Is Audacity Spyware or Is It Safe?

Audacity is a free and open-source multi-track audio editor that I’ve been using (and talking about) for years.

Recently, there’s been some discussion on some open-source websites with provocative headlines that claim Audacity has become spyware.

Not only is this not true, it seems like these articles are coming dangerously close to clickbait.

Here’s what’s really going on.

Audacity Acquisition and Privacy Policy Updates

A few months ago, Audacity was acquired by the Muse Group. Muse Group was established this year (2021), and is a collection of software focused on musicians. Muse Group’s brands include:

Shortly after the acquisition (May 4, 2021) the following privacy policy update was announced. Keep in mind this is planned for the next version of Audacity (3.0.3):

This request provides the basic telemetry for Audacity.

To implement the network layer libcurl is used to avoid issues with the built-in networking of the wxWidgets.

Universal Google Analytics is used to track the following events:

  • Session start and end
  • Errors, including errors from the sqlite3 engine, as we need to debug corruption issues reported on the Audacity forum
  • Usage of effects, sound generators, analysis tools, so we can prioritize future improvements.
  • Usage of file formats for import and export
  • OS and Audacity versions

To identify sessions we use a UUID, which is generated and stored on the client machine.

We use Yandex Metrica to be able to correctly estimate the daily active users. We have to use the second service as Google Analytics is known to have some really tight quotas.

Both services also record the IP the request is coming from.

Telemetry collection is optional and configurable at any time. In case data sharing is disabled, all calls to the telemetry Report* functions are no-ops.

Additionally, this pull request comes with a set of libraries to help the future efforts on Audacity.

The inclusion of both Google Analytics and Yandex Metrica, along with the tracking specifics, set off an uproar in the update’s comments. It’s this update, which was never implemented, that is the reason many sources have called Audacity spyware.

At this point, it’s worth pointing out that this kind of basic telemetry reporting is not uncommon in open-source software. Firefox (my browser of choice) does it, and I’m totally fine with some basic metrics being tracked in order to improve (and update) the software.

Updated Updates

A few days after the initial policy update, Audacity responded and clarified that telemetry tracking would be off by default. This means that the user would have to intentionally enable telemetry logging, and so casual users (who don’t dive into settings) or privacy-conscious users would see no real change from previous versions of Audacity. (Another note: Firefox enables their telemetry by default – users have to actively turn it off if they don’t want it phoning home.)

The community still had questions (primarily about 3rd party analytics companies), so Audacity cancelled their planned privacy policy updates. They also issued this update about how/why they will gather usage telemetry.

The main points:

  • Audacity (and Muse Group) have no interest in acquiring or selling user data, and Audacity will always remain free and open source.
  • All the telemetry tracking in the previous update is cancelled, except for automatic update checking (on Audacity start) and error reporting.
  • Audacity will not use 3rd-party analytic software. Audacity will self-host the collected telemetry (error reporting and update checks).
  • Automatic update and error reporting are enabled by default, but users can turn them off at any time. Users can also see (and cancel) an error report before it is sent.
  • Although the update checking (and error reporting) will show Audacity a user’s IP address, the IP address itself will not be stored by Audacity. Instead, a non-reversible hash will be created which will allow Audacity to improve their daily use statistics, while seeing only a user’s country.
  • Additionally, versions of Audacity compiled from source (or downloaded from Linux repositories) will have the error and update checking code disabled by default.
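One way a server could do the hashed-IP daily counting described in the points above, as an added example and not Audacity's own code. It assumes a keyed hash (HMAC-SHA256) with a random per-day key that is discarded when the day closes; the class name and the sample requests (documentation-range addresses) are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
from collections import defaultdict


class DailyActiveCounter:
    """Counts distinct clients per day without ever storing an IP address."""

    def __init__(self):
        self._keys = {}                  # day -> random key, kept in memory only
        self._tokens = defaultdict(set)  # day -> keyed hashes seen that day

    def record(self, day, ip, country):
        """Return what would be stored: (token, country). The raw IP is dropped."""
        # A key is required: the IPv4 space is small, so an unkeyed hash of an
        # address can be matched back to it by trying every address.
        key = self._keys.setdefault(day, secrets.token_bytes(32))
        packed = ipaddress.ip_address(ip).packed  # canonical bytes for v4 and v6
        token = hmac.new(key, packed, hashlib.sha256).hexdigest()
        self._tokens[day].add(token)
        return token, country

    def close_day(self, day):
        """Return the day's distinct-client count, then destroy key and tokens."""
        count = len(self._tokens.pop(day, ()))
        self._keys.pop(day, None)  # without the key, old tokens cannot be recomputed
        return count


# Constructed sample: (day, client IP, country from a GeoIP lookup done upstream)
SAMPLE = [
    ("2021-07-01", "192.0.2.10", "DE"),
    ("2021-07-01", "192.0.2.10", "DE"),    # same client, second launch
    ("2021-07-01", "198.51.100.7", "US"),
    ("2021-07-02", "192.0.2.10", "DE"),    # same client, next day
]


def run_sample():
    counter = DailyActiveCounter()
    stored = [counter.record(*row) for row in SAMPLE]
    return stored, counter.close_day("2021-07-01"), counter.close_day("2021-07-02")


if __name__ == "__main__":
    print(run_sample())
```

Because the key changes every day, the same client produces a different token on the next day, so the stored values support a daily count but cannot be joined into a longer history.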

My Conclusion – Audacity Did Things Right

While there are privacy advocates who are against any sort of telemetry, this is one advantage software makers have today. Not only does it let them get quick and accurate reports generated from crashes or other bugs, but they can also easily push updates to fix these problems before other users have them.

While Audacity didn’t present their privacy updates well, it does seem like they have actually listened to the community. They seem to have done some real work to strike a balance between user preferences and software improvement.

I, for one, will continue to use (and recommend) Audacity (and MuseScore).