When we last signed up for the Audacity community, users thinking about the privacy of the free open source audio editor were concerned about proposed plans to add a telemetry report to decades-old open source audio editing software. More than 1,000 comments have been left on the GitHub download request that would realize this “home phone” feature, with many arguing that the best course of action is to create a new Audacity plug that removes any current or a future tracking code that is embedded upstream.
Our last post on the topic ended in a high toneas if the situation had improved. Although there was still a segment of Audacity’s user base that was skeptical about adding remote analytics to a program that had never needed it before, Muse Group representatives seemed to be listening to the feedback they were receiving. Keary assured consumers that plans to implement telemetry have been dropped and that if they are reintroduced in the future, it will be done with appropriate transparency.
Unfortunately, things only got worse over the months. Telemetry not only returns to the menu for a program that has never needed an Internet connection since its initial launch in 2000, but this time it has brought with it an alarming Privacy Policy that details who has access to the data collected. . Worse, Muse Group has made it clear that it intends to move Audacity from its current GPLv2 license, even if it means attracting longtime associates who will not agree to the switch. The company says this will give them more flexibility to list software with a wider range of package stores, a statement that has been met with great skepticism by those familiar with open source licensing.
License Shell Game
Just over a week after the release of our previous Audacity article, Daniel Ray, Muse Group’s strategy manager, launches new GitHub bomb in the form of a new CLA. He explained that past and future associates will be bound by the agreement, which gives Muse Group unlimited rights over how the code provided is used and licensed. The document clearly shows that the original contributor is still the technical owner of the code and that they were free to use it in other projects, but will have no bearing on his fate once they have joined the Audacity project.
The real trouble began when he admitted that Muse Group eventually intended to introduce a dual license on the code. This would mean that in some situations and at their discretion, Muse Group could offer a version of Audacity that is subject to a completely different and as yet unnamed license. Ray cites problems listing GPL-licensed projects in the Apple App Store as an example of why this clause is necessary because it would allow the Muse Group to use a more licensing license to meet the provider’s redistribution requirements.
If that wasn’t enough, the new CLA FAQs explicitly state that the code that contributed to Audacity could be used in future Muse Group closed source projects:
It is no exaggeration to say that this is the antithesis of what an open source community, or at least the GPL, is. Few people who want to submit their code for inclusion in a program that has spent more than 20 years licensed under the GPLv2 would approve of their work, which ends as part of a closed source commercial project. When a commentator asked Ray how Muse Group intended to get past contributors to agree to such a document, he replied that only the big participants should unsubscribe; the team decided that rewriting what he described as “trivial” contributions would be more effective than getting the original authors to agree to the new terms.
You have to be so tall to ride
While still agreeing with the CLA, The community was further annoyed by the release of a draft version of Audacity’s new Privacy Policy earlier this month. This document describes a still outstanding telemetry system and how the information it collects will be shared with outsiders. Of particular concern was the language in which Muse Group would share “Data required for law enforcement, litigation and requests from the authorities (if any)” while not clarifying the scope of the data collected or which authorities the company refers to. It is worth mentioning at this stage that Muse is based in Kaliningrad, Russia.
Another section of the Privacy Policy, entitled simply “Minors”, explains that Audacity should not be used by persons under 13 years of age. This clause is likely to be inserted so that their proposed data collection and reporting does not conflict with American children. The Online Privacy Act (COPPA) and the European Union’s General Data Protection Regulation (GDPR), which limit the age at which the user can consent to his information being used online.
Many commentators expressed concern that Audacity’s requirement for a new age would mean that the free tool could no longer be used in educational settings, forcing schools to find an alternative program. Others pointed out that both GPLv2 and GPLv3 explicitly prohibit restrictions on who can run the program. If the Muse Group intended to use the CLA to replace this GPL clause, this would be a dangerous precedent; limiting the age at which a user can start a program is a slippery slope to other forms of discrimination, another unforgivable insult to open source community values.
Wasted trust
Just as they claim with the request to withdraw telemetry from May, the official line of the company is that the publication of the draft Privacy Policy is a mistake and that the final document will be revised to bring it more in line with the company’s goals. Audacity from now on. According to a publication by Daniel RayAfter telemetry is enabled in Audacity version 3.0.3, the only data that will be collected is the user’s IP address, basic computer information, and optional error reports. Notwithstanding the draft, it also assured users that no additional data will be collected for law enforcement purposes and if users wish, they can work with Audacity offline, which exempts them from full compliance with the Privacy Policy.
The big differences between the draft Privacy Policy, which is currently on the Audacity website, and the theoretically revised version are hard to ignore. A reasonable observer would wonder why this draft was ever made public if the aim was to invalidate most of its controversial clauses on a second review. The inevitable conclusion is that some elements in the Muse Group are either dangerously naive about the realities of managing a large open source project, or more alarmingly, that they are actively trying to see how much the community can be pressured before they start to back down.
In the second case, we may have an answer. A branch of Audacity aimed at undoing the changes made by the Muse Group, with the appropriate name Tenacityhas already garnered more than 4,000 stars on GitHub. Of course, there is no guarantee of the longevity of such rebellious projects, or it is critical whether large software repositories will avoid the upstream version in favor of de-Mused compilations. But behind that is an undeniable momentum, fueled purely by the way the Muse Group has confused their interactions with the Audacity community since they took the reins just three months ago.
If this is really the beginning of a hard fork for the legendary open source audio editor, there is no question who should take the blame. In the end, however, if the new Tenacity crew takes the Audacity torch and runs with it, in a year’s time we may wonder what all the fuss is about.