
Another misstep for Audacity

By Jonathan Corbet
July 8, 2021

While it has often been said that there is no such thing as bad publicity, the new owners of the Audacity audio-editor project may beg to differ. The project has only recently weathered the controversies around its acquisition by the Muse Group, proposed telemetry features, and imposition of a new license agreement on its contributors. Now, the posting of a new privacy policy has set off a new round of criticism, with some accusing the project of planning to ship spyware. The situation with Audacity is not remotely as bad as it has been portrayed, but it is a lesson on what can happen when a project loses the trust of its user community.

On July 2, the Audacity web site acquired a new "desktop privacy notice" describing the privacy policies for the desktop application. Alert readers immediately noticed some things they didn't like there; in particular, many eyebrows were raised at the statement that the company would collect "data necessary for law enforcement, litigation and authorities’ requests (if any)" as part of the "legitimate interest of WSM Group to defend its legal rights and interests". What data might be deemed necessary was not defined. The fact that WSM Group, the listed data controller, is based in Russia did not help the situation. And a statement that anybody under the age of 13 should not use Audacity at all was seen as a violation of the GPL by some.

A full-scale Internet red alert followed, with headlines that Audacity was becoming spyware and users should uninstall it immediately. A fork of the project was promptly launched, promising: "No telemetry, crash reports and other shenanigans like that!". Alerts were sounded in various distributions, including Debian, Fedora, openSUSE, and others, suggesting that Audacity should be dropped or at least carefully reviewed. Audacity, it seemed, had gone fully over to the dark side and needed to be excised as soon as possible.

It only took a few days for the project to issue a "clarification" to the new privacy policy, stating that "concerns are due largely to unclear phrasing" that would soon be updated. The data that is collected was enumerated; it is limited to the user's IP address, operating-system version, and CPU type. The IP address is only kept for 24 hours. The company's compliance with law enforcement is limited to what is actually required by law. The update also pointed out that this policy does not even come into effect until the upcoming 3.0.3 release; current releases perform no data collection at all.

Meanwhile, others have actually looked at the code to see what data is being collected. That is, after all, one of the major benefits of free software: we can see what a program is doing rather than depending on the assurances of some corporation. The conclusion was quite clear:

> Almost every mature desktop app you have ever used does at least two if not all three of these things. I cannot emphasize enough that it's difficult to impossible to even enable these features right now, and they're completely harmless besides.

Since then, the situation would appear to have calmed down somewhat; the mob with the flaming torches broke up and went home prior to reaching the gates (though some of them appear to have found their way to the Tenacity fork instead). Audacity, it seems, has not quite become the evil menace that some people thought it might.

It is worth thinking about how this situation came about, though. Nobody who runs a free-software project, regardless of whether they are building a business around it, wants to be the subject of this sort of attention, after all. Sadly, this episode demonstrates one important aspect of life in this era: if the Internet decides that you are the entity that it is going to hate next, there is little to be done about it. The claims that Audacity is "spyware" far outpaced any efforts to correct the record, and that association will remain in the minds of many for a long time.

But it must also be said that the Muse Group has mishandled the acquisition of this project in ways that have made this kind of blowup more likely. The early attempt to add telemetry, which would have sent significant amounts of user data to third-party servers, understandably upset a lot of users and was eventually withdrawn. The disagreement over contributor license agreements has not helped either. All of this adds up to an impression, whether merited or not, that the Muse Group is looking to exploit a longstanding free-software project in unethical ways. When that is the lens through which your users see you, your actions are likely to be interpreted in the worst possible ways.

Hopefully the Muse Group will learn from these missteps and proceed a bit more carefully from here on out. A focus on real improvements for users and better communication with the user community would help to rebuild trust. It would also be nice if the Internet would learn to damp its reactions a bit — but there seems to be little hope of that. If the Audacity project can find a way to reconnect with its wider community, though, at least one thing will have gotten a little better.



