The Audacity! How to wreck an open-source project and anger a community

2 years ago 282

Audacity software has been acquired, and the new verbiage added to the privacy policy has the open-source community up in arms.

Audacity. Surely, you've heard of it. It's one of the most widely used apps by podcasters everywhere. It's one open-source project that has managed to strike the perfect balance between feature list and usability. It has everything you could possibly need to record podcasts, music and just about any type of audio, and it does this while maintaining a level of user-friendliness that few software titles can touch. It's as easy to use as it is feature-rich.

SEE: The best programming languages to learn--and the worst (TechRepublic Premium)

I've been using Audacity daily for over a decade. And I'm turning my back on it. That's right, I will no longer be using this tool for my recording needs. And that's a problem. Why? Because there are three types of audio recording software for Linux:

Those that aren't worth the time to install.
Those that are ridiculously complicated to use.
Audacity.

I could take a week or a month to learn Ardour, but then I'd have to spend an extra month or two getting up to speed with JACK. No thanks (not for podcast and single-track audio recording). I could use a simple audio recording app. No thanks (not when I need plugins like noise reduction). So you see, what the acquiring company has done really puts me in a jam.

Wait. What?

Let's back up a bit.

SEE: 5 Linux server distributions you should be using (TechRepublic Premium)

Here's what happened. A company acquired Audacity. Now, prior to this, you may or may not have heard that the Audacity developers were toying around with adding telemetry to collect data from users. After a public outcry, it seemed that idea was sent to /dev/null to die a timely death.

But then, over the past few days, it became public knowledge that the acquiring company did intend to add telemetry to Audacity. But this flavor of telemetry isn't just collecting information like OS, location and hardware specs. Oh no. You see, the parent company is a multi-national organization intent on collecting the following information:

OS Version
User country (based on IP address)
OS name and version
CPU
Non-fatal error codes and messages
Crash reports

So far so good, right? I'm OK with them collecting that information. But it doesn't end there. The privacy policy adds:

Data necessary for law enforcement, litigation, and authorities' requests.

But then they add this:

"All your personal data is stored on our servers in the European Economic Area (EEA). However, we are occasionally required to share your personal data with our main office in Russia and our external counsel in the USA."

Then they continue that they might share data with anyone they classify as a "third-party" or even "potential buyers." The actual verbiage of the new privacy policy describes those entities they might share your data with as such (taken directly from the official privacy notice that was posted July 2):

"to our staff members. We take precautions to allow access to Personal Data only to those staff members who have a legitimate business need for access and with a contractual prohibition of using the Personal Data for any other purpose.
"to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, or (ii) to exercise, establish or defend our legal rights;
"to our auditors, advisors, legal representatives and similar agents in connection with the advisory services they provide to us for legitimate business purposes and under contractual prohibition of using the Personal Data for any other purpose.
"to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your Personal Data only for the purposes disclosed in this Notice;
"to any other person if you have provided your prior consent to the disclosure."

In other words, they're going to collect your data and then, if someone wants to buy it, they'll sell it.

Finally, new new owners include verbiage to attempt to dissuade people 13 and younger from using the software with this line:

"The App we provide is not intended for individuals below the age of 13. If you are under 13 years old, please do not use the App."

This is a slap in the face to the open-source community that has spent years using, promoting and improving Audacity. And to make matters worse, the new owners added a requirement that anyone wishing to send a pull request to the original source would have to allow the new owners unrestricted access to the changes.

SEE: C++ programming language: How it became the foundation for everything, and what's next (free PDF) (TechRepublic)

And then, of course, the company backpedaled to say that everyone had misunderstood the privacy policy and they planned to rewrite it. The new holders attempted to clear the air by saying:

Error-reporting was opt-in.
Automatic update checking is opt-out.

That clarification says nothing about their intention on working with third-party data purchasing.

If that's the case, then this is an exercise in how not to acquire an open-source project.

There is, of course, a silver lining. As this is open-source, a fork of Audacity is imminent. In fact, there's already a fork of Audacity, stripped of the telemetry code. There's no telling how long it will take for this fork to become official (and easily installable), but at least we know it's in the works.

This example of Audacity being purchased is a perfect illustration of how to wreck an open-source project without really trying. You acquire it, add stipulations to its usage that are counter to the open-source spirit, and then collect data on those using the software (with the option to sell said data to an interested third-party). It's a perfect recipe to kill a project, especially in the eyes of open-source advocates who happen to take their privacy seriously.

Honestly, I have no idea to what software I will turn to fill the aural void left by Audacity. But I know I cannot, in good conscience, use a piece of software that spits in the eye of open-source and those who have worked so hard to create an app that millions of people depend on. Maybe, with a bit of luck, either the new owners will see the error of their ways and recant, or the fork will get enough support behind it that it'll be released sooner, rather than later.

Either way, if your company plans to acquire an open-source project, take care with what you do to it, otherwise, you'll wind up failing the project, the community and your shareholders.