[SOLVED] Just in time for 15, Audacity becomes Spyware (maybe)
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I don't know how trustworthy this site is with their information or how they get their info, but it was a interesting article I came across.
Quote:
However, the company collects much more data than it should, such as IP addresses and even complete memory dumps from our system. And all this data can be transferred to third parties
I dabble in audio/video a little, but never used Audacity. But even if this article is wrong, I trust MuseGroup about as much as I trust Microsoft (FYI: I don't allow Windows PC's on my network at all).
I don't know how trustworthy this site is with their information or how they get their info, but it was a interesting article I came across.
Quote:
However, the company collects much more data than it should, such as IP addresses and even complete memory dumps from our system. And all this data can be transferred to third parties
I dabble in audio/video a little, but never used Audacity. But even if this article is wrong, I trust MuseGroup about as much as I trust Microsoft (FYI: I don't allow Windows PC's on my network at all).
Definitely pushing FUD.
IP Addresses:
Quote:
Regarding IP addresses, when Audacity checks for updates, we use the IP address to determine the country the user connected from but nothing more detailed than that. We have set up our systems in such a way that IP addresses are immediately anonymised (technically speaking, we truncate the IP address to 3 bytes out of 4 and then hash it).
For the memory dumps, I can't verify whether these occur, but if they do, it would only be a part of the voluntary error reporting, which you can view everything that would be submitted before you actually submit it:
Quote:
If an application error occurs, a popup appears asking you whether you want to send us the details of that error, which you can review before sending.
--snip--
We were already filtering out file paths from non-fatal error reports within Audacity, but now we have configured our Sentry server to filter file paths from crash reports too. We do not store an IP address for any kind of error report.
As for the sharing of information:
Quote:
To be clear, any organisation, if ordered by the court, is required to cooperate with an investigation, and doing otherwise is considered to be an obstruction of justice. These are not the rules we create, these are the requirements we must follow. However, we would only be able to provide the specific information mentioned in the privacy policy (outlined below) and nothing more. In addition, the steps we have taken to anonymise all stored data means that it would be of extremely limited use to anyone.
This is the information they state is sent for error reporting (which I imagine would've already been verified in the code itself by people untrusting of Muse but wanting to continue to use Audacity):
Basic technical data (CPU info, Audacity version, OS name and version)
Error codes
Stack trace
Is a memory dump the same thing as a stack trace? If so, then the article is correct, but only if the user chooses to send that error report (which requires that functionality to be compiled in).
And in case you ain't boned up on recent history lately, the problem is not that companies see my ip address and other info. The problem is that companies collect and save this data forever. In a distant past this was just transient data. That is the problem nowadays.
If you can not understand that some of us are concerned about all this, then so be it. But you could at least try to understand why some of us are concerned about freedom and privacy. Even if you do not agree with it.
The above also applies to the discussion about secure boot.
You seem to have a hard time accepting that not everybody thinks like you do.
Some people care about freedom and privacy.
Wow... that's some impressive reaching. What does that have to do with this?
Please prove my conclusions incorrect. They are not logging any IPs as they log a hash of a truncated IP (they drop 1 byte and only use 3 bytes to generate the has) and any "memory dumps" (if that is the same as a stack trace) are only sent when a user chooses to submit an error report, and the user has the ability to view everything before choosing to send it.
On top of all this, that functionality is disabled by default if you compile it and you have to specifically pass the option to the builder to even enable it.
So, are they collecting IPs? No, but hashes of partial IPs. I suppose someone could reach and still say they're logging IPs since they're hashes of partial IPs. Are they collecting memory dumps? If they're stack traces, they are if the user decides to submit an error report, which they have the ability to view the full data before sending. So, is this article telling the truth? Kinda, but only the bits of it that lead to an interesting, but incomplete, narrative and they're purposefully leaving out things to make it seem more scandalous or to purposefully mislead their readers.
So yes, this article is strictly for FUD. They do nothing to properly inform the reader of what's happening and are just inserting fear, uncertainty, and doubt into its readers.
This has nothing to do with what the NSA is building here (which if I had my say, it wouldn't be built at all, let alone here -- for some reason, they neglected to consult me on the construction) or what the Taliban is doing in Afghanistan (that whole situation is sad). It's distasteful you're trying to compare them. They're far different than optional functionality that logs a hash of a partial IP when checking for updates or allows someone to choose to send in an error report that includes a stack trace with the full ability to view that report before submitting.
Do you work for the audacity public relations department?
Quote:
Trust takes years to build, seconds to break, and forever to repair.
I guess you didn't read any of the articles I linked above.
Data collected in the past may not be so innocent anymore nowadays or in the future. Governments & Companies change. Current example Afghanistan - I linked to two articles above.
And that new rulers are using data collected in the past for nefarious purposes is nothing new really - it has happened in recent history already.
And if you believe that this can and will not happen in the usa. Well - just keep living in your dream world.
Quote:
Originally Posted by bassmadrigal
It's distasteful you're trying to compare them.
This is only about data collection and its consequences.
Calling me distasteful gives me the feeling you feel guilty about something.
You do not know my other thoughts beyond what I wrote above.
Do you work for the audacity public relations department?
I guess you didn't read any of the articles I linked above.
Data collected in the past may not be so innocent anymore nowadays or in the future. Governments & Companies change. Current example Afghanistan - I linked to two articles above.
And that new rulers are using data collected in the past for nefarious purposes is nothing new really - it has happened in recent history already.
And if you believe that this can and will not happen in the usa. Well - just keep living in your dream world.
This is only about data collection and its consequences.