Another misstep for Audacity

Posted Jul 8, 2021 20:15 UTC (Thu) by flussence (guest, #85566) [Link] (2 responses)

IIRC Filezilla went down a similar path by bundling adware a few years ago. That resulted in one passive-aggressive fork that got about a week of attention then swiftly forgotten, but at least nobody got death threats for it.

(I'm sure it's just coincidence but everything big built in wxWidgets seems to end in disgrace. RIP pgAdmin3…)

Another misstep for Audacity

Posted Jul 8, 2021 21:00 UTC (Thu) by mtu (guest, #144375) [Link]

/me pets wxHexEditor

Another misstep for Audacity

Posted Jul 9, 2021 12:48 UTC (Fri) by wbartczak (guest, #140298) [Link]

wxWidgets were never a pleasant experience for a developer. They were created when C++ was still half broken and people tried hard to figure out how to do universal UI with callbacks (in C++). I also have a strange feeling that wxWidgets were borrowing a lot of ideas from MFC for Windows, which is another abomination (as usual in the case of Micro$oft). I still wonder if there's a core of Audacity that can be used to create something user interface agnostic (lib). So it can become something like gstreamer with plugins and the app itself. Then there could be 1000 forks for the UI and just one good library.

Another misstep for Audacity

Posted Jul 8, 2021 23:09 UTC (Thu) by willy (subscriber, #9762) [Link] (5 responses)

I think this needed a bit more highlighting.

> (though some of them appear to have found their way to the Tenacity fork instead)

That's a pretty mild way to describe harassment of the Tenacity maintainer to the point where they felt their safety was at risk and resigned!

Another misstep for Audacity

Posted Jul 9, 2021 9:14 UTC (Fri) by excors (subscriber, #95769) [Link] (2 responses)

> That's a pretty mild way to describe harassment of the Tenacity maintainer to the point where they felt their safety was at risk and resigned!

"felt their safety was at risk" also seems pretty mild, when the Tenacity maintainer says (in the linked GitHub issue) "I was slit in the arm" and "It was attempted murder with an illegal butterfly knife" as the result of a 4chan harassment campaign.

(Pseudonymous GitHub comments aren't necessarily proof of anything, but the maintainer does have a long history there and on other social media and doesn't hide his real identity and sounds like a reasonable person, and provides links to 4chan threads full of wildly offensive abuse against him (which seemingly started when he rejected 4chan users' vote for a stupid meme name for the fork), so his claims seem plausible. Even without the assault, the online harassment is totally unacceptable.)

Another misstep for Audacity

Posted Jul 9, 2021 11:32 UTC (Fri) by ale2018 (guest, #128727) [Link] (1 responses)

> Even without the assault, the online harassment is totally unacceptable.

The dummy sneedacity repository advertised on 4chan features James Crook, an Audacity author, as a main contributor. If that's where the harassment originated, perhaps it's safe to drop Audacity irrespective of any telemetry features.

Another misstep for Audacity

Posted Jul 9, 2021 12:45 UTC (Fri) by excors (subscriber, #95769) [Link]

> The dummy sneedacity repository advertised on 4chan features James Crook, an Audacity author, as a main contributor

I think you're misinterpreting GitHub's contributor list - it's just showing the authors of all commits in the master branch since the beginning of time. The last of James Crook's commits in that repository are from April 13, i.e. they are from the main Audacity repository before it got forked, so he has zero involvement with the fork or the harassment.

Another misstep for Audacity

Posted Jul 9, 2021 9:21 UTC (Fri) by mbunkus (subscriber, #87248) [Link] (1 responses)

Holy shit, that whole issue text sounds scary as hell. He wasn't just harassed (though that is bad enough, surely), he was physically attacked with a knife. On his own property. How batshit crazy are some people!?

Another misstep for Audacity

Posted Jul 10, 2021 22:47 UTC (Sat) by flussence (guest, #85566) [Link]

> How batshit crazy are some people!?

