Stop Using Audacity. It will give your data to the cops.

Everything except LibriVox (yes, this is where knitting gets discussed. Now includes non-LV Volunteers Wanted projects)
lethargilistic
Posts: 266
Joined: July 24th, 2018, 3:38 am
Contact:

Post by lethargilistic »

As of July 2, 2021, the privacy policy for Audacity's desktop app is unacceptable. The maintainers of Audacity sold it to a company that is trying to transition the freeware into something for-profit. On the path to doing this, they are going to start tracking and storing telemetry data about your computer and how you use the software. You can read more about this elsewhere, but I will summarize some big things.

I think LibriVox should stop recommending Audacity for use with this project.

This is the new desktop app privacy policy: https://www.audacityteam.org/about/desktop-privacy-notice/

1. Audacity will track telemetry data
Audacity lists two reasons it tracks and stores data. The first reason is for the purpose of "Improving our App," and it includes:
• OS version
• User country based on IP address
• OS name and version
• CPU
• Non-fatal error codes and messages (i.e. project failed to open)
• Crash reports in Breakpad MiniDump format
Most of this is not identifiable information, per se. However, elsewhere in the policy it discloses that they will store your IP address for one day, and then store a hash of it for a year. That means that the things you do with Audacity will have a link back to you. Which is concerning and dangerous because the policy is NOT clear about the extent to which it will collude with cops.

I should also say, point blank: this tracking is completely unnecessary for the development of Audacity. It has never been needed at any point in Audacity's history, and it is not now. They may intend to sell whatever data they harvest, within the bounds of whatever privacy law you happen to be covered by in your area.

2. Audacity will share your data with cops.

Audacity reserves the right for the software to track "Data necessary for law enforcement, litigation and authorities’ requests (if any)." It expands on this to say it may give data
to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, or (ii) to exercise, establish or defend our legal rights
In the best case scenario, it could be exclusively the telemetry data. There aren't any specific limits to this, though. To whatever extent Audacity is already tracking you, or is asked to track you, the information it gets from your computer will be discoverable by the cops.

3. Audacity may send your data to Russia.
I am not interested in baiting people with "Russia Scary." And, to be fair, the privacy policy states that the data will primarily be stored in the European Union, where it will be subject to privacy regulation including the GDPR.

Nonetheless, the policy reserves the right to send your data to the parent company's servers in Kaliningrad, Russia. That means that, by "law enforcement," it includes the Russian government. Of course, that's in addition to the European Union and the United States.

3. You must be at least 13-years-old to use Audacity.
Obviously, this is less serious overall, and there are not many readers who are so young. Nonetheless, the privacy policy (because it is illegal to track young kids) says
The App we provide is not intended for individuals below the age of 13. If you are under 13 years old, please do not use the App.
So any children who read for LibriVox would technically be required to use a different audio editor anyway, because anybody who uses Audacity must agree to the privacy policy's data tracking provisions.
Last edited by lethargilistic on July 4th, 2021, 1:22 pm, edited 1 time in total.
Mike
lethargilistic
Posts: 266
Joined: July 24th, 2018, 3:38 am
Contact:

Post by lethargilistic »

To be clear, all currently available builds—v3.0.2 and prior—are from before Muse acquired Audacity in April. These should not include any telemetry code data harvesting. Don't update to any new versions; switch to an alternative when you can.
Mike
schrm
Posts: 4210
Joined: February 10th, 2018, 11:02 am
Location: Austria

Post by schrm »

i wanted to answer that every software company does this - but in german we say: the dog lies in the detail = it is the aspects, which are worrying.
and i have to say, that most details in this policy (based on this summary) seem really overdone to an extend, which... i will stop using it.
there are some problems, there.
cheers
wolfi
reader/12275
Kazbek
LibriVox Admin Team
Posts: 6466
Joined: April 24th, 2019, 12:06 pm

Post by Kazbek »

Here's an update from Audacity's owners:

https://github.com/audacity/audacity/discussions/1225

The admin team is keeping an eye on this evolving situation.

Michael
schrm
Posts: 4210
Joined: February 10th, 2018, 11:02 am
Location: Austria

Post by schrm »

thank you michael!
but it is rather clear when they write:
Who does Audacity share your Personal Data with?
We may disclose the Personal Data listed above (your hashed IP address) to the following categories of recipients:
1. to our staff members. We take precautions to allow access to Personal Data only to those staff members who have a legitimate business need for access and with a contractual prohibition of using the Personal Data for any other purpose.
2. to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, or (ii) to exercise, establish or defend our legal rights;
3. to our auditors, advisors, legal representatives and similar agents in connection with the advisory services they provide to us for legitimate business purposes and under contractual prohibition of using the Personal Data for any other purpose.
4. to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your Personal Data only for the purposes disclosed in this Notice;
5. to any other person if you have provided your prior consent to the disclosure.
cheers
wolfi
reader/12275
ColleenMc
LibriVox Admin Team
Posts: 2785
Joined: April 9th, 2017, 5:57 pm

Post by ColleenMc »

As a retired police officer who had occasion to contact ISPs and cellphone providers for info, I find the github clarification useful.