Calling me distasteful gives me the feeling you feel guilty about something.
You do not know my other thoughts beyond what I wrote above.
I see no connection between Afghanistan, Audacity and Slackware - you are kind to stop with this galloping paranoia?
And BTW, The Audacity is NOT part of Slackware!
Last edited by LuckyCyborg; 08-26-2021 at 10:36 AM.
This is only about data collection and its consequences.
Your remarks are completely off-track here. The discussion was about telemetry in Audacity and the fact that the audacity packages provided by Slackware 3rd-party packagers do not even have this feature enabled, so the discussion is moot anyway.
Dragging Taliban into the discussion is just not helpful and only aims to derail this topic.
Quote:
Calling me distasteful gives me the feeling you feel guilty about something.
This remark of yours is actually distasteful and disrespectful, as well as stoking division. Perhaps you should just stop right here.
I guess you didn't read any of the articles I linked above.
You do not need to read them just look at the source. https://github.com/audacity/audacity
I maintain a build. And try to send feed back. I enable it so they can see issues.
This all has been blown up.
Just nothing to hide.
Do you work for the audacity public relations department?
Nope. I rarely use Audacity (but I do have it installed on my computer for the occasional time I need to work with it). However, when situations like these arise, I like to inform myself. That means researching things. I did a lot of research on this, which is how I came to my conclusions -- you have yet to refute any of them.
Quote:
Originally Posted by MadMaverick9
I guess you didn't read any of the articles I linked above.
I did read them, but they didn't have anything to do with this. What does Afghani people deleting their profiles to prevent the Taliban from targeting them have to do with the optional, anonymous, and partial data collection being accomplished by Muse for Audacity?
Quote:
Originally Posted by MadMaverick9
Data collected in the past may not be so innocent anymore nowadays or in the future.
Absolutely true, but the data collected here is *optional* and partial. If you don't want it, don't compile it with explicitly enabling the option (since it's disabled by default). If you do have it compiled in *and* enabled update checks, the full IP isn't even being used and only 3/4 of it is being hashed (anonymized) and saved to prevent it being tied to a person. If you decide to send an error report, the IP isn't even included and all file paths are removed from the report.
If you want to talk about some future thing, that's fine, but that's speculation about some future event. It is not in place now and may never get put in place. If it does get implemented in the future, then it is worth it to readdress the issue and make sure people are aware of the changes. But it is deceptive to discuss potential future implementations (that are not currently planned) as if they're in place right now.
Quote:
Originally Posted by MadMaverick9
And if you believe that this can and will not happen in the usa. Well - just keep living in your dream world.
I'm not saying it's not happening in the US, but it is not happening to the levels being claimed with Muse via Audacity. Please, prove me otherwise.
Quote:
Originally Posted by MadMaverick9
Calling me distasteful gives me the feeling you feel guilty about something.
What?! How does that make any sense? First, I didn't call you distasteful, just your comparison. Second, I'm not feeling guilty about anything. However, I think it's outright disrespectful to compare what's happening in Afghanistan to an optional, partial, and anonymized data collection being accomplished when they document it all in their privacy statement and make it disabled by default when compiling.
Even this forum collects your *full IP addresses along with your email, username, and password (hopefully the password is hashed and salted, but this isn't specified in their privacy policy). In addition, even though it isn't covered in that privacy statement, they're collecting your OS/distro based on the user agent sent to LQ (as can be seen by the OS used next to each post). The source for LQ isn't open source like Audacity's, so it's possible even more is being collected without anyone having the ability to verify it like they can with Audacity.
So please get off your high horse when you're using a site that collects full IPs and emails without making it optional... plus you probably use a LOT of sites that collect even more data than that without any way to opt out (although, I don't know your life and maybe you only use LQ and nothing else).
Quote:
Originally Posted by MadMaverick9
You do not know my other thoughts beyond what I wrote above.
Of course I don't. I never said I did. You still have not provided any information that counters what I covered in my post. You are contributing to the FUD of Audacity.
I rather like Audacity and am glad that it is a small matter to disable the nastiness at build time.. it would be unfortunate to be stuck using an ancient release for the long term. Apart from licensing concerns I find the rest of this drama to be noise.
Distribution: Slackware/Salix while testing others
Posts: 1,718
Rep:
Wow, I'm all for connecting the dots but MadMav that was like trying to connect all the stars in the sky so it spells "They are Watching". Eric (Alien) already said his packages wont have telemetry enabled, if you don't trust his packages then that also means you can build your own without it enabled.
PS: referencing the stars and Eric's username being Alien are completely coincidental unless its not.
Why are y'all so apologetical when it comes to discussions about data collection (e.g. audacity), secure boot, etc.?
And no - I will not stop when it comes to discussing about data collection, freedom & privacy, etc.
To be honest - all your comments make me more determined.
I always thought that most Linux users care about freedom & privacy. Guess I was wrong.
And - I am not connecting the stars in the sky. I am just reading the news and reading about the consequences of data collection.
People much smarter than me have talked about things in the past that are actually reality now.
Enough ... That's all Folks ...
Again, collecting partial IPs that were hashed and optional error reporting that you can view what would be submitted before you decide to submit.
I don't see why you're so up in arms about this... while posting on LQ which logs your whole IP, email, and distro/OS (the last not even being on their Privacy Statement).
And another problem is that software nowadays is so complex, that it is impossible for one developer alone to verify the source code. The audacity source code (.tar.gz) is 60 MB.
So - This is why. Unless we speak up and change our ways after reading such news, nothing will change.
Quote:
Trust takes years to build, seconds to break, and forever to repair.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