Unfortunately, very. These are the exact same demographic that whipped up a years-long conspiracy theory that *started* with a grown man showing up at a pizza shop with an assault rifle convinced that it was hiding a satanic torture basement behind a fake wall, and culminated in the January 6th sedition attempt. They probably think they're on a mission from on high to "rescue" Audacity from foreigners at all costs.

Another misstep for Audacity

Posted Jul 9, 2021 8:24 UTC (Fri) by immibis (subscriber, #105511) [Link] (2 responses)

Hmm, this article seems to be written in a somewhat biased way by assuming that Audacity's new ownership is *not* a cause for concern. We saw this kind of thing recently with Freenode. New owner imposes new changes; people don't like the changes; then we see the user-base split into two groups: those who think the new ownership is evil incarnate, and those who think it's perfectly fine, there's absolutely no cause for concern, and the first group are batshit crazy. (sometimes words like "SJW" are also thrown in)

I can imagine reading this article several weeks ago, with "Audacity" replaced by "Freenode":

> Since then, the situation would appear to have calmed down somewhat; the mob with the flaming torches broke up and went home prior to reaching the gates (though some of them appear to have found their way to the Libera fork instead). Freenode, it seems, has not quite become the evil menace that some people thought it might.

> It is worth thinking about how this situation came about, though. Nobody who runs a free IRC network, regardless of whether they are building a business around it, wants to be the subject of this sort of attention, after all. Sadly, this episode demonstrates one important aspect of life in this era: if the Internet decides that you are the entity that it is going to hate next, there is little to be done about it. The claims that Freenode is "collapsing" far outpaced any efforts to correct the record, and that association will remain in the minds of many for a long time.

But then, after this, Freenode *did* collapse. It's now a ghost town filled with 40k abandoned bouncer connections and the most active channel is #freenode where people argue random political nonsense. The "mob with the flaming torches" were right after all, and the people who said "the Internet hate mob is batshit crazy" are the ones who ended up being batshit crazy in the end.

Which demonstrates one important thing: if the Internet decides that you are part of an Internet hate mob, there is little to be done about it. The claim that the Internet has decided to unjustifiably hate on Audacity far outpaced any efforts to correct the record, and that association will remain in the minds of many for a long time.

Another misstep for Audacity

Posted Jul 9, 2021 13:39 UTC (Fri) by LtWorf (subscriber, #124958) [Link] (1 responses)

Although mobs can occasionally be right, they aren't necessarily always right.

I agree that the privacy policy is concerning, and looking at the source code only matters on Linux, but for Windows everyone will download a binary built by the company that made you agree to that privacy policy that gives them freedom to acquire any data they want.

Looking at the source argument is a bit of a fallacy because the concern isn't about what's in the code TODAY, but what will be there.

I think the new owners are testing the waters for what they can get away with.

I was not aware of what happened to one of the maintainers, and that is of course terrible.

Another misstep for Audacity

Posted Jul 11, 2021 5:43 UTC (Sun) by abo (subscriber, #77288) [Link]

Exactly, this is the kind of project where I'll be extra careful to stick with my trusted distro packages rather than upstream builds.

Another misstep for Audacity

Posted Jul 10, 2021 10:46 UTC (Sat) by ballombe (subscriber, #9523) [Link] (10 responses)

So a private company "buys" a free software project that in no way generates revenue and that they could just use for free by following the GPL.
What is their purpose? How will they make money from it?
How will they recoup their investment?
Unless there is a clear plan going forward, the prudent thing is to move as fast as possible from such a project. You cannot trust a company whose only obvious path forward is to screw you.
It is not like it is the first time it happens.

Another misstep for Audacity

Posted Jul 10, 2021 20:10 UTC (Sat) by HenrikH (subscriber, #31152) [Link] (8 responses)

I have no idea how they are making or planning to make money, they have acquired a lot of open source software over the years though: https://mu.se/muse-products so one could perhaps look at some of the early ones like MuseScore and see what they have done with that. My guess is that they are selling some form of support but it's hard to deduce from their website since it contains virtually zero information on what they actually do.

