Audacity Announces Data Harvest Plans: What Kind?
What kind of data will Audacity collect? The types of data to be collected seem pretty innocuous. Namely, OS version, user country based on IP address, OS name and version, CPU. Also, non-fatal error codes and messages, and crash reports in Breakpad MiniDump format. I don’t see any personally identifiable information here, except for the IP address.
Who gets to see it? The desktop privacy notice reads “Data necessary for law enforcement, litigation and authorities’ requests (if any).” Legal grounds for sharing data are “Legitimate interest of WSM Group to defend its legal rights and interests.” That said, we also find language that reads such data may be shared with “…a potential buyer (and its agents and advisors) in connection with any proposed purchase, merger or acquisition of any part of our business…”
What has the user community most up in arms is that Muse asserts the right to occasionally share “…personal data with our main office in Russia…” This contravenes requirements of the GDPR, and could potentially violate data sovereignty requirements in certain EU countries (e.g. Germany) and elsewhere.
Does This Mean It’s Time to Bail on Audacity?
Not yet. These new provisions don’t take effect until the next upgrade to the program (version 3.0.3, one minor increment up from current 3.0.2) take effect. But a lot of people, including me, will be thinking long and hard about whether or not to upgrade. At a bare minimum, it might make sense to run Audacity in a VM through a VPN connection, to obscure its origin and user.
Note Added July 23: Audacity Updates Policy