Audacity has gone Creepy and I suggest we pay attention to the Forking off

Started by Exhale, July 06, 2021, 02:02:34

Previous topic - Next topic

Exhale

Audacity is now collecting stuff like your IP address, os, hardware specs and much more. If these things concern you, as they do me, do not upgrade to the new version and wait for the forks of the software to come out, they are happening right now and hopefully will be out soon.
I am personally shocked by this and it feels like a massive betrayal.

And if we have any users under 13, you are legally not even allowed to use the new version of audacity theoretically because of these new data collecting practices, so please hold back from updating and wait for the forks which will likely respect the original licence of the software and not restrict you from using it.

Please stay safe.

Here is a link to a promising looking fork:
https://github.com/temporary-audacity/audacity

EDIT : from what I am finding out, they cannot legally stop you from using it if you are under 13, they are simply requesting you dont use it... either way this is dodgy as heck
___________________
The turtle moves!

manx


Quote[Audacity changes]

1. Update Check

OpenMPT also has an automatic online update check since at least 2011. I consider such a feature basically unavoidable for any responsible developer because otherwise users will not get notified about critical security updates for the software. OpenMPT will ask before the first time it does an online update check, and you can of course disable the update check in OpenMPT (as is the case for Audacity).

2. System Statistics

Quote from: Exhale on July 06, 2021, 02:02:34
Audacity is now collecting stuff like your IP address, os, hardware specs and much more.

I have not looked into what exactly Audacity is starting to collect now, however you should be aware that OpenMPT is also collecting basic system statistics. As with Audacity, you are asked before OpenMPT sends this data for the first time, and you can disable that. See https://wiki.openmpt.org/Manual:_Setup/Update "Privacy Settings".

Without such statistics, we would not have been able to remove completely unused features in the past. Without removing such features, development would be even slower than it already is (because maintaining unused features for old system takes time and hinders code simplification). See https://forum.openmpt.org/index.php?topic=5708.0 and https://forum.openmpt.org/index.php?topic=6109.0 for further details.

3. Crash Reports

Quote[Audacity starts to collect crash reports.]

While OpenMPT is currently not (optionally) sending crash reports automatically, we actually do plan to implement that some time in the future. Why? Every time an unexperienced user reports a crash, we have to explain to them to actually provide the crash dump so that we can actually debug the issue. This takes about 10 minutes of time from both, us developers as well as from the user. In some cases users also do not want to be bothered at all, which basically results in bugs not getting fixed. Optional automated crash reporting could fix this, at least for some cases. See https://bugs.openmpt.org/view.php?id=1005.

4. CLA (Contributor License Agreement) requirement for Developers

What I find more concerning is the change to require signing a CLA to be allowed to contribute to Audacity. I have not followed the precise clauses in the Audacity CLA, however, in general such a CLA gives the maintaining company additional rights compared to what a contribution under the established project's Open Source License already guarantees. This leaves contributors and users on one side and maintainers on the other side under unequal terms and unequal rights regarding the project's source code and assets.

OpenMPT does not require signing a CLA.

5. Trademarks

Apparently, the name and logo of Audacity are now also registered trademarks.




From a developer's perspective:
(1) is an absolute requirement, and *EVERY* major software should do that
(2) is very useful, and as long as the collected statistics are limited to what is actually meaningful to allow for informed development decisions, I frankly see little problem with that. Note that I did not look into exactly what data Audacity is collecting here. It might be too much or it might not be.
(3) also solves actual problems for which I do not see any other solution that would work equally well.
(4) is the thing that I would be most concerned about. As far as I followed and understood the discussion (I am not a lawyer though), the CLA gives the maintaining company the rights to release closed-source commercial versions of Audacity which contain code from anyone who has contributed and signed the CLA. This is in contrast to the intention of the GPL-2.0-or-later (Audacity's license) and it is understandable that past and current contributors, as well as users, are upset about such a change.
I do not have any opinion on (5).

The thing that IMHO really went wrong with the Audacity situation however, is the way these changes, and in particular the CLA, were communicated and handled. Especially an online update check and crash reporting would probably not have caused such an uproar if it were not for the introduction of the CLA that happened before that (or at the same time).




Quote from: Exhale on July 06, 2021, 02:02:34
Here is a link to a promising looking fork:

There are multiple forks currently emerging, it is probably way too early to call any of them promising or anything, especially since some of the original Audacity contributors apparently agreed to signing the CLA and will thus likely continue to work on the original.

Given *how* things are changing with Audacity and its community, I tend to agree that everyone probably should be somewhat cautious about future Audacity versions.