Another misstep for Audacity

Posted Jul 11, 2021 8:53 UTC (Sun) by ballombe (subscriber, #9523) [Link] (1 responses)

... but selling support for free software does not require buying them outright.
So we are back to square one...

Another misstep for Audacity

Posted Jul 11, 2021 12:21 UTC (Sun) by jkingweb (subscriber, #113039) [Link]

I would imagine it helps, though, especially if the software has a large Windows userbase which acquires the software directly from the original vendor.

If one of Muse's support customers wants X, but upstream rejects Muse's patch for X, customer will not get what they want unless they use Muse's fork, which Muse must now keep up to date with upstream.

Another misstep for Audacity

Posted Jul 18, 2021 16:43 UTC (Sun) by marcH (subscriber, #57642) [Link] (2 responses)

> so one could perhaps look at some of the early ones like MuseScore and see what they have done with that

No, that would be trying to get some facts. The Internet is not very interested in these, their potential for new outrage is too often too limited, they tend to cause very mild outrage at best.

Even old outrages are not interesting enough. Take for instance BigPharma: there are known bad behaviors there but they're not news so not interesting, you need something brand new to be exciting like some new COVID or vaccine conspiracy.

> > It would also be nice if the Internet would learn to damp its reactions a bit — but there seems to be little hope of that.

Propaganda and crazies are never going to leave the Internet but I have some hope that the next generations who grew up with them will learn and become a bit more cautious _resharing_.

Do you remember chain letters? These are gone aren't they?

Another misstep for Audacity

Posted Jul 18, 2021 21:31 UTC (Sun) by foom (subscriber, #14868) [Link] (1 responses)

> Do you remember chain letters? These are gone aren't they?

"The Chain Letter Is Back, and Just as Annoying as Before"
https://www.nytimes.com/2020/04/11/style/chain-letters-co...

Another misstep for Audacity

Posted Jul 18, 2021 23:53 UTC (Sun) by marcH (subscriber, #57642) [Link]

Interesting thanks! Two quotes though:

> Ann Shoket, 47, the author of “The Big Life” and former editor of Seventeen magazine, said these challenges give her a sense of belonging. “People are desperate for community,” she said. “They want to know other people are out there and paying attention to them.”

> But generally quarantine-era chain letters are milder than they were two or three decades ago, when harsh punishments were predicted for breaking the thread; maybe a family member would die or you would have bad sex for 10 years. “There is no threat in these contemporary versions,” Ms. Mockler said.
> Perhaps that’s because there is plenty of threat outside.

Another misstep for Audacity

Posted Jul 26, 2021 19:12 UTC (Mon) by yxejamir (subscriber, #103429) [Link] (2 responses)

My understanding is that Musescore is monetized by sharing subscription revenue with artists, who offer their scores for download in source form, i.e. in Musescore's native file format.

Another misstep for Audacity

Posted Jul 27, 2021 17:48 UTC (Tue) by flussence (guest, #85566) [Link]

I believe the reason Musescore is so widely despised is that a large part of their paywalled library consists of Creative Commons license violations where neither the copyright holder nor uploader sees a share of the revenue, as it all goes into the pockets of their middle managers and commercial music industry parasites.

Another misstep for Audacity

Posted Jul 27, 2021 23:03 UTC (Tue) by rodgerd (guest, #58896) [Link]

It started out hosting a bunch of pirated material before it got a commercial framework - a great deal of the rage is from one person who is adamant that no longer allowing access to pirated material for free is "illegal", in his words.

Another misstep for Audacity

Posted Jul 13, 2021 7:18 UTC (Tue) by immibis (subscriber, #105511) [Link]

Adding spyware and ads, allegedly.


Copyright © 2021, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds