The last couple of months have been anything but pleasant for the new owners of the open source audio editor Audacity. It all began in May 2020 with news that Audacity was acquired by MuseGroup; what acquired meant exactly was not made clear back then, considering that Audacity was an open source project.

Also in May of the same year, plans to add Telemetry to Audacity were introduced on GitHub. These plans were dropped a week later because the move was criticized highly.

An update to the Desktop Privacy Notice was published in July 2021, and it too is generating uproar.  The note lists the data that Audacity is collecting as well as the reason for collecting the data, with whom the data is shared and under which circumstances, how the data is protected, and how it is stored and deleted.

The following data is or may be collected by Audacity:

• App Analytics and App Improvements:
  • OS version
  • User country based on IP address
  • OS name and version
  • CPU
  • Non-fatal error codes and messages (i.e. project failed to open)
  • Crash reports in Breakpad MiniDump format
• For legal enforcement
  • Data necessary for law enforcement, litigation and authorities’ requests (if any)

The "legal enforcement" data collecting part of the Desktop Privacy Notice is vague, as it does not list the data that Audacity may provide for "law enforcement, litigation and authorities’ requests". It is unclear why it is not listed. While it is clear that a company does not know which data law enforcement may request, a list of information that Audacity collects or may collect could be listed there.

Another paragraph that is seen as problematic is 7.1 Data storage and transfers of data. Audacity data is stored on servers in the European Economic Area according to the paragraph, but personal data may be shared occasionally with the group's main office in Russia and the group's external counsel in the United States.

The privacy notice looks like a lighter version of the group's Musescore privacy policy, but with less data collecting. The group's initial plan to collect more Telemetry in Audacity was halted because of the public outcry over the decision.

Closing Words

Controversy surrounding the new project owners of Audacity continues. It should be clear by now that any changes made that may affect user privacy are under scrutiny, especially if they are vague or may reduce the privacy of users.

The undefined data that Audacity may collect for law enforcement purposes falls into the category. The transferring of data to Russia or the United States is also problematic from a privacy point of view.