Dang! I just came across a news item that indicates one of my favorite audio recording and editing apps may be going over to the dark side. I’m talking about the long-time, well-known open source freeware program Audacity. Following its April acquisition by the Muse Group, the program’s privacy policy updated on July 2. Alas, in that policy, Audacity announces data harvest plans. These include include telemetry data, and sharing of such data.
Audacity Announces Data Harvest Plans: What Kind?
What kind of data will Audacity collect? The types of data to be collected seem pretty innocuous. Namely, OS version, user country based on IP address, OS name and version, CPU. Also, non-fatal error codes and messages, and crash reports in Breakpad MiniDump format. I don’t see any personally identifiable information here, except for the IP address.
Who gets to see it? The desktop privacy notice reads “Data necessary for law enforcement, litigation and authorities’ requests (if any).” Legal grounds for sharing data are “Legitimate interest of WSM Group to defend its legal rights and interests.” That said, we also find language that reads such data may be shared with “…a potential buyer (and its agents and advisors) in connection with any proposed purchase, merger or acquisition of any part of our business…”
What has the user community most up in arms is that Muse asserts the right to occasionally share “…personal data with our main office in Russia…” This contravenes requirements of the GDPR, and could potentially violate data sovereignty requirements in certain EU countries (e.g. Germany) and elsewhere.
Does This Mean It’s Time to Bail on Audacity?
Not yet. These new provisions don’t take effect until the next upgrade to the program (version 3.0.3, one minor increment up from current 3.0.2) take effect. But a lot of people, including me, will be thinking long and hard about whether or not to upgrade. At a bare minimum, it might make sense to run Audacity in a VM through a VPN connection, to obscure its origin and user.
Note: Here’s a shout-out to Anmol Mehrotra at Neowin whose July 6 story “Audacity’s privacy policy update effective makes it a spyware” brought this chance of circumstances to my attention.
Note Added July 23: Audacity Updates Policy
If you check this story from Martin Brinkmann at Ghacks.net, you’ll see that Audacity has retreated from all of its controversial or questionable privacy policy language. Seems like the resulting user reactions caused them to revisit, reconsider and move away from data harvest that could touch on user ID info and addresses. Frankly, I’m glad to see this: I like the program, and am happy to understand its new owners have decided to leave its prior policy positions unchanged.
