Audacity’s Privacy Policy Doesn’t Make It ‘Spyware’ Because Everything Is Spyware Now

Audacity’s Privacy Policy Doesn’t Make It ‘Spyware’ Because Everything Is Spyware Now
Graphic: Audacity

Ever since Audacity was acquired by tech conglomerate Muse Group in late April, fans of the free-to-use audio tool have been raising hell about some of the changes made to the software. First came plans to add telemetry capture. Then came a new contributor licence agreement. Then last week came a privacy policy update that some Audacity die-hards say turns the software into “spyware.” But Audacity isn’t “spyware” — if only because virtually every app we use is some form of spyware these days.

Audacity’s privacy policy was updated on July 2 to clarify that the program will now collect certain forms of “personal data” from the people using it, like the user’s operating system name and version, and that user’s country based on their IP address. On top of this, the privacy policy notes that it will also collect “data necessary for law enforcement, litigation and authorities’ requests (if any).” That last clause was vaguely worded and threatening enough that Audacity users began assuming the worst; some theorised that the software would now tap user’s microphones and pawn that data to law enforcement or other authorities.

It’s not clear whether any of that is actually true. Certain other clauses that users were up in arms about — like one stating that its program “is not intended for individuals below the age of 13″ — were only included to comply with data-collection rules like COPPA that puts a tight cap on any data collected from the pre-teen set. This includes personal data, but also so-called “anonymous data” like the hashed IP addresses Audacity collects, in part because those nuggets can still be traced back to the user it originated from.

What is clear is that Audacity joined the ranks of companies like WhatsApp and TikTok by writing up a privacy policy that was misinterpreted from the get-go — at least, according to the company.

“We believe concerns are due largely to unclear phrasing in the Privacy Policy, which we are now in the process of rectifying,” Muse Group’s head of strategy, Daniel Ray, said in a statement on GitHub. “In the meantime, we would like to clarify what seem to be the major points of concern.”

First, Ray says of Audacity, “We do not and will not sell ANY data we collect or share it with 3rd parties. Full stop,” which seemed to address one of the main concerns that users had. That said, it’s worth mentioning that data “selling” and data “sharing” are legally distinct phrases, and Audacity’s privacy policy still leaves the door wide open to share data with authorities, potential buyers, or with any other body that legally requires it. The policy also notes that it will share data for the “legitimate interest” of its parent company “to offer and ensure the proper functioning of the app,” which is privacy-policy-speak for saying it can, theoretically, share that data with marketing companies or any advertising middlemen.

Ray adds that its data collection is “very limited” and only includes “pseudonymised” IP addresses that are “irretrievable after 24 hours,” system information that includes “OS version and CPU type,” and optional error report data — not users’ microphone recordings or personal details. For context, in the majority of cases, this is the sort of data that cops will request from companies like Apple, Microsoft, or Facebook, since even so-called “anonymous” signals can be tied back to the device that generated it. But even in cases where authorities asked for user data, Ray added, this data won’t be shared immediately upon request; it would only be shared “if compelled by a court of law in a jurisdiction” in which the company operates.

“We operate in many countries around the world and this is a standard policy requirement for providing services in many jurisdictions,” he added, also noting that Europe’s GDPR defines an IP address as “personal data,” which is why Audacity used that phrase in its privacy policy.

Also worth mentioning here is that some of the other products under the Muse Group umbrella — like the music notation software MuseScore — feature nearly identical privacy policies, which suggests the parent company just updated Audacity’s policies for some consistency across its catalogue. But that doesn’t excuse the piss-poor wording on its original draft, which Ray swears will be “revised” soon enough.

If you’re still on edge despite Ray’s explanation — or have simply lost faith in Muse Group’s ability to not destroy Audacity going forward — here’s some good news: The new privacy policy update doesn’t come into effect until Audacity’s next update (3.0.3), and the current version (3.0.2) doesn’t have these data-sharing features enabled. So you can rest easy if you download the software in its current state and just… never update. Even better: Some users are taking advantage of Audacity’s open-source nature to spin-off forks of the software that cut out the unnecessary data collection. In other words, if you want to keep your Audacity data private, you have options.

The truth is, though, if you’re worried about Audacity being spyware then you should also be worried about… every other app being spyware, too. Spotify keeps track of when you’re going to the gym. Your gym keeps track of when you’re logging onto Facebook. Facebook keeps track of literally everything. It’s natural to be on edge when a popular piece of music recording software suddenly updates its privacy policy after being around for two decades, but in the grand scheme of things, you’re likely already using products that share troves more data than Audacity does without a second thought.

So, by all means, be up in arms about Audacity’s update. And we should all be angry about the constant erosion of privacy by apps and services of all kinds — not to mention the godawful data protection laws we have here in the U.S. But we’re going to need a hell of a lot more pitchforks.