Get forked

Fans made an Audacity clone to skirt around data-collection policies

Hell hath no fury like an open-source software fan scorned.

Audacity has long been a fan-favorite audio editing application for its bare-bones functionality and low, low price of zero dollars. The team behind the software angered fans this week by sending out a privacy notice announcing Audacity would now be collecting user data like IP addresses.

The notice, which was posted to the company’s website on July 2, says Audacity may collect personal information like IP address, location, OS version, and “data necessary for law enforcement litigation and authorities’ requests.” Audacity also said that, though data would be stored on E.U.-based servers, the company would occasionally be required to “share your personal data with our main office in Russia and our external counsel in the U.S.A.”

Users were understandably upset by the sudden change of heart and policy — some went as far as to call it “possible spyware” — so they went ahead and created a new version of Audacity without the possibility of data collection. At this point, Audacity has essentially undone the problematic privacy policy, but the damage is already done, as far as some are concerned.

That’s open-source for you — Audacity’s claim to fame is its commitment to being free and open-source since its first release more than two decades ago. By its very nature, Audacity’s source code has always been open to the public — and that’s exactly how coders were able to create a near-identical replica of the program free of Audacity’s new data-collection openings.

A Twitter user by the name of Cookie Engineer created one such fork that’s garnered much interest from the Audacity community. Cookie Engineer, a cybersecurity analyst, told Motherboard they were concerned by the new privacy policy’s allowance for server use outside the E.U., “where the Wild-West of cyber espionage is legitimized.” Cookie Engineer stripped the Audacity code of all networking capabilities and update checks.

Audacity walks it back — Audacity says the online outrage boils down to a simple misunderstanding. The company’s Group Head of Strategy, Daniel Ray, posted a clarification to GitHub on July 5 in an attempt to reassure users that the data collected is very limited and never sold to any third parties. Ray also said that Audacity would be working with its legal team to revise the policy and more clearly communicate that intent.

“Part of the problem here is that privacy policies are written in legal language,” Ray told Motherboard. “There was a communication breakdown. Take the line about Russia, for example. We have to say that under the GDPR because our system admin guy is physically in Russia.”

That clarification isn’t enough for some users, though. Some worry that Audacity’s new owner, Muse Group, is up to something fishy — Muse, which is in turn owned by a Russian company called WSM Group, acquired Audacity in May 2021 after many years of independence.

Ray says Audacity will continue to be open-source moving forward, and that any data collection is being carried out simply to improve the project. “It shouldn’t be controversial to make free software better,” he says. Unfortunately, the vague privacy policy has already done its damage. It’s going to take more than a quick follow-up to convince Audacity fans the software isn’t changing for the worse.