Exhale

Thank you for the long and detailed reply - I am hugely concerned about this since the data they are going to collect makes them feel the need to keep 13 and younger users from using the software, they are also talking about selling the data they collect and collecting more data for police if they feel like it - or the wording of their stuff makes all these things likely.

https://www.youtube.com/watch?v=vaX9LuOWRHE&t=303s

https://www.youtube.com/watch?v=noQJNLsS3zw

here are two links you might find interesting on the topic, the second one is hoeg law, if you know anything about him, he is inclined to have a positive outlook on most of these things, however even he is worried.

I can certainly understand the perspective that none of the new forks could be considered promising since they are all brand new, personally I would call them all promising, because the sooner a fork happens when a company decides selling data is an option of free and open source software the better, and all forks are welcome.

I admit I am very upset and feel dirty that software I have loved and trusted for so many years is pretty much officially spyware at this stage, and yeah I will not be updating, and I will be moving to a fork as soon as they are available.
___________________
The turtle moves!

Saga Musix

This discussion (not here on the forum but in general) is fueled by outrage, which doesn't really help with explaining what is actually going on. I'm not going to watch those videos (don't have the time) but the fact that they already have outrage-y clickbait headlines tells me that they don't try to have a level-headed, objective discussion about the topic but that they already made up their mind and just want to fuel the outrage fire even more. I'm not interested in that kind of discussion, and in this age of misinformation I strongly believe we need less discussions of this kind, not more.

Quotethey are also talking about selling the data they collect
Please point out where they are saying that. The privacy policy explicitly says: "We do not sell personal information" - this is also reinforced in their clarification.

Quotecollecting more data for police if they feel like it
No, no no. See, their biggest mistake here is probably not that they are collecting the data, but that they are too honest and open about what storing data implies. Fun fact: The OpenMPT web server is also writing standard Apache access logs. If I was to write a privacy policy for the OpenMPT website and I wanted to cover my ass as much as possible, it would probably have to say the same thing about sending data to police. Why? Not because I'm sending daily reports to law enforcement telling them that a guy called Exhale visited the OpenMPT forum at 9:46 UTC on this Tuesday. However, if for whatever reason police approached me as the owner of this server and demanded to hand out any data about a specific IP address they might suspect has visited my server on a specific day and that is linked to some criminal activity for whatever reason, there is no way I can simply tell them "but I don't want to give you that data, I promised that to my users". You cannot simply say "no" to law enforcement in this kind of situation. This is what that privacy policy is about. If you were concerned about any website forwarding information to the police in their jurisdiction, you might as well stop visiting all of them, and downloading any software. Just because 90% of websites you visit or programs you use maybe don't explicitly mention that they will cooperate with the police doesn't mean that they won't, because they probably don't even have the possibility to not follow such orders if they are asked to. (I'm not a lawyer but I definitely would consult one if I ever ended up in this situation.)

Also, from my understanding, this kind of telemetry is going to be entirely optional in Audacity, just as it is in OpenMPT. Don't agree to Audacity checking for updates or sending telemetry data? Just say no on first launch, as you would do in OpenMPT. As manx said, you might just as claim say that OpenMPT is spyware because it has an update checker and very basic statistics. The real problem with Audacity's approach for me would be that their first attempt at implementing telemetry was going to use Google and Yandex as telemetry providers, but from my understanding the new approach involves a self-hosted solution, which is essentially also what OpenMPT is doing.
» No support, bug reports, feature requests via private messages - they will not be answered. Use the forums and the issue tracker so that everyone can benefit from your post.

manx

As said, I have not looked into the Audacity situation in much detail.
I merely wanted to point out that at least some of the changes (certainly not all of them) actually do make sense, and are in most cases not something to be overly worried about.
Also, the legal situation is very likely not exactly what the company claims to be the case, but also what actually is enforcable in the respective jurisdiction of the users' or contributors' country (which of course does not help very much if the company only cares about its own country's jurisdiction).

manx

On a related note, we (OpenMPT) also make most aspects (the parts that are probably most interesting) of the gathered statistics available publicly at https://buildbot.openmpt.org/statistics/.

Exhale

Thank you for your perspectives guys... it does help a little... I am in tears here I admit... anyways - I think this whole topic has gotten me riled up, and I dont think it has been a good one in general, so I will delete the topic. if I can figure out how. Nope I dont think I can...
Sorry guys :(
Since I cant delete it, I will lock it, so you guys who might have access to it, and if you dont want it cluttering up the recent posts section of the forum page, you can delete it if you want.
Again - I am sorry, I thought this might be an important topic to discuss here, and in a way it has been informative for me at least, maybe it is because I am an idiot.
Best regards to you both and sorry for this noise.
___________________
The turtle moves!

Saga Musix

Just as a general life tip: If you are feeling emotional or enraged, hold back and don't post on the internet. Cool off first. It often helps putting things into perspective.
» No support, bug reports, feature requests via private messages - they will not be answered. Use the forums and the issue tracker so that everyone can benefit from your post.