audacity/audacity

New privacy policy is completely unacceptable!

Chryseus opened this issue · 535 comments

For anyone not yet aware, the official privacy policy was updated on the 2nd of July and contains some very disturbing things, most notably under data collection: "Data necessary for law enforcement, litigation and authorities' requests (if any)". I want to ask what exactly this means; it is completely vague and tells us nothing about what is actually being collected.

As far as I'm concerned, any data collection is unacceptable unless what is collected is exactly stated and opt-out is provided; for an open source project this is doubly so. I urge all users to remove Audacity from their system until this is resolved. In addition, if you're a Linux user, I would contact the package maintainer for your distribution, as such a license may not be permitted.

There's no way Debian package maintainers are letting this pass, their policies regarding privacy are pretty strict.

"The App we provide [Audacity] is not intended for individuals below the age of 13. If you are under 13 years old, please do not use the App."

Why is Audacity rated higher than PG-13? I'm pretty sure this directly contradicts the license.

"Who does Audacity share your Personal Data with?
[...]
3. to our auditors, advisors, legal representatives and similar agents [...]"

so, anyone you call a friend

"The App we provide [Audacity] is not intended for individuals below the age of 13. If you are under 13 years old, please do not use the App."

Why is Audacity rated higher than PG-13? I'm pretty sure this directly contradicts the license.

I'm pretty sure this is because the GDPR does not allow children to give consent, although the age depends on the member state; for example, it's 18 in the UK. It's pretty clear whoever wrote it doesn't understand the GDPR.

As @floopfloopfloopfloopfloop points out, this is incompatible with the GPL.

Privacy policy:

If you are under 13 years old, please do not use the App.

GPLv2:

The act of running the Program is not restricted

GPLv3:

This License explicitly affirms your unlimited permission to run the unmodified Program.

Fork this or stop using it. There is no need for big brother in a mostly offline audio program.

It looks like a shorter version of Musescore's Privacy Policy. As of recently, they're owned by the same group.

Use firejail --net=none or opensnitch to deny network access.

the audacity to do this....

The telemetry pull request and now this... They are digging their own grave.

Fork. Fork. Fork. Fork. Fork.

Fork me

"The App we provide [Audacity] is not intended for individuals below the age of 13. If you are under 13 years old, please do not use the App."

Why is Audacity rated higher than PG-13? I'm pretty sure this directly contradicts the license.

"Who does Audacity share your Personal Data with?
[...]
3. to our auditors, advisors, legal representatives and similar agents [...]"

so, anyone you call a friend

Essentially, if it's restricted to people under 13, that just means that data collection cannot be opted out of.

When you can't use the knife, use the fork

Is this going to become another The Great Suspender fiasco?

I think its official, Musegroup are intending to kill Audacity. Someone hit me up with a link to the main fork?

At this point Audacity product can't be trusted even if they revert this change.

Keep me in the loop on a fork as well. This update to the privacy policy has led me to lose what little trust I had left in the owners of this application caring about user privacy.

Fork. Just fork.
Does anyone know if there are any forks that are actively going to be maintained or the commit which this data collection was added?
If anyone is going to fork, I would expect a community managed system where leaders are elected probably.

Or even better, take them to court for the GPL violation.

Yep, the GPL violation is downright disgusting IMO; it's in direct violation of the code that hundreds of people have put in. Seems the best result here is that a fork of Audacity comes out that doesn't have all this frankly nonsense in it. That doesn't seem to exist as of yet; most of them are just backup repos of right before the purchase, though.

Could you guys not try to sneak in stuff to rip our data FOR 5 MINUTES!

mnh48 commented

The age restriction now in the privacy policy goes completely against the licensing of the software; someone should get a lawyer to represent every Audacity user under 13 years old who used to be able to use it under the GPL license but is suddenly prohibited by the privacy policy, and take the issue to court.

GPL requires that you allow EVERYONE, including those under 13 years old, to use the software freely.

This completely undermines any remnants of trust I might have had for the current Audacity owner, and I'm not going to continue using this software in the current form. Here's hoping for a well maintained fork instead.

If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term.

Can the age clause even apply?

Yep, the GPL violation is downright disgusting IMO; it's in direct violation of the code that hundreds of people have put in. Seems the best result here is that a fork of Audacity comes out that doesn't have all this frankly nonsense in it. That doesn't seem to exist as of yet; most of them are just backup repos of right before the purchase, though.

Problem is, Muse is not bound by the GPL because of the last debacle regarding the CLA. Muse basically got all the main developers to sign that CLA, and in that thread said they were just rewriting smaller contributions to avoid getting them to sign it.

#932

At this point a fork is the reasonable option, if muse going to be like this.

Problem is, Muse is not bound by the GPL because of the last debacle regarding the CLA.

#932

At this point a fork is the reasonable option, if muse going to be like this.

I don't think that all code is yet under the CLA, making this a GPL violation if enforced.

I don't think that all code is yet under the CLA, making this a GPL violation if enforced.

I have not looked closely at the commit history, but they said in the CLA topic they were rewriting all the code from small contributions to avoid having to try and get those people to sign the CLA.

Problem is, Muse is not bound by the GPL because of the last debacle regarding the CLA. Muse basically got all the main developers to sign that CLA, and in that thread said they were just rewriting smaller contributions to avoid getting them to sign it.

#932

At this point a fork is the reasonable option, if muse going to be like this.

They can say that all they like; rewriting the other contributions does not remove the fact that this work is a derivative work of theirs. GPL remains with the codebase - it's a feature, not a bug, and it's designed to prevent exactly this scenario.

I have not looked closely at the commit history, but they said in the CLA topic they were rewriting all the code from small contributions to avoid having to try and get those people to sign the CLA.

Yeah but I don't think that, at this current time, is completed yet

Unfortunate, as Audacity is a big name amongst hobbyist software for being some of the best in its class. I suppose it's not the first time major projects have undergone a "rebranding" when the parent tries to pull some corporate crap, but it's always unfortunate whenever it's needed.

They can say that all they like; rewriting the other contributions does not remove the fact that this work is a derivative work of theirs. GPL remains with the codebase - it's a feature, not a bug, and it's designed to prevent exactly this scenario.

Depends how they go about rewriting those portions. It's certainly possible to rewrite features to get a different license. You see this often in BSD world. Whether or not they crossed all their t's and dotted all their i's when doing that would be question for a court, and sadly probably only those smaller contributors would have standing to sue.

Unfortunate, as Audacity is a big name amongst hobbyist software for being some of the best in its class. I suppose it's not the first time major projects have undergone a "rebranding" when the parent tries to pull some corporate crap, but it's always unfortunate whenever it's needed.

Yeah, for example LibreOffice is still a less known name than OpenOffice. A fork can't really do anything about trademarks.

I've started to dig through the codebase, and as far as I can tell most if not all things could've been disabled when modifying the cmake files via the following flags:

  • HAS_CRASHREPORTS
  • HAS_UPDATE_CHECK
  • HAS_NETWORKING
  • HAS_SENTRY_REPORTING

I also started a fork at https://github.com/cookiengineer/audacity, where I would ideally see this in the form of a foundation where contributors can vote on what happens to it or not. Personally, I'd like to see this project GPL2 compliant (which means no telemetry, no tracking and certainly no PG-13 rating because of it).

In order to be sure that my modifications have no potential side effects or code ignoring the build flags, I've removed all networking related code in my fork, including the Help Menu integrations for Crash Reporting and the Update Manager that is running in the background periodically.

But I also wanted to make a fair statement here: The cmake flags hint that Muse Group's intentions were clearly trying to make it opt-in from a maintainer's perspective (Debian/Arch/whatever distro's policies), so I would not use this against them.

However, the license is chosen unwisely in regards to GPL2 compliance (maybe a copy/paste mistake?), and therefore should be checked again with their legal team - as it was the cause of this issue and the rising internet rage over at HackerNews and Reddit.

I'd also prefer that even when the package maintainer has decided to include tracking options that there would be a dialog in the beginning, asking the user whether or not they want to opt-in to those separately, each able to be deselected or selected.

Having said that, and having seen the actual codebase without making irrelevant claims, I think the intent of the Muse Group was not malicious here; and it seems more to be a simple copy/paste mistake of another license they were using for other software they owned/published before.

Disclaimer: Not associated in any form with Muse Group, not a lawyer, just a concerned European citizen.
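The build-time switches listed in this comment, as an added example that is not part of the comment or of Audacity's own build scripts: a configure wrapper that passes all four as OFF and then reads the generated CMakeCache.txt back, so a switch the tree does not recognise under that name (and would silently ignore) is reported instead of assumed. The switch names are copied from the comment; that they are exposed on the cmake command line under exactly those names, and the source and build paths, are assumptions to check against the tree's CMakeLists.txt (for instance with `cmake -LH`).

```shell
#!/bin/sh
# Added example: a configure wrapper for an Audacity checkout, not a script
# from the Audacity project. It passes the four build-time switches named in
# the comment above as OFF and then checks the generated CMakeCache.txt, so a
# switch that the tree does not recognise (and therefore silently ignores) is
# reported instead of assumed. Switch names are taken from the comment; that
# they are exposed on the cmake command line under exactly these names, and
# the source/build paths, are assumptions.
set -eu

SRC_DIR="${1:-$PWD}"                       # assumed: Audacity source checkout
BUILD_DIR="${2:-$SRC_DIR/build-nonet}"     # assumed: out-of-tree build dir

NETWORK_SWITCHES="HAS_CRASHREPORTS HAS_UPDATE_CHECK HAS_NETWORKING HAS_SENTRY_REPORTING"

# One "-DNAME=OFF" per line, for the cmake command line.
cmake_off_args() {
    for name in $NETWORK_SWITCHES; do
        printf -- '-D%s=OFF\n' "$name"
    done
}

# Read a CMakeCache.txt on stdin; return 0 only if every switch in
# NETWORK_SWITCHES is present and recorded as OFF. Cache lines look like
#     HAS_NETWORKING:BOOL=OFF
# A switch that is missing (option name not recognised by this tree) or still
# ON fails the check, which is the whole point: a typo in an option name would
# otherwise leave the networking code compiled in.
cache_has_all_off() {
    cache=$(cat)
    for name in $NETWORK_SWITCHES; do
        value=$(printf '%s\n' "$cache" | sed -n "s/^$name:[A-Z]*=//p" | head -n 1)
        case "$value" in
            OFF|off|0|NO|no|FALSE|false) ;;
            *) echo "switch $name is '${value:-missing}', expected OFF" >&2; return 1 ;;
        esac
    done
}

configure_without_network() {
    mkdir -p "$BUILD_DIR"
    # word-splitting the -D arguments below is intended
    # shellcheck disable=SC2046
    cmake -S "$SRC_DIR" -B "$BUILD_DIR" -DCMAKE_BUILD_TYPE=Release $(cmake_off_args)
    cache_has_all_off < "$BUILD_DIR/CMakeCache.txt"
    echo "configured in $BUILD_DIR with networking, telemetry, crash reports and update checks off"
}

# Run the real configure only when a source directory was given on the command line.
if [ -n "${1:-}" ]; then
    configure_without_network
fi
```

Usage (script name assumed): `sh build-nonet.sh ~/src/audacity`, then build in the reported directory as usual. The cache check is the part worth keeping even if you configure by hand: an unrecognised `-D` option produces no error from cmake, it just ends up as an unused cache entry, and the only way to know the switch took is to read it back. After linking, `ldd` on the resulting binary is a second, independent check: if the HTTP library the tree's networking code links against still shows up, the switch did not remove what you expected.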

I want to shout out to all the core developers who sold this beautiful piece of software, we couldn't have come here without you ❤️

Yeah let's not attack the open source developers who worked on this project for years so that this even exists in the first place and finally sold it so they could make a good chunk of money off it.

Does it suck the situation this software is in? Sure, but let's not attack the original developers for that.

Selling a FOSS project to a sketchy company is not nice, but this is why you donate to developers. They have to pay the bills, too.

What a disappointment for such a great software. The community should fork and leave this corporate sketchiness behind.

This spits in the face of the free software spirit.
RIP Audacity.

This change is in violation of the license agreement under which contributions to this codebase have been made.

By restricting anyone under the age of 13 from using the software, you have violated GPLv2 under which the software is licensed at least since 2010.

You do not have the authority of ownership to modify the license under which others' GPLv2 contributions were made without their explicit permission.

You must remove any restrictions that would legally prevent anyone from using this software, or you must change your license and immediately remove any and all contributions by developers that have not explicitly agreed to license their contributions under your new license.

As far as I'm concerned any data collection is unacceptable unless what is collected is exactly stated and opt-out is provided

I'd prefer it if it was Opt-In.

This is the last straw for me. First spyware, then a CLA, and then this. It's fork time baby.

gxtu commented

@bredmor

You do not have the authority of ownership to modify the license under which others' GPLv2 contributions were made without their explicit permission.

This FAQ says:

People who have contributed considerable amounts of code have already been asked to sign the CLA, and the vast majority have now done so. Over 90% of all written code is already covered by the CLA, and we are now asking the few remaining people to sign as well as all new contributors.

The first sentence in that CLA is:

You grant MUSECY SM LTD, an affiliate of MuseScore and Ultimate Guitar, ("Company") the ability to use the Contributions in any way.

90% is not 100%

gxtu commented

@duplexsystem
The next sentence in that FAQ is:

It is not necessary for every single person who ever contributed to sign the CLA; only people who made a non-trivial contribution that is still present in the current source code have to sign, as well as all new contributors.

I'm not sure how close they are to 100% now, but all of this wouldn't make any sense if they didn't plan on removing or rewriting everything they can't cover using the CLA. I don't like it either, but it looks like it isn't far fetched to think that they are or at least will in the near future be able to make this change regardless of the current license.

They aren't at 100% yet which means this is still violating the GPL

Oh they appear to be hiding comments they don't agree with

I'm sure our Muse overlords would never do such a thing.

gxtu commented

@duplexsystem

They aren't at 100% yet

I'd love to see an official source on that if there is one. The point of my response to @bredmor was to say that at this point we don't really know if they can do it or not. At the very least it casts some doubt on the argument that they can't implement the new privacy policy because of the GPL

Even if they did go through and rewrite everything it would still be considered a derivative work of the prior code (in most cases) so it would still have the same license restrictions

I dropped Windows because of crap like this. As far as I'm concerned the Audacity team can fuck themselves with barbwire-wrapped telephone poles.

I am guessing a large proportion of Audacity users are under the age of 13, my daughter included. Young people learn a lot from free software. No locking young people out.

Just asked the Fedora legal team to review the latest changes in license and ToS: https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/thread/V2VSR6W3SZ3UE6UAS3TH2ZDRHTGXFCU6/

The new ToS is absolutely unacceptable for me.

Screenshot from 2021-07-04 15-06-53

Remove that "Free" (as in freedom) word that you don't deserve anymore from the website

Could you tell me which was the last version without this disgrace? What is the last safe version?

Probably stating the obvious here, but there are lawyers that specialize in opensource & free software.

@elycastellano, 3.0.2, that's for sure, because situations such as the attempt to introduce "telemetry" came later than that release. But it's best to install 2.4.2 just to be safe.

Considering how schools use this software, including those who are kids, this is pretty unacceptable. Sure, you could fork it, and remove such tracking code, but come on. A normal end user shouldn't have to do that.

@duplexsystem
The next sentence in that FAQ is:

It is not necessary for every single person who ever contributed to sign the CLA; only people who made a non-trivial contribution that is still present in the current source code have to sign, as well as all new contributors.

I'm not sure how close they are to 100% now, but all of this wouldn't make any sense if they didn't plan on removing or rewriting everything they can't cover using the CLA. I don't like it either, but it looks like it isn't far fetched to think that they are or at least will in the near future be able to make this change regardless of the current license.

They are legally wrong, very wrong, and anyone who refused to sign and has their code in there would be able to sue them for copyright infringement if they did anything beyond the GPL with the code.

@pizzadude said:

Use firejail --net=none or opensnitch to deny network access.

There is a privilege escalation vulnerability which is fixed in v0.9.64.4 by disabling overlayfs.
With previous versions you can disable overlayfs in /etc/firejail/firejail.config:

$ grep overlayfs /etc/firejail/firejail.config
# Enable or disable overlayfs features, default enabled.
overlayfs no
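Pulling together the two firejail points above (the `firejail --net=none` suggestion and the overlayfs fix in 0.9.64.4 that this comment quotes), as an added example that is not from the thread or the Audacity project: a launcher that refuses to run on a firejail older than 0.9.64.4 unless overlayfs is disabled in firejail.config, confirms from inside the sandbox that only the loopback interface is visible, and only then starts Audacity. Paths, the firejail options chosen and the `firejail version X.Y.Z` output format are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Audacity project: start Audacity
# under firejail with no network, after checking the overlayfs point raised
# above (privilege escalation fixed in 0.9.64.4 by disabling overlayfs; older
# versions need "overlayfs no" in firejail.config). Paths, the firejail options
# chosen and the "firejail version X.Y.Z" output format are assumptions.
set -eu

FIREJAIL_CONF="${FIREJAIL_CONF:-/etc/firejail/firejail.config}"
AUDACITY_BIN="${AUDACITY_BIN:-audacity}"
FIXED_VERSION="0.9.64.4"    # first release with overlayfs disabled, per the comment above

# Dotted-version comparison: returns 0 when $1 >= $2 (GNU sort -V ordering).
version_ge() {
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$2" ]
}

# Read firejail.config on stdin; return 0 only when an uncommented
# "overlayfs no" line is present (the last one wins). No line means the
# default, which the config comment says is enabled, so that fails the check.
overlayfs_disabled() {
    setting=$(sed -n 's/^[[:space:]]*overlayfs[[:space:]]*\([a-z]*\).*/\1/p' | tail -n 1)
    [ "$setting" = "no" ]
}

# A fixed version is safe as-is; an older one only if the config disables overlayfs.
overlayfs_safe() {
    version="$1"; conf="$2"
    if version_ge "$version" "$FIXED_VERSION"; then
        return 0
    fi
    overlayfs_disabled < "$conf"
}

# Interface names on stdin (one per line, e.g. from `ls /sys/class/net`);
# return 0 only if loopback is the sole interface, i.e. --net=none took effect.
only_loopback() {
    ifaces=$(grep -v '^[[:space:]]*$' | sort -u | tr '\n' ' ')
    [ "$ifaces" = "lo " ]
}

run_sandboxed() {
    command -v firejail >/dev/null || { echo "firejail not installed" >&2; return 1; }
    installed=$(firejail --version | sed -n 's/^firejail version \([0-9.]*\).*/\1/p')
    overlayfs_safe "$installed" "$FIREJAIL_CONF" || {
        echo "firejail $installed with overlayfs enabled: set 'overlayfs no' in $FIREJAIL_CONF first" >&2
        return 1
    }
    # Prove the sandbox has no network before starting the real program.
    firejail --quiet --net=none --private-tmp sh -c 'ls /sys/class/net' | only_loopback || {
        echo "sandbox still sees non-loopback interfaces" >&2
        return 1
    }
    exec firejail --net=none --private-tmp --noroot "$AUDACITY_BIN" "$@"
}

if [ "${1:-}" = "--run" ]; then
    shift
    run_sandboxed "$@"
fi
```

Usage: `sh audacity-nonet.sh --run project.aup3` (script name assumed). The interface probe matters more than it looks: `--net=none` puts the process in a fresh network namespace, so the program cannot open a socket to anything but itself, and listing `/sys/class/net` from inside that namespace is a cheap way to confirm the option was honoured rather than trusting the command line. The version gate is there because a sandbox whose own setuid helper is exploitable is a worse trade than no sandbox at all.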

Considering how schools use this software, including those who are kids, this is pretty unacceptable. Sure, you could fork it, and remove such tracking code, but come on. A normal end user shouldn't have to do that.

Who said a normal end user will do that? It is possible for an open source developer to set up a full fork, builds and all, under a new name.

@elycastellano, 3.0.2, that's for sure, because situations such as the attempt to introduce "telemetry" came later than that release. But it's best to install 2.4.2 just to be safe.

I already have a forked repo on github from the first pull request we had that got denied over this stuff. I'm not the only one who hit the fork button then. So we already have a copy of the code from before anything problematic happened.

Taking notes. I'll just stay with 2.4.2 myself: that's the version I have installed.

I have just one question: Is the data collected by this privacy policy worth the missed opportunity of children to use Audacity in their free time and in schools to get their first band up and running, record a song, tinker with the recordings and put a smile on their parents', grandparents' and friends' faces?

Between this, and telemetry, and

4.4 to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your Personal Data only for the purposes disclosed in this Notice;

Is Audacity planning on being acquired? Does that conform to the restrictions of GPL-v2?

... I guess the copyright holder could always relicense the work, but does this mean a fork (a la uBlock Origin) is in order?

UK teacher here

The 13+ age requirement will mean that your software is removed from all schools in the UK when they decide to upgrade from audacity 2.x to audacity 3.x.

Is this the outcome that you desire? Loss of visibility to getting on for 10 million people?

Please consider a telemetry free education version for download to .edu/.ac.uk &c domains.

I'd personally like a really clear understanding of this line from their own Privacy Notice:

"All your personal data is stored on our servers"

What "personal data" of mine are you storing on servers in EEA and Russia?

For what purpose are you transmitting my personal data and storing it on foreign soil?

This privacy notice can eat my ass.

What a disaster! Why do they need my personal data to use free software (or something that's supposed to be free software)?

I'm waiting for a fork of Audacity.

Has anything telemetry related been merged into the project or not?

s5bug commented

Coming here to add my thoughts about this "Nobody under 13 can use this program" nonsense:

I started using the internet at 7. The ability to use free editors, whether that be for audio, video, or code, and free services like forums or GitHub, is what enabled me to be so interested in technology and programming. Audacity is by far the biggest open-source audio editor, and I've been using it for years.

You're trying to kill any prospect of young people, especially ones in families that don't have the time or knowledge to understand or guide their technology use, getting to understand and explore audio editing. I've turned away from "13+ only" dialogs, and I'm certain many great young minds will too.

Do better.

Coming here to add my thoughts about this "Nobody under 13 can use this program" nonsense:

This is likely included, because of GDPR guidelines, and because they can't litigate against anyone 13 and under for any suspected copyright violations found while using the program.

There's been some discussion on Reddit about them consuming MuseScore, after stealing a number of community tabs, calling them their own. At least one author intentionally put flaws in their tabs as 'watermarks', and those ended up in the final copies they claimed wasn't from the community.

There's a lot of shady business going on here, with the various projects being swallowed up and put under the Muse Group umbrella, from the copyright assignment enforcement through to the changes in Audacity and the forked version of the wxWidgets library needed to build it.

It's time to start putting Audacity and similar apps under an AppArmor profile that restricts what they can do; read, write and ZERO network access permitted. This should be shipped with the package by default on all Linux distributions, and static Windows Firewall rules applied at install time on those platforms.
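One way to do what this comment asks for on Linux, as an added example rather than anything shipped by a distribution or by the Audacity project: a minimal AppArmor profile that keeps file and sound-card access but denies every network operation, with the commands to load it and a check on the generated text before loading. The binary path, the abstraction names and the Debian/Ubuntu profile directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Audacity project: a minimal
# AppArmor profile that lets Audacity read/write files and talk to the sound
# card but denies every network operation, plus the commands to load it.
# Binary path, profile directory and abstraction names are assumptions
# (Debian/Ubuntu layout); check them against your system.
set -eu

AUDACITY_BIN="${AUDACITY_BIN:-/usr/bin/audacity}"
PROFILE_NAME="audacity-nonet"
PROFILE_PATH="/etc/apparmor.d/${PROFILE_NAME}"

# Print the profile text. In enforce mode anything not listed is refused;
# the explicit "deny network," rule also keeps the blocked attempts out of
# the audit log as noise.
audacity_profile() {
    bin="$1"
    cat <<EOF
#include <tunables/global>

profile ${PROFILE_NAME} ${bin} flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/audio>
  #include <abstractions/fonts>
  #include <abstractions/X>
  #include <abstractions/user-tmp>

  # No sockets of any family: no telemetry, no update checks, no crash uploads.
  deny network,

  ${bin} mr,
  /usr/lib/** mr,
  /usr/share/audacity/** r,
  /usr/share/locale/** r,
  /etc/fonts/** r,
  /dev/snd/* rw,

  # Projects, exports and Audacity's own settings under the user's home.
  owner @{HOME}/** rwk,
}
EOF
}

# Review the generated text before loading it: the profile must attach to the
# given binary and must carry the network deny.
profile_denies_network() {
    text=$(cat)
    printf '%s\n' "$text" | grep -q '^[[:space:]]*deny network,' || return 1
    printf '%s\n' "$text" | grep -q "^profile ${PROFILE_NAME} $1 " || return 1
}

install_profile() {
    audacity_profile "$AUDACITY_BIN" | profile_denies_network "$AUDACITY_BIN"
    audacity_profile "$AUDACITY_BIN" > "$PROFILE_PATH"
    apparmor_parser -r "$PROFILE_PATH"      # load (or reload) in enforce mode
    aa-status | grep -F "$PROFILE_NAME"     # confirm it is listed as enforced
}

if [ "${1:-}" = "--install" ]; then
    install_profile
fi
```

Run with `sudo sh audacity-apparmor.sh --install` (script name assumed). Because the profile is keyed on the executable path, it applies whenever that binary starts, from a menu, a terminal or a file association, which is the "shipped with the package" behaviour the comment wants and which a per-invocation wrapper cannot give. Blocked attempts can be watched with `dmesg | grep apparmor`. The Windows counterpart the comment mentions is an outbound block rule on the installed executable, e.g. `New-NetFirewallRule -Direction Outbound -Action Block -Program <path to audacity.exe>` run as administrator; the install path is an assumption.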

I don't know what Muse Group thinks they're going to get out of this. They're going to change this or people will just move to a fork.

They're going to change this or people will just move to a fork.

Unlikely they're going to change this, as they've already committed significant legal, development and other resources to this approach. There are probably revenue streams tied back to feeding the data to law enforcement as well, that they'll lose out on.

A fork, while undesirable in almost every case of an OSS project, is sometimes necessary to ensure the spirit and law of the licenses is respected. The problem with a fork in this specific case, is that the main developers and copyright holders already signed over their rights to the Muse Group through a CLA, and will likely not contribute to a forked version as well.

This means any fork would have to find the same level of development skills/resources, as well as interest in continuing a fork, in order for that fork to survive and replace the one Muse is proposing.

Note: There are already 1.2k forks of the main audacity repository, many probably resulting from this news, so the codebase can be preserved before it moves under a private repository.

The problem with every company buying out FOSS software is that they will add some data collection somewhere because the law "requires" them to do so; at the very least they could just make it opt-in.

I remember when Audacity was still an independent project. Where did we go wrong?
Isn't capitalism wonderful?

It's just companies trying to take over open-source, nothing special... cough Microsoft cough

sbrl commented

Genuine question: How and why were they taken over, and why wasn't the community consulted about the decision (I assume)?

Money I guess?

sbrl commented

Given that I'm sure that quite possibly 100s of people have contributed to Audacity's codebase, surely that means they would need the permission of every single contributor in order to sign the rights away like this? This can't be legal.

Given that I'm sure that quite possibly 100s of people have contributed to Audacity's codebase, surely that means they would need the permission of every single contributor in order to sign the rights away like this? This can't be legal.

They claim that 90% of the code has been signed off to them and they own it using a CLA and they are working to remove the rest of the copyrighted code

sbrl commented

They claim that 90% of the code has been signed off to them and they own it using a CLA and they are working to remove the rest of the copyrighted code

Source, @caughtquick?

They claim that 90% of the code has been signed off to them and they own it using a CLA and they are working to remove the rest of the copyrighted code

Source?

https://www.audacityteam.org/cla/

sbrl commented

Anybody got a copy of that page before they were bought out?

the CLA was created when muse bought them out

It seems Muse isn't committed to the original goal of Audacity, which is to be a FREE and OPEN SOURCE audio editor. They want to take all the advantages FOSS provides and now close-source the product and commercialize it, IMO.

It seems Muse isn't committed to the original goal of Audacity, which is to be a FREE and OPEN SOURCE audio editor. They want to take all the advantages FOSS provides and now close-source the product and commercialize it, IMO.

Which is sadly what happens in most cases...

For anyone that's interested, I've made an Audacity fork right now, and as I cannot see any telemetry yet (nothing in the settings to be opted out of) I'll be watching their commits to see if what they add is safe to add on my fork (which is called Audacitium, inspired by VSCodium).

https://github.com/SartoxOnlyGNU/audacitium

sbrl commented

@AnErrupTion can I donate to the cause

What do you mean?

@AnErrupTion You are aware that my fork already removed all code that contained telemetry and networking? https://github.com/cookiengineer/audacity

The game plan is to analyze every single audio/video clip and check it against known database of Copyrighted material. If you get a match, the police get your data. /s

[ mention me if you want my reply/attention; this issue is hard to keep track of :) ]

@AnErrupTion You are aware that my fork already removed all code that contained telemetry and networking? https://github.com/cookiengineer/audacity

Ah I didn't know, however I think you're a bit too aggressive when removing update checking (removing auto update is fine, but update checking.. really?)

The game plan is to analyze every single audio/video clip and check it against known database of Copyrighted material. If you get a match, the police get your data. /s

[ mention me if you want my reply/attention; this issue is hard to keep track of :) ]

Well that's tricky and... dumb; Audacity is mainly used to edit audio or even create; why in hell would they even do that?

I'm guessing that this is indeed the end.

RIP

I'm guessing that this is indeed the end.

RIP

There are forks, and so is the community; it will very likely be revived (cookiengineer has removed some stuff in his fork, and I have made a fork of Audacity too).

@AnErrupTion You are aware that my fork already removed all code that contained telemetry and networking? https://github.com/cookiengineer/audacity

Ah I didn't know, however I think you're a bit too aggressive when removing update checking (removing auto update is fine, but update checking.. really?)

For most Linux users update checking is unnecessary network access. A good compromise would be keeping it enabled on Windows but disabling it on Linux IMO, though I don't know how challenging that would be with the codebase.

There are forks, and so is the community; it will very likely be revived (cookiengineer has removed some stuff in his fork, and I have made a fork of Audacity too).

I'll definitely check those out.

Shame this had to happen at all though.

I mean yeah with package managers, I myself do use Linux but even then a toggle in the settings would be possible and, as you said, disabling it on Linux but enabling it on Windows and Mac.

I'll definitely check those out.

Shame this had to happen at all though.

Yeah but it's the sad truth after all... reality is reality, can't change that :/

Yeah but it's the sad truth after all... reality is reality, can't change that :/

Any suggestion on how to keep them from collecting data for now though? Sandboxing? Anything else?