[SOLVED] Just in time for 15, Audacity becomes Spyware (maybe)

liberalchrist · 07-05-2021, 10:13 PM

So with today's Audacity news, I wonder how the Slackbuilds folks will want move forward? I understand there is now a fork, but you have to place a lot of trust in people handling such a complex program. Perhaps disabling telemetry at compile time?

astrogeek · 07-05-2021, 10:58 PM

I don't know about Slackbuilds, but for myself as a longtime Audacity user, if what I have seen about the coming change turns out to be true, it will no longer be installed on my machines.

It isn't always about disabling some nasty feature or blocking some unwanted access. It is about not using and therefore promoting software or other products from sources which have no respect for me as a Free and equal human being, but take something of value from me without so much as asking.

It has always been about the Freedom, not about the source code, and the only winning move when the game is rigged is to get up and leave the table. Bye.

I hope the fork can be successful, but I hope they will find a way to free themselves and produce a Free audio application in its own right and not simply become a downstream filter of the non-Free version.

LuckyCyborg · 07-05-2021, 11:10 PM

From what I known, the Audacity is not part of Slackware. Why should this Audacity be important for us?

Honestly, I own a pair of deaf ears, so I do not cared ever about Audacity.

FTIO · 07-05-2021, 11:52 PM

I never liked it anyway as I considered it bloatware years ago and just too much 'junk' to simply play my music. I've always been a fan of Audacious.

ponce · 07-06-2021, 12:30 AM

just to add some clarifications to the discussion for whoever isn't informed

https://github.com/audacity/audacity/discussions/1225

Quote:

In the meantime, the Privacy Policy doesn't actually come into force until the next release of Audacity (3.0.3). The current version (3.0.2) does not support data collection any data of any kind and has no networking features enabled.

FWIW ATM SBo and Alien Bob (both only for current) provide version 3.0.2.

igadoter · 07-06-2021, 12:33 AM

According to github telemetry is by default disabled https://github.com/audacity/audacity/pull/835

Alien Bob · 07-06-2021, 01:03 AM

Drama queens. The topic is more or less FUD. Pity.
If the software adds telemetry and phone-home but it can be disabled compile-time, all is still OK. So, the Slackware packages are not spyware.
I can understand that they would build these functions into their own binaries, it's their right to do so and your choice not to use those binaries.
My Audacity packages will not have any telemetry enabled. You can use those.

The point of ridicule is the age limitation Audacity will impose on those telemetry-enabled binaries (13+) based on European GDPR laws. Note that this "data privacy terms of service" will not apply to my binaries that do not collect your data in any case. It's just a big mis-step on their behalf.
My point of concern is the change from GPL to CLA (contributor license agreement) which is the company's way to gain control over all code with a demand that code contributors waive their rights to their own code.

ponce · 07-06-2021, 01:51 AM

another discussion on github that should help clarify the matter further

https://github.com/audacity/audacity/discussions/889

Quote:

Hi everyone,

I’m going to describe the actions we propose to take to address the concerns raised about PR #835 (opt-in Telemetry using Google and Yandex as 3rd party hosts):

We are dropping the telemetry features proposed in PR

Basic telemetry for the Audacity #835
Regarding features that require networking, we would like to include error reporting and the ability for Audacity to check for updates (details below)
We will self-host all collected data from error reporting and checks for updates, removing any need for Google or Yandex analytics

What happened?

The creation and subsequent discovery of PR #835 was a bad communication/coordination blunder that caught us completely by surprise. We're very sorry for causing so much alarm. Our intention was to make an initial announcement about our plans to introduce telemetry on the Audacity forum, similar to how we discussed the topic for MuseScore in 2019. In that instance, I think the fact that we introduced the issue openly resulted in a lot less suspicion.
What are we proposing now?

I have spent the last few days working with the heads of Muse to try and reach a solution that would accommodate the requests of the community as much as possible. Apologies about the delay. These decisions took time to arrive at because - despite my role as the lead on the project - calls on this specific issue are not mine to make.