To clarify, based on my US-based law enforcement experience, some companies will provide info to law enforcement either without request (example: they see something of concern going through their software/servers, like sex abuse info, suicide threats, terrorist planning etc. Rare but it happens.) or on request which can be as little as a written request from an official source. Generally to obtain info for imminent risk purposes we had to make an official request like this -- this is when we needed to know, for example, the location of a phone right this minute because someone was kidnapped or something. In our department, we had to get it cleared by chain of command so individual officers couldn't just invoke this, the department had to know what was being done. Rarely used.

Otherwise, for routine investigation purposes, like a suspect in a crime, we had to do a formal request signed by a judge, which was a step below a subpoena. We had to show the judge how it was directly related to an investigation but it wasn't a formal subpoena with a court hearing. In those cases, it was generally a detective and they went to the judge on their own; the department didn't have to clear it as it was a routine procedure.

At some point in the last few years, most companies and most departments have moved to requiring a formal subpoena in all cases to curtail possibilities of abuse -- abuse can still happen, in terms of claiming something is an urgent need-it-now situation and doesn't require formal request and it turns out it isn't -- but it's a lot harder and it's a lot easier to track who did what and have consequences for it.

Now, I agree that the original notice was phrased in a way that was concerning, particularly in how they described potential cooperation with law enforcement. It felt very open-ended and to me, read like something that had been cut/pasted from a TOS for some other type of app where there is a lot more info and a lot more potential interaction with law enforcement. The github clarification is reassuring because they are saying basically that they WON'T respond to anything less than a formal subpoena, no informal requests/urgent need (there really wouldn't be any situation that I can think of for urgent need anyway) -- it's gotta come from a court with a formal review, which means any investigator would have to go before a judge and describe in a sworn affidavit exactly what data they need and why they think it's relevant to their investigation. That all takes some time.

The time frame is relevant because, if I'm reading correctly, the only info they are collecting is an IP address and even that is only kept for 24 hours so by the time there is some kind of full legal process to request the data, the data would almost certainly have expired anyway. And if investigators need an IP address, chances are there is a more direct way to get that anyway.

To sum up, compared to the gratuitous data collection of much more widely used apps like all social media apps and your phone in general, there isn't really anything of interest to law enforcement you would be doing in Audacity in the first place -- if you live under a regime that is coming after people for say, recording protest songs or podcasts, you have bigger issues and more ways that your government can get you for that, and I can't think of any other potentially criminal use of Audacity; AND even if you were, the data collected (most likely, a letter from the Audacity people saying, sorry, we got nothing, we only collect IP addresses under certain circumstances and even then only keep them for 24 hours) would not be worth the trouble an investigator would have to go through to get it.

Yes, keep an eye on anything weird the new Audacity owners might be doing, but it looks like using the current versions of Audacity and not upgrading will work for now, and with the discussions of forking the software I'm seeing on the github comments, there will be an Audacity-like open source version that is comparable to the current one in the near future. Use your own judgment of course, and if you are someone who keeps your data more locked down than the average person, this may continue to be of a concern, but most everyday users are throwing far more identifiable data freely out into the environment in a multitude of apps everyday to get to worried about Audacity.

Colleen
Colleen McMahon

No matter where you go, there you are. -- Buckaroo Banzai
schrm
Posts: 4210
Joined: February 10th, 2018, 11:02 am
Location: Austria

Post by schrm »

that is the normal usage which i wanted to say is ok and totally normal. such things are even witten in the laws of the usa or the eu - but this policy isn't.
We collect very limited Personal Data about you...
WSM Group with registered office at Moskovsky pr-t,40-1301, Kaliningrad, Russia, 236004...

...
Personal Data we collect
OS version
• User country based on IP address
• OS name and version
• CPU
• Non-fatal error codes and messages (i.e. project failed to open)
• Crash reports in Breakpad MiniDump format
Data necessary for law enforcement, litigation and authorities’ requests (if any)

...
Minors
The App we provide is not intended for individuals below the age of 13. If you are under 13 years old, please do not use the App.

...
Who does Audacity share your Personal Data with?
...to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary...
to a potential buyer...
to any other person if you have provided your prior consent to the disclosure...

Data storage, retention and deletion
The IP address will be stored in an identifiable way only for a calendar day. IP addresses are stored as a hash, the salt for which is changed daily. The salt is not stored on any database and cannot be retrieved after it has been changed. We store the hash for one year, after which, it is deleted. Other information we collect, such as OS version or CPU information is not identifiable...
you are right, that it makes an impression of being copypasted from another software. but even then, these rules like:
"or other third party where we believe disclosure is necessary...
to a potential buyer...
to any other person if you have provided your prior consent to the disclosure..."

are for sure illegal in the eu, rather than being claimed for by the laws.
cheers
wolfi
reader/12275
schrm
Posts: 4210
Joined: February 10th, 2018, 11:02 am
Location: Austria

Post by schrm »

what i saw, the last 20 hours was a worldwide uproar going on.
there are several forks prepared, also on github - and reditters, youtubers tech guys and so on are expecting a working fork within afew weeks.
cheers
wolfi
reader/12275
ItsThatRick
Posts: 24
Joined: May 24th, 2021, 7:35 pm

Post by ItsThatRick »

I was just reading this article over at Gizmodo
https://gizmodo.com/audacity-s-privacy-policy-doesn-t-make-it-spyware-bec-1847235025

Seems that Gizmodo doesn't classify Audacity as "spyware" because everything else is. They say "if you’re worried about Audacity being spyware then you should also be worried about... every other app being spyware"

When you read Muse's response, they seem to be in mix of damage control and standing firm.

An interesting point from the article "The new privacy policy update doesn’t come into effect until Audacity’s next update (3.0.3), and the current version (3.0.2) doesn’t have these data-sharing features enabled." But I wonder if they would be able to activate it remotely? IDK.

If any of the new forks don't work out, does anyone have an alternate to recommend?
schrm
Posts: 4210
Joined: February 10th, 2018, 11:02 am
Location: Austria

Post by schrm »

ItsThatRick wrote: July 6th, 2021, 9:00 pm I was just reading this article over at Gizmodo
https://gizmodo.com/audacity-s-privacy-policy-doesn-t-make-it-spyware-bec-1847235025

Seems that Gizmodo doesn't classify Audacity as "spyware" because everything else is. They say "if you’re worried about Audacity being spyware then you should also be worried about... every other app being spyware"
the restriction of age is violating the license what i read
and with some phŕasing like we can give your data to anyone if you agree- we have european union wide aws against data sharing. this is way to general.
maybe americans rate this otherwise, but for european nion, this makes the whole thing invalid.
ItsThatRick wrote: July 6th, 2021, 9:00 pm When you read Muse's response, they seem to be in mix of damage control and standing firm.
i was watchng some free open source developer tech guys videos. it is an ongoing provocation more than a rational and careful step by step change.
ItsThatRick wrote: July 6th, 2021, 9:00 pm
An interesting point from the article "The new privacy policy update doesn’t come into effect until Audacity’s next update (3.0.3), and the current version (3.0.2) doesn’t have these data-sharing features enabled." But I wonder if they would be able to activate it remotely? IDK.
for sure, its just a matter of what and how they integrate it.
what i was watching, the change in the software didn't happen. on the other hand, the fork did remove some code, already.
ItsThatRick wrote: July 6th, 2021, 9:00 pm
If any of the new forks don't work out, does anyone have an alternate to recommend?
at the moment, no - but i'm using ubuntu.
ease of use, ability mix, quality of the results made audacity wat it is: one of the most top best and so on open software,
one of the forks will work, i hope.
cheers
wolfi
reader/12275
SunnyG
Posts: 35
Joined: September 14th, 2020, 12:46 pm
Location: Greensboro, NC, USA

Post by SunnyG »

I ran across this yesterday... I guess it came up in my google feed.

https://hackaday.com/2021/07/13/muse-group-continues-tone-deaf-handling-of-audacity/

I don't see what the cops are going to want with recordings from early 20th C and 19th C books, anyway. I'm not doing anything that they are going to come and get me for.
schrm
Posts: 4210
Joined: February 10th, 2018, 11:02 am
Location: Austria

Post by schrm »

SunnyG wrote: July 14th, 2021, 6:10 pm I don't see what the cops are going to want with recordings from early 20th C and 19th C books, anyway. I'm not doing anything that they are going to come and get me for.
that is not the data they are storing
cheers
wolfi
reader/12275
ScottinTexas
Posts: 15
Joined: July 14th, 2021, 9:42 pm

Post by ScottinTexas »

Thank you for this information.
Roger
Posts: 4253
Joined: December 1st, 2007, 6:59 pm
Location: U.S.

Post by Roger »

Troubling; but the subject line is misleading. Rather than "Stop Using Audacity", it would be more accurate to state "Beware of Updating Audacity".
-- Roger .... pushing on the door of life marked "pull"
Post Reply