Audacity spyware denial: App-owners defend privacy policy change

Audacity owners Muse Group have denied that the popular open-source audio app is secretly turning into spyware, blaming an unclear privacy policy update rather than nefarious intent for the confusion. Long a popular tool for musicians and podcasters, Audacity made headlines earlier this week after changes to its privacy policy suggested the owners planned to sell user data.

Open-source, Audacity was first released all the way back in 2000. However it was acquired earlier this year by Muse Group, which also owns MuseScore and Ultimate Guitar. Last week the company revealed upcoming changes to Audacity's privacy policy, causing controversy in the process.

The new policy – which would come into play with the upcoming Audacity (3.0.3) release – seemingly gave Muse Group permission to collect user data, transmit it back to its servers, and share it with law enforcement. It also apparently left leeway for Muse Group to sell user data to third-party companies.

The reaction was fairly swift, and almost ubiquitously negative. A fork of Audacity quickly sprang up, splitting off from the proposed privacy changes, while users accused Muse Group of undermining the spirit of open-source software. Now, though, Muse Group says the interpretation of its new policies was incorrect, and that it's updating the language to make completely clear what is planned.

"We do understand that unclear phrasing of the Privacy Policy and lack of context regarding introduction has led to major concerns about how we use and store the very limited data we collect," Daniel Ray, Head of Strategy at Muse Group, posted on the company's GitHub page. "We will be publishing a revised version shortly."

Ray also gave a run-down of some of the things the amended policy will presumably be making more clear. "We do not and will not sell ANY data we collect or share it with 3rd parties," he insists. Meanwhile, "data we collect is very limited."

For example, IP addresses are "pseudonymised and irretrievable after 24 hours," and the only system information collected is OS version and processor type. No further data is gathered, beyond anything included in a manually submitted Error Report.

As for compliance with law enforcement, that too is limited to the same collection boundaries. "Data is not shared upon an agency request," Ray says, "we will do so only if compelled by a court of law in a jurisdiction that we serve."

Finally, the Privacy Policy will not apply to any offline use of Audacity. "We are working with our legal team to revise our privacy policy to more clearly communicate the above points and our intent," Ray concludes.

While it's not uncommon for uncertainty to spread because of "legalese" language, it's worth noting that this isn't the first time Muse Group has been forced to defend itself after changes unwelcome among users. A new Contributor License Agreement (CLA) requirement announced in May, for example, prompted fury at the possibility of a proprietary version of the app, though at the time Ray insisted that there was no plan to make a paid Audacity version or one in which features were locked behind a paywall of some sort.

Prior to that, Muse Group was forced to reverse course when it was spotted adding Google and Yandex telemetry to Audacity. Although the company insisted it had planned to announce the idea first – and make it opt-in – instead users discovered it inadvertently as part of a new pull request. As a result, Muse Group said it would instead be self-hosting error reports.