First, it is important to stress that we have absolutely no interest in harvesting or selling personal data and Audacity will always be free and open source. The response to PR #835 has brought about a realisation at Muse that the convenience of using Yandex and Google is at odds with the public perception of trustworthiness, so we will be self-hosting instead.

The next item is telemetry. I believe our communication mistake contributed to a lot of misunderstanding about our intentions here. Telemetry is a practical tool that tells us a lot about how an app is performing or underperforming (is this new feature being used a lot? Is this button being discovered? etc.) We assumed that making it opt-in would allay privacy concerns but since this isn't the case, we are dropping it. In the future, we may want to determine if there are any acceptable alternative solutions that could achieve the same goal. Feedback would be appreciated on this point. In the meantime, I will continue user testing, interviewing, reading feedback and conducting surveys to learn more about what our users want. I will happily discuss this in the comments section.

Before delving into the specifics, it is important to mention that we have been asked a lot of different questions. For the purposes of not muddying the conversation, I have stuck only to the most pressing issues raised about PR #835. There will be a lot more communication from Muse about its goals in the near future. I will be continually talking about Audacity and discussing what we are working on over the coming weeks and months. Please ask questions here. We're ready to answer.

Below is more specific information related to error reporting and update checking.
Error reporting

We are currently interested in SQLite errors, application crashes, and non-fatal exceptions. If one of these events is detected, a dialog will appear that explains the nature of the problem and offers to send an error report to us, the Audacity developers. This dialog will contain:

An option to view the complete error report data before it is sent
For crashes and errors, it will send the OS used
For crashes it will send CPU data, like number of cores
Equally prominent buttons to “send” or “don’t send” this particular error report
A checkbox (unchecked by default) offering to remember the user’s decision and do the same for future error reports without asking
The decision for future error reports can be changed in Preferences at any time

Error reports of course take place over the internet, which naturally allows us to see an IP address. The error report is stored in our self-hosted Sentry database on a server located in the EU. No information will be sent to any third parties unless required by law. Sentry stores crash data and system/hardware specifications. Here is a link to their source code: https://github.com/getsentry/sentry
Update checking

When the program starts, Audacity will check whether a newer version of the program is available for download. If there is a new version, the user will be shown a dialog to notify them.

There will be an option to disable automatic checking
This decision can be changed in Preferences at any time

Update checking reveals three things: the IP address, the OS version and the Audacity version. We will use a self-hosted geolocation database to determine the country the IP address is located in and nothing more. The raw IP address will not be stored or logged, but we will store and log a non-reversible hash of the IP address to improve the accuracy of the daily statistics. The server is located within the EU to comply with the GDPR. No information will be sent to any third parties unless required by law.
Compiling from source and Linux distribution packages

The behaviour described above for error reporting and update checking would only apply to official “release” versions of Audacity available from our website or GitHub page. In other builds, the error reporting and update checking code will be excluded by default via CMake options.

so I can assure you that in the audacity.SlackBuild at SBo those CMake option will be kept at "OFF" (I am the maintainer of audacity there).

igadoter · 07-06-2021, 02:10 AM

Thanks for clarifying matter.

astrogeek · 07-06-2021, 03:10 AM

Thanks ponce, that casts it in a completely different light than the reports I had seen previously. I like Audacity and would certainly like to see it continue as Free software!

Skaendo · 07-06-2021, 07:34 AM

Quote:

Originally Posted by ponce

another discussion on github that should help clarify the matter further

https://github.com/audacity/audacity/discussions/889

That quote that you took from there seems to me to be nothing more than, "Woops, we got caught now it's time to try and save some face." I never used Audacity, and being able to turn off telemetry at build time seems like a nice idea but it feels too little too late. The only way in my eye is to completely patch out anything related to telemetry. That would be the only way I would feel "safe" enough to use it.

