Audacity scrambles to clarify privacy terms to ease users

privacy terms

Audio-editing software Audacity has been accused by its users of being spyware for governments, following its update of its privacy terms which would see it collecting private user data.

The privacy terms, which were released last week, state that the program will start collecting certain forms of “personal data” like the user’s operating system name and version, and that user’s country based on their IP address.

Audacity will also collect “data necessary for law enforcement, litigation and authorities’ requests (if any).”

The company’s notice explains further that with the new privacy policy the company can hand over any private user data to state regulators, and countries including Russia, the U.S., and the EEA zone. Additionally, it might share the data with anyone they classify as a “third-party,” “advisors,” “staff members,” and/or “potential buyers.”

The move angered software users, describing it as an erosion of privacy.

In response, Audacity, which was acquired by Muse Group last April, considered that the notice was misinterpreted, claiming that “the policy was written by lawyers, to be understood by lawyers rather than the average person,” head of strategy at Muse, Daniel Ray told BBC News.  

“We don’t know anything about our users, and we don’t want users’ personal information – that doesn’t help us,” he stressed.

In parallel, the open-source audio program shared an additional announcement with its users, which entails that any user “under-13s could no longer use the Audacity app, to comply with data laws.” Ray added.

However, anyone of any age could still use the product in its offline mode.

It is worth mentioning that this decision violates the GPL license – the license under which Audacity is released – since GPL, is considered one of the most popular open-source licenses, prevents any restrictions on the usage of software.

The company was forced to post a policy clarification following a hailstorm of complaints it received. As such, Muse Group’s head of strategy posted on GitHub explaining that the company does not and will not sell any data it collects or share it with third parties.

“We believe concerns are due largely to unclear phrasing in the Privacy Policy, which we are now in the process of rectifying. In the meantime, we would like to clarify what seem to be the major points of concern,” Ray said in his post.

Ray described that the data collection process is limited to three main areas.

First, IP address, that is irretrievable after 24 hours and pseudonymized, a data de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers.

Basic System Info – OS version and CPU type. And lastly, the error report data are sent manually by users as part of an Error Report.

The clarification ensures that Audacity doesn’t collect any additional data beyond these three points.

Ray stressed, however, that the company will not collect or provide any information other than data described above with any government entity or law enforcement agency, unless it was forced through a court of law in a jurisdiction that Audacity serves within.

“We will not collect or provide any information other than data described above with any government entity or law enforcement agency,” he added.

“We do understand that unclear phrasing of the Privacy Policy and lack of context regarding introduction has led to major concerns about how we use and store the very limited data we collect. We will be publishing a revised version shortly,” Ray concluded.