. Never mind that another is the US, where the company has its “external counsel” – and these two locations are mentioned as “occasional” destinations for collected telemetry, while the data itself is stored in the European Economic Area (the EU, plus Iceland, Liechtenstein and Norway.)
The controversy is typical of how free and open source (FOSS) dramas often unfold: companies and groups behind such projects offering their products free of charge want to have some idea of what their market share is (since “sales” figures don’t exist and hence obviously can’t provide that information) and so they choose to obtain telemetric data. Which should generally be fine as long as it’s opt-in (so, not on by default).
But FOSS communities are very sensitive to any, even tiny possibility of unwanted user data collection and privacy violations – they are prone to reacting so the rest of the tech/online world, numbed by abuses of closed source and proprietary software – don’t have to.
In any case, Muse Group sought to clarify its position by saying that, “no data will be shared with third parties (‘full-stop’)” and that only very basic data – IP address (revealing country of origin) and “system info like OS and CPU type and error reports – will be collected (for any purpose, including passing on to any government or law enforcement agency).”
“What’s more, (Muse Group) says that data will only be shared if a court compels it, and that IP addresses are only held for 24 hours.”