Audacity: Now Considered Spyware

by Paul Arnote (parnote)

Just when you thought it was safe to go back in the water ...

Over the last couple of months, the FreeNode IRC network has detonated or imploded (take your pick of which word to use, depending on your point of view), as we reported on last month. FreeNode was the IRC "home" of many FOSS projects.

Prior to that, we were embroiled in (and reported on) another "scandal" where the new owners of LastPass made the popular password manager a subscription-based service, after being a free service ever since its inception.

FOSS projects have taken a beating in 2021, and the year isn't but two-thirds done yet.

Now, another FOSS project is causing a "scandal." The project (which you are most likely already familiar with), the open source multi platform sound editor Audacity, was acquired by Muse Group on May 4, 2021. This Russian-based company is the same one that controls the open source music notation program known as MuseScore. On July 4, 2021, Muse Group published a new "desktop privacy notice" where data is collected from the end user's computer, and that data is transmitted back to servers run by Muse Group. Once there, that data is retained and may be handed over to "competent law enforcement agencies" upon request. You can read the entire updated "privacy" policy here. There are other "contentious" parts of the new "privacy" policy, as well, but this particular part was exceptionally disturbing.

For what it's worth, the new "privacy" policy appears to be a shorter version of the privacy policy that the Muse Group has applied to MuseScore. However, MuseScore doesn't have even a fraction of the number of users as Audacity, which is probably why it has flown under the radar. Audacity is one of the most popular FOSS programs on the planet, hence the outrage.

Whoa! Whoa! Whoa! Say WHAT?!

As you might imagine, the open source community reaction has been swift and very, very negative. Muse Group's data collection, and the subsequent "phoning home" with that collected data, is leaving many in the open source community feeling betrayed. The last thing open source users ... nay, any users ... want is to be spied upon by a program that phones home with various data that, if taken in a certain way, may incriminate users when in fact nothing wrong has been done at all. Plus, in an era when user privacy is increasingly under attack, someone else trying to collect user data isn't going to be taken lightly.

Besides the data collection that has users up in arms, the new "privacy" policy is in direct violation of the GPL (the license under which Audacity is currently released) by "restricting" its use to users 13 years of age or older. The GPL prevents any restrictions of any kind, including age.

Almost immediately, there were many calls to fork Audacity. One GitHub user, Cookie Engineer, stepped forward to do just that. One of the first orders of business was to select a new name for the Audacity fork, since the name "Audacity" is trademarked and "owned" by Muse Group. The new fork will be called "Tenacity."

Another important issue with the fork was to go through the code and remove all the telemetry/data collection and the "phone home" reporting routines. According to the Tenacity page on GitHub, this has already been accomplished.

The "discussion" section of the Tenacity page on GitHub is full of other considerations for the fork. One is whether to continue using the same wxWidgets framework that Audacity uses, or whether to port it to the Qt or GTK3 framework.

Other concerns were expressed by Cookie Engineer from the outset. He acknowledged that he would need help to maintain the fork, and that a team of coders would need to join him in the effort to maintain the fork. He also expressed a need for someone to build the fork for the Windows OS, MacOS and BSD, since he alone would not be able to provide those binaries.

Stay tuned. Source code for the Tenacity fork is already posted on the Tenacity GitHub page. While the fork is in the early stages, it shouldn't be long before Tenacity is available in most Linux distribution's software repositories. Tenacity is coming from a fairly stable code base, since Audacity has been around for over 21 years. Audacity was originally released in May, 2000 as version 0.8, by Dominic Mazzoni and Roger Dannenberg at Carnegie Mellon University.

The current version of Audacity (3.0.2) in the PCLinuxOS repository is free of the telemetry/data collection and "phoning home" privacy violations, so there's no need to uninstall it from your computer just yet. Newer versions won't be so lucky. Expect to see Audacity to be replaced (probably with Tenacity) in the near future on your PCLinuxOS installation.

Even if Muse Group were to back away from their telemetry/data collection scheme, it's now too late. User trust has been irreversibly destroyed. Users will wonder in the back of their minds if they might again attempt such shenanigans, or if they might have quietly slipped the telemetry/data collection/phone home code back into a subsequent release. And that doesn't even address the GPL violation of releasing software with NO restrictions, including age.

Just as with FreeNode and LastPass, user confidence and trust has been shattered, and it could very well spell the end of Audacity's reign as the best and most used FOSS sound editor. It is sad, indeed.

Thanks for the memories, Audacity. You served us well. Now, it's time to move on, away from underhanded owners collecting untold amounts of user data. You don't destroy the boat that has delivered you to the shore, in a manner of thinking, and that is exactly what Muse Group has done to the users of Audacity. With Audacity, the FOSS community delivered a high quality product, built upon sound FOSS pilings. It's time to say goodbye to Audacity, and hello to Tenacity ... or whatever else comes along to replace its niche in the software landscape.