Just my

liberalchrist · 07-06-2021, 05:12 PM

Thanks for all the maintainers kind attention to these matters. I really didn't mean to cause a ruckus. I've been using Audacity for some time and wouldn't want to see anything bad happen to it. Watchfulness is always good, though. Peace!

bassmadrigal · 07-06-2021, 05:25 PM

It seems like there's three different issues here, but many on the internet are lumping them together as one.

The first issue, telemetry, was discussed back in mid-May and the developers ultimately decided against introducing it to audacity (see ponce's comment with the developer's statement).

Then we had the changing of licensing from the GPLv2 to GPLv3 and requiring past and future contributors to sign a CLA at the end of May. Some people believe this implies that there's likely some future move that's going to either take Audacity closed-source or they'll offer some of Audacity in a closed-source form that would require payment (like Android/iOS apps being closed-source or paid apps), but they've stated in the previous link that Audacity will remain 100% free and open source. However, they state they're looking to add features that are not compatible with GPLv2 like VST3. They're also planning to start offering "separate cloud services" to help fund the development. I haven't found what these cloud services will include. Possibly online storage of files allowing easy working of files between multiple computers or users?

The new and third issue is the adding of the privacy policy due to them adding "checking for updates" and "error reporting" in the next version. These options are disabled by default when compiling, but when using pre-built binaries by Audacity, the check for updates is enabled by default and the error reporting is disabled by default. Some may consider this telemetry, but it's very limited compared to what they were adding before (they were going to track clicks within the program to see what features were being used and how frequently). This new privacy policy is required due to the IP address being seen by the server when connection attempts occur via the above update check or error reporting and the additional information sent to the server, all of which is below:

The data they'll collect from update checking or error reporting is:

IP address - which is pseudonymised and irretrievable after 24 hours.
Basic System Info - OS version and CPU type. (They don't mention it initially, but also Audacity version.)
Error Report Data (Optional) - Sent manually by users as part of an Error Report.

As mentioned, the logs with the pseudonymised IP addresses are destroyed after 24 hours (it's likely used to determine rough geolocations of users). Here is what "basic system info" is collected:

Code:

GET /feed/latest.xml HTTP/1.1
Host: updates.audacityteam.org
Accept: */*
Accept-Encoding: deflate, gzip
User-Agent: Audacity/3.0.3 (Windows 10_0_19042; x64)

Due to laws like the GDPR, the privacy policy needs to limit online use of Audacity to users 13 and older. If Audacity is used completely offline, then the privacy policy does not apply.

Based on my reading on reddit, it seems a lot of people think this privacy policy is due to the initial telemetry plans, which is not the case (currently... who knows if there's plans to try and reintroduce it later). It only applies to the checking for updates and error reporting.

=========================

Now, to me, the privacy policy update is a non-issue (once they explained it better) and they're working on an updated privacy policy to better explain the intent. I don't like that the update check is enabled by default on pre-built binaries, but plenty of software, including FOSS, do that and are probably collecting similar data. As I mentioned above, those two items will remain disabled by default when compiling and need to be enabled by a cmake flag.

However, when you combine all three things, trying to implement telemetry, changing the license, and updating the privacy policy, it's understandable that people are hesitant to believe that this software is not heading down a questionable path. I have no personal beliefs I'm willing to share right now on the future of this project. I will continue to watch it as it develops and will adjust my opinion and any usage as needed.

Regnad Kcin · 07-10-2021, 07:09 AM

Audacity is a useful audio editing and extraction and modification tool and I use it rather frequently. I think of the Audacity people as being "good guys" and I would not like to think of them as doing things that are nefarious. I have version 2.4.2 installed and I believe I will upgrade as this version is a year old.

lovemeslk · 07-17-2021, 10:51 AM

After forking both branches. And then actually see that telemtry has been disabled in the release
think the community made it known how they feel.

I my self like the fact to opt in on crash info.
I believe a good crash data base for the ever changing cpu's is a good thing.

I think more people should opt in on this. I do for Mozilla products.

Not all of us have the trust of Mozilla to give up info.
Trust is earned through transparency held to a high standard of the GPL.