Audacity’s New Privacy Policy


Tim Hardwick:

Two months ago, Audacity was acquired by Muse Group, which owns other audio-related projects including the Ultimate Guitar website and the MuseScore app. According to Fosspost, changes to the privacy policy section on the Audacity website indicate that several personal data collection mechanisms have since been added by the parent company.


Personal Data we collect

  • OS version [I presume they mean App version.]
  • User country based on IP address
  • OS name and version
  • CPU
  • Non-fatal error codes and messages (i.e. project failed to open)
  • Crash reports in Breakpad MiniDump format
  • Data necessary for law enforcement, litigation and authorities’ requests (if any)

The first four are pretty common for Mac apps to collect without opt-in, as part of a software update check. I don’t think IP addresses really count as personal data if they are not linked with other identifying information. Otherwise, anyone with a Web site who didn’t disable logging would be considered to be collecting personal information.

I don’t think error codes or crash reports should be collected without the user opting in.

The last item has people worried, but I’m not really sure what it means. You could imagine that Audacity is collecting information about which audio files you’re editing and making that available to companies who want to sue for copyright infringement. Or it could just be boilerplate saying that Audacity will comply with lawful requests for the not very personal information that it is collecting anyway. Whether or not it’s spelled out in a privacy policy, most companies probably don’t have a choice about that.


We believe concerns are due largely to unclear phrasing in the Privacy Policy, which we are now in the process of rectifying.

See also: Reddit, Hacker News, 2, 3.

Update (2021-07-07): Syenta:

I have already uninstalled it and cleared out the %AppData% folder where I found the LastLog which listed:

Kalk = A calculator

None of which are in
folder Why would you list things not used by Audacity like Kalk

Shoshana Wodinsky (via Nick Heer):

First came plans to add telemetry capture. Then came a new contributor license agreement. Then last week came a privacy policy update that some Audacity die-hards say turns the software into “spyware.” But Audacity isn’t “spyware”—if only because virtually every app we use is some form of spyware these days.


Ray adds that its data collection is “very limited” and only includes “pseudonymized” IP addresses that are “irretrievable after 24 hours,” system information that includes “OS version and CPU type,” and optional error report data—not users’ microphone recordings or personal details.


Also worth mentioning here is that some of the other products under the Muse Group umbrella—like the music notation software MuseScore—feature nearly identical privacy policies, which suggests the parent company just updated Audacity’s policies for some consistency across its catalog. But that doesn’t excuse the piss-poor wording on its original draft, which Ray swears will be “revised” soon enough.

cookiengineer (via Hacker News):

Stepdown as Maintainer of this Fork

Disclaimer: I really thought long about this, and I haven’t slept in two days due to ongoing harassments of 4chan.

As the first people were literally arriving at my place of living, where they knocked on my doors and windows to scare us, I am hereby officially stepping down as a maintainer of this project.

I don’t understand how this escalated.

Update (2021-07-14): Tom Nardi (via Hacker News):

While there was still a segment of the Audacity userbase that was skeptical about remote analytics being added into a program that never needed it before, representatives from the Muse Group seemed to be listening to the feedback they were receiving. Keary assured users that plans to implement telemetry had been dropped, and that should they be reintroduced in the future, it would be done with the appropriate transparency.

Unfortunately, things have only gotten worse in the intervening months. Not only is telemetry back on the menu for a program that’s never needed an Internet connection since its initial release in 2000, but this time it has brought with it a troubling Privacy Policy that details who can access the collected data. Worse, Muse Group has made it clear they intend to move Audacity away from its current GPLv2 license, even if it means muscling out long-time contributors who won’t agree to the switch. The company argues this will give them more flexibility to list the software with a wider array of package repositories, a claim that’s been met with great skepticism by those well versed in open source licensing.

